Snyk vulnerability scan report #358

Workflow file for this run

.github/workflows/snyc-scan.yml at 04c95a3

	name: Snyk vulnerability scan report

	on:
	schedule:
	- cron: "0 0/8 * * *"

	env:
	APP_ENGINE_REPO: entando/app-engine
	APP_ENGINE_BRANCH: develop
	CATALYST_INFRA_TEMPLATES_REPO: entando/catalyst-infra-templates
	SNYK_SCAN_MATRIX_CONFIG_URL: global-config/snyk-scan-matrix.json
	SNYK_SCAN_BUILD_POM_SCRIPT_URL: scripts/snyk-scan-build-pom.sh

	jobs:
	setup:
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	build_pom_script: ${{ steps.set-build-pom-script.outputs.build_pom_script }}
	pom_template: ${{ steps.set-pom-template.outputs.pom_template }}
	steps:

	- name: Checkout catalyst-infra-templates
	uses: actions/checkout@v3
	with:
	repository: ${{ env.CATALYST_INFRA_TEMPLATES_REPO }}
	token: ${{ secrets.ENTANDO_BOT_TOKEN }}

	- name: Load snyk-scan-matrix.json
	id: set-matrix
	run: \|
	echo "matrix=$(jq -c . < $SNYK_SCAN_MATRIX_CONFIG_URL)" >> $GITHUB_OUTPUT

	- name: Upload snyk-scan-build-pom.sh
	uses: actions/upload-artifact@v3
	with:
	name: snyk-scan-build-pom.sh
	path: ${{ env.SNYK_SCAN_BUILD_POM_SCRIPT_URL }}

	scan-matrix:
	needs: setup
	runs-on: ubuntu-latest
	strategy:
	matrix: ${{fromJson(needs.setup.outputs.matrix)}}
	fail-fast: true
	max-parallel: 10
	steps:
	- name: Checkout project
	uses: actions/checkout@v3
	with:
	repository: ${{ matrix.repo }}
	ref: ${{ matrix.branch }}
	- name: Download snyk-scan-build-pom.sh
	uses: actions/download-artifact@v3
	with:
	name: snyk-scan-build-pom.sh
	- name: Get Service Account Access Token
	run: \|
	CURL_RESPONSE=$(curl -X 'POST' \
	'https://vulnerability-reports.k8s-entando.org/auth/realms/VulnerabilityReports/protocol/openid-connect/token' \
	-H 'Content-Type: application/x-www-form-urlencoded' \
	-d 'client_id=vulnerability-reports-sa&grant_type=client_credentials&client_secret=${{ secrets.KEYCLOAK_CLIENT_SECRET }}')
	echo $CURL_RESPONSE
	TOKEN=$(echo $CURL_RESPONSE \| jq .access_token)
	TOKEN=${TOKEN:1:-1}
	echo "ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
	- name: Scan vulnerabilities with snyk
	run: \|
	rm -rfv ./scan-prj
	mkdir scan-prj
	cd scan-prj
	mv ../snyk-scan-build-pom.sh .
	bash snyk-scan-build-pom.sh
	npm install snyk -g
	snyk auth ${{ secrets.SNYK_TOKEN }}
	snyk test >> snyk-results.txt \|\| true
	BRANCH=$(echo ${{ matrix.branch }} \| sed -r 's;/+;_;g')
	REPO_NAME=$(echo "${{ matrix.repo }}" \| awk -F '/' '{print $2}')
	REPORT_FILE_NAME=$BRANCH-$REPO_NAME.csv
	echo "Vulnerable Library, Vulnerability Type, Severity, Current Version, Fix Version, Fix Type (Update/Explicity/No Fix), Details" > $REPORT_FILE_NAME
	POST_PAYLOAD="{\"repository\": \"${REPO_NAME}\", \"branch\": \"${{ matrix.branch }}\", \"vulnerabilities\": ["
	while read LINE
	do
	if [[ $LINE == Upgrade* ]]
	then
	VULNERABLE_LIB_VERSION_FIX=$(echo "${LINE}" \| awk -F '@' '{print $3}' \| awk -F ' ' '{print $1}')
	VULNERABLE_LIB_VERSION_FIX=$(echo $VULNERABLE_LIB_VERSION_FIX \| sed -r 's\|,\|;\|g')
	FIX_TYPE="Update"
	FIX_TYPE_ENUM="UPDATE"
	ISSUES_WITH_NO_DIRECT_UPGRADE=false
	elif [[ $LINE == ✗* ]]
	then
	VULNERABILITY_TYPE=$(echo "${LINE}" \| awk -F '✗ ' '{print $2}' \| awk -F ' \\[' '{print $1}' \| sed 's/ (new)//')
	VULNERABILITY_SEVERITY=$(echo "${LINE}" \| awk -F '[' '{print $2}' \| awk -F ' ' '{print $1}')
	VULNERABILITY_SEVERITY_ENUM=$(echo $VULNERABILITY_SEVERITY \| tr '[:lower:]' '[:upper:]')
	VULNERABILITY_SNYK_LINK=$(echo "${LINE}" \| awk -F '[' '{print $3}' \| awk -F ']' '{print $1}')
	elif [[ $LINE == "Issues with no direct upgrade"* ]]
	then
	ISSUES_WITH_NO_DIRECT_UPGRADE=true
	FIX_TYPE="No fix"
	FIX_TYPE_ENUM="NO_FIX"
	VULNERABLE_LIB_VERSION_FIX=
	elif [[ $LINE == "introduced by"* ]]
	then
	VULNERABLE_LIB=$(echo "${LINE}" \| awk -F 'introduced by ' '{print $2}' \| awk -F '@' '{print $1}')
	VULNERABLE_LIB_VERSION=$(echo "${LINE}" \| awk -F '@' '{print $2}' \| awk '{print $1}')
	if [[ $ISSUES_WITH_NO_DIRECT_UPGRADE = false ]]
	then
	echo "${VULNERABLE_LIB},${VULNERABILITY_TYPE},${VULNERABILITY_SEVERITY},${VULNERABLE_LIB_VERSION},${VULNERABLE_LIB_VERSION_FIX},${FIX_TYPE},${VULNERABILITY_SNYK_LINK}" >> $REPORT_FILE_NAME
	POST_PAYLOAD="${POST_PAYLOAD} {\"detailsURL\": \"${VULNERABILITY_SNYK_LINK}\", \"vulnerableLib\": \"${VULNERABLE_LIB}\", \"type\": \"${VULNERABILITY_TYPE}\", \"severity\": \"${VULNERABILITY_SEVERITY_ENUM}\", \"currentVersion\": \"${VULNERABLE_LIB_VERSION}\", \"fixVersion\": \"${VULNERABLE_LIB_VERSION_FIX}\", \"fixType\": \"${FIX_TYPE_ENUM}\"},"
	fi
	elif [[ $LINE == "This issue was fixed in versions"* ]]
	then
	VULNERABLE_LIB_VERSION_FIX=$(echo "${LINE}" \| awk -F 'This issue was fixed in versions: ' '{print $2}')
	VULNERABLE_LIB_VERSION_FIX=$(echo $VULNERABLE_LIB_VERSION_FIX \| sed -r 's\|,\|;\|g')
	FIX_TYPE="Explicit"
	FIX_TYPE_ENUM="EXPLICIT"
	echo "${VULNERABLE_LIB},${VULNERABILITY_TYPE},${VULNERABILITY_SEVERITY},${VULNERABLE_LIB_VERSION},${VULNERABLE_LIB_VERSION_FIX},${FIX_TYPE},${VULNERABILITY_SNYK_LINK}" >> $REPORT_FILE_NAME
	POST_PAYLOAD="${POST_PAYLOAD} {\"detailsURL\": \"${VULNERABILITY_SNYK_LINK}\", \"vulnerableLib\": \"${VULNERABLE_LIB}\", \"type\": \"${VULNERABILITY_TYPE}\", \"severity\": \"${VULNERABILITY_SEVERITY_ENUM}\", \"currentVersion\": \"${VULNERABLE_LIB_VERSION}\", \"fixVersion\": \"${VULNERABLE_LIB_VERSION_FIX}\", \"fixType\": \"${FIX_TYPE_ENUM}\"},"
	elif [[ $LINE == "No upgrade or patch available"* ]]
	then
	FIX_TYPE="No fix"
	FIX_TYPE_ENUM="NO_FIX"
	VULNERABLE_LIB_VERSION_FIX=
	echo "${VULNERABLE_LIB},${VULNERABILITY_TYPE},${VULNERABILITY_SEVERITY},${VULNERABLE_LIB_VERSION},${VULNERABLE_LIB_VERSION_FIX},${FIX_TYPE},${VULNERABILITY_SNYK_LINK}" >> $REPORT_FILE_NAME
	POST_PAYLOAD="${POST_PAYLOAD} {\"detailsURL\": \"${VULNERABILITY_SNYK_LINK}\", \"vulnerableLib\": \"${VULNERABLE_LIB}\", \"type\": \"${VULNERABILITY_TYPE}\", \"severity\": \"${VULNERABILITY_SEVERITY_ENUM}\", \"currentVersion\": \"${VULNERABLE_LIB_VERSION}\", \"fixVersion\": \"${VULNERABLE_LIB_VERSION_FIX}\", \"fixType\": \"${FIX_TYPE_ENUM}\"},"
	fi
	done < snyk-results.txt
	POST_PAYLOAD=${POST_PAYLOAD:0:-1}]}
	CURL_RESPONSE=$(curl -is -X 'PUT' \
	'https://vulnerability-reports.k8s-entando.org/v1/vulnerability-reports/' \
	-H "Authorization: Bearer $ACCESS_TOKEN" \
	-H 'accept: application/json' \
	-H 'Content-Type: application/json' \
	-d "${POST_PAYLOAD}]}")
	echo $CURL_RESPONSE
	- name: Upload Snyk reports
	uses: actions/upload-artifact@v3
	with:
	name: snyk-report
	path: scan-prj/*.csv

	send-slack-message:
	needs: scan-matrix
	runs-on: ubuntu-latest
	steps:
	- name: Send message in Slack
	run: \|
	PAYLOAD="{\"text\":\"Vulnerability reports updated: \n • <https://vulnerability-reports.k8s-entando.org/\|Vulnerability Reports Page> \n • <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\|GitHub Artifact>\"}"
	curl -X POST -H 'Content-type: application/json' -d "${PAYLOAD}" ${{ secrets.SLACK_SV_WEBHOOK }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Snyk vulnerability scan report #358

Workflow file

Snyk vulnerability scan report #358

Jobs

Run details

Workflow file for this run