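---
# Scheduled Snyk scan of every repo/branch listed in
# global-config/snyk-scan-matrix.json (read from catalyst-infra-templates).
# Each matrix entry is scanned, its findings are written to a CSV artifact and
# PUT to the vulnerability-reports service, then a Slack summary is posted.
name: Snyk vulnerability scan report

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  schedule:
    - cron: "0 0/8 * * *"

# Least privilege for GITHUB_TOKEN: no job writes to this repository. The
# private checkout below authenticates with ENTANDO_BOT_TOKEN instead, and
# artifact upload/download does not need contents:write.
permissions:
  contents: read

env:
  # Not referenced by any step in this file; presumably consumed by
  # snyk-scan-build-pom.sh — verify before removing.
  APP_ENGINE_REPO: entando/app-engine
  APP_ENGINE_BRANCH: develop
  CATALYST_INFRA_TEMPLATES_REPO: entando/catalyst-infra-templates
  # Paths inside the catalyst-infra-templates checkout.
  SNYK_SCAN_MATRIX_CONFIG_URL: global-config/snyk-scan-matrix.json
  SNYK_SCAN_BUILD_POM_SCRIPT_URL: scripts/snyk-scan-build-pom.sh

jobs:
  # Loads the scan matrix and ships the pom-building helper to the scan job.
  setup:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
      # NOTE(review): no step in this job carries id set-build-pom-script or
      # set-pom-template, so these two outputs always evaluate to an empty
      # string; kept for interface compatibility — drop them deliberately.
      build_pom_script: ${{ steps.set-build-pom-script.outputs.build_pom_script }}
      pom_template: ${{ steps.set-pom-template.outputs.pom_template }}
    steps:
      - name: Checkout catalyst-infra-templates
        # Mutable major tag; pinning to a full commit SHA gives a verifiable
        # supply chain for the action code.
        uses: actions/checkout@v3
        with:
          repository: ${{ env.CATALYST_INFRA_TEMPLATES_REPO }}
          token: ${{ secrets.ENTANDO_BOT_TOKEN }}

      - name: Load snyk-scan-matrix.json
        id: set-matrix
        # jq -c compacts the matrix to one line so it fits a single output.
        run: |
          echo "matrix=$(jq -c . < "$SNYK_SCAN_MATRIX_CONFIG_URL")" >> "$GITHUB_OUTPUT"

      - name: Upload snyk-scan-build-pom.sh
        uses: actions/upload-artifact@v3
        with:
          name: snyk-scan-build-pom.sh
          path: ${{ env.SNYK_SCAN_BUILD_POM_SCRIPT_URL }}

  # One job per matrix entry (repo + branch): run snyk, parse the text output
  # into a CSV plus a JSON payload for the vulnerability-reports service.
  scan-matrix:
    needs: setup
    runs-on: ubuntu-latest
    strategy:
      matrix: ${{ fromJson(needs.setup.outputs.matrix) }}
      fail-fast: true  # one failing entry cancels the remaining scans
      max-parallel: 10
    steps:
      - name: Checkout project
        uses: actions/checkout@v3
        with:
          repository: ${{ matrix.repo }}
          ref: ${{ matrix.branch }}

      - name: Download snyk-scan-build-pom.sh
        uses: actions/download-artifact@v3
        with:
          name: snyk-scan-build-pom.sh

      - name: Get Service Account Access Token
        env:
          # Secrets reach the shell through the environment rather than being
          # substituted into the script text by the expression engine.
          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
        run: |
          # --data-urlencode keeps a secret containing '&', '+' or '%' intact.
          CURL_RESPONSE=$(curl -sS -X 'POST' \
            'https://vulnerability-reports.k8s-entando.org/auth/realms/VulnerabilityReports/protocol/openid-connect/token' \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            --data-urlencode 'client_id=vulnerability-reports-sa' \
            --data-urlencode 'grant_type=client_credentials' \
            --data-urlencode "client_secret=${KEYCLOAK_CLIENT_SECRET}")
          # The response is deliberately not echoed: it carries the bearer
          # token, which GitHub does not mask on its own.
          TOKEN=$(printf '%s' "$CURL_RESPONSE" | jq -r '.access_token // empty')
          if [ -z "$TOKEN" ]; then
            echo "::error::token endpoint returned no access_token"
            exit 1
          fi
          # Mask before exporting so later steps cannot print it in clear.
          echo "::add-mask::$TOKEN"
          echo "ACCESS_TOKEN=$TOKEN" >> "$GITHUB_ENV"

      - name: Scan vulnerabilities with snyk
        env:
          # Read by the snyk CLI for authentication; avoids putting the token
          # on a command line.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          # Matrix values go through env so they are never interpolated into
          # the script source.
          MATRIX_REPO: ${{ matrix.repo }}
          MATRIX_BRANCH: ${{ matrix.branch }}
        run: |
          rm -rfv ./scan-prj
          mkdir scan-prj
          cd scan-prj
          mv ../snyk-scan-build-pom.sh .
          bash snyk-scan-build-pom.sh
          # Unpinned latest snyk; pin a version for reproducible scans.
          npm install snyk -g
          # snyk test exits non-zero when issues are found; the text output is
          # what gets parsed below, so the exit code is intentionally ignored.
          snyk test >> snyk-results.txt || true

          BRANCH=$(printf '%s' "$MATRIX_BRANCH" | sed -r 's;/+;_;g')
          REPO_NAME=$(printf '%s' "$MATRIX_REPO" | awk -F '/' '{print $2}')
          REPORT_FILE_NAME="$BRANCH-$REPO_NAME.csv"
          echo "Vulnerable Library, Vulnerability Type, Severity, Current Version, Fix Version, Fix Type (Update/Explicity/No Fix), Details" > "$REPORT_FILE_NAME"
          # One JSON object per finding; the file must exist even when the
          # scan is clean so the final payload gets an empty array.
          : > vulnerabilities.ndjson

          # Appends the current finding to the CSV and to the NDJSON file.
          # jq builds the object, so values containing quotes or commas in the
          # details cannot break the JSON (the CSV is kept as-is).
          record_vuln() {
            echo "${VULNERABLE_LIB},${VULNERABILITY_TYPE},${VULNERABILITY_SEVERITY},${VULNERABLE_LIB_VERSION},${VULNERABLE_LIB_VERSION_FIX},${FIX_TYPE},${VULNERABILITY_SNYK_LINK}" >> "$REPORT_FILE_NAME"
            jq -cn \
              --arg detailsURL "$VULNERABILITY_SNYK_LINK" \
              --arg vulnerableLib "$VULNERABLE_LIB" \
              --arg type "$VULNERABILITY_TYPE" \
              --arg severity "$VULNERABILITY_SEVERITY_ENUM" \
              --arg currentVersion "$VULNERABLE_LIB_VERSION" \
              --arg fixVersion "$VULNERABLE_LIB_VERSION_FIX" \
              --arg fixType "$FIX_TYPE_ENUM" \
              '$ARGS.named' >> vulnerabilities.ndjson
          }

          # State machine over snyk's text report: an "Upgrade"/"Issues with no
          # direct upgrade" header sets the fix type, a "✗" line names the
          # issue, and "introduced by" / "fixed in versions" / "No upgrade"
          # lines complete one record each.
          ISSUES_WITH_NO_DIRECT_UPGRADE=false
          while read -r LINE
          do
            if [[ $LINE == Upgrade* ]]
            then
              VULNERABLE_LIB_VERSION_FIX=$(echo "${LINE}" | awk -F '@' '{print $3}' | awk -F ' ' '{print $1}')
              VULNERABLE_LIB_VERSION_FIX=$(echo "$VULNERABLE_LIB_VERSION_FIX" | sed -r 's|,|;|g')
              FIX_TYPE="Update"
              FIX_TYPE_ENUM="UPDATE"
              ISSUES_WITH_NO_DIRECT_UPGRADE=false
            elif [[ $LINE == ✗* ]]
            then
              VULNERABILITY_TYPE=$(echo "${LINE}" | awk -F '✗ ' '{print $2}' | awk -F ' \\[' '{print $1}' | sed 's/ (new)//')
              VULNERABILITY_SEVERITY=$(echo "${LINE}" | awk -F '[' '{print $2}' | awk -F ' ' '{print $1}')
              VULNERABILITY_SEVERITY_ENUM=$(echo "$VULNERABILITY_SEVERITY" | tr '[:lower:]' '[:upper:]')
              VULNERABILITY_SNYK_LINK=$(echo "${LINE}" | awk -F '[' '{print $3}' | awk -F ']' '{print $1}')
            elif [[ $LINE == "Issues with no direct upgrade"* ]]
            then
              ISSUES_WITH_NO_DIRECT_UPGRADE=true
              FIX_TYPE="No fix"
              FIX_TYPE_ENUM="NO_FIX"
              VULNERABLE_LIB_VERSION_FIX=
            elif [[ $LINE == "introduced by"* ]]
            then
              VULNERABLE_LIB=$(echo "${LINE}" | awk -F 'introduced by ' '{print $2}' | awk -F '@' '{print $1}')
              VULNERABLE_LIB_VERSION=$(echo "${LINE}" | awk -F '@' '{print $2}' | awk '{print $1}')
              # Under "no direct upgrade" the record is emitted by the
              # fixed-in / no-upgrade line that follows, not here.
              if [[ $ISSUES_WITH_NO_DIRECT_UPGRADE = false ]]
              then
                record_vuln
              fi
            elif [[ $LINE == "This issue was fixed in versions"* ]]
            then
              VULNERABLE_LIB_VERSION_FIX=$(echo "${LINE}" | awk -F 'This issue was fixed in versions: ' '{print $2}')
              VULNERABLE_LIB_VERSION_FIX=$(echo "$VULNERABLE_LIB_VERSION_FIX" | sed -r 's|,|;|g')
              FIX_TYPE="Explicit"
              FIX_TYPE_ENUM="EXPLICIT"
              record_vuln
            elif [[ $LINE == "No upgrade or patch available"* ]]
            then
              FIX_TYPE="No fix"
              FIX_TYPE_ENUM="NO_FIX"
              VULNERABLE_LIB_VERSION_FIX=
              record_vuln
            fi
          done < snyk-results.txt

          # Assemble the payload with jq instead of string concatenation: this
          # avoids the dangling-comma / unbalanced "]}" problem and yields a
          # valid "vulnerabilities": [] when nothing was found.
          jq -n \
            --arg repository "$REPO_NAME" \
            --arg branch "$MATRIX_BRANCH" \
            --slurpfile vulns vulnerabilities.ndjson \
            '{repository: $repository, branch: $branch, vulnerabilities: $vulns}' > payload.json

          HTTP_STATUS=$(curl -sS -o put-response.txt -w '%{http_code}' -X 'PUT' \
            'https://vulnerability-reports.k8s-entando.org/v1/vulnerability-reports/' \
            -H "Authorization: Bearer $ACCESS_TOKEN" \
            -H 'accept: application/json' \
            -H 'Content-Type: application/json' \
            --data-binary @payload.json)
          cat put-response.txt
          # curl exits 0 on HTTP errors; surface a failed upload in the run
          # summary without cancelling the sibling scans (fail-fast is on).
          case "$HTTP_STATUS" in
            2*) ;;
            *) echo "::warning::vulnerability report upload for $REPO_NAME/$MATRIX_BRANCH returned HTTP $HTTP_STATUS" ;;
          esac

      - name: Upload Snyk reports
        uses: actions/upload-artifact@v3
        with:
          name: snyk-report
          path: scan-prj/*.csv

  # Runs only when every matrix scan succeeded (needs:).
  send-slack-message:
    needs: scan-matrix
    runs-on: ubuntu-latest
    steps:
      - name: Send message in Slack
        env:
          # The webhook URL is a credential; keep it out of the script text.
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SV_WEBHOOK }}
          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          PAYLOAD="{\"text\":\"*Vulnerability reports updated:* \n • <https://vulnerability-reports.k8s-entando.org/|Vulnerability Reports Page> \n • <${RUN_URL}|GitHub Artifact>\"}"
          curl -sS -X POST -H 'Content-type: application/json' -d "${PAYLOAD}" "${SLACK_WEBHOOK_URL}"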