Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
143 changes: 143 additions & 0 deletions .github/workflows/test-vurnabilities-data.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
name: Run Vulnerability Data Script with Parameters and Update PR

on:
workflow_dispatch:
inputs:
image_name:
description: 'Docker image name to scan'
required: true
default: 'appsmith/appsmith-ce:release'

Comment on lines +1 to +

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Fix typo in workflow filename

The workflow filename contains a typo: "vurnabilities" should be "vulnerabilities". This should be corrected for better maintainability.

Rename the file from:

- .github/workflows/test-vurnabilities-data.yml
+ .github/workflows/test-vulnerabilities-data.yml

jobs:
run-and-update-pr:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: '20'

- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

- name: Install pg
run: npm install pg

- name: Fetch vulnerability data
id: vulnerability_data
env:
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
DB_USER: ${{ secrets.CYPRESS_DB_USER }}
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
uses: actions/github-script@v7
with:
script: |
const { Pool } = require("pg");
const fs = require('fs');
const path = require('path');
const { DB_HOST, DB_NAME, DB_USER, DB_PWD } = process.env;

const pool = new Pool({
user: DB_USER,
host: DB_HOST,
database: DB_NAME,
password: DB_PWD,
port: 5432,
connectionTimeoutMillis: 60000,
});

(async () => {
const client = await pool.connect();
try {
// Fetch vurn_id, product, scanner_tool, and priority from the database
const result = await client.query(`SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking`);
console.log('Vulnerability Data:', result.rows);

// Extract relevant fields from the result
const extractedData = result.rows.map(({ vurn_id, product, scanner_tool, priority }) => ({
vurn_id,
product,
scanner_tool,
priority
}));
console.log('Extracted Vulnerability Data:', extractedData);

// Prepare CSV content
const csvContent = [
['vurn_id', 'product', 'scanner_tool', 'priority'], // Add priority column header
...extractedData.map(row => [row.vurn_id, row.product, row.scanner_tool, row.priority])
]
.map(e => e.join(',')) // Join columns
.join('\n'); // Join rows

// Write to CSV file in workspace
const csvFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.csv');
fs.writeFileSync(csvFilePath, csvContent);
console.log(`Data successfully written to ${csvFilePath}`);

// Prepare TXT content
const txtContent = extractedData
.map(row => `vurn_id: ${row.vurn_id}, product: ${row.product}, scanner_tool: ${row.scanner_tool}, priority: ${row.priority}`)
.join('\n'); // Join rows

// Write to TXT file in workspace
const txtFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.txt');
fs.writeFileSync(txtFilePath, txtContent);
console.log(`Data successfully written to ${txtFilePath}`);

client.release();
return extractedData; // Return the extracted data
} catch (err) {
console.error('Error fetching vulnerability data:', err);
client.release();
}
})();

Comment on lines +32 to +

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Address potential database connection and I/O issues.

  1. Replace synchronous file operations with async versions
  2. Ensure pool is properly closed in all scenarios
  3. Add proper error propagation
- fs.writeFileSync(csvFilePath, csvContent);
+ await fs.promises.writeFile(csvFilePath, csvContent);

- fs.writeFileSync(txtFilePath, txtContent);
+ await fs.promises.writeFile(txtFilePath, txtContent);

  } catch (err) {
    console.error('Error fetching vulnerability data:', err);
    client.release();
+   throw err;
  } finally {
+   await pool.end();
  }

Committable suggestion was skipped due to low confidence.

🧰 Tools
🪛 yamllint

[error] 102-102: trailing spaces

(trailing-spaces)

- name: Upload Vulnerability Data
uses: actions/upload-artifact@v3
with:
name: vulnerability-data
path: |
vulnerability_base_data.csv
vulnerability_base_data.txt

Comment on lines +103 to +

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Fix YAML indentation

The path field indentation should be 10 spaces to match the YAML structure.

  with:
    name: vulnerability-data
-            path: |
-              vulnerability_base_data.csv
-              vulnerability_base_data.txt      
+    path: |
+      vulnerability_base_data.csv
+      vulnerability_base_data.txt
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Upload Vulnerability Data
uses: actions/upload-artifact@v3
with:
name: vulnerability-data
path: |
vulnerability_base_data.csv
vulnerability_base_data.txt
- name: Upload Vulnerability Data
uses: actions/upload-artifact@v3
with:
name: vulnerability-data
path: |
vulnerability_base_data.csv
vulnerability_base_data.txt
🧰 Tools
🪛 yamllint

[warning] 106-106: wrong indentation: expected 10 but found 12

(indentation)


[error] 109-109: trailing spaces

(trailing-spaces)

# Run Scout vulnerability data script
- name: Run Scout vulnerability data script
if: always()
env:
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
DB_USER: ${{ secrets.CYPRESS_DB_USER }}
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
run: |
chmod +x scripts/scout_vulnerabilities_data.sh
./scripts/scout_vulnerabilities_data.sh \
"${{ inputs.image_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
"${{ github.run_id }}"

Comment on lines +111 to +

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Add error handling for script execution.

The script execution should include error handling and status checks.

  run: |
    chmod +x scripts/scout_vulnerabilities_data.sh
-   ./scripts/scout_vulnerabilities_data.sh \
+   if ! ./scripts/scout_vulnerabilities_data.sh \
      "${{ inputs.image_name }}" \
      "${{ github.event.pull_request.number }}" \
      "${{ github.event.pull_request.html_url }}" \
-     "${{ github.run_id }}"
+     "${{ github.run_id }}"; then
+     echo "Scout vulnerability scan failed"
+     exit 1
+   fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Run Scout vulnerability data script
- name: Run Scout vulnerability data script
if: always()
env:
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
DB_USER: ${{ secrets.CYPRESS_DB_USER }}
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
run: |
chmod +x scripts/scout_vulnerabilities_data.sh
./scripts/scout_vulnerabilities_data.sh \
"${{ inputs.image_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
"${{ github.run_id }}"
# Run Scout vulnerability data script
- name: Run Scout vulnerability data script
if: always()
env:
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
DB_USER: ${{ secrets.CYPRESS_DB_USER }}
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
run: |
chmod +x scripts/scout_vulnerabilities_data.sh
if ! ./scripts/scout_vulnerabilities_data.sh \
"${{ inputs.image_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
"${{ github.run_id }}"; then
echo "Scout vulnerability scan failed"
exit 1
fi

- name: Run Trivy vulnerability data script
if: always()
env:
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
DB_USER: ${{ secrets.CYPRESS_DB_USER }}
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
chmod +x scripts/trivy_vulnerabilities_data.sh
./scripts/trivy_vulnerabilities_data.sh \
"${{ inputs.image_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
"${{ github.run_id }}"

Comment on lines +127 to +

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Enhance Trivy scan reliability.

  1. Add error handling for Docker login and script execution
  2. Add newline at end of file
  run: |
-   echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+   if ! echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin; then
+     echo "Failed to login to GitHub Container Registry"
+     exit 1
+   fi
    chmod +x scripts/trivy_vulnerabilities_data.sh
-   ./scripts/trivy_vulnerabilities_data.sh \
+   if ! ./scripts/trivy_vulnerabilities_data.sh \
      "${{ inputs.image_name }}" \
      "${{ github.event.pull_request.number }}" \
      "${{ github.event.pull_request.html_url }}" \
-     "${{ github.run_id }}"
+     "${{ github.run_id }}"; then
+     echo "Trivy vulnerability scan failed"
+     exit 1
+   fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Run Trivy vulnerability data script
if: always()
env:
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
DB_USER: ${{ secrets.CYPRESS_DB_USER }}
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
chmod +x scripts/trivy_vulnerabilities_data.sh
./scripts/trivy_vulnerabilities_data.sh \
"${{ inputs.image_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
"${{ github.run_id }}"
- name: Run Trivy vulnerability data script
if: always()
env:
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
DB_USER: ${{ secrets.CYPRESS_DB_USER }}
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if ! echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin; then
echo "Failed to login to GitHub Container Registry"
exit 1
fi
chmod +x scripts/trivy_vulnerabilities_data.sh
if ! ./scripts/trivy_vulnerabilities_data.sh \
"${{ inputs.image_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
"${{ github.run_id }}"; then
echo "Trivy vulnerability scan failed"
exit 1
fi
🧰 Tools
🪛 yamllint

[error] 143-143: no new line character at the end of file

(new-line-at-end-of-file)


[error] 143-143: trailing spaces

(trailing-spaces)

173 changes: 173 additions & 0 deletions scripts/scout_vulnerabilities_data.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
#!/bin/bash

#Check required environment variables
required_vars=("DB_HOST" "DB_NAME" "DB_USER" "DB_PWD")
for var in "${required_vars[@]}"; do
if [ -z "${!var}" ] || [[ "${!var}" == "your_${var,,}" ]]; then
echo "Error: Required environment variable $var is missing or not set correctly."
exit 1
fi
done
Comment thread
sagar-qa007 marked this conversation as resolved.

DB_HOST="${DB_HOST}"
DB_NAME="${DB_NAME}"
DB_USER="${DB_USER}"
DB_PWD="${DB_PWD}"

# Assign the parameters from the workflow
IMAGE="$1"
GITHUB_PR_ID="$2"
GITHUB_PR_LINK="$3"
GITHUB_RUN_ID="$4"
OLD_VULN_FILE="${5:-vulnerability_base_data.csv}"

# Function to install Docker Scout
install_docker_scout() {
echo "Installing Docker Scout..."
local attempts=0
while [ $attempts -lt 3 ]; do
echo "Attempt $((attempts + 1))..."
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
sh install-scout.sh &> install_scout_log.txt
Comment on lines +30 to +31

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Check curl exit status before executing the script

Ensure that the curl command successfully downloads the script before attempting to execute it.

Apply this diff to enhance error handling:

 curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
+if [ $? -ne 0 ]; then
+    echo "Failed to download Docker Scout install script."
+    ((attempts++))
+    sleep 2
+    continue
+fi
 sh install-scout.sh &> install_scout_log.txt

Committable suggestion was skipped due to low confidence.

if [ $? -eq 0 ]; then
echo "Docker Scout installed successfully."
return 0
fi
echo "Attempt $((attempts + 1)) failed. Check install_scout_log.txt for details."
((attempts++))
sleep 2
done
echo "Error: Docker Scout installation failed after $attempts attempts."
exit 1
}

# Check if Docker is installed
if ! command -v docker &> /dev/null; then
echo "Error: Docker is not installed. Please install Docker and try again."
exit 1
fi

# Ensure Docker is running
if ! systemctl is-active --quiet docker; then
echo "Starting Docker..."
sudo systemctl start docker
fi
Comment on lines +51 to +54

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Improve Docker daemon check for better compatibility

Using systemctl may not work on all systems. Consider checking if Docker is running by attempting to communicate with it directly.

Apply this diff to enhance the Docker check:

 if ! systemctl is-active --quiet docker; then
     echo "Starting Docker..."
     sudo systemctl start docker
 fi
+if ! docker info > /dev/null 2>&1; then
+    echo "Docker is not running. Please start Docker and try again."
+    exit 1
+fi

Committable suggestion was skipped due to low confidence.


# Check if Docker Scout is installed
if ! command -v scout &> /dev/null; then
install_docker_scout
fi

# Prepare the output CSV file
CSV_OUTPUT_FILE="scout_vulnerabilities.csv"
rm -f "$CSV_OUTPUT_FILE"

# Extract the product name from the image name
case "$IMAGE" in
*appsmith/appsmith-ce:*) product_name="CE" ;;
*appsmith/appsmith-ee:*) product_name="EE" ;;
*appsmith/cloud-services:*) product_name="CLOUD" ;;
*) product_name="UNKNOWN" ;;
esac

# Fetch vulnerabilities and format the output correctly
docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk -v product_name="$product_name" -F' ' '
{
# Check for valid vulnerability data and format it correctly
if ($2 != "" && $3 ~ /^CVE-/) {
# Extract severity level, CVE ID and format output correctly
print $3","product_name",""SCOUT"","$2
}
}' | sort -u > "$CSV_OUTPUT_FILE"

# Check if the CSV output file is empty
[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"

# Compare new vulnerabilities against old vulnerabilities
echo "Comparing new vulnerabilities with existing vulnerabilities in $OLD_VULN_FILE..."
if [ -s "$OLD_VULN_FILE" ]; then
awk -F, 'NR==FNR {seen[$1","$2","$3","$4]; next} !($1","$2","$3","$4 in seen)' "$OLD_VULN_FILE" "$CSV_OUTPUT_FILE" > "scout_vulnerabilities_diff.csv"
else
echo "$OLD_VULN_FILE is empty. All new vulnerabilities will be included."
cp "$CSV_OUTPUT_FILE" "scout_vulnerabilities_diff.csv"
fi

# Output for verification
echo "Fetching passed data..."
cat "$OLD_VULN_FILE"
echo ""
echo "Fetching new data..."
cat "$CSV_OUTPUT_FILE"
echo ""
echo "Fetching diff..."
cat "scout_vulnerabilities_diff.csv"
echo ""

# Insert new vulnerabilities into the PostgreSQL database using psql
insert_vulns_into_db() {
local count=0
local query_file="insert_vulns.sql"
echo "BEGIN;" > "$query_file" # Start the transaction

# Create an associative array to hold existing entries from the database
declare -A existing_entries

# Fetch existing vulnerabilities from the database to avoid duplicates
psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority"
done

Comment on lines +116 to +119

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Fix variable scoping issue due to subshell in pipeline

The associative array existing_entries may not be populated correctly because the while loop runs in a subshell created by the pipe. Refactor the code to avoid this issue.

Apply this diff to fix the scoping issue:

-  psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
+  while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
     existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority"
-  done
+  done < <(psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority"
done
while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority"
done < <(psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME")

while IFS=, read -r vurn_id product scanner_tool priority; do
# Skip empty lines
if [[ -z "$vurn_id" || -z "$priority" || -z "$product" || -z "$scanner_tool" ]]; then
echo "Skipping empty vulnerability entry"
continue
fi

# Check if the entry already exists
if [[ -n "${existing_entries["$product,$scanner_tool,$vurn_id"]}" ]]; then
echo "Entry for $vurn_id already exists in the database. Skipping."
continue
fi

local pr_id="$GITHUB_PR_ID"
local pr_link="$GITHUB_PR_LINK"
local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Separate declaration and assignment to avoid masking return values

Declaring and assigning created_date in the same command can mask return values. Separate the declaration and assignment as per ShellCheck SC2155.

Apply this diff to fix the issue:

-local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+local created_date
+created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
local created_date
created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
🧰 Tools
🪛 Shellcheck

[warning] 136-136: Declare and assign separately to avoid masking return values.

(SC2155)

local update_date="$created_date"
local comments="Initial vulnerability report"
local owner="John Doe"
local pod="Security"

# Escape single quotes in vulnerability ID, product, and priority
vurn_id=$(echo "$vurn_id" | sed "s/'/''/g")
priority=$(echo "$priority" | sed "s/'/''/g")
product=$(echo "$product" | sed "s/'/''/g")
scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g")

Comment on lines +143 to +146

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Escape all variables in SQL statements to prevent SQL injection

Variables like $comments, $owner, and $pod are not escaped and could contain special characters. Ensure all variables used in the SQL statement are properly escaped.

Apply this diff to enhance security:

     # Escape single quotes in vulnerability ID, product, and priority
     vurn_id=$(echo "$vurn_id" | sed "s/'/''/g")
     priority=$(echo "$priority" | sed "s/'/''/g")
     product=$(echo "$product" | sed "s/'/''/g")
     scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g")
+    comments=$(echo "$comments" | sed "s/'/''/g")
+    owner=$(echo "$owner" | sed "s/'/''/g")
+    pod=$(echo "$pod" | sed "s/'/''/g")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
priority=$(echo "$priority" | sed "s/'/''/g")
product=$(echo "$product" | sed "s/'/''/g")
scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g")
priority=$(echo "$priority" | sed "s/'/''/g")
product=$(echo "$product" | sed "s/'/''/g")
scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g")
comments=$(echo "$comments" | sed "s/'/''/g")
owner=$(echo "$owner" | sed "s/'/''/g")
pod=$(echo "$pod" | sed "s/'/''/g")

# Write each insert query to the SQL file
echo "INSERT INTO vulnerability_tracking (product, scanner_tool, vurn_id, priority, pr_id, pr_link, github_run_id, created_date, update_date, comments, owner, pod) VALUES ('$product', '$scanner_tool', '$vurn_id', '$priority', '$pr_id', '$pr_link', '$GITHUB_RUN_ID', '$created_date', '$update_date', '$comments', '$owner', '$pod');" >> "$query_file"

((count++))
done < "scout_vulnerabilities_diff.csv"

echo "COMMIT;" >> "$query_file" # End the transaction
echo "Queries written to $query_file."

# Execute the SQL file
psql -e "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" -f "$query_file"

# Check if the execution was successful
if [ $? -eq 0 ]; then
echo "Vulnerabilities successfully inserted into the database."
else
echo "Error: Failed to insert vulnerabilities. Please check the database connection or query."
exit 1
fi
}

# Call the function to generate the insert queries and execute them
if [ -s "scout_vulnerabilities_diff.csv" ]; then
insert_vulns_into_db
else
echo "No new vulnerabilities to insert."
fi
Loading