From 083266c8bdd82c3ff2aa0d58c1acb57d974cd46d Mon Sep 17 00:00:00 2001
From: Sagar Khalasi
Date: Mon, 4 Nov 2024 17:59:53 +0530
Subject: [PATCH] New schema change
---
 .../workflows/test-vulnerabilities-data.yml | 79 -------
 scripts/scout_vulnerabilities_data.sh | 103 ++++----
 scripts/trivy_vulnerabilities_data.sh | 222 +++++++-----------
 3 files changed, 131 insertions(+), 273 deletions(-)
diff --git a/.github/workflows/test-vulnerabilities-data.yml b/.github/workflows/test-vulnerabilities-data.yml
index ba39ebb9a36f..2ba1b8ced6f4 100644
--- a/.github/workflows/test-vulnerabilities-data.yml
+++ b/.github/workflows/test-vulnerabilities-data.yml
@@ -29,85 +29,6 @@ jobs: - name: Install pg run: npm install pg - - name: Fetch vulnerability data - id: vulnerability_data - env: - DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} - DB_NAME: ${{ secrets.CYPRESS_DB_NAME }} - DB_USER: ${{ secrets.CYPRESS_DB_USER }} - DB_PWD: ${{ secrets.CYPRESS_DB_PWD }} - uses: actions/github-script@v7 - with: - script: | - const { Pool } = require("pg"); - const fs = require('fs'); - const path = require('path'); - const { DB_HOST, DB_NAME, DB_USER, DB_PWD } = process.env; - - const pool = new Pool({ - user: DB_USER, - host: DB_HOST, - database: DB_NAME, - password: DB_PWD, - port: 5432, - connectionTimeoutMillis: 60000, - }); - - (async () => { - const client = await pool.connect(); - try { - // Fetch vurn_id, product, scanner_tool, and priority from the database - const result = await client.query(`SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking`); - console.log('Vulnerability Data:', result.rows); - - // Extract relevant fields from the result - const extractedData = result.rows.map(({ vurn_id, product, scanner_tool, priority }) => ({ - vurn_id, - product, - scanner_tool, - priority - })); - console.log('Extracted Vulnerability Data:', extractedData); - - // Prepare CSV content - const csvContent = [ - ['vurn_id', 'product', 'scanner_tool', 'priority'], // Add priority column header - ...extractedData.map(row => [row.vurn_id, row.product, row.scanner_tool, row.priority]) - ] - .map(e => e.join(',')) // Join columns - .join('\n'); // Join rows - - // Write to CSV file in workspace - const csvFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.csv'); - fs.writeFileSync(csvFilePath, csvContent); - console.log(`Data successfully written to ${csvFilePath}`); - - // Prepare TXT content - const txtContent = extractedData - .map(row => `vurn_id: ${row.vurn_id}, product: ${row.product}, scanner_tool: ${row.scanner_tool}, priority: ${row.priority}`) - .join('\n'); // Join rows - - // Write to 
TXT file in workspace - const txtFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.txt'); - fs.writeFileSync(txtFilePath, txtContent); - console.log(`Data successfully written to ${txtFilePath}`); - - client.release(); - return extractedData; // Return the extracted data - } catch (err) { - console.error('Error fetching vulnerability data:', err); - client.release(); - } - })(); - - - name: Upload Vulnerability Data - uses: actions/upload-artifact@v3 - with: - name: vulnerability-data - path: | - vulnerability_base_data.csv - vulnerability_base_data.txt - # Run Scout vulnerability data script - name: Run Scout vulnerability data script if: always()
diff --git a/scripts/scout_vulnerabilities_data.sh b/scripts/scout_vulnerabilities_data.sh
index 01e2d6424180..563534ad9b5c 100755
--- a/scripts/scout_vulnerabilities_data.sh
+++ b/scripts/scout_vulnerabilities_data.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-#Check required environment variables
+# Check required environment variables
 required_vars=("DB_HOST" "DB_NAME" "DB_USER" "DB_PWD")
 for var in "${required_vars[@]}"; do
 if [ -z "${!var}" ] || [[ "${!var}" == "your_${var,,}" ]]; then
@@ -25,7 +25,7 @@ OLD_VULN_FILE="${5:-vulnerability_base_data.csv}"
 install_docker_scout() {
 echo "Installing Docker Scout..."
 local attempts=0
- while [ $attempts -lt 3 ]; do
+ while [ $attempts -lt 5 ]; do
 echo "Attempt $((attempts + 1))..."
 curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
 sh install-scout.sh &> install_scout_log.txt
@@ -75,7 +75,7 @@ docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk -v product_name="$product
 {
 # Check for valid vulnerability data and format it correctly
 if ($2 != "" && $3 ~ /^CVE-/) {
- # Extract severity level, CVE ID and format output correctly
+ # Extract severity level, CVE ID, and format output correctly
 print $3","product_name",""SCOUT"","$2
 }
 }' | sort -u > "$CSV_OUTPUT_FILE"
@@ -83,90 +83,75 @@ docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk -v product_name="$product
 # Check if the CSV output file is empty
 [ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"
-# Compare new vulnerabilities against old vulnerabilities
-echo "Comparing new vulnerabilities with existing vulnerabilities in $OLD_VULN_FILE..."
-if [ -s "$OLD_VULN_FILE" ]; then
- awk -F, 'NR==FNR {seen[$1","$2","$3","$4]; next} !($1","$2","$3","$4 in seen)' "$OLD_VULN_FILE" "$CSV_OUTPUT_FILE" > "scout_vulnerabilities_diff.csv"
-else
- echo "$OLD_VULN_FILE is empty. All new vulnerabilities will be included."
- cp "$CSV_OUTPUT_FILE" "scout_vulnerabilities_diff.csv"
-fi
-
-# Output for verification
-echo "Fetching passed data..."
-cat "$OLD_VULN_FILE"
-echo ""
-echo "Fetching new data..."
-cat "$CSV_OUTPUT_FILE"
-echo ""
-echo "Fetching diff..."
-cat "scout_vulnerabilities_diff.csv"
-echo ""
-
 # Insert new vulnerabilities into the PostgreSQL database using psql
 insert_vulns_into_db() {
- local count=0
 local query_file="insert_vulns.sql"
- echo "BEGIN;" > "$query_file" # Start the transaction
-
- # Create an associative array to hold existing entries from the database
- declare -A existing_entries
-
- # Fetch existing vulnerabilities from the database to avoid duplicates
- psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
- existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority"
- done
+ echo "BEGIN;" > "$query_file"
 while IFS=, read -r vurn_id product scanner_tool priority; do
- # Skip empty lines
 if [[ -z "$vurn_id" || -z "$priority" || -z "$product" || -z "$scanner_tool" ]]; then
 echo "Skipping empty vulnerability entry"
 continue
 fi
- # Check if the entry already exists
- if [[ -n "${existing_entries["$product,$scanner_tool,$vurn_id"]}" ]]; then
- echo "Entry for $vurn_id already exists in the database. Skipping."
- continue
- fi
-
- local pr_id="$GITHUB_PR_ID"
- local pr_link="$GITHUB_PR_LINK"
+ local pr_id="${GITHUB_PR_ID:-}"
+ local pr_link="${GITHUB_PR_LINK:-}"
 local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
- local update_date="$created_date"
 local comments="Initial vulnerability report"
 local owner="John Doe"
 local pod="Security"
- # Escape single quotes in vulnerability ID, product, and priority
+ # Clean up input values
 vurn_id=$(echo "$vurn_id" | sed "s/'/''/g")
 priority=$(echo "$priority" | sed "s/'/''/g")
- product=$(echo "$product" | sed "s/'/''/g")
- scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g")
+ product=$(echo "$product" | sed "s/'/''/g" | tr -d '[:space:]' | sed 's/[|]//g' | sed 's/,$//')
+ scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g" | tr -d '[:space:]' | sed 's/[|]//g' | sed 's/,$//')
- # Write each insert query to the SQL file
- echo "INSERT INTO vulnerability_tracking (product, scanner_tool, vurn_id, priority, pr_id, pr_link, github_run_id, created_date, update_date, comments, owner, pod) VALUES ('$product', '$scanner_tool', '$vurn_id', '$priority', '$pr_id', '$pr_link', '$GITHUB_RUN_ID', '$created_date', '$update_date', '$comments', '$owner', '$pod');" >> "$query_file"
+ # Fetch existing values for this vulnerability ID
+ existing_entry=$(psql -t -c "SELECT product, scanner_tool FROM vulnerability_tracking WHERE vurn_id = '$vurn_id'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" 2>/dev/null)
- ((count++))
- done < "scout_vulnerabilities_diff.csv"
+ # Process fetched data
+ if [[ -z "$existing_entry" ]]; then
+ combined_products="$product"
+ combined_scanner_tools="$scanner_tool"
+ else
+ IFS='|' read -r existing_product existing_scanner_tool <<< "$existing_entry"
+ combined_products=$(echo "$existing_product,$product" | tr ',' '\n' | sed '/^$/d' | sort -u | tr '\n' ',' | sed 's/^,//; s/,$//')
+ combined_scanner_tools=$(echo "$existing_scanner_tool,$scanner_tool" | tr ',' '\n' | sed '/^$/d' | sort -u | tr '\n' ',' | sed 's/^,//; s/,$//')
+ fi
- echo "COMMIT;" >> "$query_file" # End the transaction
+ # Write the insert query to the SQL file
+ echo "INSERT INTO vulnerability_tracking (product, scanner_tool, vurn_id, priority, pr_id, pr_link, github_run_id, created_date, update_date, comments, owner, pod)
+ VALUES ('$combined_products', '$combined_scanner_tools', '$vurn_id', '$priority', '$pr_id', '$pr_link', '$GITHUB_RUN_ID', '$created_date', '$created_date', '$comments', '$owner', '$pod')
+ ON CONFLICT (vurn_id)
+ DO UPDATE SET
+ product = '$combined_products',
+ scanner_tool = '$combined_scanner_tools',
+ priority = EXCLUDED.priority,
+ pr_id = EXCLUDED.pr_id,
+ pr_link = EXCLUDED.pr_link,
+ github_run_id = EXCLUDED.github_run_id,
+ update_date = EXCLUDED.update_date,
+ comments = EXCLUDED.comments,
+ owner = EXCLUDED.owner,
+ pod = EXCLUDED.pod;" >> "$query_file"
+
+ done < "$CSV_OUTPUT_FILE"
+
+ echo "COMMIT;" >> "$query_file"
 echo "Queries written to $query_file."
- # Execute the SQL file
- psql -e "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" -f "$query_file"
-
- # Check if the execution was successful
- if [ $? -eq 0 ]; then
+ # Execute the SQL file and rollback on failure
+ if psql -e "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" -f "$query_file"; then
 echo "Vulnerabilities successfully inserted into the database."
 else
- echo "Error: Failed to insert vulnerabilities. Please check the database connection or query."
+ echo "Error: Failed to insert vulnerabilities. Performing rollback."
+ echo "ROLLBACK;" | psql "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME"
 exit 1
 fi
 }
-# Call the function to generate the insert queries and execute them
-if [ -s "scout_vulnerabilities_diff.csv" ]; then
+if [ -s "$CSV_OUTPUT_FILE" ]; then
 insert_vulns_into_db
 else
 echo "No new vulnerabilities to insert."
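Review bot: The success branch after `if psql -e "postgresql://…" -f "$query_file"; then` is reached even when a statement inside the BEGIN…COMMIT block fails, because psql exits 0 on SQL errors unless `ON_ERROR_STOP` is set, and the added `echo "ROLLBACK;" | psql …` opens a fresh session where there is nothing to roll back (the failed session's open transaction is discarded when psql exits). Use `if psql -v ON_ERROR_STOP=1 -e "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" -f "$query_file"; then` and drop the separate ROLLBACK line. In the same loop, `psql -t` still pads columns with spaces and `IFS='|' read` does not strip them, so `existing_product` arrives as ` CE ` and the `sort -u` merge keeps it beside `CE`; `psql -At` yields the bare `CE|SCOUT` the read expects. The `2>/dev/null` on that SELECT also turns any query or connection error into "no existing entry", after which `DO UPDATE SET product = '$combined_products'` replaces the previously merged list with only this run's value; the trivy script's insert_vulns_into_db shares the ON_ERROR_STOP and 2>/dev/null problems.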
diff --git a/scripts/trivy_vulnerabilities_data.sh b/scripts/trivy_vulnerabilities_data.sh
index 852be9cc608f..82a337bb4bb8 100755
--- a/scripts/trivy_vulnerabilities_data.sh
+++ b/scripts/trivy_vulnerabilities_data.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-#Check required environment variables
+# Check required environment variables
 required_vars=("DB_HOST" "DB_NAME" "DB_USER" "DB_PWD")
 for var in "${required_vars[@]}"; do
 if [ -z "${!var}" ] || [[ "${!var}" == "your_${var,,}" ]]; then
@@ -14,16 +14,13 @@ DB_NAME="${DB_NAME}"
 DB_USER="${DB_USER}"
 DB_PWD="${DB_PWD}"
-# Assign the parameters from the workflow
+# Assign parameters from the workflow
 IMAGE="$1"
 GITHUB_PR_ID="$2"
 GITHUB_PR_LINK="$3"
 GITHUB_RUN_ID="$4"
-OLD_VULN_FILE="${5:-vulnerability_base_data.csv}"
-
-# Define the maximum number of retries
-MAX_RETRIES=3
+MAX_RETRIES=5
 # Function to install Trivy with retry logic
 install_trivy_with_retry() {
@@ -33,23 +30,14 @@ install_trivy_with_retry() {
 while [[ $count -lt $MAX_RETRIES ]]; do
 echo "Attempting to install Trivy (attempt $((count + 1)))..."
- # Fetch the latest release dynamically instead of hardcoding
 TRIVY_VERSION=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
- TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/trivy_"$TRIVY_VERSION"_Linux-64bit.tar.gz"
- echo "Attempting to install $TRIVY_VERSION from $TRIVY_URL"
- # Download and extract Trivy
- curl -sfL "$TRIVY_URL" | tar -xzf - trivy
+ TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
- # Check if extraction was successful
+ curl -sfL "$TRIVY_URL" | tar -xzf - trivy
 if [[ $? -eq 0 ]]; then
- # Create a local bin directory if it doesn't exist
 mkdir -p "$HOME/bin"
- # Move Trivy to the local bin directory
 mv trivy "$HOME/bin/"
- # Manually add the bin directory to PATH for this session
 export PATH="$HOME/bin:$PATH"
-
- # Check if Trivy is successfully installed
 if command -v trivy &> /dev/null; then
 success=true
 break
@@ -64,22 +52,18 @@ install_trivy_with_retry() {
 echo "Error: Trivy installation failed after $MAX_RETRIES attempts."
 exit 1
 fi
- echo "Trivy installed successfully."
 }
-# Check if Trivy is installed, if not, install it with retry logic
+# Check if Trivy is installed, if not, install it
 if ! command -v trivy &> /dev/null; then
 install_trivy_with_retry
 fi
 NEW_VULN_FILE="trivy_vulnerabilities_new.csv"
-DIFF_OUTPUT_FILE="trivy_vulnerabilities_diff.csv"
-
-rm -f "$NEW_VULN_FILE" "$DIFF_OUTPUT_FILE"
-touch "$OLD_VULN_FILE"
+rm -f "$NEW_VULN_FILE"
-# Extract the product name from the image name
+# Determine product name based on the image name
 case "$IMAGE" in
 *appsmith/appsmith-ce:*) product_name="CE" ;;
 *appsmith/appsmith-ee:*) product_name="EE" ;;
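Review bot: The new `TRIVY_URL="…/v$TRIVY_VERSION/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"` is built from whatever the unauthenticated releases API call returned; when that call fails or is rate-limited, `TRIVY_VERSION` is empty, the URL is malformed, and the attempt fails with an opaque download error instead of saying why. Fold the check into the download test: `if [[ -n "$TRIVY_VERSION" ]] && curl -sfL "$TRIVY_URL" | tar -xzf - trivy; then` (this also replaces the `if [[ $? -eq 0 ]]; then` line, whose `$?` only reflects tar's status unless `pipefail` is set). Separately, the extracted binary is moved into `$HOME/bin` and put on PATH with no integrity check, so anything that can influence the download path ends up executing on the runner; verifying the archive against the release's published checksums before `mv trivy "$HOME/bin/"` closes that. The loop footer where `count` advances lies outside the hunk.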
@@ -87,132 +71,100 @@ case "$IMAGE" in
 *) product_name="UNKNOWN" ;;
 esac
-# Function to run Trivy scan
-run_trivy_scan() {
- echo "Cleaning up Trivy data..."
- trivy clean --all
-
- echo "Running Trivy scan for image: $IMAGE..."
- if ! trivy image \
- --db-repository public.ecr.aws/aquasecurity/trivy-db \
- --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db \
- --insecure \
- --format json \
- "$IMAGE" > "trivy_vulnerabilities.json"; then
- echo "Error: Trivy is not available or the image does not exist."
- exit 1
- fi
+# Run Trivy scan
+echo "Running Trivy scan for image: $IMAGE..."
+trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --insecure --format json "$IMAGE" > "trivy_vulnerabilities.json" || {
+ echo "Error: Trivy scan failed for image: $IMAGE"
+ exit 1
 }
-# Call the function to run the scan
-run_trivy_scan
-# Process vulnerabilities and generate the desired CSV format
+# Process vulnerabilities and generate CSV
 if jq -e '.Results | length > 0' "trivy_vulnerabilities.json" > /dev/null; then
- jq -r --arg product "$product_name" '.Results[].Vulnerabilities[] | "\(.VulnerabilityID),\($product),TRIVY,\(.Severity)"' "trivy_vulnerabilities.json" | sed 's/^\s*//;s/\s*$//' | sort -u > "$NEW_VULN_FILE"
+ jq -r --arg product "$product_name" '.Results[]? | .Vulnerabilities[]? | "\(.VulnerabilityID),\($product),TRIVY,\(.Severity)"' "trivy_vulnerabilities.json" | sort -u > "$NEW_VULN_FILE"
 echo "Vulnerabilities saved to $NEW_VULN_FILE"
 else
 echo "No vulnerabilities found for image: $IMAGE"
 echo "No vulnerabilities found." > "$NEW_VULN_FILE"
 fi
-# Compare new vulnerabilities with the old file
-if [ -s "$NEW_VULN_FILE" ]; then
- sort "$OLD_VULN_FILE" -o "$OLD_VULN_FILE" # Sort the old vulnerabilities file
- sort "$NEW_VULN_FILE" -o "$NEW_VULN_FILE" # Sort the new vulnerabilities file
-
- # Get the difference between new and old vulnerabilities
- comm -13 "$OLD_VULN_FILE" "$NEW_VULN_FILE" > "$DIFF_OUTPUT_FILE"
-
- if [ -s "$DIFF_OUTPUT_FILE" ]; then
- echo "New vulnerabilities found and recorded in $DIFF_OUTPUT_FILE."
- else
- echo "No new vulnerabilities found for image: $IMAGE."
- fi
-else
- echo "No new vulnerabilities found for image: $IMAGE."
-fi
-
-# Cleanup JSON file
-rm -f "trivy_vulnerabilities.json"
+# Insert new vulnerabilities into PostgreSQL
+insert_vulns_into_db() {
+ local query_file="insert_vulns.sql"
+ echo "BEGIN;" > "$query_file"
-# Output for verification
-echo "Fetching passed data..."
-cat "$OLD_VULN_FILE"
-echo ""
-echo "Fetching new data..."
-cat "$NEW_VULN_FILE"
-echo ""
-echo "Fetching diff..."
-cat $DIFF_OUTPUT_FILE
-echo ""
+ while IFS=, read -r vurn_id product scanner_tool priority; do
+ if [[ -z "$vurn_id" || -z "$priority" || -z "$product" || -z "$scanner_tool" ]]; then
+ continue
+ fi
-# Insert new vulnerabilities into the PostgreSQL database using psql
-insert_vulns_into_db() {
- local count=0
- local query_file="insert_vulns.sql"
- echo "BEGIN;" > "$query_file" # Start the transaction
-
- # Create an associative array to hold existing entries from the database
- declare -A existing_entries
-
- # Fetch existing vulnerabilities from the database to avoid duplicates
- psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
- existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority"
- done
-
- while IFS=, read -r vurn_id product scanner_tool priority; do
- # Skip empty lines
- if [[ -z "$vurn_id" || -z "$priority" || -z "$product" || -z "$scanner_tool" ]]; then
- echo "Skipping empty vulnerability entry"
- continue
- fi
+ local pr_id="${GITHUB_PR_ID:-}"
+ local pr_link="${GITHUB_PR_LINK:-}"
+ local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+ local comments="Initial vulnerability report"
+ local owner="John Doe"
+ local pod="Security"
+
+ # Remove spaces and redundant commas, and escape single quotes for SQL
+ vurn_id=$(echo "$vurn_id" | sed "s/'/''/g")
+ priority=$(echo "$priority" | sed "s/'/''/g")
+ product=$(echo "$product" | sed "s/'/''/g" | tr -d ' ' | sed 's/,*$//')
+ scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g" | tr -d ' ' | sed 's/,*$//')
+
+ # Fetch existing product and scanner_tool values for the vulnerability
+ existing_entry=$(psql -t -c "SELECT product, scanner_tool FROM vulnerability_tracking WHERE vurn_id = '$vurn_id'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" 2>/dev/null)
+
+ if [ -n "$existing_entry" ]; then
+ # Parse existing products and tools
+ existing_product=$(echo "$existing_entry" | cut -d '|' -f 1 | tr -d ' ')
+ existing_scanner_tool=$(echo "$existing_entry" | cut -d '|' -f 2 | tr -d ' ')
+
+ # Merge with new values, ensuring uniqueness
+ combined_products="$existing_product,$product"
+ unique_products=$(echo "$combined_products" | tr ',' '\n' | sed '/^$/d' | sort -u | tr '\n' ',' | sed 's/^,//; s/,$//')
+
+ combined_scanner_tools="$existing_scanner_tool,$scanner_tool"
+ unique_scanner_tools=$(echo "$combined_scanner_tools" | tr ',' '\n' | sed '/^$/d' | sort -u | tr '\n' ',' | sed 's/^,//; s/,$//')
+ else
+ unique_products="$product"
+ unique_scanner_tools="$scanner_tool"
+ fi
- # Check if the entry already exists
- if [[ -n "${existing_entries["$product,$scanner_tool,$vurn_id"]}" ]]; then
- echo "Entry for $vurn_id already exists in the database. Skipping."
- continue
+ # Write the insert query to the SQL file
+ echo "INSERT INTO vulnerability_tracking (product, scanner_tool, vurn_id, priority, pr_id, pr_link, github_run_id, created_date, update_date, comments, owner, pod)
+ VALUES ('$unique_products', '$unique_scanner_tools', '$vurn_id', '$priority', '$pr_id', '$pr_link', '$GITHUB_RUN_ID', '$created_date', '$created_date', '$comments', '$owner', '$pod')
+ ON CONFLICT (vurn_id)
+ DO UPDATE SET
+ product = '$unique_products',
+ scanner_tool = '$unique_scanner_tools',
+ priority = EXCLUDED.priority,
+ pr_id = EXCLUDED.pr_id,
+ pr_link = EXCLUDED.pr_link,
+ github_run_id = EXCLUDED.github_run_id,
+ update_date = EXCLUDED.update_date,
+ comments = EXCLUDED.comments,
+ owner = EXCLUDED.owner,
+ pod = EXCLUDED.pod;" >> "$query_file"
+ done < "$NEW_VULN_FILE"
+
+ echo "COMMIT;" >> "$query_file"
+
+ # Execute the SQL file
+ if psql -e "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" -f "$query_file"; then
+ echo "Vulnerabilities successfully inserted into the database."
+ else
+ echo "Error: Failed to insert vulnerabilities. Check logs for details."
+ exit 1
 fi
-
- local pr_id="$GITHUB_PR_ID"
- local pr_link="$GITHUB_PR_LINK"
- local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
- local update_date="$created_date"
- local comments="Initial vulnerability report"
- local owner="John Doe"
- local pod="Security"
-
- # Escape single quotes in vulnerability ID, product, and priority
- vurn_id=$(echo "$vurn_id" | sed "s/'/''/g")
- priority=$(echo "$priority" | sed "s/'/''/g")
- product=$(echo "$product" | sed "s/'/''/g")
- scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g")
-
- # Write each insert query to the SQL file
- echo "INSERT INTO vulnerability_tracking (product, scanner_tool, vurn_id, priority, pr_id, pr_link, github_run_id, created_date, update_date, comments, owner, pod) VALUES ('$product', '$scanner_tool', '$vurn_id', '$priority', '$pr_id', '$pr_link', '$GITHUB_RUN_ID', '$created_date', '$update_date', '$comments', '$owner', '$pod');" >> "$query_file"
-
- ((count++))
- done < $DIFF_OUTPUT_FILE
-
- echo "COMMIT;" >> "$query_file" # End the transaction
- echo "Queries written to $query_file."
-
- # Execute the SQL file
- psql -e "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" -f "$query_file"
-
- # Check if the execution was successful
- if [ $? -eq 0 ]; then
- echo "Vulnerabilities successfully inserted into the database."
- else
- echo "Error: Failed to insert vulnerabilities. Please check the database connection or query."
- exit 1
- fi
 }
-# Call the function to generate the insert queries and execute them
-if [ -s $DIFF_OUTPUT_FILE ]; then
- insert_vulns_into_db
+# Run insertion if vulnerabilities are found
+if [ -s "$NEW_VULN_FILE" ]; then
+ insert_vulns_into_db
 else
- echo "No new vulnerabilities to insert."
-fi
\ No newline at end of file
+ echo "No vulnerabilities to insert."
+fi
+
+# Cleanup
+rm -f "trivy_vulnerabilities.json"
\ No newline at end of file
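Review bot: The rewritten `trivy image … --insecure --format json "$IMAGE"` line carries `--insecure`, which skips TLS certificate verification on the registry connections trivy makes; if the image registry and the public.ecr.aws DB repositories present valid certificates (they normally do), drop the flag so a tampered mirror or intercepted connection cannot feed the scan. In insert_vulns_into_db, `if psql -e "postgresql://…" -f "$query_file"; then` takes the success branch even when a statement inside BEGIN…COMMIT fails, because psql only returns non-zero for SQL errors when `ON_ERROR_STOP` is set; use `if psql -v ON_ERROR_STOP=1 -e "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" -f "$query_file"; then`. The `2>/dev/null` on the per-row SELECT hides any query or connection error and makes the row look new, after which `DO UPDATE SET product = '$unique_products'` overwrites the previously merged product/scanner_tool lists with this run's single value — let stderr through, or abort the run when that query fails. The password also travels in the connection URI on the psql command line, where it is readable from the process list on the runner; `PGPASSWORD` or a `.pgpass` file keeps it out of argv.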