diff --git a/.github/workflows/test-vulnerabilities-data.yml b/.github/workflows/test-vulnerabilities-data.yml
index 333458264cf7..d071bd1568c9 100644
--- a/.github/workflows/test-vulnerabilities-data.yml
+++ b/.github/workflows/test-vulnerabilities-data.yml
@@ -61,7 +61,7 @@ jobs:
 "${{ github.event.pull_request.number }}" \
 "${{ github.event.pull_request.html_url }}" \
 "${{ github.run_id }}"
-
+
 - name: Check for new vulnerabilities in Scout and Trivy files
 if: always()
 run: |
@@ -71,7 +71,7 @@ jobs:
 cat scout_new_vulnerabilities.csv
 exit 1 # Fail the job if data exists
 fi
-
+
 # Check if Trivy vulnerabilities file is not empty
 if [ -s "trivy_new_vulnerabilities.csv" ]; then
 echo "Trivy vulnerabilities detected."
diff --git a/scripts/scout_vulnerabilities_data.sh b/scripts/scout_vulnerabilities_data.sh
index 9f2b91b223cb..ab37dcf4fe06 100755
--- a/scripts/scout_vulnerabilities_data.sh
+++ b/scripts/scout_vulnerabilities_data.sh
@@ -21,6 +21,69 @@
 GITHUB_PR_LINK="$3"
 GITHUB_RUN_ID="$4"
 OLD_VULN_FILE="${5:-vulnerability_base_data.csv}"
+# Function to install Docker Scout
+install_docker_scout() {
+ echo "Installing Docker Scout..."
+ local attempts=0
+ while [ $attempts -lt 5 ]; do
+ echo "Attempt $((attempts + 1))..."
+ curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
+ sh install-scout.sh &> install_scout_log.txt
+ if [ $? -eq 0 ]; then
+ echo "Docker Scout installed successfully."
+ return 0
+ fi
+ echo "Attempt $((attempts + 1)) failed. Check install_scout_log.txt for details."
+ ((attempts++))
+ sleep 2
+ done
+ echo "Error: Docker Scout installation failed after $attempts attempts."
+ exit 1
+}
+
+# Check if Docker is installed
+if ! command -v docker &> /dev/null; then
+ echo "Error: Docker is not installed. Please install Docker and try again."
+ exit 1
+fi
+
+# Ensure Docker is running
+if ! systemctl is-active --quiet docker; then
+ echo "Starting Docker..."
+ sudo systemctl start docker
+fi
+
+# Check if Docker Scout is installed
+if ! command -v scout &> /dev/null; then
+ install_docker_scout
+fi
+
+# Prepare the output CSV file
+CSV_OUTPUT_FILE="scout_vulnerabilities.csv"
+rm -f "$CSV_OUTPUT_FILE"
+
+# Extract the product name from the image name
+case "$IMAGE" in
+ *appsmith/appsmith-ce:*) product_name="CE" ;;
+ *appsmith/appsmith-ee:*) product_name="EE" ;;
+ *appsmith/cloud-services:*) product_name="CLOUD" ;;
+ *) product_name="UNKNOWN" ;;
+esac
+
+# Fetch vulnerabilities and format the output correctly
+docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk -v product_name="$product_name" -F' ' '
+{
+ # Check for valid vulnerability data and format it correctly
+ if ($2 != "" && $3 ~ /^CVE-/) {
+ # Extract severity level, CVE ID, and format output correctly
+ print $3","product_name",""SCOUT"","$2
+ }
+}' | sort -u > "$CSV_OUTPUT_FILE"
+
+# Check if the CSV output file is empty
+[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"
+
+
 # Compare each vulnerability with the database and store new ones in a CSV file
 compare_and_store_vulns() {
 local new_vulns_file="scout_new_vulnerabilities.csv"
@@ -68,4 +131,4 @@ if [ -s "$CSV_OUTPUT_FILE" ]; then
 compare_and_store_vulns
 else
 echo "No vulnerabilities to process."
-fi
+fi
\ No newline at end of file
diff --git a/scripts/trivy_vulnerabilities_data.sh b/scripts/trivy_vulnerabilities_data.sh
index 72eca96bf8c9..cf96a99a8123 100755
--- a/scripts/trivy_vulnerabilities_data.sh
+++ b/scripts/trivy_vulnerabilities_data.sh
@@ -88,7 +88,6 @@ else
 echo "No vulnerabilities found." > "$NEW_VULN_FILE"
 fi
 
-
 # Compare each vulnerability with the database and store new ones in a CSV file
 compare_and_store_vulns() {
 local new_vulns_file="trivy_new_vulnerabilities.csv"
@@ -154,4 +153,4 @@ else
 fi
 
 # Cleanup
-rm -f "trivy_vulnerabilities.json"
+rm -f "trivy_vulnerabilities.json"
\ No newline at end of file
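Review bot: The scan pipeline `docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk ... | sort -u > "$CSV_OUTPUT_FILE"` reports only the exit status of `sort`, so a failed scan (registry auth, image pull, scout error) produces an empty file that the next line rewrites as "No vulnerabilities found for image: ...", turning a scan failure into a clean result; and because that sentinel makes the file non-empty, the `[ -s "$CSV_OUTPUT_FILE" ]` guard in the `@@ -68,4 +131,4 @@` hunk now always runs `compare_and_store_vulns` on the sentinel line (its body is outside the hunk, so I cannot tell how it treats a non-CSV row). Capture the scout output first and fail explicitly when the scan errors, as below. Separately, `install_docker_scout` downloads and runs `install.sh` from the mutable `main` branch on every CI run with no integrity check; pin it to a release tag or commit and verify it before execution, e.g. `echo "<expected-sha256>  install-scout.sh" | sha256sum -c -` ahead of `sh install-scout.sh`. `((attempts++))` also returns non-zero on the first increment and would abort the retry loop if the script runs under `set -e` (the file header is outside the hunk); `attempts=$((attempts + 1))` avoids that.
```shell
# Fetch vulnerabilities; a failed scan must not be recorded as "no vulnerabilities found"
if ! scout_output=$(docker scout cves "$IMAGE"); then
  echo "Error: docker scout cves failed for image: $IMAGE" >&2
  exit 1
fi
printf '%s\n' "$scout_output" | grep -E "✗ |CVE-" | awk -v product_name="$product_name" -F' ' '
# … unchanged: awk formatting program, then | sort -u > "$CSV_OUTPUT_FILE" …
```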