nightly-cve-check #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: nightly-cve-check | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '0 0 * * *' | |
jobs: | |
nightly-cve-check: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install required packages to run nighly-cve-check | |
run: | | |
sudo apt-get -y install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 xz-utils zstd liblz4-tool locales | |
echo "en_US.UTF-8 UTF-8" | sudo tee --append /etc/locale.gen | |
sudo locale-gen | |
- name: Checkout meta-aws | |
uses: actions/checkout@v3 | |
with: | |
path: yocto_cve/meta-aws | |
- name: Checkout meta-oe | |
uses: actions/checkout@v3 | |
with: | |
repository: openembedded/meta-openembedded | |
path: yocto_cve/meta-openembedded | |
- name: Checkout poky | |
run: | | |
cd yocto_cve/ | |
git clone git://git.yoctoproject.org/poky --single-branch | |
- name: Cache sstate + downloads | |
uses: actions/cache@v3 | |
with: | |
path: | | |
yocto_cve/build/sstate-cache | |
yocto_cve/build/downloads | |
key: cache-cve-sstate-downloads | |
- name: Run CVE check | |
run: | | |
cd yocto_cve/ | |
source poky/oe-init-build-env build | |
bitbake-layers add-layer ../meta-openembedded/meta-oe | |
bitbake-layers add-layer ../meta-openembedded/meta-python | |
bitbake-layers add-layer ../meta-openembedded/meta-networking | |
bitbake-layers add-layer ../meta-openembedded/meta-multimedia | |
bitbake-layers add-layer ../meta-aws | |
echo 'INHERIT += "cve-check"' >> conf/local.conf | |
bitbake -c cve_check `find ../meta-aws -name *.bb -type f | sed 's!.*/!!' | sed 's!.bb!!' | sed 's!_.*!!' | sort | uniq | sed -z 's/\n/ /g'` | |
- name: Show cve-summary.json | |
run: | | |
cat yocto_cve/build/tmp/log/cve/cve-summary.json | |
- name: Check results (cve-summary.json) for unpatched CVEs | |
shell: bash {0} | |
run: | | |
# find unpatched cvs and always exit 0 to not fail the step, but store return value | |
jq -e '.package[] | select(.issue[].status | contains ("Unpatched") )' yocto_cve/build/tmp/log/cve/cve-summary.json > cve-unpatched.json ; ret=$?; true | |
if [ $ret -eq 0 ]; then | |
echo "::error::Found unpatched CVEs in packages: $(jq -e '. | select(.issue[].status | contains ("Unpatched") ) | .name' cve-unpatched.json)" | |
exit 1 | |
elif [ $ret -eq 4 ]; then | |
echo "::notice::No unpatched CVEs found" | |
exit 0 | |
else | |
echo "::error::General error" | |
exit 99 | |
fi | |
- name: Generate step summary | |
if: '!cancelled()' | |
run: | | |
if [ -s cve-unpatched.json ]; then | |
echo -e "# Found unpatched CVE(s) in package(s):" >> $GITHUB_STEP_SUMMARY | |
cat cve-unpatched.json >> $GITHUB_STEP_SUMMARY | |
else | |
echo -e "# No unpatched CVE(s) found" >> $GITHUB_STEP_SUMMARY | |
fi | |
echo -e "# CVE-SUMMARY:\n" >> $GITHUB_STEP_SUMMARY | |
cat yocto_cve/build/tmp/log/cve/cve-summary.json >> $GITHUB_STEP_SUMMARY | |
- name: Save cve-summary.json | |
if: '!cancelled()' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: cve-summary.json | |
path: yocto_cve/build/tmp/log/cve/cve-summary.json | |
- name: Save cve-summary | |
if: '!cancelled()' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: cve-summary | |
path: yocto_cve/build/tmp/log/cve/cve-summary | |
if-no-files-found: ignore | |
- name: Save cve-unpatched.json | |
if: '!cancelled()' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: cve-unpatched.json | |
path: cve-unpatched.json | |
if-no-files-found: ignore |