diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 542f27fbc99..81d7ea00b4d 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -84,18 +84,6 @@ jobs:
 echo "exists=false" >> $GITHUB_OUTPUT
 fi
- # Note: vulns found in scans do not currently block CI
- - name: 'Grype scan APKs'
- id: grype-scan
- if: steps.file_check.outputs.exists == 'true'
- run: |
- set -x
- for line in `cat packages.log`; do
- # convert the melange output (e.g. "x86_64|grype|grype|0.63.0-r1" ) to an actual apk path
- apk_path=$(echo "${line}" | awk '{ split($1, pkg, "|"); printf("packages/%s/%s-%s.apk\n", pkg[1], pkg[3], pkg[4]) }')
- ./scripts/grype-scan-apk.sh "${apk_path}"
- done
-
 - name: Check sonames
 id: soname
 if: steps.file_check.outputs.exists == 'true'
@@ -131,3 +119,29 @@ jobs:
 with:
 filePath: diff.log
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # Note: vulns found in scans do not currently block CI
+ - name: Grype scan
+ id: grype_scan
+ if: steps.file_check.outputs.exists == 'true'
+ continue-on-error: true
+ run: |
+ ./scripts/grype-scan-packages-log.sh > grype_scan_results.md
+
+ - name: Check for scan results file
+ id: scan_file_check
+ run: |
+ if test -f "grype_scan_results.md"; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: PR comment scan
+ uses: thollander/actions-comment-pull-request@632cf9ce90574d125be56b5f3405cda41a84e2fd # v2.3.1
+ # We're seeing jobs using merge queues fail
+ continue-on-error: true
+ if: steps.scan_file_check.outputs.exists == 'true'
+ with:
+ filePath: grype_scan_results.md
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/scripts/grype-scan-packages-log.sh b/scripts/grype-scan-packages-log.sh
new file mode 100755
index 00000000000..29841e99069
--- /dev/null
+++ b/scripts/grype-scan-packages-log.sh
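Review bot: The `PR comment scan` step will post partial or error output whenever the scan step fails, because `> grype_scan_results.md` creates the file before the script runs and `continue-on-error: true` lets the job carry on, so `scan_file_check` reports `exists=true` after every attempted scan, including one that stopped at the "requires Grype to be installed" message. Gate the comment on the scan's own result as well, e.g. `if: steps.grype_scan.outcome == 'success' && steps.scan_file_check.outputs.exists == 'true'`. Note also that the script's `Processing …` and `not found` progress lines are written to stdout and therefore land in the markdown body that is posted to the PR. The enclosing job and its `steps` list begin outside the hunk.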
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# THIS SCRIPT IS EXPERIMENTAL!
+
+# IMPORTANT: One unfortunate trait of this script is that, by necessity (for
+# now), it uses what Grype calls "directory scanning catalogers" and not "image
+# scanning catalogers" (for more information on the difference, see
+# https://github.com/anchore/syft/#default-cataloger-configuration-by-scan-type).
+# The latter is desirable here, since it equates to scanning software that is
+# determined to be installed rather than merely referenced (e.g a test
+# dependency mentioned in a lockfile). The Grype team is aware of the need to
+# make it easier to scan 'installed' software in directory scans (see
+# https://github.com/anchore/syft/issues/1039), and we can improve this script
+# when that functionality is added.
+
+set -eo pipefail
+
+# Make sure Grype is installed.
+
+if ! command -v grype > /dev/null; then
+ echo "This script requires Grype to be installed. To install Grype, check out https://github.com/anchore/grype#installation."
+ exit 1
+fi
+
+# Check if packages.log file exists
+
+if [[ ! -f "packages.log" ]]; then
+ echo "Cannot find packages.log file. No apks to scan."
+ exit 0
+fi
+
+# Optionally let the user pass in a Grype output flag argument.
+
+output_flag=""
+
+if [[ ${#1} -gt 0 ]]; then
+ output_flag="-o ${1}"
+fi
+
+set -u
+
+while IFS="|" read -r arch _ package version; do
+ apk_file="packages/${arch}/${package}-${version}.apk"
+ if [[ -f "$apk_file" ]]; then
+ echo "Processing ${apk_file}"
+ tmpdir=$(mktemp -d)
+
+ trap 'rm -rf "$tmpdir"' EXIT
+
+ tar -xf "$apk_file" -C "$tmpdir"
+
+ grype -q "$tmpdir" $output_flag
+ else
+ echo "File ${apk_file} not found."
+ fi
+done < "packages.log"
\ No newline at end of file
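Review bot: `trap 'rm -rf "$tmpdir"' EXIT` is re-installed on every iteration of the `while` loop, so only the directory from the last package is removed at exit and every earlier extraction is left behind on the runner. Create one scratch root before the loop, install the trap once, and extract each package into a subdirectory that is deleted as soon as its scan finishes; that also covers an early exit from `set -e` when `tar` or `grype` fails mid-list. While there, the `Processing …` and `File … not found.` messages go to stdout, which the calling workflow redirects into the markdown it posts as a PR comment, so they belong on stderr. The file also lacks a trailing newline.

```shell
# … unchanged: shebang, header comment, grype/packages.log checks, output_flag …
set -u

# One scratch root for the whole run; the EXIT trap is installed once, so every
# per-package extraction below is removed even if the loop aborts early.
scratch_root=$(mktemp -d)
trap 'rm -rf "$scratch_root"' EXIT

while IFS="|" read -r arch _ package version; do
  apk_file="packages/${arch}/${package}-${version}.apk"
  if [[ -f "$apk_file" ]]; then
    echo "Processing ${apk_file}" >&2
    tmpdir=$(mktemp -d "${scratch_root}/pkg.XXXXXX")
    tar -xf "$apk_file" -C "$tmpdir"
    grype -q "$tmpdir" $output_flag
    rm -rf "$tmpdir"
  else
    echo "File ${apk_file} not found." >&2
  fi
done < "packages.log"
```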