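---
# Runs the Yocto cve-check class over every recipe in meta-aws for pull
# requests against master-next and turns any unpatched CVE into a failing
# check, with the raw cve-check output kept as artifacts and a step summary.
#
# Supply-chain note: the third-party action refs below use floating major
# tags (@v3).  Pinning each to a full commit SHA protects the job against a
# later mutation of the tag; the tags are kept here because no SHA is known.
name: pr-cve-check

# The workflow only reads the repository (checkout, cache, artifacts of its
# own run); an explicit read-only token grant keeps it at least privilege.
permissions:
  contents: read

# A full bitbake cve_check run is long; a superseded run for the same PR ref
# is cancelled so only the newest push is checked.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  pull_request:
    branches:
      - 'master-next'
    paths:
      - '**.bb'
      - '**.inc'
      # a change to this workflow itself should be exercised as well
      - '.github/workflows/pr-cve-check.yml'

jobs:
  pr-cve-check:
    runs-on: ubuntu-22.04
    steps:
      - name: Install required packages to run cve-check
        run: |
          # refresh the package lists first: the lists baked into the runner
          # image go stale and then point at package versions no longer served
          sudo apt-get update
          sudo apt-get -y install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 xz-utils zstd liblz4-tool locales
          echo "en_US.UTF-8 UTF-8" | sudo tee --append /etc/locale.gen
          sudo locale-gen

      - name: Checkout meta-aws
        uses: actions/checkout@v3
        with:
          path: yocto_cve/meta-aws

      - name: Checkout meta-oe
        uses: actions/checkout@v3
        with:
          repository: openembedded/meta-openembedded
          path: yocto_cve/meta-openembedded

      - name: Checkout poky
        run: |
          cd yocto_cve/
          # https rather than git://: the git protocol is neither encrypted
          # nor server-authenticated, so the fetched source could be altered
          # in transit.
          # NOTE(review): no branch or revision is pinned, so poky's default
          # branch is what gets built -- confirm that is the intended pairing
          # with meta-aws master-next.
          git clone --single-branch https://git.yoctoproject.org/poky

      - name: Cache sstate + downloads
        uses: actions/cache@v3
        with:
          path: |
            yocto_cve/build/sstate-cache
            yocto_cve/build/downloads
          # actions/cache saves only on a key miss, so a fixed key is written
          # once and never refreshed.  A per-run key plus a prefix restore-key
          # restores the newest cache and saves an updated one every run.
          key: cache-cve-sstate-downloads-${{ github.run_id }}
          restore-keys: |
            cache-cve-sstate-downloads-

      - name: Run CVE check
        run: |
          cd yocto_cve/
          source poky/oe-init-build-env build
          # layer order is deliberate: bitbake-layers add-layer checks a layer's
          # dependencies against the layers already configured
          bitbake-layers add-layer ../meta-openembedded/meta-oe
          bitbake-layers add-layer ../meta-openembedded/meta-python
          bitbake-layers add-layer ../meta-openembedded/meta-networking
          bitbake-layers add-layer ../meta-openembedded/meta-multimedia
          bitbake-layers add-layer ../meta-aws
          echo 'INHERIT += "cve-check"' >> conf/local.conf
          # Recipe names of every .bb under meta-aws: the basename minus the
          # .bb suffix minus the _version part, de-duplicated.  The glob is
          # quoted so the shell cannot expand it against the current directory,
          # and the suffix pattern is anchored so a "bb" inside a recipe name
          # (constructed example: libbb_1.0.bb) is not cut out of the middle.
          targets=$(find ../meta-aws -name '*.bb' -type f -printf '%f\n' \
            | sed -e 's!\.bb$!!' -e 's!_.*!!' | sort -u | tr '\n' ' ')
          # word splitting of $targets is intended: one bitbake target per name
          bitbake -c cve_check $targets

      - name: Show cve-summary.json
        run: |
          cat yocto_cve/build/tmp/log/cve/cve-summary.json

      - name: Check results (cve-summary.json) for unpatched CVEs
        # plain bash without -e: jq's exit status is inspected by hand below
        shell: bash {0}
        run: |
          # Select every package with at least one issue whose status contains
          # "Unpatched".  any() emits a package once (a select() over .issue[]
          # emits it once per matching issue), so cve-unpatched.json carries no
          # duplicates.  With -e, jq exits 0 when something was selected, 4 when
          # nothing was, and another non-zero code on an error.
          jq -e '.package[] | select(any((.issue // [])[]; .status | contains("Unpatched")))' \
            yocto_cve/build/tmp/log/cve/cve-summary.json > cve-unpatched.json
          ret=$?
          if [ "$ret" -eq 0 ]; then
            # a workflow-command annotation is a single line, so the package
            # names are joined with spaces instead of being printed one per line
            names=$(jq -r '.name' cve-unpatched.json | sort -u | paste -sd ' ' -)
            echo "::error::Found unpatched CVEs in packages: $names"
            exit 1
          elif [ "$ret" -eq 4 ]; then
            echo "::notice::No unpatched CVEs found"
            exit 0
          else
            echo "::error::General error (jq exit status $ret)"
            exit 99
          fi

      - name: Generate step summary
        if: '!cancelled()'
        run: |
          # the JSON is fenced so the markdown summary renders it verbatim
          if [ -s cve-unpatched.json ]; then
            echo "# Found unpatched CVE(s) in package(s):" >> "$GITHUB_STEP_SUMMARY"
            echo '```json' >> "$GITHUB_STEP_SUMMARY"
            cat cve-unpatched.json >> "$GITHUB_STEP_SUMMARY"
            echo '```' >> "$GITHUB_STEP_SUMMARY"
          else
            echo "# No unpatched CVE(s) found" >> "$GITHUB_STEP_SUMMARY"
          fi
          printf '# CVE-SUMMARY:\n\n' >> "$GITHUB_STEP_SUMMARY"
          echo '```json' >> "$GITHUB_STEP_SUMMARY"
          cat yocto_cve/build/tmp/log/cve/cve-summary.json >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      # NOTE(review): the upload-artifact version ref was garbled in the
      # rendered page; <PINNED_REF> below is a placeholder to replace with the
      # project's real ref (a full commit SHA is preferred over a tag).
      - name: Save cve-summary.json
        if: '!cancelled()'
        uses: actions/upload-artifact@<PINNED_REF>
        with:
          name: cve-summary.json
          path: yocto_cve/build/tmp/log/cve/cve-summary.json

      - name: Save cve-summary
        if: '!cancelled()'
        uses: actions/upload-artifact@<PINNED_REF>
        with:
          name: cve-summary
          path: yocto_cve/build/tmp/log/cve/cve-summary
          if-no-files-found: ignore

      - name: Save cve-unpatched.json
        if: '!cancelled()'
        uses: actions/upload-artifact@<PINNED_REF>
        with:
          name: cve-unpatched.json
          path: cve-unpatched.json
          if-no-files-found: ignore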