#!/bin/bash
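#######################################
# Append the Maven dependency tree of the current directory to the job summary.
# Runs `mvn dependency:tree` in the current working directory (the caller has
# already changed into the generated Maven project), writes the tree to
# dependency-tree.txt there and appends it as a collapsible fenced block.
# Globals:   INPUT_DIRECTORY (read), INPUT_VERBOSE (read),
#            GITHUB_STEP_SUMMARY (appended)
# Arguments: $1 - manifest path shown in the section heading
# Outputs:   the raw tree on stdout when INPUT_VERBOSE is "true"
# Returns:   0 on success; mvn's non-zero status when the tree could not be
#            built (nothing is appended to the summary in that case)
#######################################
dependency_tree_summary () {
  local heading="### $INPUT_DIRECTORY$1"
  local -r tree_file="dependency-tree.txt"
  local rc=0

  mvn -ntp dependency:tree -Dverbose=true -DoutputFile="$tree_file" || rc=$?
  if (( rc != 0 )); then
    # A stale tree_file left by an earlier run must not be reported as current.
    printf 'dependency_tree_summary: mvn dependency:tree failed (%d) for %s\n' \
      "$rc" "$heading" >&2
    return "$rc"
  fi

  if [[ "$INPUT_VERBOSE" == true ]]; then
    cat -- "$tree_file"
  fi

  {
    printf '%s\n' "$heading" "<details>" ""
    printf '%s\n' '```'
    cat -- "$tree_file"
    printf '%s\n' '```' "</details>" ""
  } >> "$GITHUB_STEP_SUMMARY"
}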
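#######################################
# Append one markdown table row per open Dependabot alert of one manifest.
# Each row: alert number (linked), package, severity, GHSA id, CVE id,
# first patched version and the first "->" edge target reported by
# `mvn dependency:tree -DoutputType=dot -Dincludes=<package>` (groupId:artifactId).
# Globals:   GITHUB_REPOSITORY (read), GITHUB_STEP_SUMMARY (appended)
# Arguments: $1 - manifest path compared against .dependency.manifest_path
#                 (absolute path without the leading "/", ending in pom.xml)
#            $2 - Dependabot alerts JSON document
# Outputs:   table rows appended to $GITHUB_STEP_SUMMARY
# Returns:   0 when rows were written or no open alert matched;
#            1 when jq could not read the alerts document.
#            Exits the script if the manifest's directory cannot be entered.
#######################################
vulnerabilities_summary () {
  local manifest=$1 alerts_json=$2
  local rows alert dep_edges dep_level row
  local -a info_pack=() fields=()

  # Capture jq's status explicitly: `mapfile < <(jq …)` would silently produce
  # an empty table on a parse error. The trailing "|" keeps an empty
  # "patched in" field addressable as fields[5]; null ids concatenate to "".
  rows=$(jq -r --arg MANIFEST "$manifest" '.[] | select(.dependency.manifest_path == $MANIFEST and .state == "open") | (.number|tostring) + "|" + .security_vulnerability.package.name + "|" + .security_vulnerability.severity + "|" + .security_advisory.ghsa_id + "|" + .security_advisory.cve_id + "|" + .security_vulnerability.first_patched_version.identifier + "|"' <<< "$alerts_json") || {
    printf 'vulnerabilities_summary: jq failed to read alerts for %s\n' "$manifest" >&2
    return 1
  }
  [[ -n $rows ]] || return 0
  mapfile -t info_pack <<< "$rows"

  # The directory holding the manifest is the Maven project to query.
  # One cd for all rows instead of one per row (the path does not change).
  cd "/${manifest%pom.xml}" || exit

  for alert in "${info_pack[@]}"; do
    IFS='|' read -r -a fields <<< "$alert"

    # Target of the first edge, reduced to groupId:artifactId; empty when mvn
    # reports no "->" edge for the package.
    dep_edges=$(mvn -ntp dependency:tree -DoutputType=dot -Dincludes="${fields[1]}" \
      | grep -e "->" | cut -d ">" -f 2 | cut -d '"' -f 2 | cut -d ":" -f 1-2)
    IFS=' ' read -r dep_level _ <<< "$dep_edges"

    # Always seven cells so the row matches the header written by the caller.
    row="| [${fields[0]}](https://github.com/$GITHUB_REPOSITORY/security/dependabot/${fields[0]}) | ${fields[1]} | "
    case "${fields[2]}" in
      critical|high) row+="‼️ ${fields[2]} | " ;;
      *)             row+="${fields[2]} | " ;;
    esac
    row+="${fields[3]} | "
    # A literal "null" CVE id is rendered as an empty cell.
    if [[ "${fields[4]}" == "null" ]]; then
      row+=" | "
    else
      row+="${fields[4]} | "
    fi
    row+="${fields[5]} | ${dep_level} | "

    printf '%s\n' "$row" >> "$GITHUB_STEP_SUMMARY"
  done
}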
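#######################################
# Usage: alerts_summary.sh <project.clj|deps.edn>
# Finds every manifest of the given kind below the working directory and, for
# each, appends its Maven dependency tree and a table of open Dependabot
# alerts to the job summary.
# Globals:   GITHUB_WORKSPACE, INPUT_DIRECTORY, INPUT_VERBOSE,
#            INPUT_INCLUDE_SUBDIRECTORIES (read);
#            GITHUB_STEP_SUMMARY (appended, also by the helpers)
# Arguments: $1 - "project.clj" or "deps.edn"
# Returns:   exits 2 on a missing or unsupported manifest name; exits on the
#            first directory that cannot be entered.
#######################################
main() {
  local manifest=$1 subdir

  # NOTE(review): a sibling directory <manifest dir>/projectclj or
  # <manifest dir>/depsedn holding a generated pom.xml is assumed to exist,
  # presumably produced by an earlier step — confirm against the action.
  case "$manifest" in
    project.clj) subdir=projectclj ;;
    deps.edn)    subdir=depsedn ;;
    *)
      printf 'Usage: %s <project.clj|deps.edn>\n' "${0##*/}" >&2
      exit 2
      ;;
  esac

  if [[ -n $INPUT_DIRECTORY ]]; then
    if [[ "$INPUT_VERBOSE" == true ]]; then
      printf 'Moving to %s\n' "$GITHUB_WORKSPACE$INPUT_DIRECTORY"
    fi
    cd "$GITHUB_WORKSPACE$INPUT_DIRECTORY" || exit
  fi

  if [[ "$INPUT_VERBOSE" == true ]]; then
    printf 'Finding all %s files\n' "$manifest"
  fi
  local -a manifests=()
  mapfile -t manifests < <(find . -name "$manifest")

  # The section header is written once, on the project.clj pass only.
  if [[ "$manifest" == "project.clj" ]]; then
    printf '%s\n' "## Dependency Tree" >> "$GITHUB_STEP_SUMMARY"
  fi

  # Without INPUT_INCLUDE_SUBDIRECTORIES only the manifest at the top of the
  # working directory is processed; exact match, not substring.
  if [[ $INPUT_INCLUDE_SUBDIRECTORIES != true ]]; then
    local m has_top=0
    for m in "${manifests[@]}"; do
      if [[ "$m" == "./$manifest" ]]; then
        has_top=1
        break
      fi
    done
    if (( has_top )); then
      manifests=("./$manifest")
    else
      manifests=()
    fi
  fi

  # Fixed /tmp path shared with whatever step fetches the alerts (not visible
  # here). A predictable shared-tmp name is only acceptable on a single-tenant
  # runner. A missing file used to be a silent empty table; now it is reported.
  local -r alerts_file=/tmp/dependabot_alerts.json
  local alerts_json=""
  if [[ -r "$alerts_file" ]]; then
    alerts_json=$(< "$alerts_file")
  else
    printf 'warning: %s is not readable; alert tables will be empty\n' "$alerts_file" >&2
  fi

  local found manifest_dir pom_path
  for found in "${manifests[@]}"; do
    if [[ "$INPUT_VERBOSE" == true ]]; then
      printf 'Creating the dependency tree for %s\n' "$found"
    fi
    # "./a/b/project.clj" -> "/a/b/project.clj"; its directory is appended to
    # the workspace path.
    found=${found#.}
    manifest_dir="$GITHUB_WORKSPACE$INPUT_DIRECTORY${found%/"$manifest"}"

    cd "${manifest_dir}/${subdir}" || exit
    dependency_tree_summary "$found"

    # vulnerabilities_summary expects the pom.xml path without its leading "/".
    pom_path="${manifest_dir}/${subdir}/pom.xml"
    pom_path=${pom_path#/}
    {
      printf '%s\n' "| Number | Package | Severity | GHSA | CVE | Patched in | Dependency level |"
      printf '%s\n' "| --- | --- | --- | --- | --- | --- | --- |"
    } >> "$GITHUB_STEP_SUMMARY"
    vulnerabilities_summary "$pom_path" "$alerts_json"
    printf '\n' >> "$GITHUB_STEP_SUMMARY"
  done
}

main "$@"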