Merge pull request #78 from DIVD-NL/add_cvelint

Adding cvelint to cnabot
DIVD-NL · Nov 20, 2023 · 378015a · 378015a
2 parents a65fa74 + 9fd2ddb
commit 378015a
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,16 @@
 # Container image that runs your code
 FROM alpine:latest
 
-RUN apk update && apk add python3 py3-pip git github-cli
+RUN apk update && apk add python3 py3-pip git github-cli  tar
 RUN pip install cvelib jsonschema python-dateutil deepdiff
 
 # Copies your code file from your action repository to the filesystem path `/` of the container
 COPY program/* /run/
 COPY entrypoint.sh /run/
 
+ADD https://github.com/mprpic/cvelint/releases/download/v0.1.0/cvelint_Linux_x86_64.tar.gz /tmp/
+RUN tar -xvzf /tmp/cvelint_Linux_x86_64.tar.gz -C /run/
+
 # Code file to execute when the docker container starts up (`entrypoint.sh`)
 ENTRYPOINT ["/run/entrypoint.sh"]
 WORKDIR /cve
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -22,6 +22,11 @@
 set -e
 
 # Process env variables
+if [[ "$CVE_PATH" == "" ]]; then
+	echo "CVE_PATH should not be empty, bailing out..."
+	exit 1
+fi
+
 if [[ $( echo $CVE_PATH | egrep "^\/" | wc -l ) -gt 0 ]] ; then
 	echo "CVE_PATH should be a relative path, '$CVE_PATH' isn't, bailing out..."
 	exit 1
@@ -50,14 +55,14 @@ if [[ -z "$RESERVATIONS_PATH" ]]; then
 	RESERVATIONS_PATH="$CVE_PATH/reservations/"
 fi
 
-if [[ "$INCLUDE_RESERVATIONS" == true ]]; then
+if [[ "$INCLUDE_RESERVATIONS" == "true" ]]; then
 	RESERVATIONS_TOO="--include-reservations"
 	DO_RESERVATIONS="--reservations-path $RESERVATIONS_PATH"
+	if [[ ! -d $RESERVATIONS_PATH ]]; then
+		mkdir $RESERVATIONS_PATH
+	fi
 fi
 
-if [[ $INCLUDE_RESERVATIONS == "true" && ! -d $RESERVATIONS_PATH ]]; then
-	mkdir $RESERVATIONS_PATH
-fi
 if [[ $( echo $RESERVATIONS_PATH | egrep "^\/" | wc -l ) -gt 0 ]] ; then
 	echo "RESERVATIONS_PATH should be a relative path, '$RESERVATIONS_PATH' isn't, bailing out..."
 	exit 1
@@ -91,6 +96,10 @@ rm -f /tmp/cve_check.log && touch /tmp/cve_check.log
 CMD="/run/cve_check.py --path $CVE_PATH $IGNORE_CHECKS $MIN_RESERVED $RESERVE $RESERVATIONS_TOO $DO_RESERVATIONS $VERBOSE_FLAG --schema /run/cve50.json --log /tmp/cve_check.log"
 echo "Running: $CMD"
 $CMD || echo "Check failed!"
+echo "*** Checking CVE records with cvelint ***"
+CMD="/run/cvelint $CVE_PATH"
+echo "Running: $CMD"
+$CMD || echo "Check failed!"
 
 if [[ ! -z "${GITHUB_TOKEN}" ]]; then
 	if [[ $( cat /tmp/cve_check.log | wc -l ) -gt 0 ]] ; then

diff --git a/test-local.sh b/test-local.sh
@@ -6,11 +6,29 @@ if [[ "$CVE_ENVIRONMENT" != "test" ]]; then
 	exit 1
 fi
 
-docker build -t cve-rsus-validate-submit:local .
+docker build -t cve-rsus-validate-submit:local . || exit 1
+
+echo
+echo "*** Correct CVEs ***"
+echo
+
+docker run  \
+	-e CVE_ORG=$CVE_ORG \
+	-e CVE_USER=$CVE_USER \
+	-e CVE_ENVIRONMENT=$CVE_ENVIRONMENT \
+	-e CVE_API_KEY=$CVE_API_KEY \
+	-e CVE_PATH=test-cves \
+	-v $PWD:/cve \
+	-ti cve-rsus-validate-submit:local test-cves true
+echo
+echo "*** Error record CVEs ***"
+echo
 docker run  \
 	-e CVE_ORG=$CVE_ORG \
 	-e CVE_USER=$CVE_USER \
 	-e CVE_ENVIRONMENT=$CVE_ENVIRONMENT \
 	-e CVE_API_KEY=$CVE_API_KEY \
+	-e CVE_PATH=error-cves \
 	-v $PWD:/cve \
 	-ti cve-rsus-validate-submit:local test-cves true
+