Skip to content

Scanner release offline vulnerability bundle update #1235

Scanner release offline vulnerability bundle update

Scanner release offline vulnerability bundle update #1235

name: Scanner release offline vulnerability bundle update
on:
schedule:
- cron: '0 */3 * * *'
workflow_dispatch:
jobs:
read-release-versions:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.output-matrix.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Generate matrix JSON
id: output-matrix
run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
echo "matrix<<$EOF" >> "$GITHUB_OUTPUT"
# Extract X.Y versions, ensuring uniqueness
grep -oE '^[0-9]+\.[0-9]+' scanner/updater/version/RELEASE_VERSION | sort -u | jq -Rs '{ versions: ( sub("\n$"; "")|split("\n") ) }' | tee -a "$GITHUB_OUTPUT"
echo "$EOF" >> "$GITHUB_OUTPUT"
upload-release-vulnerabilities:
needs: read-release-versions
runs-on: ubuntu-latest
strategy:
fail-fast: false # If one of the versions fails, it should not stop others from succeeding.
max-parallel: 1 # Jobs are memory intensive, so only run one at a time.
matrix:
version: ${{ fromJson(needs.read-release-versions.outputs.matrix).versions }}
env:
ROX_PRODUCT_VERSION: ${{ matrix.version }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: ./.github/actions/job-preamble
with:
gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: Generate offline vulnerability bundle
run: |
case "${{ env.ROX_PRODUCT_VERSION }}" in
4.4)
.github/workflows/scripts/scanner-update-offline-bundle.sh "${{ env.ROX_PRODUCT_VERSION }}" "vulns.json.zst"
;;
*)
.github/workflows/scripts/scanner-update-offline-bundle.sh "${{ env.ROX_PRODUCT_VERSION }}" "vulnerabilities.zip"
;;
esac
send-notification:
needs:
- read-release-versions
- upload-release-vulnerabilities
runs-on: ubuntu-latest
if: failure()
steps:
- name: Send Slack notification on workflow failure
run: |
curl -X POST -H 'Content-type: application/json' --data '{"text":"<${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|Workflow ${{ github.workflow }}> failed in repository ${{ github.repository }}: Failed to update offline vulnerabilities bundle"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }}