Skip to content

Scanner release vulnerability update #1719

Scanner release vulnerability update

Scanner release vulnerability update #1719

name: Scanner release vulnerability update
on:
schedule:
- cron: "0 */3 * * *"
workflow_dispatch:
inputs:
job:
type: choice
description: "Choose the NVD source"
options:
- nvd-api
- nvd-feeds
required: true
default: nvd-api
jobs:
download-nvd:
runs-on: ubuntu-latest
env:
JOB: ${{ github.event.inputs.job || 'nvd-api' }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Download NVD
run: |
set -eu
since_time=$(date -u -d '24 hours ago' '+%a, %d %b %Y %H:%M:%S GMT')
if [ "$JOB" = "nvd-api" ]; then
url="https://definitions.stackrox.io/v4/nvd/nvd-api.zip"
else
url="https://definitions.stackrox.io/v4/nvd/nvd-feeds.zip"
fi
code=$(curl \
-o nvd.zip \
-w "%{http_code}" \
-H "If-Modified-Since: $since_time" \
"$url")
echo "code: $code"
echo "$code" | grep -q 200
- uses: ./.github/actions/upload-artifact-with-retry
with:
name: nvd
path: nvd.zip
if-no-files-found: error
read-release-versions:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.output-matrix.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Generate matrix JSON
id: output-matrix
run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
echo "matrix<<$EOF" >> "$GITHUB_OUTPUT"
./.github/workflows/scripts/scanner-output-release-versions.sh | tee -a "$GITHUB_OUTPUT"
echo "$EOF" >> "$GITHUB_OUTPUT"
upload-release-vulnerabilities:
needs:
- read-release-versions
- download-nvd
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4
volumes:
# The updater makes heavy use of /tmp files.
- /tmp:/tmp
- /usr:/mnt/usr
- /opt:/mnt/opt
strategy:
# If one of the versions fails, it should not stop others from succeeding.
fail-fast: false
# The updater is memory intensive, so only run one at a time.
max-parallel: 1
matrix:
include: ${{ fromJson(needs.read-release-versions.outputs.matrix).versions }}
env:
ROX_PRODUCT_VERSION: ${{ matrix.version }}
ROX_PRODUCT_TAG: ${{ matrix.tag }}
steps:
# Checkout to run ./.github/actions/{download,upload}-artifact-with-retry
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- uses: ./.github/actions/job-preamble
with:
gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
- name: Free up disk space
shell: bash
run: |
set +e
set -x
df -h
for delete in /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL; do
rm -rf "/mnt${delete:?}"
done
df -h
- name: Authenticate with Google Cloud
if: github.ref_name == 'master'
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }}
- name: Authenticate with Google Cloud
if: github.ref_name != 'master'
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- uses: ./.github/actions/download-artifact-with-retry
with:
name: nvd
path: .
- name: Update vulnerabilities
env:
STACKROX_NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
STACKROX_NVD_API_CALL_INTERVAL: 6s
run: |
# Use fully qualified path to refer to the NVD bundle
STACKROX_NVD_ZIP_PATH="$(pwd)/nvd.zip"
export STACKROX_NVD_ZIP_PATH
DOWNLOAD_URL="https://github.com/stackrox/stackrox/archive/refs/tags/${{ env.ROX_PRODUCT_TAG }}.zip"
FILE_NAME=$(basename "$DOWNLOAD_URL")
if ! wget "$DOWNLOAD_URL" -O "$FILE_NAME"; then
echo "Download failed. Terminating current matrix step."
exit 1
fi
unzip "$FILE_NAME" -d "${FILE_NAME}-dir"
cd "${FILE_NAME}-dir/stackrox-"*
if [ ! -d "scanner" ]; then
echo "Scanner directory not found. Terminating current matrix step."
exit 1
fi
# Do not use the make target, as there may be some incompatibilities.
# See https://github.com/stackrox/stackrox/pull/9227.
# Similarly, any updates to the Go version may require go.mod updates.
# Just run go mod tidy and hope for the best.
go mod tidy
cd scanner
go build -trimpath -buildvcs=false -o bin/updater ./cmd/updater
go clean -cache -modcache
mkdir ${{ env.ROX_PRODUCT_VERSION }}
# Run updater per release/product version.
case "${{ env.ROX_PRODUCT_VERSION }}" in
4.4.*)
./bin/updater -output-dir="${{ env.ROX_PRODUCT_VERSION }}"
;;
*)
./bin/updater export --split bundles
zip ${{ env.ROX_PRODUCT_VERSION }}/vulnerabilities.zip bundles/*.json.zst
;;
esac
bucket="gs://definitions.stackrox.io/v4/vulnerability-bundles"
if [[ "${{ github.ref_name }}" != "master" ]]; then
# If dispatched from a branch other then master, upload bundles
# to a test bucket for inspection.
bucket="gs://scanner-v4-test/vulnerability-bundles"
fi
echo "Copying ${{ env.ROX_PRODUCT_VERSION }} to $bucket"
gsutil cp -r "${{ env.ROX_PRODUCT_VERSION }}" "$bucket"
send-notification:
needs:
- read-release-versions
- upload-release-vulnerabilities
runs-on: ubuntu-latest
if: ${{ failure() && github.ref_name == 'master' }}
steps:
- name: Send Slack notification on workflow failure
run: |
curl -X POST -H 'Content-type: application/json' --data '{"text":"<${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|Workflow ${{ github.workflow }}> failed in repository ${{ github.repository }}: Failed to update vulnerabilities"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }}