Recreated Github Action PR (#432)
This PR features:

- Refactors the format flag's internal logic so that we don't need to
repeat the format types so much, and we can test, when we add a new
format entry, whether we forgot anything.
- Adds a new format "sarif", which returns a SARIF report (closes #216)
- Adds a GitHub Action `action.yaml` and its specialized dockerfile
`action.dockerfile`. This docker image runs a bash script wrapping
osv-scanner, first by preprocessing the input so the last argument will
be split by new line, allowing the workflow user to pass in multiple
directories/files they wish to scan. The script also changes exit codes
127 and 128 to 0 as they contain errors that the user can't really do
anything about.
- Adds two reusable workflows using this new GitHub action for this repo:
  - Reusable PR workflow, for use in checking whether PRs introduce new
vulnerabilities.
  - Reusable Scheduled workflow, for use in regularly checking for new
vulns applying to your existing vulns.
- Adds an experimental flag: `--experimental-diff`, which will only
output the difference between a previous run and this run of the
osv-scanner. This is for use in the PR workflow.
- Sorts the grouped ID output.

Closes #57 

Currently the reusable workflow has to point to a specific action which
cannot be relative (otherwise it would point to the wrong action when
reused in another repo). This means right now it's pointed to this
fork/branch instead of the master branch; this will need to be updated
once this PR is merged.

Example of what workflow sarif output looks like:

![image](https://github.com/google/osv-scanner/assets/106129829/fc7a0ac4-f3d8-4524-93ba-7b03dd0313cd)

Here is an example of the PR reusable workflow working:

another-rex/scorecard-check-osv-e2e#1

That PR adds an additional vulnerability, which causes it to fail. You
can see that only the new vuln is showing up in the code scanning
report:
https://github.com/another-rex/scorecard-check-osv-e2e/security/code-scanning/1


TODO after this PR is merged:
- Change links that point to this PR branch to point to main (and/or a
tagged commit of main)
- Add support for annotations
- Add documentation (this is for later, as we want to dogfood it in our
own repos first before broadcasting this widely)

---------

Signed-off-by: Rex P <rexpan@google.com>
another-rex committed Jul 31, 2023
1 parent 1e5b5bc commit ec18942
Showing 39 changed files with 2,742 additions and 52 deletions.
29 changes: 29 additions & 0 deletions .github/workflows/osv-scanner-pr.yml
@@ -0,0 +1,29 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: osv-scanner

on:
pull_request:
# The branches below must be a subset of the branches above
branches: [ main ]
merge_group:
branches: [ main ]

# Declare default permissions as read only.
permissions: read-all

jobs:
scan-pr-attempt:
uses: "./.github/workflows/osv-scanner-reusable-pr.yml"
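Review bot: the workflow-level `permissions: read-all` is inherited by the `scan-pr-attempt` job, but the called workflow ends with `github/codeql-action/upload-sarif`, which needs `security-events: write`, and a called workflow cannot be granted more than the caller's token allows, so the code-scanning upload will be rejected. Grant it at job level rather than loosening the default, e.g. `permissions: { contents: read, actions: read, security-events: write }` on `scan-pr-attempt`. The comment `# The branches below must be a subset of the branches above` is left over from the CodeQL template; there is no `push:` trigger above it in this file, so drop it.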
82 changes: 82 additions & 0 deletions .github/workflows/osv-scanner-reusable-pr.yml
@@ -0,0 +1,82 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: OSV-Scanner PR scanning

on:
workflow_call:

jobs:
scan-pr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
# Do persist credentials, as we need it for the git checkout later
- name: "Checkout target branch"
run: git checkout $GITHUB_BASE_REF
- name: "Run scanner on existing code"
uses: another-rex/osv-scanner/actions/scanner@markdown-output
continue-on-error: true
with:
results-format: json
results-file: old-results.json
to-scan: .
- name: "Checkout current branch"
run: git checkout $GITHUB_SHA
- name: "Run scanner on new code"
uses: another-rex/osv-scanner/actions/scanner@markdown-output
with:
results-format: json
results-file: new-results.json
to-scan: .
continue-on-error: true
- name: "Run osv-diff"
uses: another-rex/osv-scanner/actions/diff@markdown-output
with:
results-format: sarif
output-file: final-results.sarif
old-results: old-results.json
new-results: new-results.json
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
if: '!cancelled()'
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: SARIF file
path: final-results.sarif
retention-days: 5
- name: "Upload old scan json results"
if: '!cancelled()'
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: old-json-results
path: old-results.json
retention-days: 5
- name: "Upload new scan json results"
if: '!cancelled()'
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: new-json-results
path: new-results.json
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: '!cancelled()'
uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
with:
sarif_file: final-results.sarif

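Review bot: the `Checkout target branch` step relies on `$GITHUB_BASE_REF`, which GitHub only sets for `pull_request` and `pull_request_target` events; under the `merge_group` trigger that the caller declares it is empty, `git checkout` with no argument succeeds as a no-op, and the "old" and "new" scans run on the same tree, so the diff reports nothing even if the merge group introduces a vulnerability. Guard the step with `if: github.event_name == 'pull_request'` or derive the base from `github.event.merge_group.base_sha` for that event. Also: `actions/checkout@v3` is the only action here not pinned to a commit SHA, and the workflow declares no `permissions:` block, so the `upload-sarif` step depends entirely on the caller granting `security-events: write`.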
47 changes: 47 additions & 0 deletions .github/workflows/osv-scanner-reusable-scheduled.yml
@@ -0,0 +1,47 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: OSV-Scanner PR scanning

on:
workflow_call:

jobs:
scan-pr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: "Run scanner"
uses: another-rex/osv-scanner/actions/scanner@markdown-output
with:
results-format: sarif
results-file: results.sarif
to-scan: .
recursive-scan: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
if: '!cancelled()'
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: '!cancelled()'
uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
with:
sarif_file: results.sarif

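Review bot: `name: OSV-Scanner PR scanning` and the job id `scan-pr` are copied from the PR workflow; this one is the scheduled full-tree scan, so name them accordingly (e.g. `OSV-Scanner scheduled scanning` and `scan-scheduled`), otherwise the two runs are indistinguishable in the Actions tab. The remarks on the PR workflow apply here too: `actions/checkout@v3` is the only action not pinned to a SHA, and there is no `permissions:` block for the `upload-sarif` step.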
28 changes: 28 additions & 0 deletions .github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,28 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: osv-scanner

on:
schedule:
- cron: '12 12 * * 1'
push:
branches: [ "main" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
scan-pr-attempt:
uses: "./.github/workflows/osv-scanner-reusable-scheduled.yml"
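Review bot: `permissions: read-all` again leaves the called workflow's `upload-sarif` step without the `security-events: write` it needs; grant that on the job. The job id `scan-pr-attempt` is copied from the PR workflow and is misleading for a cron/push trigger. Minor: `branches: [ "main" ]` here versus `[ main ]` in the sibling workflow; pick one quoting style.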
44 changes: 44 additions & 0 deletions action.dockerfile
@@ -0,0 +1,44 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

FROM golang:alpine@sha256:fd9d9d7194ec40a9a6ae89fcaef3e47c47de7746dd5848ab5343695dbbd09f8c

RUN mkdir /src
WORKDIR /src

COPY ./go.mod /src/go.mod
COPY ./go.sum /src/go.sum
RUN go mod download

COPY ./ /src/
RUN go build -o osv-scanner ./cmd/osv-scanner/
RUN go build -o osv-diff ./cmd/osv-diff/

FROM alpine:3.17@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
RUN apk --no-cache add \
ca-certificates \
git \
bash

# Allow git to run on mounted directories
RUN git config --global --add safe.directory '*'

WORKDIR /root/
COPY --from=0 /src/osv-scanner ./
COPY --from=0 /src/osv-diff ./
COPY ./exit_code_redirect.sh ./

ENV PATH="${PATH}:/root"

ENTRYPOINT ["bash", "/root/exit_code_redirect.sh"]
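Review bot: `COPY --from=0` refers to the build stage by position, which breaks silently if a stage is inserted later; name it (`FROM golang:alpine@sha256:... AS builder`, then `COPY --from=builder`). `git config --global --add safe.directory '*'` disables git's ownership check for every path; it is needed because the action container runs as root over a workspace owned by the runner user, but the comment should say so, since the setting also covers any directory a user passes via `to-scan`. The base images are digest-pinned but `apk add ca-certificates git bash` is not, so two builds of the same commit can pull different package versions; either accept that or pin them.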
21 changes: 0 additions & 21 deletions action.yml

This file was deleted.

25 changes: 25 additions & 0 deletions actions/diff/action.yml
@@ -0,0 +1,25 @@
# Currently experimental.
name: 'osv-scanner-diff'
description: 'Finds the difference between two osv-scanner json results'
inputs:
output-file:
description: 'Output path'
required: true
results-format:
description: 'Output result format'
default: 'sarif'
old-results:
description: 'Old results to get the difference against'
required: true
new-results:
description: 'New results to get the difference against'
required: true
runs:
using: 'docker'
image: '../../action.dockerfile'
entrypoint: /root/osv-diff
args:
- '--output=${{ inputs.output-file }}'
- '--format=${{ inputs.results-format }}'
- '--old=${{ inputs.old-results }}'
- '--new=${{ inputs.new-results }}'
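Review bot: `entrypoint: /root/osv-diff` bypasses the image's `exit_code_redirect.sh` entrypoint, so the 127/128 exit code remapping described in the commit message applies to the scanner action but not to this one; if that is intended, say so in the `# Currently experimental.` comment. `results-format` has a `default` but no `required:` key, unlike the other inputs, and `output-file`'s description `'Output path'` could state that the file is written in `results-format`. `image: '../../action.dockerfile'` reaches outside the action directory; it works because the Dockerfile lives in the same repo, but a comment noting that dependency would stop someone moving the action on its own.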
26 changes: 26 additions & 0 deletions actions/scanner/action.yml
@@ -0,0 +1,26 @@
# Currently experimental.
name: 'osv-scanner'
description: 'Scans your directory against the OSV database (Experimental)'
inputs:
to-scan:
description: 'Directories to scan'
default: "./"
results-file:
description: 'Output path'
required: true
results-format:
description: 'Output result format'
default: 'sarif'
recursive-scan:
description: 'Recursively scan though subdirectories'
required: false
default: true
runs:
using: 'docker'
image: '../../action.dockerfile'
args:
- '--skip-git'
- '--output=${{ inputs.results-file }}'
- '--format=${{ inputs.results-format }}'
- '--recursive=${{ inputs.recursive-scan }}'
- ${{ inputs.to-scan }}
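Review bot: `to-scan` is passed as a single argument and, per the commit message, split on newlines by the entrypoint script, but its description `'Directories to scan'` does not say that multiple entries are newline-separated; document that (a multi-line YAML `|` example in the description would do). Typo in the `recursive-scan` description: "though" should be "through". `--skip-git` is always on with no input to turn it off; a comment explaining why it is hardcoded in the action would help users who expect git metadata to be scanned.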
