Generate CVE #12087
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Generate CVE | |
on: | |
push: | |
branches: | |
- main | |
schedule: | |
- cron: '*/30 * * * *' | |
workflow_dispatch: | |
inputs: | |
clean: | |
description: 'Download fresh feeds from NVD. Any value other than "false" will trigger a clean download.' | |
required: true | |
default: 'false' | |
permissions: | |
contents: write | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }} | |
VULNERABILITIES_CLEAN: ${{ github.event.inputs.clean || 'false' }} | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
timeout-minutes: 180 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
with: | |
ref: main | |
- name: Import GPG Key | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
git_user_signingkey: true | |
git_commit_gpgsign: true | |
- name: Checkout Fleet | |
uses: actions/checkout@v4 | |
with: | |
repository: fleetdm/fleet | |
fetch-depth: 1 | |
ref: main | |
path: fleet | |
- name: Checkout goval-dictionary | |
uses: actions/checkout@v4 | |
with: | |
repository: vulsio/goval-dictionary | |
fetch-depth: 1 | |
ref: adcb4dc66908aa84a0aabcd376af0e6e677ea2fd | |
path: goval-dictionary | |
- name: Setup Go | |
uses: actions/[email protected] | |
with: | |
cache: false | |
go-version: '^1.23.4' | |
- name: Generate NVD Feeds | |
run: | | |
cd fleet | |
go mod download | |
go run cmd/cve/generate.go --db_dir ./cvefeed --debug | |
- name: Build goval-dictionary and ensure destination dir exists | |
run: | | |
cd goval-dictionary | |
make build | |
mkdir -p ../fleet/cvefeed | |
- name: Pull Amazon Linux 1 vulnerabilities | |
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 1 --dbpath ./fleet/cvefeed/amzn_01.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
- name: Pull Amazon Linux 2 vulnerabilities | |
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2 --dbpath ./fleet/cvefeed/amzn_02.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
- name: Pull Amazon Linux 2022 vulnerabilities | |
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2022 --dbpath ./fleet/cvefeed/amzn_2022.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
- name: Pull Amazon Linux 2023 vulnerabilities | |
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2023 --dbpath ./fleet/cvefeed/amzn_2023.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
- name: Compress Amazon Linux vulnerability sqlite files | |
run: xz ./fleet/cvefeed/*.sqlite3 | |
- name: Current date | |
id: date | |
run: | | |
echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT | |
- name: Tag | |
run: | | |
git tag -a cve-${{ steps.date.outputs.date }} -m "release ${{ steps.date.outputs.date }}" | |
git push origin cve-${{ steps.date.outputs.date }} | |
- name: Release | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
with: | |
files: | | |
fleet/cvefeed/* | |
tag_name: cve-${{ steps.date.outputs.date }} | |
target_commitish: main | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Delete Old Releases | |
uses: dev-drprasad/[email protected] | |
with: | |
delete_tag_pattern: ^cve-.* | |
keep_latest: 144 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Slack Notification | |
if: failure() | |
uses: slackapi/[email protected] | |
with: | |
payload: | | |
{ | |
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}", | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "Security artifacts generation result: ${{ job.status }}\nhttps://github.com/fleetdm/vulnerabilities/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}" | |
} | |
} | |
] | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_P2_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |