From 0adb89e478d060b3e322ecdf8fabb859aece1733 Mon Sep 17 00:00:00 2001
From: Kashif Khan
Date: Mon, 15 Apr 2024 09:57:35 +0300
Subject: [PATCH] Add OSV scanner PR and schedule workflows
Signed-off-by: Kashif Khan
---
 .github/workflows/osv-scanner-scan.yml | 20 +++++
 .github/workflows/osv-scanner.yml | 106 +++++++++++++++++++++++++
 2 files changed, 126 insertions(+)
 create mode 100644 .github/workflows/osv-scanner-scan.yml
 create mode 100644 .github/workflows/osv-scanner.yml
diff --git a/.github/workflows/osv-scanner-scan.yml b/.github/workflows/osv-scanner-scan.yml
new file mode 100644
index 00000000..9fe3d159
--- /dev/null
+++ b/.github/workflows/osv-scanner-scan.yml
@@ -0,0 +1,20 @@
+# This file is adapted from https://github.com/google/osv-scanner
+
+
+name: OSV-Scanner Scan
+
+on:
+ schedule:
+ - cron: "12 12 * * 1"
+
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
+
+jobs:
+ scan-scheduled:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ security-events: write # for uploading SARIF files
+ if: ${{ github.repository == 'metal3-io/ip-address-manager' && github.event_name == 'schedule' }}
+ uses: "./.github/workflows/osv-scanner.yml"
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 00000000..188b28b8
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
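Review bot: On a `schedule` event `GITHUB_BASE_REF` is unset, yet `scan-scheduled` calls `osv-scanner.yml`, whose only job checks out `$GITHUB_BASE_REF` for the "old" scan and then `$GITHUB_SHA` for the "new" one, so both scans run against the same default-branch tree. If the reporter only surfaces findings present in `new-results.json` but absent from `old-results.json` (which is what the `--old`/`--new` pairing suggests), the weekly run can never report or fail on anything, which defeats the point of scheduling it. I believe upstream ships a separate non-PR reusable workflow that does a single scan and uploads it; the scheduled caller should target that shape, or the base-ref checkout and old scan should be gated on `github.event_name == 'pull_request'`. Note also that despite the commit title no `pull_request` trigger appears anywhere in this patch, so as far as it shows the diff logic is only ever reached from the schedule.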
@@ -0,0 +1,106 @@
+# This file is adapted from https://github.com/google/osv-scanner
+
+name: OSV-Scanner
+
+permissions: {}
+
+on:
+ workflow_call:
+ inputs:
+ scan-args:
+ description: "Custom osv-scanner arguments (See https://google.github.io/osv-scanner/usage/ for options, you cannot set --format or --output)"
+ type: string
+ default: |-
+ -r
+ --skip-git
+ ./
+ results-file-name:
+ description: "File name of the result SARIF file"
+ type: string
+ default: results.sarif
+ upload-sarif:
+ description: "Whether to upload to Security > Code Scanning"
+ type: boolean
+ required: false
+ default: true
+ fail-on-vuln:
+ description: "Whether to fail the action on vulnerability found"
+ type: boolean
+ default: true
+
+jobs:
+ scan-pr:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ security-events: write # for uploading SARIF files
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 0
+ # Do persist credentials, as we need it for the git checkout later
+ - name: "Checkout target branch"
+ run: git checkout $GITHUB_BASE_REF
+ - name: "Calculate go version"
+ id: vars
+ run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+ - name: Set up Go
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # tag=v5.0.1
+ with:
+ go-version: ${{ steps.vars.outputs.go_version }}
+ - name: "Run scanner on existing code"
+ uses: google/osv-scanner/actions/scanner@645d5b0bb9c14741b2147a5305b684e4abc039e0 # v1.7.3
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --format=json
+ --output=old-results.json
+ ${{ inputs.scan-args }}
+ - name: "Checkout current branch"
+ run: git checkout $GITHUB_SHA
+ - name: "Run scanner on new code"
+ uses: google/osv-scanner/actions/scanner@645d5b0bb9c14741b2147a5305b684e4abc039e0 # v1.7.3
+ with:
+ scan-args: |-
+ --format=json
+ --output=new-results.json
+ ${{ inputs.scan-args }}
+ continue-on-error: true
+ - name: "Run osv-scanner-reporter"
+ uses: google/osv-scanner/actions/reporter@645d5b0bb9c14741b2147a5305b684e4abc039e0 # v1.7.3
+ with:
+ scan-args: |-
+ --output=${{ inputs.results-file-name }}
+ --old=old-results.json
+ --new=new-results.json
+ --gh-annotations=true
+ --fail-on-vuln=${{ inputs.fail-on-vuln }}
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ if: "!cancelled()"
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ with:
+ name: SARIF file
+ path: ${{ inputs.results-file-name }}
+ retention-days: 5
+ - name: "Upload old scan json results"
+ if: "!cancelled()"
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ with:
+ name: old-json-results
+ path: old-results.json
+ retention-days: 5
+ - name: "Upload new scan json results"
+ if: "!cancelled()"
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ with:
+ name: new-json-results
+ path: new-results.json
+ retention-days: 5
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ if: ${{ !cancelled() && inputs.upload-sarif == true }}
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
+ with:
+ sarif_file: ${{ inputs.results-file-name }}
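Review bot: The comment under the `actions/checkout` step justifies persisting credentials by the later `git checkout`, but with `fetch-depth: 0` every ref is already fetched, so `git checkout $GITHUB_BASE_REF` and `git checkout $GITHUB_SHA` are local operations that need no token; what persisting does achieve is leaving the job's `GITHUB_TOKEN` (scoped `contents: read` + `security-events: write`) in `.git/config`, readable by the third-party scanner and reporter container steps that run afterwards in the same workspace. Least privilege is to add `persist-credentials: false` under `with:` and replace the comment with `# No token needed later: fetch-depth 0 already fetched all refs, the checkouts below are local`. While there, quote the variable — `run: git checkout "$GITHUB_BASE_REF"` — so an empty value (any caller that is not a `pull_request`, e.g. the scheduled one) fails loudly instead of expanding to a bare `git checkout` that silently succeeds and leaves the "old" and "new" scans on the same tree.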