Generate VDR Using Github Actions #15

Merged
merged 24 commits into from
May 28, 2024
Commits
a36bb34 rename ci, add vdr creation yml (Scanteianu, May 6, 2024)
3f4b755 Merge branch 'main' of https://github.com/adoptium/temurin-vdr-genera… (Scanteianu, May 10, 2024)
5f07c11 try to run the downloader and upload partial (Scanteianu, May 10, 2024)
ff1702c add trigger on PR (Scanteianu, May 10, 2024)
d80fc16 make data dir (Scanteianu, May 10, 2024)
b287aa4 run the conversion script (Scanteianu, May 10, 2024)
41a7c80 run vdr creation for the whole vdr period (Scanteianu, May 10, 2024)
b1307bc fix vdr artifact name (Scanteianu, May 10, 2024)
a10c873 try to make nist calls use api key (Scanteianu, May 13, 2024)
9ee0d94 fix the build (Scanteianu, May 13, 2024)
772b483 add flush (Scanteianu, May 13, 2024)
9f29bfb Apply suggestions from gadams (Scanteianu, May 13, 2024)
2058d6d add the api key secret, remove branches from workflows (Scanteianu, May 13, 2024)
d76a507 check api key is actually there (Scanteianu, May 13, 2024)
d9e5234 Merge branch 'main' into vdr_generation_gh_action (karianna, May 14, 2024)
3a18942 remove pip and flake8 from the installs (Scanteianu, May 14, 2024)
d270e5a update comments (Scanteianu, May 14, 2024)
b0fb849 Merge branch 'main' of https://github.com/adoptium/temurin-vdr-genera… (Scanteianu, May 17, 2024)
1d3198d rm newlines (Scanteianu, May 17, 2024)
e956229 Merge branch 'main' into vdr_generation_gh_action (Scanteianu, May 21, 2024)
6f1b33c Merge branch 'main' into vdr_generation_gh_action (karianna, May 23, 2024)
0d34532 fix flaky inability to find risk matrix (Scanteianu, May 23, 2024)
0068eb5 Merge branch 'main' into vdr_generation_gh_action (Scanteianu, May 23, 2024)
6bdcd34 Update .github/workflows/vdr-creation.yml (gdams, May 28, 2024)
File renamed without changes.
43 changes: 43 additions & 0 deletions .github/workflows/vdr-creation.yml
@@ -0,0 +1,43 @@
name: VDR Creation

on:
workflow_dispatch:
push:
branches: [ main ]
pull_request: # prs don't get secrets, but the API works (albeit 10x slower) without the api key
branches: [ main ]


jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5

- name: Set up Python 3.10
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: "3.10"

- name: Install dependencies
run: |
python -m pip install --upgrade pip
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi

- name: Download ojvg
env:
NIST_NVD_TOKEN: ${{ secrets.NIST_NVD_TOKEN }}
run: |
mkdir -p data
python3 ojvg_download.py
python3 ojvg_convert.py
- name: Upload data directory (for debugging/introspection)
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: data directory
path: data
- name: Upload final vdr
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: final vdr
path: data/vdr.json
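Review bot: the workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though its steps only check out code and upload artifacts; add `permissions: contents: read` at the workflow or job level. The comment on the `pull_request` trigger ("prs don't get secrets") is only true for PRs from forks; same-repository PRs do receive `NIST_NVD_TOKEN`, so document that fork PRs will take the slow unauthenticated path and consider whether a full VDR-period run on every PR is what is wanted. Minor: `if [ -f requirements.txt ]` silently skips dependency installation when the file is missing, which will surface later as an import error in `ojvg_download.py` rather than in the install step; a plain `pip install -r requirements.txt` fails earlier and more clearly.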
8 changes: 5 additions & 3 deletions cvereporter/fetch_vulnerabilities.py
@@ -102,7 +102,9 @@ def parse_to_dict(resp_text: str, date: str) -> list[dict]:

# find the table with the CVEs
table = soup.find("table", attrs={"class": "risk-matrix"})

if table is None:
print("unable to find risk matrix for "+date)
return None
# find all the rows in the table
rows = table.find_all("tr")
dicts = []
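Review bot: the new `return None` in the `if table is None:` branch contradicts the `-> list[dict]` annotation on `parse_to_dict`, and any caller that iterates the result will raise `TypeError` on a missing matrix. Either return `[]` so callers keep working, or change the annotation to `list[dict] | None` and check every call site. Since the commit describes this as a flaky failure, a missing risk matrix for a date means that date's advisories are silently dropped from the generated VDR with only a stdout line to show for it; a retry of the fetch, or failing the run loudly, would be safer than returning early. Style: `print(f"unable to find risk matrix for {date}")` rather than string concatenation.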
@@ -180,8 +182,8 @@ def dict_to_vulns(dicts: list[dict]) -> list[Vulnerability]:
"""
We assume the text for the affected versions is in a block like:

"The following vulnerabilities in OpenJDK source code were fixed in this release.
The affected versions are 12, 11.0.2, 8u202, 7u211, and earlier.
"The following vulnerabilities in OpenJDK source code were fixed in this release.
The affected versions are 12, 11.0.2, 8u202, 7u211, and earlier.
We recommend that you upgrade as soon as possible."

"""
12 changes: 11 additions & 1 deletion cvereporter/nist_enhance.py
@@ -6,6 +6,8 @@
)
import requests
import json
import time
import os

"""
this file has the utilities for downloading data about cves from NIST and updating Vulnerability objects with the data
@@ -14,7 +16,15 @@

def fetch_nist(url: str, id: str) -> dict:
data = None
nist_resp = requests.get(url)
nist_resp = None
if "NIST_NVD_TOKEN" in os.environ and os.environ["NIST_NVD_TOKEN"]: # check not empty
print("making call to NIST using api key! "+url, flush=True)
time.sleep(1) # stay well within 50 requests/30 seconds
nist_resp = requests.get(url, headers= {"apiKey": os.environ["NIST_NVD_TOKEN"]})
else:
print("making call to NIST without using api key! "+url, flush=True)
time.sleep(10) # stay well within 5 requests/30 seconds
nist_resp = requests.get(url)
if nist_resp.status_code != 200:
print(
"error fetching {}; status code: {}; text: {}".format(
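Review bot: both `requests.get(...)` calls in `fetch_nist` are made without a `timeout`, so a stalled connection to NVD hangs the job until the runner kills it; pass `timeout=30` (or similar) on both. The fixed `time.sleep(1)` / `time.sleep(10)` before every request is a crude rate limiter and does not react to the server: a 403 or 429 from NVD falls through to the `status_code != 200` branch, which only prints, so add a retry with backoff for those codes instead of losing that CVE's data for the run. The token is read from the environment and never printed, which is right; keep the log lines that way. Minor: `nist_resp = None` before the `if` is unnecessary since both branches assign it, `headers= {` should be `headers={`, and `os.environ.get("NIST_NVD_TOKEN")` expresses the "present and non-empty" check more directly.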