-
Notifications
You must be signed in to change notification settings - Fork 2
132 lines (115 loc) · 4 KB
/
generate-cve.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: Generate CVE
on:
push:
branches:
- main
schedule:
- cron: '*/30 * * * *'
workflow_dispatch:
inputs:
clean:
description: 'Download fresh feeds from NVD. Any value other than "false" will trigger a clean download.'
required: true
default: 'false'
permissions:
contents: write
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }}
VULNERABILITIES_CLEAN: ${{ github.event.inputs.clean || 'false' }}
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@v4
with:
ref: main
- name: Import GPG Key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Checkout Fleet
uses: actions/checkout@v4
with:
repository: fleetdm/fleet
fetch-depth: 1
ref: main
path: fleet
- name: Checkout goval-dictionary
uses: actions/checkout@v4
with:
repository: vulsio/goval-dictionary
fetch-depth: 1
ref: adcb4dc66908aa84a0aabcd376af0e6e677ea2fd
path: goval-dictionary
- name: Setup Go
uses: actions/[email protected]
with:
cache: false
go-version: '^1.21.4'
- name: Generate NVD Feeds
run: |
cd fleet
go mod download
go run cmd/cve/generate.go --db_dir ./cvefeed --debug
- name: Generate goval-dictionary sqlite files
run: |
cd goval-dictionary
make build
./goval-dictionary fetch amazon 1 --dbpath ../fleet/cvefeed/amzn_01.sqlite3
./goval-dictionary fetch amazon 2 --dbpath ../fleet/cvefeed/amzn_02.sqlite3
./goval-dictionary fetch amazon 2022 --dbpath ../fleet/cvefeed/amzn_2022.sqlite3
./goval-dictionary fetch amazon 2023 --dbpath ../fleet/cvefeed/amzn_2023.sqlite3
xz ../fleet/cvefeed/*.sqlite3
- name: Current date
id: date
run: |
echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
- name: Tag
run: |
git tag -a cve-${{ steps.date.outputs.date }} -m "release ${{ steps.date.outputs.date }}"
git push origin cve-${{ steps.date.outputs.date }}
- name: Release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
files: |
fleet/cvefeed/*
tag_name: cve-${{ steps.date.outputs.date }}
target_commitish: main
token: ${{ secrets.GITHUB_TOKEN }}
- name: Delete Old Releases
uses: dev-drprasad/[email protected]
with:
delete_tag_pattern: ^cve-.*
keep_latest: 144
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Slack Notification
if: failure()
uses: slackapi/[email protected]
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "Security artifacts generation result: ${{ job.status }}\nhttps://github.com/fleetdm/vulnerabilities/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_P2_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK