Generate CVE #10422
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Generate CVE | |
on: | |
push: | |
branches: | |
- main | |
schedule: | |
- cron: '*/30 * * * *' | |
workflow_dispatch: | |
inputs: | |
clean: | |
description: 'Download fresh feeds from NVD. Any value other than "false" will trigger a clean download.' | |
required: true | |
default: 'false' | |
permissions: | |
contents: write | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }} | |
VULNERABILITIES_CLEAN: ${{ github.event.inputs.clean || 'false' }} | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
timeout-minutes: 60 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
with: | |
ref: main | |
- name: Import GPG Key | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
git_user_signingkey: true | |
git_commit_gpgsign: true | |
- name: Checkout Fleet | |
uses: actions/checkout@v4 | |
with: | |
repository: fleetdm/fleet | |
fetch-depth: 1 | |
ref: main | |
path: fleet | |
- name: Checkout goval-dictionary | |
uses: actions/checkout@v4 | |
with: | |
repository: vulsio/goval-dictionary | |
fetch-depth: 1 | |
ref: adcb4dc66908aa84a0aabcd376af0e6e677ea2fd | |
path: goval-dictionary | |
- name: Setup Go | |
uses: actions/setup-go@v4.1.0 | |
with: | |
cache: false | |
go-version: '^1.21.4' | |
- name: Generate NVD Feeds | |
run: | | |
cd fleet | |
go mod download | |
go run cmd/cve/generate.go --db_dir ./cvefeed --debug | |
- name: Generate goval-dictionary sqlite files | |
run: | | |
cd goval-dictionary | |
make build | |
./goval-dictionary fetch amazon 1 --dbpath ../fleet/cvefeed/amzn_01.sqlite3 | |
./goval-dictionary fetch amazon 2 --dbpath ../fleet/cvefeed/amzn_02.sqlite3 | |
./goval-dictionary fetch amazon 2022 --dbpath ../fleet/cvefeed/amzn_2022.sqlite3 | |
./goval-dictionary fetch amazon 2023 --dbpath ../fleet/cvefeed/amzn_2023.sqlite3 | |
xz ../fleet/cvefeed/*.sqlite3 | |
- name: Current date | |
id: date | |
run: | | |
echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT | |
- name: Tag | |
run: | | |
git tag -a cve-${{ steps.date.outputs.date }} -m "release ${{ steps.date.outputs.date }}" | |
git push origin cve-${{ steps.date.outputs.date }} | |
- name: Release | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
with: | |
files: | | |
fleet/cvefeed/* | |
tag_name: cve-${{ steps.date.outputs.date }} | |
target_commitish: main | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Delete Old Releases | |
uses: dev-drprasad/delete-older-releases@v0.3.2 | |
with: | |
delete_tag_pattern: ^cve-.* | |
keep_latest: 144 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Slack Notification | |
if: failure() | |
uses: slackapi/slack-github-action@v1.18.0 | |
with: | |
payload: | | |
{ | |
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}", | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "Security artifacts generation result: ${{ job.status }}\nhttps://github.com/fleetdm/vulnerabilities/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}" | |
} | |
} | |
] | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_P2_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |