-
Notifications
You must be signed in to change notification settings - Fork 4
119 lines (101 loc) · 3.83 KB
/
generate-cve.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
name: Generate CVE
on:
push:
branches:
- main
schedule:
- cron: '*/30 * * * *'
workflow_dispatch:
inputs:
clean:
description: 'Download fresh feeds from NVD. Any value other than "false" will trigger a clean download.'
required: true
default: 'false'
permissions:
contents: write
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }}
VULNERABILITIES_CLEAN: ${{ github.event.inputs.clean || 'false' }}
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 180
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@v4
with:
ref: main
- name: Import GPG Key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Checkout Fleet
uses: actions/checkout@v4
with:
repository: fleetdm/fleet
fetch-depth: 1
ref: main
path: fleet
- name: Checkout goval-dictionary
uses: actions/checkout@v4
with:
repository: vulsio/goval-dictionary
fetch-depth: 1
ref: adcb4dc66908aa84a0aabcd376af0e6e677ea2fd
path: goval-dictionary
- name: Setup Go
uses: actions/[email protected]
with:
cache: false
go-version: '^1.23.4'
- name: Generate NVD Feeds
run: |
cd fleet
go mod download
go run cmd/cve/generate.go --db_dir ./cvefeed --debug
- name: Build goval-dictionary and ensure destination dir exists
run: |
cd goval-dictionary
make build
mkdir -p ../fleet/cvefeed
- name: Pull Amazon Linux 1 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 1 --dbpath ./fleet/cvefeed/amzn_01.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2 --dbpath ./fleet/cvefeed/amzn_02.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2022 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2022 --dbpath ./fleet/cvefeed/amzn_2022.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2023 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2023 --dbpath ./fleet/cvefeed/amzn_2023.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Compress Amazon Linux vulnerability sqlite files
run: xz ./fleet/cvefeed/*.sqlite3
- name: Current date
id: date
run: |
echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
- name: Tag
run: |
git tag -a cve-${{ steps.date.outputs.date }} -m "release ${{ steps.date.outputs.date }}"
git push origin cve-${{ steps.date.outputs.date }}
- name: Release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
files: |
fleet/cvefeed/*
tag_name: cve-${{ steps.date.outputs.date }}
target_commitish: main
token: ${{ secrets.GITHUB_TOKEN }}
- name: Delete Old Releases
uses: dev-drprasad/[email protected]
with:
delete_tag_pattern: ^cve-.*
keep_latest: 144
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}