feat: Added CI-PRE-CHECKER for VENDOR_PRODUCT #3840
Original file line number | Diff line number | Diff line change | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
@@ -0,0 +1,75 @@ | ||||||||||||||||||||||
name: Checkers-Action | ||||||||||||||||||||||
|
||||||||||||||||||||||
on: | ||||||||||||||||||||||
push: | ||||||||||||||||||||||
branches: [ main ] | ||||||||||||||||||||||
paths: | ||||||||||||||||||||||
- 'cve_bin_tool/checkers/**/*.py' | ||||||||||||||||||||||
pull_request: | ||||||||||||||||||||||
branches: [ main ] | ||||||||||||||||||||||
paths: | ||||||||||||||||||||||
- 'cve_bin_tool/checkers/**/*.py' | ||||||||||||||||||||||
|
||||||||||||||||||||||
jobs: | ||||||||||||||||||||||
run-script: | ||||||||||||||||||||||
runs-on: ubuntu-latest | ||||||||||||||||||||||
steps: | ||||||||||||||||||||||
- name: Checkout code | ||||||||||||||||||||||
uses: actions/checkout@v3 | ||||||||||||||||||||||
|
||||||||||||||||||||||
- name: Get date | ||||||||||||||||||||||
id: get-date | ||||||||||||||||||||||
run: | | ||||||||||||||||||||||
echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT | ||||||||||||||||||||||
echo "yesterday=$(/bin/date -d "-1 day" -u "+%Y%m%d")" >> $GITHUB_OUTPUT | ||||||||||||||||||||||
|
||||||||||||||||||||||
- name: Print Cache Keys | ||||||||||||||||||||||
run: | | ||||||||||||||||||||||
echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}" | ||||||||||||||||||||||
echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}" | ||||||||||||||||||||||
|
||||||||||||||||||||||
- name: Get today's cached database | ||||||||||||||||||||||
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | ||||||||||||||||||||||
id: todays-cache | ||||||||||||||||||||||
with: | ||||||||||||||||||||||
path: cache | ||||||||||||||||||||||
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }} | ||||||||||||||||||||||
|
||||||||||||||||||||||
- name: Get yesterday's cached database if today's is not available | ||||||||||||||||||||||
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 | ||||||||||||||||||||||
if: steps.todays-cache.outputs.cache-hit != 'true' | ||||||||||||||||||||||
with: | ||||||||||||||||||||||
path: cache | ||||||||||||||||||||||
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }} | ||||||||||||||||||||||
|
||||||||||||||||||||||
- name: Install cve-bin-tool | ||||||||||||||||||||||
if: env.sbom != 'true' | ||||||||||||||||||||||
run: | | ||||||||||||||||||||||
python -m pip install --upgrade pip | ||||||||||||||||||||||
python -m pip install --upgrade setuptools | ||||||||||||||||||||||
python -m pip install --upgrade wheel | ||||||||||||||||||||||
python -m pip install --upgrade -r dev-requirements.txt | ||||||||||||||||||||||
python -m pip install --upgrade . | ||||||||||||||||||||||
|
||||||||||||||||||||||
- name: Try single CLI run of tool | ||||||||||||||||||||||
if: env.sbom != 'true' | ||||||||||||||||||||||
run: | | ||||||||||||||||||||||
[[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool | ||||||||||||||||||||||
NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out | ||||||||||||||||||||||
cp -r ~/.cache/cve-bin-tool cache | ||||||||||||||||||||||
|
||||||||||||||||||||||
Comment on lines +54 to +60 (suggested change): We only need to keep the cache copy line here.
||||||||||||||||||||||
- name: Get changed files in checkers directory | ||||||||||||||||||||||
id: changed-files | ||||||||||||||||||||||
run: | | ||||||||||||||||||||||
files=$(git diff --name-only ${{ github.sha }} ${{ github.event.before }} | grep '^cve_bin_tool/checkers/' | xargs) | ||||||||||||||||||||||
This is generating an error when run and I don't know offhand what to do with it, so you're on your own for fixing it:

Yep. I tried changing the depth of the checkout code to 0 and it fetched all the checker files. I'm not able to fetch only the changed .py files in checkers.

We're using https://github.com/technote-space/get-diff-action on some of our other workflows; don't know if it'll be better but maybe worth a shot?

@joydeep049 I am not sure how comparing commits is better than just comparing branches. I think you can give it a try; not sure off the top if it's the best way to do it, but it should work. Alternatively you can try get-diff-action as @terriko mentioned, but on my first glance I think it only checks changes between commits, so you have to read a little. Hope it helps:

@mastersans Thanks! I'll try this! If it doesn't work then @terriko anyway said in the meet she would give it a look next week.

Yeah, but one branch can have multiple commits, so why not just check branches for the difference.
||||||||||||||||||||||
echo "::set-output name=files::$files" | ||||||||||||||||||||||
shell: bash | ||||||||||||||||||||||
|
||||||||||||||||||||||
- name: Run Python script | ||||||||||||||||||||||
run: | | ||||||||||||||||||||||
IFS=' ' read -r -a files <<< "${{ steps.changed-files.outputs.files }}" | ||||||||||||||||||||||
for file in "${files[@]}"; do | ||||||||||||||||||||||
python cve_bin_tool/ci_pre_checker.py "$file" | ||||||||||||||||||||||
done | ||||||||||||||||||||||
shell: bash | ||||||||||||||||||||||
|
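Review bot: the `Get changed files in checkers directory` step will not work as written: `git diff --name-only ${{ github.sha }} ${{ github.event.before }}` depends on `github.event.before`, which is only populated for `push` events and expands to an empty string on `pull_request`, and `actions/checkout@v3` clones with `fetch-depth: 1`, so the earlier commit is not present even on push (which matches the error discussed in the thread). Use `fetch-depth: 0` on the checkout and, for pull requests, diff against `${{ github.event.pull_request.base.sha }}`; also add `--diff-filter=d` and restrict the grep to `\.py$` so deleted or non-Python paths are not handed to `ci_pre_checker.py`, which would otherwise fail on `open()`. `echo "::set-output name=files::$files"` is deprecated; write to `$GITHUB_OUTPUT` as the `Get date` step already does. Two smaller points: `mkdir -p .cache` creates a directory in the workspace rather than `~/.cache`, which is where the following `mv` puts the database, and `env.sbom` is never defined in this workflow, so both `if: env.sbom != 'true'` guards are always true.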
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Copyright (C) 2024 Intel Corporation | ||
# SPDX-License-Identifier: GPL-3.0-or-later | ||
|
||
""" | ||
|
||
Test for checker-action github action. | ||
Below code is meant to mimic a checker, except it contains bogus VENDOR_PRODUCT. | ||
The test in the CI should fail. | ||
|
||
|
||
-- Joydeep Tripathy (joydeep049) | ||
""" | ||
|
||
from __future__ import annotations | ||
|
||
from cve_bin_tool.checkers import Checker | ||
|
||
|
||
class TestPreCheckerChecker(Checker): | ||
CONTAINS_PATTERNS: list[str] = [] | ||
FILENAME_PATTERNS: list[str] = [] | ||
VERSION_PATTERNS = [] | ||
VENDOR_PRODUCT = [("apc", "something")] |
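Review bot: the docstring says the CI check should fail on this file, but `ci_pre_checker.py` in this PR will not fail on it: its scanner starts collecting at the first line containing the substring `VENDOR_PRODUCT`, which here is the docstring sentence `except it contains bogus VENDOR_PRODUCT.`, and keeps appending lines until one ends in `]`, i.e. `CONTAINS_PATTERNS: list[str] = []`, so the evaluated list is empty and the `("apc", "something")` pair is never queried. Reword the docstring so the identifier does not appear in it (or parse the module with `ast`). Separately, a module whose purpose is to make the check fail cannot be merged into `cve_bin_tool/checkers/` (the only path the workflow watches) without turning this PR's own run red; keep it as an unmerged demonstration or as a fixture under `test/`. Minor: `VERSION_PATTERNS` lacks the `list[str]` annotation the two lines above carry.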
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
# Copyright (C) 2021 Intel Corporation | ||
# SPDX-License-Identifier: GPL-3.0-or-later | ||
"""Testing script for checkers-action.yml""" | ||
import ast | ||
import sqlite3 | ||
import sys | ||
from pathlib import Path | ||
|
||
OLD_CACHE_DIR = Path("~").expanduser() / ".cache" / "cve-bin-tool" / "cve.db" | ||
|
||
|
||
def extract_vendor_product(file_path): | ||
"""Extract {vendor,product} pairs from given checker file""" | ||
vendor_product = None | ||
print(file_path) | ||
with open(file_path) as file: | ||
inside_vendor_product = False | ||
vendor_product_str = "" | ||
for line in file: | ||
if "VENDOR_PRODUCT" in line: | ||
inside_vendor_product = True | ||
if inside_vendor_product: | ||
print("inside_vendor_product") | ||
vendor_product_str += line.strip() | ||
if line.strip().endswith("]"): | ||
break | ||
if vendor_product_str: | ||
print(vendor_product_str) | ||
vendor_product = ast.literal_eval(vendor_product_str.split("=")[1].strip()) | ||
return vendor_product | ||
|
||
|
||
def query_database(file_path): | ||
"""Query the database and check whether all the {vendor,product} pairs have associated CVEs""" | ||
vendor_product = extract_vendor_product(file_path) | ||
dbcon = sqlite3.connect(OLD_CACHE_DIR) | ||
cursor = dbcon.cursor() | ||
for vendor, product in vendor_product: | ||
cursor.execute( | ||
"SELECT count(*) FROM cve_range WHERE vendor = ? AND product = ?", | ||
(vendor, product), | ||
) | ||
result = cursor.fetchall() | ||
# Failing Workflow | ||
if result[0] == 0: | ||
sys.exit(1) | ||
# Indicate Success | ||
sys.exit(0) | ||
|
||
|
||
# Caller Code | ||
file_path = sys.argv[1] | ||
print(OLD_CACHE_DIR) | ||
query_database(file_path) |
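Review bot: the failure condition in `query_database` can never fire: `cursor.fetchall()` returns a list of row tuples, so `result[0]` is `(count,)` and `result[0] == 0` is always False; use `cursor.fetchone()[0] == 0` (or `result[0][0]`). `extract_vendor_product` also returns `None` when no assignment is found, which makes `for vendor, product in vendor_product` raise `TypeError`, and its substring test `"VENDOR_PRODUCT" in line` matches comments and docstrings (as the sibling test checker's docstring shows) and then swallows lines until one ends in `]`. Since `ast` is already imported, parse the file with `ast.parse`, find the `Assign` (or `AnnAssign`) to `VENDOR_PRODUCT` in the class body and pass its value node to `ast.literal_eval`; that also copes with multi-line lists, trailing commas and inline comments. `sqlite3.connect(OLD_CACHE_DIR)` silently creates an empty database if the cache was not restored, which then fails with "no such table: cve_range"; check `OLD_CACHE_DIR.exists()` first and exit with a clear message. The debugging `print` calls should go before merge, and the 2021 copyright year does not match the 2024 header in the sibling file.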
I think you were given some bad advice above: since your script doesn't actually call anything out of cve-bin-tool you shouldn't need to install it or run it, merely copy the database to the expected location. If you had any dependencies in your script that weren't python packages you could install them here (example below), but probably you just want to remove this section.