From a7ebdccb49e39d962e9306424474100fd44fe1ce Mon Sep 17 00:00:00 2001
From: Nicola Coretti
Date: Mon, 23 Oct 2023 09:23:03 +0200
Subject: [PATCH] Add basic outline for security issues tool & action

---
 .github/actions/security-issues/action.yml | 62 ++++++++++++++++++++++
 exasol/toolbox/tools/security_issues.py | 49 +++++++++++++++++
 pyproject.toml | 1 +
 3 files changed, 112 insertions(+)
 create mode 100644 .github/actions/security-issues/action.yml
 create mode 100644 exasol/toolbox/tools/security_issues.py

diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml
new file mode 100644
index 000000000..0d3c603d8
--- /dev/null
+++ b/.github/actions/security-issues/action.yml
@@ -0,0 +1,62 @@
+name: 'SIA'
+description: 'The Security Issues Action creates github issues for open security issues in the repository'
+
+# TODOs & Ideas
+# * Change format to official CVE schema
+# * Change action to support all kinds of formats
+# * Add custom/additional details on ticket creation (e.g. dependency tree)
+
+inputs:
+
+  scan-command:
+    description: 'Command which creates a security report for the repository'
+    required: true
+    default: "mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate -Dossindex.reportFile=security-issues.json"
+
+  scan-output:
+    description: 'Output file generated by the scan-command'
+    required: true
+    default: "security-issues.json"
+
+  input-converter:
+    description: 'Converter to apply on the scan-output before processing'
+    required: false
+    # passthrough in case of None
+    default: maven
+
+runs:
+
+  using: "composite"
+  steps:
+
+    - name: Setup Python (${{ inputs.python-version}})
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ inputs.python-version }}
+
+    # Pin this to specifically released verison
+    - name: Install Python Toolbox / Security tool
+      run: |
+        pip install 'git+https://github.com/exasol/python-toolbox.git@security-issues-action'
+
+    - name: Install Python Toolbox / Security Issues tool
+      run: |
+        scan-command > $scan-output
+
+    - name: Run scan-command
+      run: |
+        scan-command > $scan-output
+
+    - name: Run input-converter
+      run: |
+        security-issues convert maven < $scan-output > issues.json
+
+    - name: Filter Existing Issues (Open & Closed)
+      run: |
+        security-issues filter github < scan.json > issues.json
+      # This could be added in the future
+      # tbx security-issues filter exclusions < issues.json > filtered-pt2.json
+
+    - name: Create Issues for
+      run: |
+        security-issues create github < issues.json
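Review bot: None of the `run` steps actually reaches the declared inputs: `scan-command > $scan-output` executes a program literally named `scan-command` and expands an undefined shell variable `$scan` followed by the text `-output`, because composite-action inputs are only available through `${{ inputs.scan-command }}` (or an `env:` mapping), never as shell variables. Every `run` step in a composite action also requires a `shell:` key, `inputs.python-version` is used by the setup step but never declared under `inputs:`, and the pipeline does not chain — the convert step writes `issues.json`, the filter step reads `scan.json` (which nothing creates) and then overwrites `issues.json`. The second `Install Python Toolbox / Security Issues tool` step merely duplicates the scan step and can be dropped. Since the file and converter inputs come from the calling workflow, passing them through `env:` and quoting them keeps the shell from re-parsing their contents; the rewritten scan/convert/filter steps below show one way to do this (the install from a moving branch is already flagged by the `# Pin this` comment).
```yaml
    - name: Run scan-command
      shell: bash
      env:
        SCAN_OUTPUT: ${{ inputs.scan-output }}
      run: |
        ${{ inputs.scan-command }} > "$SCAN_OUTPUT"

    - name: Run input-converter
      shell: bash
      env:
        SCAN_OUTPUT: ${{ inputs.scan-output }}
        INPUT_CONVERTER: ${{ inputs.input-converter }}
      run: |
        security-issues convert "$INPUT_CONVERTER" < "$SCAN_OUTPUT" > converted.json

    - name: Filter Existing Issues (Open & Closed)
      shell: bash
      run: |
        security-issues filter github < converted.json > issues.json
    # … unchanged: Create Issues step (needs `shell: bash` as well) …
```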
diff --git a/exasol/toolbox/tools/security_issues.py b/exasol/toolbox/tools/security_issues.py
new file mode 100644
index 000000000..251bd248d
--- /dev/null
+++ b/exasol/toolbox/tools/security_issues.py
@@ -0,0 +1,49 @@
+import difflib
+import io
+from contextlib import ExitStack
+from pathlib import Path
+from typing import (
+    Any,
+    Mapping,
+    Union,
+)
+
+import importlib_resources as resources
+import typer
+from rich.columns import Columns
+from rich.console import Console
+from rich.syntax import Syntax
+
+stdout = Console()
+stderr = Console(stderr=True)
+
+CLI = typer.Typer()
+
+
+def _workflows() -> Mapping[str, Any]:
+    pkg = "exasol.toolbox.templates.github.workflows"
+
+    def _normalize(name: str) -> str:
+        name, ext = name.split(".")
+        return name
+
+    return {_normalize(w.name): w for w in resources.files(pkg).iterdir()}  # type: ignore
+
+
+@CLI.command(name="convert")
+def convert() -> None:
+    pass
+
+
+@CLI.command(name="filter")
+def filter() -> None:
+    pass
+
+
+@CLI.command(name="create")
+def create() -> None:
+    pass
+
+
+if __name__ == "__main__":
+    CLI()
diff --git a/pyproject.toml b/pyproject.toml
index 23e4e7f77..5fcc30e32 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -102,3 +102,4 @@ ignore_errors = true
 
 [tool.poetry.scripts]
 tbx = 'exasol.toolbox.tools.tbx:CLI'
+security-issues = 'exasol.toolbox.tools.security_issues:CLI'
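Review bot: `_normalize` inside `_workflows` unpacks `name.split(".")` into exactly two names, so any directory entry whose filename has no dot or more than one (`README`, `ci.yml.j2`) raises `ValueError` the moment the dict comprehension reaches it; `Path` is already imported, so `return Path(name).stem` (or `name.rsplit(".", 1)[0]`) covers both cases and removes the unused `ext` binding. The `filter` command function shadows the builtin; renaming it to `filter_` keeps the CLI name because `@CLI.command(name="filter")` already sets it explicitly. The three command bodies are `pass` placeholders and most of the imports (`difflib`, `io`, `ExitStack`, `Union`, `Columns`, `Syntax`) are unused, which is expected for an outline, but a one-line `# TODO` on each stub stating the expected stdin/stdout format would document the pipeline the companion action already assumes (`convert` → `filter` → `create`, each reading stdin and writing stdout).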