Run OSV-Scanner on 2022.0 #85
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run OSV-Scanner on 2022.0 | |
| on: | |
| schedule: | |
| - cron: '0 3 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| osv: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: 'v2022.0' | |
| - name: Checkout osv configuration | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: pimcore/workflows-collection-public | |
| path: tools | |
| sparse-checkout: | | |
| osv/2020-0.toml | |
| sparse-checkout-cone-mode: false | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.1' | |
| - name: Install jq | |
| run: sudo apt-get install jq | |
| - name: Install OSV-Scanner | |
| run : sudo snap install osv-scanner | |
| - name: Install SSH Key # this is necessary for Composer to be able to clone source from pimcore/ee-pimcore | |
| uses: shimataro/ssh-key-action@v2 | |
| with: | |
| key: ${{ secrets.SSH_PRIVATE_KEY_PIMCORE_DEPLOYMENTS_USER }} | |
| known_hosts: ".... we add this in the next step ;-)" | |
| - name: "Add authentication for private pimcore packages" | |
| run: | | |
| composer config repositories.private-packagist composer https://repo.pimcore.com/github-actions/ | |
| composer config --global --auth http-basic.repo.pimcore.com github-actions ${{ secrets.COMPOSER_PIMCORE_REPO_PACKAGIST_TOKEN }} | |
| - name: Read and modify composer.json | |
| id: update_composer | |
| run: | | |
| original_content=$(cat composer.json) | |
| for conflict in $(echo "$original_content" | jq -r '.conflict | to_entries[] | @base64'); do | |
| _jq() { | |
| echo ${conflict} | base64 --decode | jq -r ${1} | |
| } | |
| package_name=$(_jq '.key') | |
| composer require "$package_name:*" --no-update | |
| done | |
| - name: Allow SBOM Plugin | |
| run: composer config --no-plugins allow-plugins.cyclonedx/cyclonedx-php-composer true | |
| - name: Install SBOM Plugin | |
| run: composer require cyclonedx/cyclonedx-php-composer | |
| - name: CREATE SBOM | |
| run: composer CycloneDX:make-sbom --output-file=sbom.json --output-format=json | |
| - name: Run OSV-Scanner | |
| id: osvscanner | |
| run: osv-scanner --sbom=sbom.json --output=osv-results.txt --config=tools/osv/2020-0.toml | |
| - name: Upload SBOM as an artifact on failure | |
| if: ${{ failure() && steps.osvscanner.conclusion == 'failure' }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: osv-2022.0 | |
| path: osv-results.txt | |
| - name: Get new vulnerabilities | |
| if: ${{ failure() && steps.osvscanner.conclusion == 'failure' }} | |
| id: get_vulnerabilities | |
| run: | | |
| VULNERABILITIES_ENV=$(grep '^| ' osv-results.txt | cut -d'|' -f2,5,6) | |
| echo "VULNERABILITIES_ENV<<EOF" >> $GITHUB_ENV | |
| echo "$VULNERABILITIES_ENV" >> $GITHUB_ENV | |
| echo "EOF" >> $GITHUB_ENV | |
| - name: Send results of checks to Microsoft Teams | |
| if: ${{ failure() && steps.osvscanner.conclusion == 'failure' }} | |
| uses: aliencube/[email protected] | |
| with: | |
| webhook_uri: ${{ secrets.TEAMS_COMPOSER_VULNERABILITY_URI }} | |
| title: ${{ github.repository }} - 2020.0 vulnerabilities report | |
| summary: ${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}} | |
| text: | | |
| Please check the following link for details: | |
| ${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}} | |
| **Vulnerabilities found:** | |
| ``` | |
| ${{ env.VULNERABILITIES_ENV }} | |
| ``` | |
| If the list is too long, please refer to the link above. |