-
Notifications
You must be signed in to change notification settings - Fork 2
109 lines (89 loc) · 3.74 KB
/
osv-2022.0.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
name: Run OSV-Scanner on 2022.0
on:
schedule:
- cron: '0 3 * * *'
workflow_dispatch:
jobs:
osv:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v4
with:
ref: 'v2022.0'
- name: Checkout osv configuration
uses: actions/checkout@v4
with:
repository: pimcore/workflows-collection-public
path: tools
sparse-checkout: |
osv/2020-0.toml
sparse-checkout-cone-mode: false
- name: Set up PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.1'
- name: Install jq
run: sudo apt-get install jq
- name: Install OSV-Scanner
run : sudo snap install osv-scanner
- name: Install SSH Key # this is necessary for Composer to be able to clone source from pimcore/ee-pimcore
uses: shimataro/ssh-key-action@v2
with:
key: ${{ secrets.SSH_PRIVATE_KEY_PIMCORE_DEPLOYMENTS_USER }}
known_hosts: ".... we add this in the next step ;-)"
- name: "Add authentication for private pimcore packages"
run: |
composer config repositories.private-packagist composer https://repo.pimcore.com/github-actions/
composer config --global --auth http-basic.repo.pimcore.com github-actions ${{ secrets.COMPOSER_PIMCORE_REPO_PACKAGIST_TOKEN }}
- name: Read and modify composer.json
id: update_composer
run: |
original_content=$(cat composer.json)
for conflict in $(echo "$original_content" | jq -r '.conflict | to_entries[] | @base64'); do
_jq() {
echo ${conflict} | base64 --decode | jq -r ${1}
}
package_name=$(_jq '.key')
composer require "$package_name:*" --no-update
done
- name: Allow SBOM Plugin
run: composer config --no-plugins allow-plugins.cyclonedx/cyclonedx-php-composer true
- name: Install SBOM Plugin
run: composer require cyclonedx/cyclonedx-php-composer
- name: CREATE SBOM
run: composer CycloneDX:make-sbom --output-file=sbom.json --output-format=json
- name: Run OSV-Scanner
id: osvscanner
run: osv-scanner --sbom=sbom.json --output=osv-results.txt --config=tools/osv/2020-0.toml
- name: Upload SBOM as an artifact on failure
if: ${{ failure() && steps.osvscanner.conclusion == 'failure' }}
uses: actions/upload-artifact@v4
with:
name: osv-2022.0
path: osv-results.txt
- name: Get new vulnerabilities
if: ${{ failure() && steps.osvscanner.conclusion == 'failure' }}
id: get_vulnerabilities
run: |
VULNERABILITIES_ENV=$(grep '^| ' osv-results.txt | cut -d'|' -f2,5,6)
echo "VULNERABILITIES_ENV<<EOF" >> $GITHUB_ENV
echo "$VULNERABILITIES_ENV" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: Send results of checks to Microsoft Teams
if: ${{ failure() && steps.osvscanner.conclusion == 'failure' }}
uses: aliencube/[email protected]
with:
webhook_uri: ${{ secrets.TEAMS_COMPOSER_VULNERABILITY_URI }}
title: ${{ github.repository }} - 2020.0 vulnerabilities report
summary: ${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}
text: |
Please check the following link for details:
${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}
**Vulnerabilities found:**
```
${{ env.VULNERABILITIES_ENV }}
```
If the list is too long, please refer to the link above.