Scanner NVD update #854
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scanner NVD update | |
on: | |
pull_request: | |
types: | |
- opened | |
- reopened | |
- synchronize | |
schedule: | |
- cron: '0 */6 * * *' | |
workflow_dispatch: | |
jobs: | |
fetch-nvd-feeds: | |
runs-on: ubuntu-latest | |
if: > | |
github.event_name == 'schedule' || | |
github.event_name == 'workflow_dispatch' || | |
(github.event_name == 'pull_request' && | |
contains(github.event.pull_request.labels.*.name, 'pr-update-scanner-nvd')) | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.10' | |
- name: Fetch NVD Feeds | |
env: | |
SCANNER_NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
SCANNER_NVD_URL: https://services.nvd.nist.gov/rest/json/cves/2.0 | |
run: | | |
set -eu | |
dir=$(mktemp -d) | |
python3 .github/workflows/scripts/scanner-update-nvd-feeds.py "$dir" | |
for f in "$dir"/*.nvd.json; do | |
if jq . "$f" >/dev/null 2>&1; then | |
echo "Validating and adding '$f' to nvd-feeds.zip" | |
zip -j nvd-feeds.zip "$f" | |
else | |
echo "Error: Invalid JSON file '$f'" | |
exit 1 | |
fi | |
done | |
- uses: ./.github/actions/upload-artifact-with-retry | |
with: | |
name: nvd-feeds | |
path: nvd-feeds.zip | |
if-no-files-found: error | |
fetch-nvd-api: | |
runs-on: ubuntu-latest | |
if: > | |
github.event_name == 'schedule' || | |
github.event_name == 'workflow_dispatch' || | |
(github.event_name == 'pull_request' && | |
contains(github.event.pull_request.labels.*.name, 'pr-update-scanner-nvd')) | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.10' | |
- name: Fetch NVD API | |
env: | |
SCANNER_NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
SCANNER_NVD_URL: https://services.nvd.nist.gov/rest/json/cves/2.0 | |
run: | | |
set -eu | |
dir=$(mktemp -d) | |
python3 .github/workflows/scripts/scanner-update-nvd-api.py "$dir" | |
for f in "$dir"/*.nvd.json; do | |
if jq . "$f" >/dev/null 2>&1; then | |
echo "Validating and adding '$f' to nvd-api.zip" | |
zip -j nvd-api.zip "$f" | |
else | |
echo "Error: Invalid JSON file '$f'" | |
exit 1 | |
fi | |
done | |
- uses: ./.github/actions/upload-artifact-with-retry | |
with: | |
name: nvd-api | |
path: nvd-api.zip | |
if-no-files-found: error | |
upload-nvd-feeds: | |
needs: | |
- fetch-nvd-feeds | |
runs-on: ubuntu-latest | |
if: github.event_name != 'pull_request' | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.ref }} | |
- uses: ./.github/actions/download-artifact-with-retry | |
with: | |
name: nvd-feeds | |
path: . | |
- name: Authenticate with Google Cloud | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }} | |
- name: Set up Cloud SDK | |
uses: google-github-actions/setup-gcloud@v2 | |
- name: Upload NVD Feeds to Google Cloud Storage | |
run: | | |
gsutil cp nvd-feeds.zip "gs://definitions.stackrox.io/v4/nvd/nvd-feeds.zip" | |
upload-nvd-api: | |
needs: | |
- fetch-nvd-api | |
runs-on: ubuntu-latest | |
if: github.event_name != 'pull_request' | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.ref }} | |
- uses: ./.github/actions/download-artifact-with-retry | |
with: | |
name: nvd-api | |
path: . | |
- name: Authenticate with Google Cloud | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }} | |
- name: Set up Cloud SDK | |
uses: google-github-actions/setup-gcloud@v2 | |
- name: Upload NVD API to Google Cloud Storage | |
run: | |
gsutil cp nvd-api.zip "gs://definitions.stackrox.io/v4/nvd/nvd-api.zip" | |
send-notification: | |
needs: | |
- upload-nvd-feeds | |
- upload-nvd-api | |
runs-on: ubuntu-latest | |
if: failure() | |
steps: | |
- name: Send Slack notification on workflow failure | |
run: | | |
curl -X POST -H 'Content-type: application/json' --data '{"text":"<${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|Workflow ${{ github.workflow }}> failed in repository ${{ github.repository }}: Failed to update NVD CVEs"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }} |