From 98195ac1e41118b43b9c0ed06acce87f8401428f Mon Sep 17 00:00:00 2001
From: mitchell
Date: Thu, 22 Aug 2024 16:08:41 -0400
Subject: [PATCH] First attempt using intel/cve-bin-tool-action to scan for CVE on push.
---
.github/workflows/scan.yml | 69 ++++++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 .github/workflows/scan.yml
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 0000000000..9d1e4f3623
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,69 @@
+name: CVE scanner
+on:
+ # You can customize this according to your need.
+ - push
+ - pull_request
+jobs:
+ build_and_scan:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Install State Tool
+ uses: ActiveState/setup-state-tool@v1
+
+ - name: Install Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: 1.22.x
+
+ # Get date utility for caching database.
+ - name: Get Date
+ id: get-date
+ run: |
+ echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
+ shell: bash
+ # Let's first download dependencies for this action.
+ - uses: actions/checkout@v2
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+ # This second step is unnecessary but highly recommended because
+ # It will cache database and saves time redownloading it if database isn't stale.
+ - name: get cached python packages
+ uses: actions/cache@v3
+ with:
+ path: ~/.cache/pip
+ key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+ restore-keys: |
+ ${{ runner.os }}-pip-
+ - name: get cached database
+ uses: actions/cache@v3
+ with:
+ path: cache
+ key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
+ - name: Install CVE Binary Tool
+ # We are using latest development version of CVE Binary Tool
+ # because current PyPI version don't have features like config file support,
+ # generating HTML report etc.
+ run: |
+ [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
+ pip install git+https://github.com/intel/cve-bin-tool@main
+ # In case you prefer current PyPI version, you need to hard code CLI options
+ # for cve-bin-tool in the action itself and have to use CSV or JSON as output format.
+ # pip install cve-bin-tool
+ - name: build package
+ run: |
+ state run preprocess
+ state run build
+ - name: Scan built package
+ run: cve-bin-tool build -f html -o cve-bin-tool-report.html -x
+ continue-on-error: true
+ # You need to set continue_on_error: true because CVE Binary Tool sets number of cves
+ # as exit code. And GitHub terminates action when process produces
+ # nonzero exit code status.
+ - name: Upload report as an artifact
+ # This will upload generated report as an GitHub artifact which you can download later.
+ uses: actions/upload-artifact@v2
+ with:
+ name: cve_report
+ path: 'cve-bin-tool-report.html'
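Review bot: The scanner is installed from a moving branch, `pip install git+https://github.com/intel/cve-bin-tool@main`, so each run executes whatever is on `main` at that moment against the freshly built package; pin it to a release tag or full commit SHA (`pip install git+https://github.com/intel/cve-bin-tool@<tag-or-sha>`) so the scan is reproducible and a broken or compromised upstream commit cannot land in CI unnoticed. The actions are likewise referenced by floating major tags (`actions/checkout@v2`, `actions/upload-artifact@v2`, `actions/cache@v3`, …), some of them old majors; pinning each to a commit SHA with a `# vX.Y.Z` comment is the usual hardening. No `permissions:` block is declared, so the job runs with the repository's default `GITHUB_TOKEN` scope although nothing here needs more than read access — add `permissions:` / `  contents: read` at the top level. With `continue-on-error: true` on the scan step the job is green regardless of findings, so the report is advisory only; if the intent is to gate merges, fail on a severity threshold or at least surface the CVE count in the job summary. Separately, the restore step puts the database at `path: cache` but the install step immediately `mv`s it to `~/.cache/cve-bin-tool` and nothing moves it back, so it looks like the post-job cache save finds nothing to store — verify the cache is actually being populated across runs.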