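# Builds the AppThreat vulnerability database (vdb5) every six hours, or on
# demand, and publishes it to ghcr.io with oras as plain, gzip and xz layers
# plus a nydus RAFS image. The build runs twice in one job: once with NVD data
# from 2018 onwards (vdb, vdbgz, vdbxz) and once from 2014 onwards (the *-10y
# repositories).
name: Build and Upload vdb5
on:
  schedule:
    - cron: "0 */6 * * *"
  workflow_dispatch:
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: appthreat/vdb
jobs:
  builder:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: the steps below only read repositories
    # (actions/checkout) and push to GitHub Packages (oras push). No step
    # writes to repository contents, so contents: read is sufficient.
    permissions:
      contents: read
      packages: write
    steps:
      # Third-party actions are pinned to major tags. Pinning to full commit
      # SHAs instead would keep a moved tag from changing what runs here.
      - uses: actions/checkout@v4
      # The database builder itself, at a fixed release tag.
      - uses: actions/checkout@v4
        with:
          repository: AppThreat/vulnerability-db
          path: vulnerability-db
          ref: 'v5.8.2'
      # Raw advisory feeds consumed by the builder; history is not needed, so
      # the clone is shallow.
      - uses: actions/checkout@v4
        with:
          repository: AppThreat/vuln-list
          path: vuln-list
          fetch-depth: '1'
      - uses: oras-project/setup-oras@v1
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      # Frees space on the hosted runner before the (large) database build.
      - name: Trim CI agent
        run: |
          chmod +x contrib/free_disk_space.sh
          ./contrib/free_disk_space.sh
      # nydus-image is needed below to produce the RAFS variant of the
      # database. The release archive is currently downloaded without
      # integrity verification: record the expected digest of the tarball
      # (<NYDUS_TGZ_SHA256_PLACEHOLDER>) and check it with `sha256sum -c`
      # before extracting, so a tampered or replaced release cannot reach the
      # published artifacts.
      - name: setup nydus
        run: |
          curl -LO https://github.com/dragonflyoss/nydus/releases/download/v2.2.4/nydus-static-v2.2.4-linux-amd64.tgz
          tar -xvf nydus-static-v2.2.4-linux-amd64.tgz
          chmod +x nydus-static/*
          mv nydus-static/* /usr/local/bin/
          rm -rf nydus-static-v2.2.4-linux-amd64.tgz nydus-static
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install setuptools wheel twine build
          cd vulnerability-db && pip install ".[dev]"
      # Pass 1: NVD data from 2018 onwards. The vuln-list checkout (minus the
      # kevc, mariner and suse cvrf subtrees) is zipped into VDB_CACHE and the
      # working tree is deleted to save disk; vdb/cli.py then writes data.vdb5
      # and data.index.vdb5 under VDB_HOME. The registry password is passed to
      # oras on stdin rather than on the command line.
      - name: Build and upload db - 2018
        run: |
          mkdir vdb_data vdb_cache rafs_out
          rm -rf ./vuln-list/kevc ./vuln-list/mariner ./vuln-list/cvrf/suse/suse
          zip -q -r vuln-list.zip ./vuln-list/
          mv vuln-list.zip vdb_cache/
          rm -rf ./vuln-list/
          python vulnerability-db/vdb/cli.py --cache-os
          ls -lh vdb_data
          ls -lh vdb_cache
          cd vdb_data
          tar -cvzf data.vdb5.tar.gz data.vdb5
          tar -cvzf data.index.vdb5.tar.gz data.index.vdb5
          tar -cvJf data.vdb5.tar.xz data.vdb5
          tar -cvJf data.index.vdb5.tar.xz data.index.vdb5
          echo $GITHUB_TOKEN | oras login ghcr.io -u $GITHUB_USERNAME --password-stdin
          oras push ghcr.io/$IMAGE_NAME:v5 \
            --config ../config.json:application/vnd.oras.config.v1+json \
            --annotation-file ../annotations.json \
            ./data.vdb5:application/vnd.appthreat.vdb.layer.v1+tar \
            ./data.index.vdb5:application/vnd.appthreat.vdb.layer.v1+tar
          oras push ghcr.io/appthreat/vdbgz:v5 \
            --artifact-type application/vnd.oras.config.v1+json \
            ./data.vdb5.tar.gz:application/vnd.appthreat.vdb.layer.v1+tar \
            ./data.index.vdb5.tar.gz:application/vnd.appthreat.vdb.layer.v1+tar
          oras push ghcr.io/appthreat/vdbxz:v5 \
            --artifact-type application/vnd.oras.config.v1+json \
            ./data.vdb5.tar.xz:application/vnd.appthreat.vdb.layer.v1+tar \
            ./data.index.vdb5.tar.xz:application/vnd.appthreat.vdb.layer.v1+tar
          cd ..
          nydus-image create -t dir-rafs --blob-id appthreat-vdb-v5 --blob rafs_out/data.rafs --bootstrap rafs_out/meta.rafs vdb_data --repeatable
          cd rafs_out
          oras push ghcr.io/$IMAGE_NAME:v5-rafs \
            --config ../config.json:application/vnd.oras.config.v1+json \
            --annotation-file ../annotations.json \
            ./data.rafs:application/vnd.appthreat.vdb-rafs.layer.v1+tar \
            ./meta.rafs:application/vnd.appthreat.vdb-rafs.layer.v1+tar
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PYTHONPATH: vulnerability-db
          VDB_HOME: vdb_data
          VDB_CACHE: vdb_cache
          GITHUB_PAGE_COUNT: 10
          NVD_START_YEAR: 2018
          GITHUB_USERNAME: ${{ github.actor }}
      # The first pass deleted ./vuln-list, so the feeds are checked out again
      # under a different path for the second pass.
      - uses: actions/checkout@v4
        with:
          repository: AppThreat/vuln-list
          path: vuln-list2
          fetch-depth: '1'
      # Pass 2: same pipeline with NVD data from 2014 onwards and a larger
      # GitHub page count, published to the *-10y repositories. The output
      # directories from pass 1 are recreated from scratch first.
      - name: Build and upload db - 2014
        run: |
          cd $GITHUB_WORKSPACE
          rm -rf vdb_data vdb_cache rafs_out
          mkdir vdb_data vdb_cache rafs_out
          rm -rf ./vuln-list2/kevc ./vuln-list2/mariner ./vuln-list2/cvrf/suse/suse
          zip -q -r vuln-list.zip ./vuln-list2/
          mv vuln-list.zip vdb_cache/
          rm -rf ./vuln-list2/
          python vulnerability-db/vdb/cli.py --cache-os
          ls -lh vdb_data
          ls -lh vdb_cache
          cd vdb_data
          tar -cvzf data.vdb5.tar.gz data.vdb5
          tar -cvzf data.index.vdb5.tar.gz data.index.vdb5
          tar -cvJf data.vdb5.tar.xz data.vdb5
          tar -cvJf data.index.vdb5.tar.xz data.index.vdb5
          echo $GITHUB_TOKEN | oras login ghcr.io -u $GITHUB_USERNAME --password-stdin
          oras push ghcr.io/appthreat/vdb-10y:v5 \
            --artifact-type application/vnd.oras.config.v1+json \
            ./data.vdb5:application/vnd.appthreat.vdb.layer.v1+tar \
            ./data.index.vdb5:application/vnd.appthreat.vdb.layer.v1+tar
          oras push ghcr.io/appthreat/vdbgz-10y:v5 \
            --artifact-type application/vnd.oras.config.v1+json \
            ./data.vdb5.tar.gz:application/vnd.appthreat.vdb.layer.v1+tar \
            ./data.index.vdb5.tar.gz:application/vnd.appthreat.vdb.layer.v1+tar
          oras push ghcr.io/appthreat/vdbxz-10y:v5 \
            --artifact-type application/vnd.oras.config.v1+json \
            ./data.vdb5.tar.xz:application/vnd.appthreat.vdb.layer.v1+tar \
            ./data.index.vdb5.tar.xz:application/vnd.appthreat.vdb.layer.v1+tar
          cd ..
          nydus-image create -t dir-rafs --blob-id appthreat-vdb-10y-v5 --blob rafs_out/data.rafs --bootstrap rafs_out/meta.rafs vdb_data --repeatable
          cd rafs_out
          oras push ghcr.io/appthreat/vdb-10y:v5-rafs \
            --artifact-type application/vnd.oras.config.v1+json \
            ./data.rafs:application/vnd.appthreat.vdb-rafs.layer.v1+tar \
            ./meta.rafs:application/vnd.appthreat.vdb-rafs.layer.v1+tar
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PYTHONPATH: vulnerability-db
          VDB_HOME: vdb_data
          VDB_CACHE: vdb_cache
          GITHUB_PAGE_COUNT: 20
          NVD_START_YEAR: 2014
          GITHUB_USERNAME: ${{ github.actor }}
      # Disabled: publish to public ECR. If re-enabled, prefer short-lived
      # credentials via OIDC (aws-actions/configure-aws-credentials with
      # id-token: write) over long-lived access keys stored as secrets.
      # - name: Release public ecr
      #   run: |
      #     cd vdb_data
      #     aws ecr-public get-login-password --region us-east-1 | oras login -u AWS --password-stdin public.ecr.aws
      #     oras push public.ecr.aws/$IMAGE_NAME:v5 \
      #       --artifact-type application/vnd.oras.config.v1+json \
      #       ./data.vdb5:application/vnd.appthreat.vdb.layer.v1+tar \
      #       ./data.index.vdb5:application/vnd.appthreat.vdb.layer.v1+tar
      #   env:
      #     REGISTRY: public.ecr.aws
      #     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      #     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      #     AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}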