From 4064826f2f4ccf1fc826b4dfe28771cce8675fd4 Mon Sep 17 00:00:00 2001 From: Thomas Roos Date: Wed, 27 Dec 2023 16:33:14 +0000 Subject: [PATCH] add a GitHub action that checks for CVEs on every pull request and nightly --- .github/workflows/auto-update.yml | 2 +- .github/workflows/nightly-cve-check.yml | 81 ++++++++++++++++++ .github/workflows/pr-cve-check.yml | 82 +++++++++++++++++++ .../amazon-ssm-agent_3.2.2086.0.bb | 2 +- 4 files changed, 165 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/nightly-cve-check.yml create mode 100644 .github/workflows/pr-cve-check.yml diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml index 5dade9961..583306f91 100644 --- a/.github/workflows/auto-update.yml +++ b/.github/workflows/auto-update.yml @@ -2,7 +2,7 @@ name: Auto-Recipe-Update on: schedule: - - cron: '0 0 * * 2-5' + - cron: '0 1 * * 2-5' workflow_dispatch: jobs: diff --git a/.github/workflows/nightly-cve-check.yml b/.github/workflows/nightly-cve-check.yml new file mode 100644 index 000000000..f01b3cdb4 --- /dev/null +++ b/.github/workflows/nightly-cve-check.yml 
@@ -0,0 +1,81 @@
+name: nightly-cve-check
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+jobs:
+  nightly-cve-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install required packages to run nighly-cve-check
+        run: |
+          sudo apt-get -y install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 xz-utils zstd liblz4-tool locales
+          echo "en_US.UTF-8 UTF-8" | sudo tee --append /etc/locale.gen
+          sudo locale-gen
+      - name: Checkout meta-aws
+        uses: actions/checkout@v3
+        with:
+          path: yocto_cve/meta-aws
+      - name: Checkout meta-oe
+        uses: actions/checkout@v3
+        with:
+          repository: openembedded/meta-openembedded
+          path: yocto_cve/meta-openembedded
+      - name: Checkout poky
+        run: |
+          cd yocto_cve/
+          git clone git://git.yoctoproject.org/poky --single-branch
+      - name: Cache sstate + downloads
+        uses: actions/cache@v3
+        with:
+          path: |
+            yocto_cve/build/sstate-cache
+            yocto_cve/build/downloads
+          key: cache-cve-sstate-downloads
+      - name: Run CVE check
+        run: |
+          cd yocto_cve/
+          source poky/oe-init-build-env build
+          bitbake-layers add-layer ../meta-openembedded/meta-oe
+          bitbake-layers add-layer ../meta-openembedded/meta-python
+          bitbake-layers add-layer ../meta-openembedded/meta-networking
+          bitbake-layers add-layer ../meta-openembedded/meta-multimedia
+          bitbake-layers add-layer ../meta-aws
+          echo 'INHERIT += "cve-check"' >> conf/local.conf
+          bitbake -c cve_check `find ../meta-aws -name *.bb -type f | sed 's!.*/!!' | sed 's!.bb!!' | sed 's!_.*!!' | sort | uniq | sed -z 's/\n/ /g'`
+      - name: Show cve-summary.json
+        run: |
+          cat yocto_cve/build/tmp/log/cve/cve-summary.json
+      - name: Check results (cve-summary.json) for unpatched CVEs
+        shell: bash
+        run: |
+          jq -e '.package[] | select(.issue[].status | contains ("Unpatched") )' yocto_cve/build/tmp/log/cve/cve-summary.json > unpatched-cves.json; \
+          if [ $? -eq 0 ]; then echo "::error::Found unpatched CVEs in packages: $(jq -e '. 
| select(.issue[].status | contains ("Unpatched") ) | .name' unpatched-cves.json)" && exit 1; fi; \
+          if [ $? -eq 4 ] ; then echo "::notice::No unpatched CVEs found" && exit 0; fi; \
+          echo "::error::General error" && exit 99
+      - name: Generate step summary
+        if: '!cancelled()'
+        shell: bash
+        run: |
+          if [ -f unpatched-cves.json ]; then
+            echo -e "# Found unpatched CVE(s) in package(s):" >> $GITHUB_STEP_SUMMARY
+            cat unpatched-cves.json >> $GITHUB_STEP_SUMMARY
+          else
+            echo -e "# No unpatched CVE(s) found" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo -e "# CVE-SUMMARY:\n" >> $GITHUB_STEP_SUMMARY
+          cat yocto_cve/build/tmp/log/cve/cve-summary.json >> $GITHUB_STEP_SUMMARY
+      - name: Save cve-summary.json
+        if: '!cancelled()'
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-summary.json
+          path: yocto_cve/build/tmp/log/cve/cve-summary.json
+      - name: Save cve-summary
+        if: '!cancelled()'
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-summary
+          path: yocto_cve/build/tmp/log/cve/cve-summary
+          if-no-files-found: ignore
\ No newline at end of file
diff --git a/.github/workflows/pr-cve-check.yml b/.github/workflows/pr-cve-check.yml
new file mode 100644
index 000000000..e3ef6778e
--- /dev/null
+++ b/.github/workflows/pr-cve-check.yml
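Review bot: The result-check step fails a clean run: with `shell: bash` GitHub runs the script under `-e`, so jq's exit status 4 (nothing matched) aborts the step at the jq line before either `if` executes, and even without `-e` the second test `if [ $? -eq 4 ]` inspects the status of the first `if` compound (0 when its condition was false), not jq's, so the job would end at `exit 99` instead of the intended `::notice`. Capture the status explicitly with `|| rc=$?` and branch on `$rc`, as below; `select(any(.issue[]; .status == "Unpatched"))` also emits each package once rather than once per unpatched issue, which keeps the error message and `unpatched-cves.json` free of duplicates. The redirect creates an empty `unpatched-cves.json` whether or not jq matched anything, so the summary step's `[ -f unpatched-cves.json ]` reports findings on a clean run too; the rewrite removes the file in the no-findings branch (testing `-s` in the summary step would work as well). Separately, `key: cache-cve-sstate-downloads` is a constant and actions/cache never overwrites an existing key, so downloads and sstate stay frozen at whatever the first run saved; a key containing `${{ github.run_id }}` plus a `restore-keys:` prefix lets each run refresh it.
```yaml
      - name: Check results (cve-summary.json) for unpatched CVEs
        shell: bash
        run: |
          rc=0
          jq -e '.package[] | select(any(.issue[]; .status == "Unpatched"))' \
            yocto_cve/build/tmp/log/cve/cve-summary.json > unpatched-cves.json || rc=$?
          if [ "$rc" -eq 0 ]; then
            echo "::error::Found unpatched CVEs in packages: $(jq -r '.name' unpatched-cves.json)"
            exit 1
          fi
          if [ "$rc" -eq 4 ]; then
            # jq produced no output: drop the empty file so the summary step does not report it as findings
            rm -f unpatched-cves.json
            echo "::notice::No unpatched CVEs found"
            exit 0
          fi
          echo "::error::General error (jq exit status $rc)"
          exit 99
      # … unchanged: Generate step summary, Save cve-summary.json and Save cve-summary steps …
```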
@@ -0,0 +1,82 @@
+name: pr-cve-check
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - 'master-next'
+jobs:
+  pr-cve-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install required packages to run cve-check
+        run: |
+          sudo apt-get -y install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 xz-utils zstd liblz4-tool locales
+          echo "en_US.UTF-8 UTF-8" | sudo tee --append /etc/locale.gen
+          sudo locale-gen
+      - name: Checkout meta-aws
+        uses: actions/checkout@v3
+        with:
+          path: yocto_cve/meta-aws
+      - name: Checkout meta-oe
+        uses: actions/checkout@v3
+        with:
+          repository: openembedded/meta-openembedded
+          path: yocto_cve/meta-openembedded
+      - name: Checkout poky
+        run: |
+          cd yocto_cve/
+          git clone git://git.yoctoproject.org/poky --single-branch
+      - name: Cache sstate + downloads
+        uses: actions/cache@v3
+        with:
+          path: |
+            yocto_cve/build/sstate-cache
+            yocto_cve/build/downloads
+          key: cache-cve-sstate-downloads
+      - name: Run CVE check
+        run: |
+          cd yocto_cve/
+          source poky/oe-init-build-env build
+          bitbake-layers add-layer ../meta-openembedded/meta-oe
+          bitbake-layers add-layer ../meta-openembedded/meta-python
+          bitbake-layers add-layer ../meta-openembedded/meta-networking
+          bitbake-layers add-layer ../meta-openembedded/meta-multimedia
+          bitbake-layers add-layer ../meta-aws
+          echo 'INHERIT += "cve-check"' >> conf/local.conf
+          bitbake -c cve_check `find ../meta-aws -name *.bb -type f | sed 's!.*/!!' | sed 's!.bb!!' | sed 's!_.*!!' | sort | uniq | sed -z 's/\n/ /g'`
+      - name: Show cve-summary.json
+        run: |
+          cat yocto_cve/build/tmp/log/cve/cve-summary.json
+      - name: Check results (cve-summary.json) for unpatched CVEs
+        shell: bash
+        run: |
+          jq -e '.package[] | select(.issue[].status | contains ("Unpatched") )' yocto_cve/build/tmp/log/cve/cve-summary.json > unpatched-cves.json; \
+          if [ $? -eq 0 ]; then echo "::error::Found unpatched CVEs in packages: $(jq -e '. 
| select(.issue[].status | contains ("Unpatched") ) | .name' unpatched-cves.json)" && exit 1; fi; \
+          if [ $? -eq 4 ] ; then echo "::notice::No unpatched CVEs found" && exit 0; fi; \
+          echo "::error::General error" && exit 99
+      - name: Generate step summary
+        if: '!cancelled()'
+        shell: bash
+        run: |
+          if [ -f unpatched-cves.json ]; then
+            echo -e "# Found unpatched CVE(s) in package(s):" >> $GITHUB_STEP_SUMMARY
+            cat unpatched-cves.json >> $GITHUB_STEP_SUMMARY
+          else
+            echo -e "# No unpatched CVE(s) found" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo -e "# CVE-SUMMARY:\n" >> $GITHUB_STEP_SUMMARY
+          cat yocto_cve/build/tmp/log/cve/cve-summary.json >> $GITHUB_STEP_SUMMARY
+      - name: Save cve-summary.json
+        if: '!cancelled()'
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-summary.json
+          path: yocto_cve/build/tmp/log/cve/cve-summary.json
+      - name: Save cve-summary
+        if: '!cancelled()'
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-summary
+          path: yocto_cve/build/tmp/log/cve/cve-summary
+          if-no-files-found: ignore
\ No newline at end of file
diff --git a/recipes-support/amazon-ssm-agent/amazon-ssm-agent_3.2.2086.0.bb b/recipes-support/amazon-ssm-agent/amazon-ssm-agent_3.2.2086.0.bb
index 858aba773..c7b504ea6 100644
--- a/recipes-support/amazon-ssm-agent/amazon-ssm-agent_3.2.2086.0.bb
+++ b/recipes-support/amazon-ssm-agent/amazon-ssm-agent_3.2.2086.0.bb
@@ -1,6 +1,7 @@
 SUMMARY = "Amazon SSM Agent" DESCRIPTION = "An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs)." HOMEPAGE = "https://github.com/aws/amazon-ssm-agent" +CVE_PRODUCT = "amazon_ssm_agent" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "\
@@ -93,4 +94,3 @@ do_install () { install -d ${D}${systemd_unitdir}/system/ install -m 644 ${S}/packaging/linux/amazon-ssm-agent.service ${D}${systemd_unitdir}/system/amazon-ssm-agent.service } -
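Review bot: `git clone git://git.yoctoproject.org/poky --single-branch` pulls the build system over the unauthenticated, unencrypted git:// transport at whatever branch the remote currently defaults to, and the meta-openembedded checkout has no `ref:` either, so the code that bitbake then parses and executes on the runner is neither integrity-protected nor reproducible between runs; use `git clone -b <release-branch> https://git.yoctoproject.org/poky` and a matching `ref:` on the meta-openembedded step. The workflow sets no `permissions:`, so the job token carries the repository's default scope although nothing here writes to the repo; add `permissions:` with `contents: read` at the top level, and pin `actions/checkout@v3`, `actions/cache@v3` and `actions/upload-artifact@v4` to commit SHAs rather than movable tags. Keeping the trigger as `pull_request` rather than `pull_request_target` is the right call, since the PR's own recipes are fed to bitbake and must not run with a write-capable token. The result-check step is a copy of the nightly one and inherits its exit-status handling: under `shell: bash` (`-e`) a clean run aborts at jq's exit 4, and after the first `if` the second `$?` is no longer jq's status, so capture it with `|| rc=$?` and branch on `$rc`.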
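Review bot: `CVE_PRODUCT = "amazon_ssm_agent"` is a bare product name, and cve-check treats a value without a `vendor:` prefix as matching that CPE product under any vendor; narrowing it to the `vendor:product` form (`CVE_PRODUCT = "amazon:amazon_ssm_agent"`, with the vendor taken from the agent's actual NVD CPE rather than guessed) avoids picking up same-named products from other vendors. Since a product string that matches nothing in the NVD data makes the new nightly gate pass silently, the value should be checked against the CPE of a known CVE for this agent before the gate is relied on. A comment above the line naming where the string came from, e.g. `# CPE product name as used by NVD for the SSM agent; verify against an existing CVE entry`, would make that check repeatable.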