Scanner release vulnerability update #1341
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scanner release vulnerability update | |
| on: | |
| schedule: | |
| - cron: "0 */3 * * *" | |
| workflow_dispatch: | |
| jobs: | |
| read-release-versions: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.output-matrix.outputs.matrix }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Generate matrix JSON | |
| id: output-matrix | |
| run: | | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| echo "matrix<<$EOF" >> "$GITHUB_OUTPUT" | |
| ./.github/workflows/scripts/scanner-output-release-versions.sh | tee -a "$GITHUB_OUTPUT" | |
| echo "$EOF" >> "$GITHUB_OUTPUT" | |
| upload-release-vulnerabilities: | |
| needs: read-release-versions | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.69 | |
| volumes: | |
| # The updater makes heavy use of /tmp files. | |
| - /tmp:/tmp | |
| strategy: | |
| # If one of the versions fails, it should not stop others from succeeding. | |
| fail-fast: false | |
| # The updater is memory intensive, so only run one at a time. | |
| max-parallel: 1 | |
| matrix: | |
| include: ${{ fromJson(needs.read-release-versions.outputs.matrix).versions }} | |
| env: | |
| ROX_PRODUCT_VERSION: ${{ matrix.version }} | |
| ROX_PRODUCT_TAG: ${{ matrix.tag }} | |
| steps: | |
| - name: Recover docker image cache space | |
| run: | | |
| df --si / | |
| docker system prune --force --all | |
| df --si / | |
| shell: bash | |
| - name: Authenticate with Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Update vulnerabilities | |
| env: | |
| STACKROX_NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
| STACKROX_NVD_API_CALL_INTERVAL: 6s | |
| run: | | |
| DOWNLOAD_URL="https://github.com/stackrox/stackrox/archive/refs/tags/${{ env.ROX_PRODUCT_TAG }}.zip" | |
| FILE_NAME=$(basename "$DOWNLOAD_URL") | |
| if ! wget "$DOWNLOAD_URL" -O "$FILE_NAME"; then | |
| echo "Download failed. Terminating current matrix step." | |
| exit 1 | |
| fi | |
| unzip "$FILE_NAME" -d "${FILE_NAME}-dir" | |
| cd "${FILE_NAME}-dir/stackrox-"* | |
| if [ ! -d "scanner" ]; then | |
| echo "Scanner directory not found. Terminating current matrix step." | |
| exit 1 | |
| fi | |
| # Do not use the make target, as there may be some incompatibilities. | |
| # See https://github.com/stackrox/stackrox/pull/9227. | |
| # Similarly, any updates to the Go version may require go.mod updates. | |
| # Just run go mod tidy and hope for the best. | |
| go mod tidy | |
| cd scanner | |
| go build -trimpath -o bin/updater ./cmd/updater | |
| go clean -cache -modcache | |
| mkdir ${{ env.ROX_PRODUCT_VERSION }} | |
| # Run updater per release/product version. | |
| case "${{ env.ROX_PRODUCT_VERSION }}" in | |
| 4.4.*) | |
| ./bin/updater -output-dir="${{ env.ROX_PRODUCT_VERSION }}" | |
| ;; | |
| *) | |
| ./bin/updater export --split bundles | |
| zip ${{ env.ROX_PRODUCT_VERSION }}/vulnerabilities.zip bundles/*.json.zst | |
| ;; | |
| esac | |
| # Upload all bundles. | |
| gsutil cp -r "${{ env.ROX_PRODUCT_VERSION }}" "gs://definitions.stackrox.io/v4/vulnerability-bundles" | |
| send-notification: | |
| needs: | |
| - read-release-versions | |
| - upload-release-vulnerabilities | |
| runs-on: ubuntu-latest | |
| if: failure() | |
| steps: | |
| - name: Send Slack notification on workflow failure | |
| run: | | |
| curl -X POST -H 'Content-type: application/json' --data '{"text":"<${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|Workflow ${{ github.workflow }}> failed in repository ${{ github.repository }}: Failed to update vulnerabilities"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }} |