File 1104-github-add-OSV-automated-vulnerability-checking.patch of Package erlang
From fe03abb522417de49f09173b7f5845291a224b45 Mon Sep 17 00:00:00 2001
From: Kiko Fernandez-Reyes <kiko@erlang.org>
Date: Mon, 23 Sep 2024 11:23:26 +0200
Subject: [PATCH] github: add OSV automated vulnerability checking
---
.github/workflows/osv-scanner-scheduled.yml | 75 +++++++++++++++++++++
lib/compiler/scripts/smoke-build/mix.lock | 2 +-
lib/compiler/scripts/smoke-mix.exs | 2 +-
3 files changed, 77 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/osv-scanner-scheduled.yml
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
new file mode 100644
index 0000000000..59a29ad3f2
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,75 @@
+## Runs the Google OSV-scanner utility to detect known vulnerabilities.
+## The scan is run on each PR/push and also periodically on each maintained branch
+name: Open Source Vulnerabilities Scanner
+
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+ schedule:
+ - cron: 0 1 * * *
+
+permissions:
+ # Required to upload SARIF file to CodeQL.
+ # See: https://github.com/github/codeql-action/issues/2117
+ actions: read
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Only need to read contents
+ contents: read
+
+jobs:
+ schedule-scan:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'schedule' && github.repository == 'erlang/otp'
+ # if: github.event_name != 'workflow_dispatch' # used for testing
+ outputs:
+ versions: ${{ steps.get-versions.outputs.versions }}
+ steps:
+ - uses: actions/checkout@v4.1.7
+ - id: get-versions
+ name: Fetch latest 3 OTP versions
+ run: |
+ VSNs=$(grep -E 'OTP-[^.]+[.]0 :' otp_versions.table | awk '{ print $1 '} | head -3 | sed 's/[-.]/ /g' | awk '{print $2}')
+ versions='["maint", "master"'
+ for vsn in $VSNs; do
+ versions="${versions}, \"maint-$vsn\""
+ done
+ versions="${versions}]"
+ echo "versions=${versions}" >> "$GITHUB_OUTPUT"
+
+ run-scheduled-scan:
+ # Fan out and create requests to run OSV on multiple branches.
+ # It always succeed: either it sends requests to branches that
+ # can run 'scan-pr' (if the repo/branch contains this file) or
+ # skips sending the request.
+ needs: schedule-scan
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ type: ${{ fromJson(needs.schedule-scan.outputs.versions) }}
+ fail-fast: false
+ permissions:
+ actions: write
+ steps:
+ - uses: actions/checkout@v4.1.7
+ with:
+ ref: ${{ matrix.type }}
+
+ - name: Trigger Vulnerability Scanning
+ env:
+ GH_TOKEN: ${{ github.token }}
+ if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
+ run: |
+ gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
+ -f "ref=${{ matrix.type }}"
+
+ scan-pr:
+ # run-scheduled-scan triggers this job
+ # PRs and pushes trigger this job
+ if: github.event_name != 'schedule'
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.5"
diff --git a/lib/compiler/scripts/smoke-build/mix.lock b/lib/compiler/scripts/smoke-build/mix.lock
index 9fb83798c4..0745240e9a 100644
--- a/lib/compiler/scripts/smoke-build/mix.lock
+++ b/lib/compiler/scripts/smoke-build/mix.lock
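Review bot: The third-party actions in this workflow are pinned to mutable tags (`actions/checkout@v4.1.7` in both jobs and the `google/osv-scanner-action/...@v1.8.5` reusable workflow in `scan-pr`), so a retagged release would change what runs under a token that holds `security-events: write` and, in `run-scheduled-scan`, `actions: write`. Pinning each `uses:` to the full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4.1.7`, keeps the scanner's own supply chain fixed. Separately, `awk '{ print $1 '}` in the `get-versions` step only works because the shell concatenates the quoted and unquoted parts; `awk '{ print $1 }'` says the same thing without the misplaced quote. The `pull_request` trigger combined with `security-events: write` is presumably not honoured for pull requests from forks, where the token is read-only, so SARIF upload from fork PRs would likely fail; worth confirming against the reusable workflow's expectations.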
@@ -3,7 +3,7 @@
 "goldrush": {:hex, :goldrush, "0.1.9", "f06e5d5f1277da5c413e84d5a2924174182fb108dabb39d5ec548b27424cd106", [:rebar3], [], "hexpm"},
 "jsx": {:hex, :jsx, "2.9.0", "d2f6e5f069c00266cad52fb15d87c428579ea4d7d73a33669e12679e203329dd", [:mix, :rebar3], [], "hexpm"},
 "lager": {:hex, :lager, "3.8.0", "3402b9a7e473680ca179fc2f1d827cab88dd37dd1e6113090c6f45ef05228a1c", [:rebar3], [{:goldrush, "0.1.9", [hex: :goldrush, repo: "hexpm", optional: false]}], "hexpm"},
- "rabbit_common": {:hex, :rabbit_common, "3.7.18", "4249efdf1fd96a81739ffad675582f980cc55aa0a02217e4907b4cd719c44822", [:make, :rebar3], [{:credentials_obfuscation, "1.1.0", [hex: :credentials_obfuscation, repo: "hexpm", optional: false]}, {:jsx, "2.9.0", [hex: :jsx, repo: "hexpm", optional: false]}, {:lager, "3.8.0", [hex: :lager, repo: "hexpm", optional: false]}, {:ranch, "1.7.1", [hex: :ranch, repo: "hexpm", optional: false]}, {:recon, "2.5.0", [hex: :recon, repo: "hexpm", optional: false]}], "hexpm"},
+ "rabbit_common": {:hex, :rabbit_common, "3.7.20", "da022e3ef71c9932a1aa82a12e01bf5dec71f5ca79497c5c11282a2f2dcb443a", [:make, :rebar3], [{:credentials_obfuscation, "1.1.0", [hex: :credentials_obfuscation, repo: "hexpm", optional: false]}, {:jsx, "2.9.0", [hex: :jsx, repo: "hexpm", optional: false]}, {:lager, "3.8.0", [hex: :lager, repo: "hexpm", optional: false]}, {:ranch, "1.7.1", [hex: :ranch, repo: "hexpm", optional: false]}, {:recon, "2.5.0", [hex: :recon, repo: "hexpm", optional: false]}], "hexpm"},
 "ranch": {:hex, :ranch, "1.7.1", "6b1fab51b49196860b733a49c07604465a47bdb78aa10c1c16a3d199f7f8c881", [:rebar3], [], "hexpm"},
 "recon": {:hex, :recon, "2.5.0", "2f7fcbec2c35034bade2f9717f77059dc54eb4e929a3049ca7ba6775c0bd66cd", [:mix, :rebar3], [], "hexpm"},
 }
diff --git a/lib/compiler/scripts/smoke-mix.exs b/lib/compiler/scripts/smoke-mix.exs
index 0bfb80b53c..db996a7d3b 100644
--- a/lib/compiler/scripts/smoke-mix.exs
+++ b/lib/compiler/scripts/smoke-mix.exs
@@ -63,7 +63,7 @@ defmodule Smoke.MixProject do
 {:zotonic_stdlib, "~> 1.0"},
 ]
 'rabbitmq' ->
- [{:rabbit_common, "~> 3.7"}]
+ [{:rabbit_common, "~> 3.7.20"}]
 _ ->
 []
 end
-- 
2.43.0