Vulnerability Scan #1054
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Vulnerability Scan | |
| on: | |
| schedule: | |
| - cron: "5 0 * * *" | |
| push: | |
| branches: | |
| - master | |
| jobs: | |
| build: | |
| environment: nvd | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| - name: Install Clojure Tools | |
| uses: DeLaGuardo/[email protected] | |
| with: | |
| cli: 'latest' | |
| bb: 'latest' | |
| - name: Generate Cache Key File | |
| run: | | |
| # We are using RELEASE for deps, grab current versions for CI cache key | |
| mkdir -p target | |
| VERSION_NVD_CLOJURE=$(curl -s --fail https://clojars.org/api/artifacts/nvd-clojure/nvd-clojure | jq -r '.recent_versions[0].version') | |
| VERSION_DEPENDENCY_CHECK=$(curl -s --fail 'https://search.maven.org/solrsearch/select?q=g:org.owasp+AND+a:dependency-check-core&core=gav&rows=1&wt=json' | jq '.response.docs[0].v') | |
| echo "nvd-clojure=${VERSION_NVD_CLOJURE}" > target/ci-versions.txt | |
| echo "dependency-check=${VERSION_DEPENDENCY_CHECK}" >> target/ci-versions.txt | |
| cat target/ci-versions.txt | |
| working-directory: nvd_check_helper_project | |
| - name: Restore NVD DB & Clojure Deps Cache | |
| # nvd caches its db under ~/.m2/repository/org/owasp so that it can | |
| # conveniently be cached with deps | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| ~/.m2/repository | |
| ~/.deps.clj | |
| ~/.gitlibs | |
| # because we are using a RELEASE version of nvd-clojure | |
| # we also include its version | |
| key: | | |
| nvd-${{ hashFiles( | |
| 'nvd_check_helper_project/target/ci-versions.txt', | |
| 'nvd_check_helper_project/deps.edn', | |
| 'nvd_check_helper_project/bb.edn', | |
| 'bb.edn') }} | |
| restore-keys: | | |
| nvd- | |
| - name: Download Clojure deps | |
| run: clojure -X:deps prep | |
| working-directory: nvd_check_helper_project | |
| - name: Run NVD Scanner | |
| env: | |
| NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }} | |
| run: bb nvd-scan | |
| - name: Save NVD DB & Clojure Deps Cache | |
| if: always() # always cache regardless of outcome of nvd scan | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: | | |
| ~/.m2/repository | |
| ~/.deps.clj | |
| ~/.gitlibs | |
| # we tack on github.run_id to uniquely identify the cache | |
| # the next cache restore will find the best (and most current) match | |
| key: | | |
| nvd-${{ hashFiles( | |
| 'nvd_check_helper_project/target/ci-versions.txt', | |
| 'nvd_check_helper_project/deps.edn', | |
| 'nvd_check_helper_project/bb.edn', | |
| 'bb.edn') }}-${{ github.run_id }} |