otp scan PRs for vulnerabilities

- perform vulnerability analysis on a pull requests basis and on a
  scheduled basis.

- adds the option `osv-scan` to `otp-compliance.es` to submit requests
  to OSV API.

- adds hard-coded VEX filter to ignore CVEs for which OTP is not
  vulnerable, using the last three releases that we maintain.

- creation of reusable Github workflow to allow direct
  calls (workflow_call) and gh triggering events (workflow_dispatch).

Author: kikofernandez

.github/scripts/otp-compliance.es

@@ -217,7 +217,19 @@ cli() ->
                                      > .github/scripts/otp-compliance.es sbom vendor --sbom-file otp.spdx.json
                                      """,
                                  arguments => [ sbom_option()],
-                                 handler => fun sbom_vendor/1}
+                                 handler => fun sbom_vendor/1},
+
+                          "osv-scan" =>
+                              #{ help =>
+                                     """
+                                     Performs vulnerability scanning on vendor libraries
+
+                                     Example:
+
+                                     > .github/scripts/otp-compliance.es sbom osv-scan
+                                     """,
+                                 arguments => [ versions_file()],
+                                 handler => fun osv_scan/1}
                          }},
              "explore" =>
                  #{  help => """
@@ -317,6 +329,11 @@ sbom_option() ->
       default => "bom.spdx.json",
       long => "-sbom-file"}.
 
+versions_file() ->
+    #{name => version,
+      type => binary,
+      long => "-version"}.
+
 ntia_checker() ->
     #{name => ntia_checker,
       type => boolean,
@@ -1207,6 +1224,216 @@ generate_vendor_purl(Package) ->
             [create_externalRef_purl(Description, <<Purl/binary, "@", Vsn/binary>>)]
     end.
 
+osv_scan(#{version := Version}) ->
+    application:ensure_all_started([ssl, inets]),
+    OSVQuery = vendor_by_version(Version),
+
+    io:format("[OSV] Information sent~n~s~n", [json:format(OSVQuery)]),
+
+    OSV = json:encode(OSVQuery),
+
+    Format = "application/x-www-form-urlencoded",
+    URI = "https://api.osv.dev/v1/querybatch",
+    Content = {URI, [], Format, OSV},
+    Result = httpc:request(post, Content, [], []),
+    Vulns =
+        case Result of
+            {ok,{{_, 200,_}, _Headers, Body}} ->
+                #{~"results" := OSVResults} = json:decode(erlang:list_to_binary(Body)),
+                Vulnerabilities = lists:filter(fun (#{~"vulns" := _Ids}) -> true; (_) -> false end, OSVResults),
+                case Vulnerabilities of
+                    [] ->
+                        [];
+                    _ ->
+                        NameVulnerabilities = lists:zip(osv_names(OSVQuery), OSVResults),
+                        lists:filtermap(fun ({Name, #{~"vulns" := Ids}}) ->
+                                                {true, {Name, [Id || #{~"id" := Id} <- Ids]}};
+                                            (_) ->
+                                                false
+                                        end, NameVulnerabilities)
+                end;
+            {error, Error} ->
+                {error, [URI, Error]}
+        end,
+    Vulns1 = ignore_vex_cves(Vulns),
+    FormattedVulns = format_vulnerabilities(Vulns1),
+    report_vulnerabilities(FormattedVulns).
+
+%% TODO: fix by reading VEX files from erlang/vex or repo containing VEX files
+ignore_vex_cves(Vulns) ->
+    lists:foldl(fun ({~"github.com/wxWidgets/wxWidgets", _CVEs}, Acc) ->
+                        %% OTP cannot be vulnerable to wxwidgets because
+                        %% we only take documentation.
+                        Acc;
+                    ({Name, CVEs}, Acc) ->
+                        case maps:get(Name, non_vulnerable_cves(), not_found) of
+                            not_found ->
+                                [{Name, CVEs} | Acc];
+                            NonCVEs ->
+                                case CVEs -- NonCVEs of
+                                    [] ->
+                                        Acc;
+                                    Vs ->
+                                        [{Name, Vs} | Acc]
+                                end
+                        end
+                end, [], Vulns).
+
+non_vulnerable_cves() ->
+    #{ ~"github.com/madler/zlib" => [~"CVE-2023-45853"],
+       ~"github.com/openssl/openssl" =>
+           [~"CVE-2024-12797", ~"CVE-2023-6129", ~"CVE-2023-6237", ~"CVE-2024-0727",
+            ~"CVE-2024-13176", ~"CVE-2024-2511", ~"CVE-2024-4603", ~"CVE-2024-4741",
+            ~"CVE-2024-5535", ~"CVE-2024-6119", ~"CVE-2024-9143"],
+       ~"github.com/PCRE2Project/pcre2" => [~"OSV-2025-300"]}.
+
+
+format_vulnerabilities({error, ErrorContext}) ->
+    {error, ErrorContext};
+format_vulnerabilities(ExistingVulnerabilities) when is_list(ExistingVulnerabilities) ->
+    lists:map(fun ({N, Ids}) ->
+                      io_lib:format("- ~s: ~s~n", [N, lists:join(",", Ids)])
+              end, ExistingVulnerabilities).
+
+report_vulnerabilities([]) ->
+    io:format("[OSV] No vulnerabilities found.~n");
+report_vulnerabilities({error, [URI, Error]}) ->
+    fail("[OSV] POST request to ~p errors: ~p", [URI, Error]);
+report_vulnerabilities(FormatVulns) ->
+    fail("[OSV] There are existing vulnerabilities:~n~s", [FormatVulns]).
+
+osv_names(#{~"queries" := Packages}) ->
+    lists:map(fun osv_names/1, Packages);
+osv_names(#{~"package" := #{~"name" := Name }}) ->
+    Name.
+
+generate_osv_query(Packages) ->
+    #{~"queries" => lists:foldl(fun generate_osv_query/2, [], Packages)}.
+generate_osv_query(#{~"versionInfo" := Vsn, ~"ecosystem" := Ecosystem, ~"name" := Name}, Acc) ->
+    Package = #{~"package" => #{~"name" => Name, ~"ecosystem" => Ecosystem}, ~"version" => Vsn},
+    [Package | Acc];
+generate_osv_query(#{~"sha" := SHA, ~"downloadLocation" := Location}, Acc) ->
+    case string:prefix(Location, ~"https://") of
+        nomatch ->
+            Acc;
+        URI ->
+            Package = #{~"package" => #{~"name" => URI}, ~"commit" => SHA},
+            [Package | Acc]
+    end;
+generate_osv_query(_, Acc) ->
+    Acc.
+
+vendor_by_version(~"maint-25") ->
+    [#{~"package" =>
+           #{~"commit"=> ~"21767c654d31d2dccdde4330529775c6c5fd5389",
+             ~"name"=> ~"github.com/madler/zlib"}},
+     #{~"package" =>
+           #{~"commit"=> ~"23ddf56b00f47d8aa0c82ad225e4b3a92661da7e",
+             ~"name"=> ~"github.com/asmjit/asmjit"}},
+     #{~"package" =>
+           #{ ~"commit"=> ~"e745bad3b1d05b5b19ec652d68abb37865ffa454",
+              ~"name"=> ~"github.com/microsoft/STL"}},
+     #{~"package" =>
+           #{~"commit"=> ~"844864ac213bdbf1fb57e6f51c653b3d90af0937",
+             ~"name"=> ~"github.com/ulfjack/ryu"}},
+     #{~"package"=>
+           #{ ~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+              ~"name"=> ~"github.com/openssl/openssl"
+            }},
+     #{~"package"=> % 8.45, not offial but the official sourceforge is not available
+          #{~"commit"=> ~"3934406b50b8c2a4e2fc7362ed8026224ac90828",
+            ~"name"=> ~"github.com/nektro/pcre-8.45"}},
+     #{~"package"=> % 3.1.4
+           #{ ~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+              ~"name"=> ~"github.com/openssl/openssl"}},
+     #{~"package"=>
+           #{~"ecosystem"=> ~"npm",
+             ~"name"=> ~"tablesorter",
+             ~"version"=> ~"2.32"}},
+     #{~"package"=>
+           #{~"ecosystem"=> ~"npm",
+             ~"name"=> ~"jquery",
+             ~"version"=> ~"3.7.1"}},
+     #{~"package"=> % ok
+           #{~"commit"=> ~"dc585039bbd426829e3433002023a93f9bedd0c2",
+             ~"name"=> ~"github.com/wxWidgets/wxWidgets"}}
+    ];
+vendor_by_version(~"maint-26") ->
+    [#{~"package"=> %% v1.2.13
+           #{~"commit"=> ~"04f42ceca40f73e2978b50e93806c2a18c1281fc",
+             ~"name"=> ~"github.com/madler/zlib"
+            }},
+     #{~"package"=>
+           #{~"commit"=> ~"915186f6c5c2f5a4638e5cb97ccc23d741521a64",
+             ~"name"=> ~"github.com/asmjit/asmjit"
+            }},
+     #{~"package"=>
+           #{~"commit"=> ~"e745bad3b1d05b5b19ec652d68abb37865ffa454",
+             ~"name"=> ~"github.com/microsoft/STL"}},
+     #{~"package"=>
+           #{~"commit"=> ~"844864ac213bdbf1fb57e6f51c653b3d90af0937",
+             ~"name"=> ~"github.com/ulfjack/ryu"}},
+     #{~"package"=> % 3.1.4
+         #{~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+           ~"name"=> ~"github.com/openssl/openssl"}},
+    #{~"package"=> % 8.45, not offial but the official sourceforge is not available
+          #{~"commit"=> ~"3934406b50b8c2a4e2fc7362ed8026224ac90828",
+            ~"name"=> ~"github.com/nektro/pcre-8.45"}},
+    #{~"package"=> % 3.1.4
+          #{~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+            ~"name"=> ~"github.com/openssl/openssl"}},
+    #{~"package"=>
+          #{~"ecosystem"=> ~"npm",
+            ~"name"=> ~"tablesorter",
+            ~"version"=> ~"2.32"}},
+    #{~"package"=>
+          #{~"ecosystem"=> ~"npm",
+            ~"name"=> ~"jquery",
+            ~"version"=> ~"3.7.1"}},
+    #{~"package"=>
+          #{~"commit"=> ~"dc585039bbd426829e3433002023a93f9bedd0c2",
+            ~"name"=> ~"github.com/wxWidgets/wxWidgets"}}
+    ];
+vendor_by_version(~"maint-27") ->
+    [#{~"package"=> %% v1.2.13
+           #{~"commit"=> ~"04f42ceca40f73e2978b50e93806c2a18c1281fc",
+             ~"name"=> ~"github.com/madler/zlib"}},
+     #{~"package"=>
+           #{~"commit"=> ~"a465fe71ab3d0e224b2b4bd0fac69ae68ab9239d",
+             ~"name"=> ~"github.com/asmjit/asmjit"
+            }},
+     #{~"package"=>
+           #{~"commit"=> ~"e745bad3b1d05b5b19ec652d68abb37865ffa454",
+             ~"name"=> ~"github.com/microsoft/STL"}},
+     #{~"package"=>
+           #{~"commit"=> ~"844864ac213bdbf1fb57e6f51c653b3d90af0937",
+             ~"name"=> ~"github.com/ulfjack/ryu"}},
+     #{~"package"=>  % 3.1.4
+           #{~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+             ~"name"=> ~"github.com/openssl/openssl"}},
+     #{~"package"=> % 8.45, not offial but the official sourceforge is not available
+           #{~"commit"=> ~"3934406b50b8c2a4e2fc7362ed8026224ac90828",
+             ~"name"=> ~"github.com/nektro/pcre-8.45"}},
+     #{~"package"=> % 3.1.4
+          #{~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+            ~"name"=> ~"github.com/openssl/openssl"}},
+     #{~"package"=>
+          #{~"ecosystem"=> ~"npm",
+            ~"name"=> ~"tablesorter",
+            ~"version"=> ~"2.32"}},
+     #{~"package"=>
+          #{~"ecosystem"=> ~"npm",
+            ~"name"=> ~"jquery",
+            ~"version"=> ~"3.7.1"}},
+     #{~"package"=>
+           #{~"commit"=> ~"dc585039bbd426829e3433002023a93f9bedd0c2",
+             ~"name"=> ~"github.com/wxWidgets/wxWidgets"}}
+    ];
+vendor_by_version(_) ->
+    VendorSrcFiles = find_vendor_src_files("."),
+    Packages = generate_vendor_info_package(VendorSrcFiles),
+    generate_osv_query(Packages).
+
 cleanup_path(<<"./", Path/binary>>) when is_binary(Path) -> Path;
 cleanup_path(Path) when is_binary(Path) -> Path.
 
@@ -1559,7 +1786,7 @@ root_vendor_packages() ->
 minimum_vendor_packages() ->
     %% self-contained
     root_vendor_packages() ++
-        [~"tcl", ~"ryu_to_chars", ~"json-test-suite", ~"openssl", ~"Autoconf", ~"wx", ~"jquery", ~"jquery-tablesorter"].
+        [~"tcl", ~"ryu_to_chars", ~"json-test-suite", ~"openssl", ~"Autoconf", ~"wx", ~"jquery", ~"tablesorter"].
 
 test_copyright_not_empty(#{~"packages" := Packages}) ->
     true = lists:all(fun (#{~"copyrightText" := Copyright}) -> Copyright =/= ~"" end, Packages),

.github/workflows/main.yaml

@@ -426,6 +426,15 @@ jobs:
                 docker run otp "erl ${OPTION} -noshell -s init stop"
             done
 
+  # this is a call to a workflow_call
+  pr-vendor-vulnerability-analysis:
+    name: Vendor Vulnerability Scanning
+    needs: pack
+    uses: ./.github/workflows/reusable-vendor-vulnerability-scanner.yml
+    with:
+      version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}
+      # equivalent of ${{ env.BASE_BRANCH }} but reusable-workflows do not allow to pass env.
+
   build:
     name: Build Erlang/OTP
     runs-on: ubuntu-latest
@@ -807,6 +816,10 @@ jobs:
             path: ${{ env.SCAN_RESULT_CACHE_PATH }}
             key: ${{ steps.ort-cache.outputs.cache-primary-key }}
 
+      - name: Copy PreSBOM
+        run: |
+         cp /home/runner/.ort/ort-results/bom.spdx.json /home/runner/.ort/ort-results/pre-bom.spdx.json
+
       - name: Process SBOM
         run: |
           docker run -v $PWD/:/github -v $HOME:$HOME otp \
@@ -848,10 +861,9 @@ jobs:
             fail-on: ${{ github.ref_type == 'tag' && '' || '' }} # 'violations,issues' }}
             sw-version: ${{ env.OTP_SBOM_VERSION }}
 
-  vendor-analysis:
-    name: Vendor Dependency Analysis
+  vendor-dependency-upload:
+    name: Vendor Dependency Upload
     runs-on: ubuntu-latest
-    if: github.event_name == 'push'
     needs:
         - sbom
         - pack
@@ -879,6 +891,7 @@ jobs:
 
       # allows Dependabot to give us alert of the vendor libraries that use semantic versioning
       - name: Upload SBOM to Github Dependency API
+        if: github.event_name == 'push'
         uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # ratchet:advanced-security/[email protected]
 
   ## If this is an "OTP-*" tag that has been pushed we do some release work

.github/workflows/osv-scanner-scheduled.yml

@@ -64,29 +64,26 @@ jobs:
         with:
           ref: ${{ matrix.type }}
 
+      # this is a call to a workflow_dispatch ref=master is important because
+      # using ref={{matrix.type}} would trigger the workflow
+      # reusable-vendor-vulnerability-scanner.yml in that ref/branch. since
+      # there is no such files in maint-25, maint-26, etc, the result would
+      # ignore the vulnerability scanning for those branches.
+      #
+      # During manual testing, triggering this event before the pack job (in
+      # main.yml) is finished will result in an error, due to not being able to
+      # fetch from the cache. In the scheduled case (common case), there should
+      # be already a cache build and this is not an issue.
+      #
       - name: Trigger Vulnerability Scanning
         env:
           GH_TOKEN: ${{ github.token }}
-        if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
+          REPO : erlang/otp # in testing cases, this is your fork, e.g., kikofernandez/otp
+        if: ${{ hashFiles('.github/workflows/reusable-vendor-vulnerability-scanner.yml') != '' }}
         run: |
           gh api \
             --method POST \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
-            -f "ref=${{ matrix.type }}"
-
-  scan-pr:
-    # run-scheduled-scan triggers this job
-    # PRs and pushes trigger this job
-    if: github.event_name != 'schedule'
-    permissions:
-        # Require writing security events to upload SARIF file to security tab
-        security-events: write
-        # Required to upload SARIF file to CodeQL.
-        # See: https://github.com/github/codeql-action/issues/2117
-        actions: read
-        contents: read
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # ratchet:google/osv-scanner-action/.github/workflows/[email protected]
-    with:
-        upload-sarif: ${{ github.repository == 'erlang/otp' }}
+            /repos/${{ env.REPO }}/actions/workflows/reusable-vendor-vulnerability-scanner.yml/dispatches \
+            -f "ref=master" -f "inputs[version]=${{ matrix.type }}"