otp scan PRs for vulnerabilities

- perform vulnerability analysis on a pull requests basis and on a
  scheduled basis.

- adds the option `osv-scan` to `otp-compliance.es` to submit requests
  to OSV API.

- adds hard-coded VEX filter to ignore CVEs for which OTP is not
  vulnerable, using the last three releases that we maintain.

- creation of reusable Github workflow to allow direct
  calls (workflow_call) and gh triggering events (workflow_dispatch).

Author: kikofernandez

.github/scripts/otp-compliance.es

@@ -220,7 +220,19 @@ cli() ->
                                      > .github/scripts/otp-compliance.es sbom vendor --sbom-file otp.spdx.json
                                      """,
                                  arguments => [ sbom_option()],
-                                 handler => fun sbom_vendor/1}
+                                 handler => fun sbom_vendor/1},
+
+                          "osv-scan" =>
+                              #{ help =>
+                                     """
+                                     Performs vulnerability scanning on vendor libraries
+
+                                     Example:
+
+                                     > .github/scripts/otp-compliance.es sbom osv-scan
+                                     """,
+                                 arguments => [ versions_file(), sarif_option() ],
+                                 handler => fun osv_scan/1}
                          }},
              "explore" =>
                  #{  help => """
@@ -320,6 +332,17 @@ sbom_option() ->
       default => "bom.spdx.json",
       long => "-sbom-file"}.
 
+versions_file() ->
+    #{name => version,
+      type => binary,
+      long => "-version"}.
+
+sarif_option() ->
+    #{name => sarif,
+      type => boolean,
+      default => true,
+      long => "-sarif"}.
+
 ntia_checker() ->
     #{name => ntia_checker,
       type => boolean,
@@ -1297,6 +1320,270 @@ generate_vendor_purl(Package) ->
             [create_externalRef_purl(Description, <<Purl/binary, "@", Vsn/binary>>)]
     end.
 
+osv_scan(#{version := Version, sarif := Sarif}) ->
+    application:ensure_all_started([ssl, inets]),
+    OSVQuery = vendor_by_version(Version),
+
+    io:format("[OSV] Information sent~n~s~n", [json:format(OSVQuery)]),
+
+    OSV = json:encode(OSVQuery),
+
+    Format = "application/x-www-form-urlencoded",
+    URI = "https://api.osv.dev/v1/querybatch",
+    Content = {URI, [], Format, OSV},
+    Result = httpc:request(post, Content, [], []),
+    Vulns =
+        case Result of
+            {ok,{{_, 200,_}, _Headers, Body}} ->
+                #{~"results" := OSVResults} = json:decode(erlang:list_to_binary(Body)),
+                Vulnerabilities = lists:filter(fun (#{~"vulns" := _Ids}) -> true; (_) -> false end, OSVResults),
+                case Vulnerabilities of
+                    [] ->
+                        [];
+                    _ ->
+                        NameVulnerabilities = lists:zip(osv_names(OSVQuery), OSVResults),
+                        lists:filtermap(fun ({Name, #{~"vulns" := Ids}}) ->
+                                                {true, {Name, [Id || #{~"id" := Id} <- Ids]}};
+                                            (_) ->
+                                                false
+                                        end, NameVulnerabilities)
+                end;
+            {error, Error} ->
+                {error, [URI, Error]}
+        end,
+    Vulns1 = ignore_vex_cves(Vulns),
+    ok = generate_sarif(Sarif, Vulns1),
+    FormattedVulns = format_vulnerabilities(Vulns1),
+    report_vulnerabilities(FormattedVulns).
+
+generate_sarif(false, _Vulns) ->
+    io:format("[SARIF] No sarif file generated~n~n"),
+    ok;
+generate_sarif(true, Vulns) ->
+    SarifFilename = "results.sarif",
+
+    {ok, Cwd} = file:get_cwd(),
+    io:format("[SARIF] Generating Sarif: ~s~n", [Cwd ++ "/" ++ SarifFilename]),
+    io:format("ok~n~n"),
+
+    Sarif = json:format(generate_sarif(Vulns)),
+    file:write_file(SarifFilename, Sarif).
+
+generate_sarif(Vulns) ->
+    #{ ~"version" => ~"2.1.0",
+         ~"$schema" => ~"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+         ~"runs" =>
+             [ #{
+                 ~"tool" =>
+                     #{ ~"driver" =>
+                            #{ ~"informationUri" => ~"https://github.com/erlang/otp/scripts/otp-compliance.es",
+                               ~"name" => ~"otp-compliance",
+                               ~"rules" =>
+                                   [ #{ ~"id" => ~"CVE-OTP-VENDOR",
+                                        ~"name" => ~"CVEInDependency",
+                                        ~"shortDescription" =>
+                                            #{ ~"text" => ~"CVE found in dependency" },
+                                        ~"fullDescription" =>
+                                            #{
+                                              ~"text" => ~"CVE found in OTP runtime dependency"
+                                             }
+                                      }],
+                               ~"version" => ~"1.0"
+                             }
+                      },
+                 ~"results" =>
+                     [ #{
+                         ~"ruleId" => ~"CVE-OTP-VENDOR",
+                         ~"ruleIndex" => 0, % matches rule object that should apply
+                         ~"level" => ~"warning",
+                         ~"message" => #{ ~"text" => error_to_text({Dependency, CVE}) },
+                         ~"locations" =>
+                             [ #{ ~"physicalLocation" =>
+                                      #{ ~"artifactLocation" =>
+                                             #{ ~"uri" => Dependency }}}
+                             ]
+                        } || {Dependency, CVEs} <- Vulns, CVE <- CVEs],
+                 ~"artifacts" =>
+                     [ #{ ~"location" => #{ ~"uri" => Dependency},
+                          ~"length" => -1
+                        } || {Dependency, _} <- Vulns]
+                }]
+       }.
+
+error_to_text({Dependency, Vuln}) ->
+    <<"Dependency ", Dependency/binary, " has ", Vuln/binary>>.
+
+%% TODO: fix by reading VEX files from erlang/vex or repo containing VEX files
+ignore_vex_cves(Vulns) ->
+    lists:foldl(fun ({~"github.com/wxWidgets/wxWidgets", _CVEs}, Acc) ->
+                        %% OTP cannot be vulnerable to wxwidgets because
+                        %% we only take documentation.
+                        Acc;
+                    ({Name, CVEs}, Acc) ->
+                        case maps:get(Name, non_vulnerable_cves(), not_found) of
+                            not_found ->
+                                [{Name, CVEs} | Acc];
+                            NonCVEs ->
+                                case CVEs -- NonCVEs of
+                                    [] ->
+                                        Acc;
+                                    Vs ->
+                                        [{Name, Vs} | Acc]
+                                end
+                        end
+                end, [], Vulns).
+
+non_vulnerable_cves() -> #{}.
+    %% #{ ~"github.com/madler/zlib" => [~"CVE-2023-45853"],
+    %%    ~"github.com/openssl/openssl" =>
+    %%        [~"CVE-2024-12797", ~"CVE-2023-6129", ~"CVE-2023-6237", ~"CVE-2024-0727",
+    %%         ~"CVE-2024-13176", ~"CVE-2024-2511", ~"CVE-2024-4603", ~"CVE-2024-4741",
+    %%         ~"CVE-2024-5535", ~"CVE-2024-6119", ~"CVE-2024-9143"],
+    %%    ~"github.com/PCRE2Project/pcre2" => [~"OSV-2025-300"]}.
+
+
+format_vulnerabilities({error, ErrorContext}) ->
+    {error, ErrorContext};
+format_vulnerabilities(ExistingVulnerabilities) when is_list(ExistingVulnerabilities) ->
+    lists:map(fun ({N, Ids}) ->
+                      io_lib:format("- ~s: ~s~n", [N, lists:join(",", Ids)])
+              end, ExistingVulnerabilities).
+
+report_vulnerabilities([]) ->
+    io:format("[OSV] No vulnerabilities found.~n");
+report_vulnerabilities({error, [URI, Error]}) ->
+    fail("[OSV] POST request to ~p errors: ~p", [URI, Error]);
+report_vulnerabilities(FormatVulns) ->
+    io:format("[OSV] There are existing vulnerabilities:~n~s", [FormatVulns]).
+
+osv_names(#{~"queries" := Packages}) ->
+    lists:map(fun osv_names/1, Packages);
+osv_names(#{~"package" := #{~"name" := Name }}) ->
+    Name.
+
+generate_osv_query(Packages) ->
+    #{~"queries" => lists:foldl(fun generate_osv_query/2, [], Packages)}.
+generate_osv_query(#{~"versionInfo" := Vsn, ~"ecosystem" := Ecosystem, ~"name" := Name}, Acc) ->
+    Package = #{~"package" => #{~"name" => Name, ~"ecosystem" => Ecosystem}, ~"version" => Vsn},
+    [Package | Acc];
+generate_osv_query(#{~"sha" := SHA, ~"downloadLocation" := Location}, Acc) ->
+    case string:prefix(Location, ~"https://") of
+        nomatch ->
+            Acc;
+        URI ->
+            Package = #{~"package" => #{~"name" => URI}, ~"commit" => SHA},
+            [Package | Acc]
+    end;
+generate_osv_query(_, Acc) ->
+    Acc.
+
+%% when we no longer need to maintain maint-27, we can remove
+%% this hard-coded commits and versions.
+vendor_by_version(~"maint-25") ->
+    #{~"queries" =>
+          [#{~"commit"=> ~"21767c654d31d2dccdde4330529775c6c5fd5389",
+             ~"package" => #{~"name"=> ~"github.com/madler/zlib"}},
+
+           #{~"commit"=> ~"23ddf56b00f47d8aa0c82ad225e4b3a92661da7e",
+             ~"package" => #{~"name"=> ~"github.com/asmjit/asmjit"}},
+
+           #{ ~"commit"=> ~"e745bad3b1d05b5b19ec652d68abb37865ffa454",
+              ~"package" => #{~"name"=> ~"github.com/microsoft/STL"}},
+
+           #{~"commit"=> ~"844864ac213bdbf1fb57e6f51c653b3d90af0937",
+             ~"package" => #{~"name"=> ~"github.com/ulfjack/ryu"}},
+
+           #{ ~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+              ~"package"=> #{~"name"=> ~"github.com/openssl/openssl"}},
+
+           #{ % 8.45, not offial but the official sourceforge is not available
+             ~"commit"=> ~"3934406b50b8c2a4e2fc7362ed8026224ac90828",
+             ~"package"=> #{~"name"=> ~"github.com/nektro/pcre-8.45"}},
+
+           #{~"commit"=> ~"dc585039bbd426829e3433002023a93f9bedd0c2",
+             ~"package"=> #{~"name"=> ~"github.com/wxWidgets/wxWidgets"}},
+
+           #{~"version"=> ~"2.32",
+             ~"package"=> #{~"ecosystem"=> ~"npm",
+                            ~"name"=> ~"tablesorter"}},
+
+           #{~"version"=> ~"3.7.1",
+             ~"package"=> #{~"ecosystem"=> ~"npm",
+                            ~"name"=> ~"jquery"}}
+          ]};
+vendor_by_version(~"maint-26") ->
+    #{~"queries" =>
+          [#{%% v1.2.13
+             ~"commit"=> ~"04f42ceca40f73e2978b50e93806c2a18c1281fc",
+             ~"package"=> #{~"name"=> ~"github.com/madler/zlib"}},
+
+           #{~"commit"=> ~"915186f6c5c2f5a4638e5cb97ccc23d741521a64",
+             ~"package"=> #{~"name"=> ~"github.com/asmjit/asmjit"}},
+
+           #{~"commit"=> ~"e745bad3b1d05b5b19ec652d68abb37865ffa454",
+             ~"package"=> #{~"name"=> ~"github.com/microsoft/STL"}},
+
+           #{~"commit"=> ~"844864ac213bdbf1fb57e6f51c653b3d90af0937",
+             ~"package"=> #{~"name"=> ~"github.com/ulfjack/ryu"}},
+
+           #{% 3.1.4
+             ~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+             ~"package"=> #{~"name"=> ~"github.com/openssl/openssl"}},
+
+           #{% 8.45, not offial but the official sourceforge is not available
+             ~"commit"=> ~"3934406b50b8c2a4e2fc7362ed8026224ac90828",
+             ~"package"=> #{~"name"=> ~"github.com/nektro/pcre-8.45"}},
+
+           #{~"commit"=> ~"dc585039bbd426829e3433002023a93f9bedd0c2",
+             ~"package"=> #{~"name"=> ~"github.com/wxWidgets/wxWidgets"}},
+
+           #{~"version"=> ~"2.32",
+             ~"package"=> #{~"ecosystem"=> ~"npm",
+                            ~"name"=> ~"tablesorter"}},
+
+           #{~"version"=> ~"3.7.1",
+             ~"package"=> #{~"ecosystem"=> ~"npm",
+                            ~"name"=> ~"jquery"}}
+          ]};
+vendor_by_version(~"maint-27") ->
+    #{~"queries" =>
+          [#{ %% v1.2.13
+             ~"commit"=> ~"04f42ceca40f73e2978b50e93806c2a18c1281fc",
+             ~"package"=> #{~"name"=> ~"github.com/madler/zlib"}},
+
+           #{~"commit"=> ~"a465fe71ab3d0e224b2b4bd0fac69ae68ab9239d",
+             ~"package"=> #{ ~"name"=> ~"github.com/asmjit/asmjit"}},
+
+           #{~"commit"=> ~"e745bad3b1d05b5b19ec652d68abb37865ffa454",
+             ~"package"=> #{~"name"=> ~"github.com/microsoft/STL"}},
+
+           #{~"commit"=> ~"844864ac213bdbf1fb57e6f51c653b3d90af0937",
+             ~"package"=>#{~"name"=> ~"github.com/ulfjack/ryu"}},
+
+           #{  % 3.1.4
+             ~"commit"=> ~"01d5e2318405362b4de5e670c90d9b40a351d053",
+             ~"package"=> #{~"name"=> ~"github.com/openssl/openssl"}},
+
+           #{% 8.45, not offial but the official sourceforge is not available
+             ~"commit"=> ~"3934406b50b8c2a4e2fc7362ed8026224ac90828",
+             ~"package"=> #{ ~"name"=> ~"github.com/nektro/pcre-8.45"}},
+
+           #{~"commit"=> ~"dc585039bbd426829e3433002023a93f9bedd0c2",
+             ~"package"=>#{~"name"=> ~"github.com/wxWidgets/wxWidgets"}},
+
+           #{~"version"=> ~"2.32",
+             ~"package"=> #{~"ecosystem"=> ~"npm",
+                            ~"name"=> ~"tablesorter"}},
+
+           #{~"version"=> ~"3.7.1",
+             ~"package"=> #{~"ecosystem"=> ~"npm",
+                            ~"name"=> ~"jquery"}}
+          ]};
+vendor_by_version(_) ->
+    VendorSrcFiles = find_vendor_src_files("."),
+    Packages = generate_vendor_info_package(VendorSrcFiles),
+    generate_osv_query(Packages).
+
 cleanup_path(<<"./", Path/binary>>) when is_binary(Path) -> Path;
 cleanup_path(Path) when is_binary(Path) -> Path.
 
@@ -1672,7 +1959,7 @@ root_vendor_packages() ->
 minimum_vendor_packages() ->
     %% self-contained
     root_vendor_packages() ++
-        [~"tcl", ~"STL", ~"json-test-suite", ~"openssl", ~"Autoconf", ~"wx", ~"jquery", ~"jquery-tablesorter"].
+        [~"tcl", ~"STL", ~"json-test-suite", ~"openssl", ~"Autoconf", ~"wx", ~"jquery", ~"tablesorter"].
 
 test_copyright_not_empty(#{~"packages" := Packages}) ->
     true = lists:all(fun (#{~"copyrightText" := Copyright}) -> Copyright =/= ~"" end, Packages),

.github/workflows/main.yaml

@@ -426,6 +426,15 @@ jobs:
                 docker run otp "erl ${OPTION} -noshell -s init stop"
             done
 
+  # this is a call to a workflow_call
+  pr-vendor-vulnerability-analysis:
+    name: Vendor Vulnerability Scanning
+    uses: ./.github/workflows/reusable-vendor-vulnerability-scanner.yml
+    with:
+      sarif: false
+      version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}
+      # equivalent of ${{ env.BASE_BRANCH }} but reusable-workflows do not allow to pass env.
+
   build:
     name: Build Erlang/OTP
     runs-on: ubuntu-latest
@@ -848,18 +857,17 @@ jobs:
             fail-on: ${{ github.ref_type == 'tag' && '' || 'violations,issues' }}
             sw-version: ${{ env.OTP_SBOM_VERSION }}
 
-  vendor-analysis:
-    name: Vendor Dependency Analysis
+  vendor-dependency-upload:
+    name: Vendor Dependency Upload
     runs-on: ubuntu-latest
-    if: github.event_name == 'push'
     needs:
         - sbom
         - pack
+    if: github.repository == 'erlang/otp'
     ## Needed to use Github Dependency API
     permissions:
       contents: write
       id-token: write
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
       - uses: ./.github/actions/build-base-image
@@ -878,7 +886,9 @@ jobs:
               --sbom-file /github/bom.spdx.json"
 
       # allows Dependabot to give us alert of the vendor libraries that use semantic versioning
+      # it also allows dependencies to be looked up from github dependencies
       - name: Upload SBOM to Github Dependency API
+        if: github.event_name == 'push'
         uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # ratchet:advanced-security/[email protected]
 
   ## If this is an "OTP-*" tag that has been pushed we do some release work