otp scan PRs for vulnerabilities #9790
base: master
Conversation
CT Test Results: 38 files, 1 003 suites, 7h 25m 36s. Results for commit 75454be. (This comment has been updated with the latest results.)

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run tests locally.

// Erlang/OTP Github Action Bot
From what I can tell, only our GitHub Actions dependencies are scanned by this right now; is that correct? Will it in the future be able to use the information in the SBOM created in the job you are adding this step to, or is this check only for GitHub Actions?
I think you are right @garazdawi

Summary

I have tested that it works by manually hand-picking a previous commit that fixed a known vulnerability reported on GitHub repos.

Information sent

Result
Force-pushed from 86a4478 to c10c255.
The vendor vulnerability scanning now fails because I changed the vendor.json
Force-pushed from 4f13738 to f74a0f5.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Force-pushed from 007ae7f to 982b107.
I have updated the scripts and this is the end result, using OSV for vulnerability scanning.
Force-pushed from 9c412cb to 9a8d637.
Force-pushed from 07936d8 to 9a8d637.
Force-pushed from d1ce4bc to f8bdd68.
This is the expected result whenever there is a CVE found.

```
Checking OpenVex statements in 'vex/otp-28.openvex.json'...
OpenVex statements found.
Exiting known vulnerabilities already open:
- github.com/madler/zlib: CVE-2023-45853
- github.com/PCRE2Project/pcre2: OSV-2025-300
- github.com/wxWidgets/wxWidgets: CVE-2024-58249
[Vulnerability] Contact OTP team.
The following CVEs must be checked in OpenVex statements for master:
- github.com/openssl/openssl: CVE-2025-4575
```

What it says is that it has detected a possible CVE for which the OTP team has not created a VEX statement; thus, it is not clear if Erlang/OTP is affected. The way to proceed is to inform the OTP team, the OTP team pushes a VEX statement about it, and the PR should be re-run (which will pick up the latest

I have removed all the SARIF generation because it was producing more issues than anything else, and instead we use OpenVex as the source of truth to confirm if we are affected by CVEs.
The current PR will fail in the reusable workflow because it looks for
Force-pushed from 99a543f to d6ee2c5.
Force-pushed from cb9133b to 2ef8b43.
- perform vulnerability analysis on a pull-request basis and on a scheduled basis.
- adds the option `osv-scan` to `otp-compliance.es` to submit requests to the OSV API.
- filter CVEs found based on VEX statements.
- creation of a reusable GitHub workflow to allow direct calls (workflow_call) and gh triggering events (workflow_dispatch).
- add a script to generate OpenVex statements based on the Erlang/OTP release tree, i.e., it generates statements for OTP versions and OTP applications.
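The two steps the description lists, querying OSV and filtering the findings against VEX statements, are shown below as an added example. This is not the project's `otp-compliance.es` escript and not code from the PR; it is a Python stand-in written for this page. The purls, the OSV response, the OpenVEX document and the `CVE-0000-0000` identifier are all constructed (the document shapes follow the public OSV querybatch and OpenVEX v0.2.0 formats), and the rule that `not_affected`/`fixed` close a finding while any other status keeps it visible is an assumption about how such a filter would sensibly behave, not a description of the project's script.

```python
"""Triage OSV findings against OpenVEX statements (constructed example).

Added example, not the project's otp-compliance.es. Data below is made up;
document shapes follow the OSV querybatch and OpenVEX v0.2.0 specs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (package purl, vulnerability id)

# Products we would ask OSV about (constructed; versions omitted on purpose).
QUERIED_PURLS = [
    "pkg:github/madler/zlib",
    "pkg:github/PCRE2Project/pcre2",
    "pkg:github/openssl/openssl",
]

# Constructed response shaped like POST https://api.osv.dev/v1/querybatch:
# one "results" entry per query, in query order, each with a "vulns" list.
OSV_RESPONSE = {
    "results": [
        {"vulns": [{"id": "CVE-2023-45853", "modified": "2024-01-01T00:00:00Z"}]},
        {"vulns": [{"id": "OSV-2025-300", "modified": "2025-04-01T00:00:00Z"}]},
        {"vulns": [
            {"id": "CVE-2025-4575", "modified": "2025-05-01T00:00:00Z"},
            # Placeholder id, not a real advisory; present only to show suppression.
            {"id": "CVE-0000-0000", "modified": "2025-05-01T00:00:00Z"},
        ]},
    ]
}

# Constructed OpenVEX document (field names per openvex.dev spec v0.2.0).
OPENVEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/constructed.openvex.json",
    "author": "constructed example",
    "timestamp": "2025-06-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2023-45853"},
         "products": [{"@id": "pkg:github/madler/zlib"}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "OSV-2025-300"},
         "products": [{"@id": "pkg:github/PCRE2Project/pcre2"}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "CVE-0000-0000"},
         "products": [{"@id": "pkg:github/openssl/openssl"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_present"},
    ],
}

# Assumption: these statuses close a finding; any other status keeps it visible.
CLOSED_STATUSES = {"not_affected", "fixed"}


def build_querybatch(purls: List[str]) -> dict:
    """Request body for OSV's querybatch endpoint, one query per purl."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}


def findings_from_response(purls: List[str], response: dict) -> List[Finding]:
    """Pair each OSV result with the purl it was queried for (results are positional)."""
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError("OSV returned %d results for %d queries" % (len(results), len(purls)))
    return [(purl, v["id"]) for purl, res in zip(purls, results) for v in res.get("vulns", [])]


def index_vex(doc: dict) -> Dict[Finding, str]:
    """Map (product id, vulnerability name) -> status. Exact match only, by design."""
    idx: Dict[Finding, str] = {}
    for st in doc.get("statements", []):
        name = st["vulnerability"]["name"]
        for prod in st.get("products", []):
            idx[(prod["@id"], name)] = st["status"]
    return idx


@dataclass
class Triage:
    suppressed: List[Finding] = field(default_factory=list)   # VEX says closed
    known_open: List[Finding] = field(default_factory=list)   # VEX exists, still open
    unchecked: List[Finding] = field(default_factory=list)    # no VEX statement at all

    def exit_code(self) -> int:
        # Only findings nobody has assessed fail the check.
        return 1 if self.unchecked else 0

    def report(self, branch: str) -> str:
        lines = []
        if self.known_open:
            lines.append("Known vulnerabilities already open:")
            lines += ["- %s: %s" % f for f in self.known_open]
        if self.unchecked:
            lines.append("[Vulnerability] Contact OTP team.")
            lines.append("The following CVEs must be checked in OpenVex statements for %s:" % branch)
            lines += ["- %s: %s" % f for f in self.unchecked]
        return "\n".join(lines)


def triage(findings: List[Finding], vex_doc: dict) -> Triage:
    """Split OSV findings into suppressed / known-open / unchecked using the VEX index."""
    idx = index_vex(vex_doc)
    out = Triage()
    for f in findings:
        status = idx.get(f)
        if status is None:
            out.unchecked.append(f)
        elif status in CLOSED_STATUSES:
            out.suppressed.append(f)
        else:
            out.known_open.append(f)
    return out


if __name__ == "__main__":
    request_body = build_querybatch(QUERIED_PURLS)  # would be POSTed to OSV; unused offline
    t = triage(findings_from_response(QUERIED_PURLS, OSV_RESPONSE), OPENVEX_DOC)
    print(t.report("master"))
    raise SystemExit(t.exit_code())
```

The VEX lookup is deliberately an exact match on (product id, vulnerability id): a statement scoped to one product must not silently suppress the same advisory against a different product, and a finding with no statement at all is the only thing that fails the job, which is the behaviour the expected-result comment above describes.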
Force-pushed from 2ef8b43 to 75454be.
GH should fix actions/dependency-review-action#923 for us to get alerts about dependencies.