otp scan PRs for vulnerabilities #9790

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
747 changes: 733 additions & 14 deletions .github/scripts/otp-compliance.es

Large diffs are not rendered by default.

37 changes: 33 additions & 4 deletions .github/workflows/main.yaml
@@ -426,6 +426,30 @@ jobs:
docker run otp "erl ${OPTION} -noshell -s init stop"
done

modified-vendor-files:
name: Check if vendor files changed
runs-on: ubuntu-latest
outputs:
vendor-files: ${{ steps.vendor-files.outputs.MODIFIED_FILES != '0' }}
steps:
- name: Get modified vendor files
id: vendor-files
run: |
echo "MODIFIED_FILES=$(git diff --name-only '${{ github.base_ref }}' 'HEAD' | grep 'vendor\.info$' | wc -l || 1)"

# this is a call to a workflow_call
pr-vendor-vulnerability-analysis:
needs: modified-vendor-files
if: ${{ needs.modified-vendor-files.outputs.vendor-files }}
permissions:
security-events: read
name: Vendor Vulnerability Scanning
uses: ./.github/workflows/reusable-vendor-vulnerability-scanner.yml
with:
fail_if_cve: true
version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}
# equivalent of ${{ env.BASE_BRANCH }} but reusable-workflows do not allow to pass env.

build:
name: Build Erlang/OTP
runs-on: ubuntu-latest
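Review bot: the `Get modified vendor files` step echoes `MODIFIED_FILES=...` to stdout instead of appending it to `$GITHUB_OUTPUT`, so `steps.vendor-files.outputs.MODIFIED_FILES` is always empty, the job output evaluates `'' != '0'` (true) and the PR scan runs whether or not a `vendor.info` changed. Write it as `echo "MODIFIED_FILES=$(git diff --name-only "origin/${{ github.base_ref }}" HEAD | grep -c 'vendor\.info$' || true)" >> "$GITHUB_OUTPUT"`. The job also has no `actions/checkout` step, so `git diff` has no repository to run against; add a checkout with enough history to contain the base branch, and note that `'${{ github.base_ref }}'` is a bare branch name that only resolves as `origin/<base_ref>` after a fetch. The trailing `|| 1` on the current line is not a fallback value: if the pipeline fails, bash tries to execute a command named `1`. Finally, job outputs are strings, so in `pr-vendor-vulnerability-analysis` compare explicitly with `if: needs.modified-vendor-files.outputs.vendor-files == 'true'` rather than relying on truthiness.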
@@ -848,18 +872,17 @@ jobs:
fail-on: ${{ github.ref_type == 'tag' && '' || 'violations,issues' }}
sw-version: ${{ env.OTP_SBOM_VERSION }}

vendor-analysis:
name: Vendor Dependency Analysis
vendor-dependency-upload:
name: Vendor Dependency Upload
runs-on: ubuntu-latest
if: github.event_name == 'push'
needs:
- sbom
- pack
if: github.repository == 'erlang/otp'
## Needed to use Github Dependency API
permissions:
contents: write
id-token: write

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
- uses: ./.github/actions/build-base-image
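Review bot: `vendor-dependency-upload` keeps `id-token: write` although the only privileged step visible in this job is the dependency-submission upload, which works with `contents: write` alone; unless a step here requests an OIDC token, drop `id-token: write` so the job carries only the permission the Dependency submission API needs. With the `github.event_name == 'push'` guard no longer on the job (the remaining condition is `github.repository == 'erlang/otp'`, and the event filter moves down to the upload step's own `if:`), the job and its `sbom` and `pack` dependencies are scheduled on every event this workflow handles; if that is intended, a one-line comment above `needs:` saying that the event filter now lives on the upload step would help the next reader.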
@@ -878,7 +901,13 @@ jobs:
--sbom-file /github/bom.spdx.json"

# allows Dependabot to give us alert of the vendor libraries that use semantic versioning
# it also allows dependencies to be looked up from github dependencies
#
# trigger the upload only on merged pull requests
#
#
- name: Upload SBOM to Github Dependency API
if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # ratchet:advanced-security/[email protected]

## If this is an "OTP-*" tag that has been pushed we do some release work
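Review bot: the new step-level `if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true` only matches when this workflow is triggered by `pull_request` with `types` including `closed`; that trigger is not part of this diff, so confirm `on.pull_request.types` lists `closed`, otherwise the step is never reached and the previous push-time upload is silently lost. Also note that `pull_request` runs for PRs opened from forks receive a read-only `GITHUB_TOKEN` by default, so the `contents: write` this job requests is not granted there and the Dependency submission upload would fail for merged fork PRs; a `push` trigger on the target branch (the event the job used before) does not have that limitation. Minor: the comment block above the step ends in two empty `#` lines; trim them.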
35 changes: 13 additions & 22 deletions .github/workflows/osv-scanner-scheduled.yml
@@ -60,33 +60,24 @@ jobs:
permissions:
actions: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
with:
ref: ${{ matrix.type }}

# this call to a workflow_dispatch ref=master is important because
# using ref={{matrix.type}} would trigger the workflow
# reusable-vendor-vulnerability-scanner.yml in that ref/branch. since
# there is no such files in maint-25, maint-26, etc, the result would
# ignore the vulnerability scanning for those branches.
#
# we do not need to fail if there are CVEs in the weekly scheduled reporting,
# thus, fail_if_cve can be false. if set to true, finding a CVE in scheduled scanning
# triggers a failure. this is not needed because sarif=true, which means that
# the results are placed in Github Security via SARIF file
- name: Trigger Vulnerability Scanning
env:
GH_TOKEN: ${{ github.token }}
if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
REPO: ${{ github.repository }} # in testing cases, this is your fork, e.g., kikofernandez/otp
run: |
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
-f "ref=${{ matrix.type }}"

scan-pr:
# run-scheduled-scan triggers this job
# PRs and pushes trigger this job
if: github.event_name != 'schedule'
permissions:
# Require writing security events to upload SARIF file to security tab
security-events: write
# Required to upload SARIF file to CodeQL.
# See: https://github.com/github/codeql-action/issues/2117
actions: read
contents: read
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # ratchet:google/osv-scanner-action/.github/workflows/[email protected]"
with:
upload-sarif: ${{ github.repository == 'erlang/otp' }}
/repos/${{ github.repository }}/actions/workflows/reusable-vendor-vulnerability-scanner.yml/dispatches \
-f "ref=master" -f "inputs[version]=${{ matrix.type }}" -f "inputs[fail_if_cve]=false"
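Review bot: `REPO: ${{ github.repository }}` is added to the step's `env` (with the comment about forks) but the `gh api` call still hard-codes `/repos/${{ github.repository }}/...`; either use `$REPO` in the path or drop the variable so the fork hint is not misleading. The `if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}` line appears between the two `env` entries in this rendering; make sure it sits at step level in the file, since a key inside `env` would be a YAML error. Because the dispatched reusable workflow runs with `fail_if_cve=false`, the comment that results still land in GitHub Security via a SARIF file is only true if that workflow actually uploads SARIF; the workflow added in this PR has no such step, so with the `scan-pr` job and its `upload-sarif: ${{ github.repository == 'erlang/otp' }}` removed, scheduled findings would only be visible in the job log. Either keep a SARIF upload or reword the comment.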
107 changes: 107 additions & 0 deletions .github/workflows/reusable-vendor-vulnerability-scanner.yml
@@ -0,0 +1,107 @@
# %CopyrightBegin%
#
# SPDX-License-Identifier: Apache-2.0
#
# Copyright Ericsson AB 2024-2025. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# %CopyrightEnd%

name: Vendor Vulnerability Scanning
run-name: "[${{ inputs.version }}] Vendor Vulnerability Scanning"
description: 'Vulnerability scanning'

# 'inputs' must be repeated twice for the different use cases.
# there is no current way to share 'inputs' for workflow dispatch
# and call.
#
# version: reference branch to checkout and analyse for CVE.
#
# fail_if_cve: makes the job fail if a CVE is found.
# This is 'true' when analysing PRs, as we prefer a failure to detect that the PR
# introduces a vulnerability.
#

on:
workflow_dispatch:
inputs:
version:
description: 'Reference branch to checkout and analyse'
required: true
default: 'master'
type: 'string'
fail_if_cve:
# The build fails if a CVE is found. This is ok to activate in PRs, but
# does not make sense in scheduled analysis since CVEs will be reported
# in Github Security
description: 'Fail if CVE is found'
required: true
default: false
type: boolean
workflow_call:
inputs:
version:
description: 'Reference branch to checkout and analyse'
required: true
default: 'master'
type: 'string'
fail_if_cve:
# The build fails if a CVE is found. This is ok to activate in PRs, but
# does not make sense in scheduled analysis since CVEs will be reported
# in Github Security.
description: 'Fail if CVE is found'
required: true
default: false
type: boolean

env:
VERSION: ${{ inputs.version }}

jobs:
analysis-vendor-dependencies:
name: "Vulnerability Scanning of Vendor Dependencies"
# This job is always run on the build of a `master` base-image.
# then it copies the branch to be analysed, and scans it.
# the main reason is that maint-25, maint-26, etc do not have this file
# committed into them. thus, a workflow_dispatch or workflow_call would
# not work, and we would not be able to analyse vendor dependecies there.
runs-on: ubuntu-latest
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
permissions:
security-events: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
- uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # racket:actions/checkout@v1
with:
otp-version: '28'

- name: 'Analysis of dependencies in ${{ inputs.version }}'
id: analysis
run: |
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/erlang/otp/contents/.github/scripts/otp-compliance.es \
| jq -r '.content' | base64 -d > otp-compliance.es
git clone -b ${{ env.VERSION }} https://github.com/erlang/otp.git ${{ env.VERSION }}
mkdir -p /home/runner/work/otp/otp/${{ env.VERSION }}/.github/scripts/
chmod +x otp-compliance.es
cp otp-compliance.es \
/home/runner/work/otp/otp/${{ env.VERSION }}/.github/scripts/otp-compliance.es
cd /home/runner/work/otp/otp/${{ env.VERSION }} && \
.github/scripts/otp-compliance.es sbom osv-scan \
--version ${{ inputs.version }} \
--fail_if_cve ${{ inputs.fail_if_cve }}
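Review bot: for pull requests the caller passes `version: ${{ github.base_ref }}`, and this job then runs `git clone -b ${{ env.VERSION }} https://github.com/erlang/otp.git` and scans that clone, so the analysis covers the base branch, not the PR head whose `vendor.info` files changed; a PR that bumps a vendored library to a vulnerable version would pass. For `workflow_call` from a PR, run the scan on the checkout that `actions/checkout` already produced (the PR merge ref) and reserve the clone-by-branch path for `workflow_dispatch`. Related points in the same step: `otp-compliance.es` is fetched from `erlang/otp` master at run time rather than taken from the checked-out commit, so a PR that changes the script (this one included) is scanned with the old script, and `curl` without `--fail` turns an API error body into `null`, which `base64 -d` then writes into the script file; prefer `curl --fail` and the checked-out copy. Both the clone URL and `/home/runner/work/otp/otp/...` are hard-coded, which breaks in forks (the scheduled workflow's comment expects fork testing) and whenever the runner workspace differs; use `${{ github.server_url }}/${{ github.repository }}` and `$GITHUB_WORKSPACE`. `${{ inputs.version }}`, `${{ env.VERSION }}` and `${{ inputs.fail_if_cve }}` are interpolated straight into the shell script; the step already exports `VERSION`, so reference it as `"$VERSION"` (and pass `fail_if_cve` through `env` the same way) to keep unusual branch names out of the script text. The pin comment on `erlef/setup-beam` reads `# racket:actions/checkout@v1`, which names the wrong action and misspells `ratchet`, so the pin tool will not track it; it should read `# ratchet:erlef/setup-beam@<version>`. `description:` is not a documented top-level workflow key; check that the file parses. Finally, `permissions: security-events: read` is sufficient for the script as written, but the scheduled workflow's comment promises results in GitHub Security via SARIF, which would need `security-events: write` and an upload step.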