Add malicious package entries #10272
# CI checks for the malicious-package OSV reports in this repository.
# Runs on pushes to main and on every pull request (including fork PRs, which
# GitHub serves a read-only token anyway).
name: "Validate OSV"
on:
  push:
    branches:
      - main
  pull_request:
# Workflow-wide least privilege: every job below only reads the checkout and
# reports results, so no job is granted write scopes.
permissions: read-all
jobs:
  # Runs the repository's own validation target (`make validate`).
  # Third-party actions are pinned to full commit SHAs (tag in trailing comment)
  # so a moved tag cannot swap in different action code.
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          # Toolchain version is taken from go.mod so CI and local builds agree.
          go-version-file: 'go.mod'
      - name: Validate
        run: make validate
  # Runs `make preprocess`; the step fails if the target exits non-zero.
  # (Presumably this confirms generated/preprocessed output is up to date —
  # confirm against the Makefile.)
  check-preprocess:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: 'go.mod'
      - name: Check Preprocess
        run: make preprocess
  # Validates every osv/**/MAL-*.json report against the OSV JSON schema.
  check-schema:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: 'go.mod'
      - name: Checkout ossf/osv-schema
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          repository: ossf/osv-schema
          # Pinned to a specific schema commit so validation results are
          # reproducible and an upstream schema change cannot silently alter them.
          ref: ed713ef6511fa4113c89e25ea5e3da5291c6f05d
          path: osv-schema
      - name: Loosen ID check
        # This check allows for "id" to missing or an empty string, which allows
        # PRs for new OSV reports to pass validation. If ID is not empty it will
        # be validated as per the schema.
        # Uses whatever yq the runner image provides (not pinned); the
        # -p/-o flags and expression syntax are those of a jq-style yq.
        run: |
          yq -p=json -o=json '.properties.id |= { "oneOf" : [ . , { "type": "string", "pattern": "^$" } ] } | .required |= filter(. != "id")' osv-schema/validation/schema.json > schema.json
      - name: Check against schema
        # jv is fetched by exact module version; Go's module checksum database
        # verifies the download unless GOSUMDB/GONOSUMCHECK are overridden.
        # find's `-exec ... {} +` form runs nothing when no report matches and
        # propagates a non-zero jv exit status, so a schema failure fails the step.
        run: |
          go install github.com/santhosh-tekuri/jsonschema/cmd/[email protected]
          find osv -name "MAL-*.json" -exec jv schema.json {} +
no-deletes: | |
runs-on: ubuntu-latest | |
if: ${{ github.base_ref != '' }} | |
steps: | |
- name: Checkout target | |
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
with: | |
ref: ${{ github.base_ref }} | |
path: existing | |
- name: Checkout this branch | |
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
with: | |
path: changed | |
- name: Check for deleted reports | |
run: | | |
# Extract all the OSV IDs from the existing and changed version of the repo. | |
find existing/osv -name "MAL-*.json" -exec yq -r '.id' {} + > existing-ids.txt | |
find changed/osv -name "MAL-*.json" -exec yq -r '.id' {} + > changed-ids.txt | |
# The following command finds all the IDs that are in existing-ids.txt, but | |
# not in changed-ids.txt. | |
# This is acheived by joining the two sets together and returning only | |
# the IDs that are not in both sets. This will include deleted and added | |
# IDs. These are then joined with the existing IDs and only the duplicate | |
# values are returned - outputting the deleted IDs. | |
REMOVED_IDS=`cat existing-ids.txt changed-ids.txt | sort | uniq -u | cat existing-ids.txt - | sort | uniq -d | paste -sd',' -` | |
echo "::debug ::Result of check = '$REMOVED_IDS'" | |
if [ -z "$REMOVED_IDS" ]; then | |
echo "::notice ::No removed reports detected." | |
else | |
echo "### Deleted Reports Detected" >> $GITHUB_STEP_SUMMARY | |
echo "IDs removed: $REMOVED_IDS" >> $GITHUB_STEP_SUMMARY | |
echo "::error ::Report(s) deleted." | |
exit 1 | |
fi |