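# Nightly CVE scan of the meta-aws layer.
#
# The job builds a poky-based environment with bitbake-setup (meta-aws is
# injected through a source override pointing at the checked-out tree), runs
# `bitbake -c cve_check` for every recipe in the layer, and fails when
# cve-summary.json reports an issue whose status contains "Unpatched".
# The summary and the list of unpatched packages are kept as artifacts and
# rendered into the step summary.
name: nightly-cve-check

on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *'  # once a day at 00:00 UTC

# Least privilege: the job only needs to read the repository. Artifact upload
# and the step summary do not require additional scopes.
permissions:
  contents: read

jobs:
  nightly-cve-check:
    runs-on: ubuntu-22.04
    steps:
      - name: Install required packages to run nightly-cve-check
        run: |
          # Refresh the package index first; the image's index can be stale
          # enough that the install below fails on a no-longer-available version.
          sudo apt-get update
          sudo apt-get -y install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 xz-utils zstd liblz4-tool locales
          echo "en_US.UTF-8 UTF-8" | sudo tee --append /etc/locale.gen
          sudo locale-gen

      # NOTE(review): actions are referenced by major-version tag. Pinning to a
      # full commit SHA (actions/checkout@<commit-sha>) guards against a moved
      # tag; no SHA is recorded in this file, so the tags are kept here.
      - name: Checkout meta-aws
        uses: actions/checkout@v4
        with:
          path: meta-aws

      # NOTE(review): this clones an unpinned, moving branch, so the BitBake
      # revision executed by the job changes from night to night. A fixed tag
      # or revision would make runs reproducible.
      - name: Checkout BitBake
        run: git clone https://git.openembedded.org/bitbake -b master

      - name: Setup Source Override
        run: |
          # Point bitbake-setup at the local checkout, pinned to the exact
          # commit that was checked out, instead of fetching meta-aws again.
          META_AWS_REV=$(git -C meta-aws rev-parse HEAD)
          cat > meta-aws-override.json << EOF
          {
            "sources": {
              "meta-aws": {
                "git-remote": {
                  "remotes": {
                    "origin": {
                      "uri": "file://${{ github.workspace }}/meta-aws"
                    }
                  },
                  "rev": "${META_AWS_REV}"
                },
                "path": "meta-aws"
              }
            },
            "version": "1.0"
          }
          EOF

      - name: Initialize Build Environment
        run: |
          bitbake/bin/bitbake-setup init --non-interactive \
            --source-overrides meta-aws-override.json \
            ${{ github.workspace }}/meta-aws/.github/workflows/poky-with-meta-aws.conf.json \
            poky distro/poky-altcfg machine/qemux86-64

      - name: Cache sstate + downloads
        uses: actions/cache@v4
        with:
          path: |
            ~/bitbake-builds/poky-with-meta-aws-poky-distro_poky-altcfg-machine_qemux86-64/build/sstate-cache
            ~/bitbake-builds/poky-with-meta-aws-poky-distro_poky-altcfg-machine_qemux86-64/build/downloads
          # A cache entry is immutable once saved and is only written when the
          # key had no exact hit, so a constant key would freeze the very first
          # night's sstate/downloads forever. Use a per-run key and restore the
          # most recent previous entry by prefix (the bare legacy key is listed
          # so the first run after this change still gets a warm cache).
          key: cache-cve-sstate-downloads-${{ github.run_id }}
          restore-keys: |
            cache-cve-sstate-downloads-
            cache-cve-sstate-downloads

      - name: Run CVE check
        run: |
          source ~/bitbake-builds/poky-with-meta-aws-poky-distro_poky-altcfg-machine_qemux86-64/build/init-build-env
          echo 'INHERIT += "cve-check"' >> conf/local.conf
          # Recipe names to check: the basename of every .bb file in the layer
          # without its ".bb" suffix and "_<version>" part, de-duplicated.
          # The glob is quoted so the shell cannot expand it before find sees it.
          recipes=$(find "${{ github.workspace }}/meta-aws" -name '*.bb' -type f -printf '%f\n' \
            | sed -e 's/\.bb$//' -e 's/_.*//' | sort -u)
          # Intentionally unquoted: one argument per recipe.
          bitbake -c cve_check $recipes

      - name: Show cve-summary.json
        run: |
          cat ~/bitbake-builds/poky-with-meta-aws-poky-distro_poky-altcfg-machine_qemux86-64/build/tmp/log/cve/cve-summary.json

      - name: Check results (cve-summary.json) for unpatched CVEs
        # The default shell runs with -e; a plain bash lets jq's exit status be
        # captured and mapped to an explicit verdict below.
        shell: bash {0}
        run: |
          summary="$HOME/bitbake-builds/poky-with-meta-aws-poky-distro_poky-altcfg-machine_qemux86-64/build/tmp/log/cve/cve-summary.json"
          # jq -e: exit 0 when at least one package matched, 4 when no output
          # was produced (nothing unpatched), anything else is a real error.
          jq -e '.package[] | select(.issue[].status | contains ("Unpatched") )' "$summary" > cve-unpatched.json
          ret=$?
          case $ret in
            0)
              # cve-unpatched.json already holds only matching packages; a
              # package appears once per unpatched issue, hence sort -u.
              echo "::error::Found unpatched CVEs in packages: $(jq -r '.name' cve-unpatched.json | sort -u | tr '\n' ' ')"
              exit 1
              ;;
            4)
              echo "::notice::No unpatched CVEs found"
              exit 0
              ;;
            *)
              echo "::error::General error (jq exit status $ret)"
              exit 99
              ;;
          esac

      - name: Generate step summary
        if: '!cancelled()'
        run: |
          summary="$HOME/bitbake-builds/poky-with-meta-aws-poky-distro_poky-altcfg-machine_qemux86-64/build/tmp/log/cve/cve-summary.json"
          {
            if [ -s cve-unpatched.json ]; then
              echo "# Found unpatched CVE(s) in package(s):"
              echo
              echo '```json'
              cat cve-unpatched.json
              echo '```'
            else
              echo "# No unpatched CVE(s) found"
            fi
            echo
            echo "# CVE-SUMMARY:"
            echo
            # This step runs even when an earlier step failed (only a cancel
            # skips it), so the summary file may not exist; report that instead
            # of failing on a missing file.
            if [ -f "$summary" ]; then
              echo '```json'
              cat "$summary"
              echo '```'
            else
              echo "_cve-summary.json was not produced (build or cve_check failed)_"
            fi
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Save cve-summary.json
        if: '!cancelled()'
        uses: actions/upload-artifact@v4
        with:
          name: cve-summary.json
          path: ~/bitbake-builds/poky-with-meta-aws-poky-distro_poky-altcfg-machine_qemux86-64/build/tmp/log/cve/cve-summary.json

      - name: Save cve-summary
        if: '!cancelled()'
        uses: actions/upload-artifact@v4
        with:
          name: cve-summary
          path: ~/bitbake-builds/poky-with-meta-aws-poky-distro_poky-altcfg-machine_qemux86-64/build/tmp/log/cve/cve-summary
          if-no-files-found: ignore

      - name: Save cve-unpatched.json
        if: '!cancelled()'
        uses: actions/upload-artifact@v4
        with:
          name: cve-unpatched.json
          path: cve-unpatched.json
          if-no-files-found: ignore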