#!/bin/bash
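#######################################
# Appends the Maven dependency tree of the current directory to the step summary.
#
# Runs `mvn dependency:tree` in the current working directory, writing the tree
# to ./dependency-tree.txt, then wraps that file in a collapsible markdown block.
# A previous run's dependency-tree.txt is removed first so that a failing mvn can
# never leave a stale tree to be reported as current.
#
# Globals:   INPUT_DIRECTORY, INPUT_VERBOSE (read); GITHUB_STEP_SUMMARY (appended to)
# Arguments: $1 - path suffix shown after $INPUT_DIRECTORY in the section heading
# Outputs:   the tree on stdout when INPUT_VERBOSE=true; diagnostics on stderr
# Returns:   0 on success, 1 when mvn fails (a failure note is written to the summary)
#######################################
dependency_tree_summary () {
  local tree_file="dependency-tree.txt"
  local heading="### $INPUT_DIRECTORY$1"

  rm -f -- "$tree_file"
  if ! mvn -ntp dependency:tree -Dverbose=true -DoutputFile="$tree_file"; then
    printf 'dependency_tree_summary: mvn dependency:tree failed for %s%s\n' \
      "$INPUT_DIRECTORY" "$1" >&2
    # Record the failure in the summary instead of silently omitting the section.
    printf '%s\n\n_Dependency tree could not be generated (mvn dependency:tree failed)._\n\n' \
      "$heading" >> "$GITHUB_STEP_SUMMARY"
    return 1
  fi

  if [[ "$INPUT_VERBOSE" == true ]]; then
    cat -- "$tree_file"
  fi

  {
    printf '%s\n' "$heading"
    printf '%s\n' "<details>"
    printf '\n'
    printf '%s\n' '```'
    cat -- "$tree_file"
    printf '%s\n' '```'
    printf '%s\n' "</details>"
    printf '\n'
  } >> "$GITHUB_STEP_SUMMARY"
}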
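#######################################
# Appends one markdown table row per open Dependabot alert of a manifest.
#
# Each row holds: alert number (linked to the repository's Dependabot page),
# package, severity ("critical"/"high" are flagged with ‼️), GHSA id, CVE id,
# first patched version and the first edge reported by
# `mvn dependency:tree -DoutputType=dot -Dincludes=<package>` (presumably the
# direct dependency that pulls the vulnerable package in — confirm against a run).
#
# Globals:   INPUT_VERBOSE, GITHUB_REPOSITORY (read); GITHUB_STEP_SUMMARY (appended to)
# Arguments: $1 - pom.xml path as stored in the alert's dependency.manifest_path,
#                 given WITHOUT its leading "/" (it is prepended back to cd there)
#            $2 - Dependabot alerts as a JSON array (API response body)
# Outputs:   progress and the rows on stdout when INPUT_VERBOSE=true; mvn/cd
#            failures on stderr
# Returns:   0; exits the script with 1 when the project directory cannot be entered
#######################################
vulnerabilities_summary () {
  local manifest_path="${1#github/workspace/}"
  local project_dir="/${1/pom.xml/}"
  local -a alerts=()
  local -a fields=()
  local alert dot_output dep_edges level _rest table_row idx cell

  if [[ "$INPUT_VERBOSE" == true ]]; then
    echo "tempManifestPath: $manifest_path"
  fi

  # The manifest path is bound with --arg, so it is never spliced into the jq program text.
  mapfile -t alerts < <(jq -r --arg MANIFEST "$manifest_path" '.[] | select(.dependency.manifest_path == $MANIFEST and .state == "open") | (.number|tostring) + "|" + .security_vulnerability.package.name + "|" + .security_vulnerability.severity + "|" + .security_advisory.ghsa_id + "|" + .security_advisory.cve_id + "|" + .security_vulnerability.first_patched_version.identifier + "|"' <<< "$2")

  # No open alert for this manifest: nothing to write, working directory untouched.
  (( ${#alerts[@]} > 0 )) || return 0

  # The project directory is the same for every alert, so enter it once.
  cd "$project_dir" || {
    printf 'vulnerabilities_summary: cannot cd to %s\n' "$project_dir" >&2
    exit 1
  }
  if [[ "$INPUT_VERBOSE" == true ]]; then
    echo "Moved to: $project_dir"
  fi

  for alert in "${alerts[@]}"; do
    IFS='|' read -r -a fields <<< "$alert"

    # mvn's failure used to vanish inside the pipeline; surface it, and leave the
    # level column empty rather than guessing.
    dot_output=$(mvn -ntp dependency:tree -DoutputType=dot -Dincludes="${fields[1]}") \
      || printf 'vulnerabilities_summary: mvn dependency:tree failed for %s\n' "${fields[1]}" >&2
    # dot edges look like `"from" -> "group:artifact:type:version:scope" ;`; keep group:artifact.
    dep_edges=$(printf '%s\n' "$dot_output" | grep -e "->" | cut -d ">" -f 2 | cut -d '"' -f 2 | cut -d ":" -f 1-2)
    # Only the first word of the first edge is reported.
    IFS=' ' read -r level _rest <<< "$dep_edges"
    fields+=("$level")

    table_row="| "
    for idx in "${!fields[@]}"; do
      cell=${fields[idx]}
      case "$idx" in
        0) table_row+="[$cell](https://github.com/$GITHUB_REPOSITORY/security/dependabot/$cell) | " ;;
        2)
          if [[ $cell == "critical" || $cell == "high" ]]; then
            table_row+="‼️ $cell | "
          else
            table_row+="$cell | "
          fi
          ;;
        4)
          # A literal "null" CVE id is rendered as an empty cell.
          if [[ $cell == "null" ]]; then
            table_row+=" | "
          else
            table_row+="$cell | "
          fi
          ;;
        1|3|5|6) table_row+="$cell | " ;;
        *) ;;  # unexpected extra fields are ignored
      esac
    done

    echo "$table_row" >> "$GITHUB_STEP_SUMMARY"
    if [[ "$INPUT_VERBOSE" == true ]]; then
      echo "CVE Table"
      echo "$table_row"
    fi
  done
}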
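# Writes the job step summary for every Clojure project found under
# $GITHUB_WORKSPACE$INPUT_DIRECTORY: the Maven dependency tree of each manifest,
# followed by a table of the open Dependabot alerts that belong to it.
#
# Arguments:
#   $1 - manifest file name to look for: "project.clj" or "deps.edn"
#        ("project.clj" projects are expected under <dir>/projectclj/,
#        anything else under <dir>/depsedn/, each holding a generated pom.xml)
# Environment (read): GITHUB_WORKSPACE, INPUT_DIRECTORY, INPUT_VERBOSE,
#   INPUT_INCLUDE_SUBDIRECTORIES, GITHUB_REPOSITORY (used by vulnerabilities_summary)
# Environment (written): GITHUB_STEP_SUMMARY is appended to
# Input file: /tmp/dependabot_alerts.json - Dependabot alerts as a JSON array,
#   presumably written by an earlier workflow step (confirm in the action definition)
manifest_name=$1
if [[ -z $manifest_name ]]; then
  printf 'usage: %s project.clj|deps.edn\n' "${0##*/}" >&2
  exit 2
fi

if [[ -n $INPUT_DIRECTORY ]]; then
  if [[ "$INPUT_VERBOSE" == true ]]; then
    echo "Moving to $GITHUB_WORKSPACE$INPUT_DIRECTORY"
  fi
  cd "$GITHUB_WORKSPACE$INPUT_DIRECTORY" || exit
fi

if [[ "$INPUT_VERBOSE" == true ]]; then
  echo "Finding all $manifest_name files"
fi
mapfile -t array < <(find . -name "$manifest_name")

if [[ $manifest_name == "project.clj" ]]; then
  echo "## Dependency Tree" >> "$GITHUB_STEP_SUMMARY"
fi

# Without INPUT_INCLUDE_SUBDIRECTORIES=true only the manifest directly in the
# working directory is processed; an exact match avoids picking up a nested
# ".../x./project.clj"-style path by substring.
if [[ $INPUT_INCLUDE_SUBDIRECTORIES != true ]]; then
  top_level_manifest=()
  if [[ $manifest_name == "project.clj" || $manifest_name == "deps.edn" ]]; then
    for m in "${array[@]}"; do
      if [[ $m == "./$manifest_name" ]]; then
        top_level_manifest=("$m")
        break
      fi
    done
  fi
  array=("${top_level_manifest[@]}")
fi

# A missing alerts file must not turn into a report of zero vulnerabilities.
alerts_file=/tmp/dependabot_alerts.json
if [[ ! -r $alerts_file ]]; then
  printf '%s: %s is missing or unreadable; refusing to report zero alerts\n' \
    "${0##*/}" "$alerts_file" >&2
  exit 1
fi
vul_page=$(< "$alerts_file")

# Directory that holds the generated pom.xml for this manifest kind.
if [[ $manifest_name == "project.clj" ]]; then
  pom_subdir=projectclj
else
  pom_subdir=depsedn
fi

for i in "${array[@]}"; do
  if [[ "$INPUT_VERBOSE" == true ]]; then
    echo "Creating the dependency tree for $i"
  fi
  # find prints "./sub/<manifest>": drop the leading "." and the "/<manifest>" tail.
  i=${i/.}
  cljdir=$GITHUB_WORKSPACE$INPUT_DIRECTORY${i//\/"$manifest_name"}
  cd "${cljdir}/${pom_subdir}" || exit
  dependency_tree_summary "$i"
  # Alerts store the manifest path without the leading "/".
  db_path="${cljdir}/${pom_subdir}/pom.xml"
  db_path=${db_path:1}
  {
    echo "| Number | Package | Severity | GHSA | CVE | Patched in | Dependency level |"
    echo "| --- | --- | --- | --- | --- | --- | --- |"
  } >> "$GITHUB_STEP_SUMMARY"
  vulnerabilities_summary "$db_path" "$vul_page"
  echo "" >> "$GITHUB_STEP_SUMMARY"
done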