CVE Scanner GitHub Action

kniraj

Niraj Kamdar

Posted on September 3, 2020

CVE Scanner GitHub Action

My Workflow

I have created a GitHub action to scan CVEs(Common Vulnerabilities and Exposures) from binary packages. My action uses cve-bin-tool to scan CVEs from binary packages and generates a detailed report and upload it as an artifact which can be downloaded anytime. I am also using actions/cache to reduce the runtime of the action.

If you are a developer who develops binary packages and libraries then I recommend integrating this action as a part of your CI pipeline so that you will get to know about common vulnerabilities found in the libraries you are using, and take actions to mitigate it.

The most recommended way to fix a given CVE is to upgrade the package to a non-vulnerable version. Ideally, a CVE is only made public after a fix is available, although this is not always the case. If this is not possible for some reason, search for the CVE number to get information on possible workarounds and patches that could be backported to other versions. Note that neither workarounds nor backported fixes can be detected by this tool, so your binary will continue to show up as vulnerable even though it may now be safely mitigated and result in a false positive. To avoid this problem, I recommend classifying CVE as Mitigated. See User Manual of the cve-bin-tool for more details.

Submission Category:

Maintainer Must-Haves

Yaml File or Link to Code

name: CVE scanner
on:
#    You can customize this according to your need.
  - push
  - pull_request
jobs:
  build_and_scan:
    runs-on: ubuntu-latest
    steps:
    # Get date utility for caching database.
      - name: Get Date
        id: get-date
        run: |
          echo "::set-output name=date::$(/bin/date -u "+%Y%m%d")"
        shell: bash
    #  Let's first download dependencies for this action.
      - uses: actions/checkout@v2
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: 3.8
    #  This second step is unnecessary but highly recommended because
    #  it will cache database and saves time redownloading it
    #  if database isn't stale.
      - name: get cached python packages
        uses: actions/cache@v2
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: get cached database
        uses: actions/cache@v2
        with:
          path: ~/.cache/cve-bin-tool
          key: ${{ runner.os }}-cve-bin-tool-${{ steps.get-date.outputs.date }}
      - name: Install CVE Binary Tool
#          We are using the latest development version of cve-bin-tool
#          because current PyPI version don't have features like
#          config file support, generating an HTML report, etc.
        run: pip install git+https://github.com/intel/cve-bin-tool@master
#          In case you prefer current PyPI version, 
#          you need to hard code CLI options
#          for cve-bin-tool in the action itself and 
#          have to use CSV or JSON as output format.
      - name: build package
#          Here, we are building a Python wheel for this example.
#          You need to replace this with your build process.
        run: |
          pip install wheel
          python setup.py bdist_wheel
      - name: Scan built package
#          Now, we will scan the built wheel 
#          which is situated in "/dist" directory
#          Python stores built packages in /dist directory.
#          You need to replace it with the directory
#          where you have stored built package
        run: cve-bin-tool dist -f html -o cve-bin-tool-report.html -x
#          Alternatively if you have written config file
#          for cve-bin-tool you can use the following command
#          cve-bin-tool -C path/to/cve_bin_tool_config.toml
        continue-on-error: true
#          You need to set continue_on_error: true because 
#          CVE Binary Tool sets the number of product with CVEs
#          as exit code. And GitHub terminate the action 
#          when the process produces nonzero exit code status.
      - name: Upload report as an artifact
#        This will upload the generated report as 
#        a GitHub artifact which you can download later.
        uses: actions/upload-artifact@v2
        with:
          name: cve_report
          path: 'cve-bin-tool-report.html'
Enter fullscreen mode Exit fullscreen mode

Additional Resources / Info

I have also contributed this action to the cve-bin-tool. You can also find this in the how-to-guides directory of the official cve-bin-tool repository.

You can also see my pull-request to cve-bin-tool for this action here and discussion on the associated issue here.

I have also tested this action on my other project and it is working fine. You can see an example run of the action here.

💖 💪 🙅 🚩
kniraj
Niraj Kamdar

Posted on September 3, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

CVE Scanner GitHub Action
actionshackathon CVE Scanner GitHub Action

September 3, 2020