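# Scheduled CVE scan of the published aws-lambda-rie release binaries. When the
# scan fails (vulnerabilities reported), the job rebuilds the binaries with the
# current toolchain, re-scans, and opens a tracking issue with both results.
#
# NOTE(review): `uses:` references are mutable tags. Pinning each action to a
# full commit SHA (`actions/checkout@<commit-sha>  # v6`) hardens the supply
# chain; the tag form is kept here because no SHA is recorded in this file.
name: Check binaries

on:
  workflow_dispatch:
  schedule:
    - cron: "0 16 * * 1-5"  # min h d Mo DoW / 16:00 UTC = 8am PST / 9am PDT, Mon-Fri

# Least privilege: listing `permissions` drops every unlisted scope to `none`.
permissions:
  contents: read  # checkout and `gh release download`; explicit rather than relying on defaults
  issues: write   # `gh issue create` in the final step

jobs:
  check-for-vulnerabilities:
    runs-on: ubuntu-latest
    outputs:
      report_contents: ${{ steps.save-output.outputs.report_contents }}
    steps:
      - name: Setup python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'  # quoted so a version like 3.10 is not read as the float 3.1

      - name: Checkout code
        uses: actions/checkout@v6
        with:
          ref: main

      - name: Download latest release
        run: |
          mkdir -p bin
          gh release download --pattern 'aws-lambda-rie*' --dir bin
        env:
          GH_TOKEN: ${{ github.token }}

      - name: Run check for vulnerabilities
        id: check-binaries
        run: |
          make check-binaries

      # `failure()` is true when any earlier step failed; `make check-binaries`
      # is expected to fail exactly when the scan reports vulnerabilities.
      - if: always() && failure()
        name: Save content of the vulnerabilities report as GitHub output
        id: save-output
        run: |
          # The runner's default shell is `bash -eo pipefail`, so a failing `ls`
          # (no report file) must not abort the script before the guard below.
          report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1 || true)"  # last file generated
          if [ -z "$report_csv" ]; then
            echo "No file with vulnerabilities. Probably a failure in previous step."
            exit 0  # report_contents stays unset, which skips the remaining steps
          fi
          echo "Vulnerabilities stored in $report_csv"
          final_report="${report_csv}.txt"
          # Make the CSV nicer: columns 2-5 plus the basename of the path in column 10.
          # NOTE(review): assumes the scanner's CSV layout and comma-free fields — confirm.
          awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report"
          # Random heredoc marker so report text that happens to contain "EOF"
          # cannot terminate the multi-line output early.
          delim="report_contents_$RANDOM$RANDOM"
          {
            echo "report_contents<<$delim"
            cat "$final_report"
            echo "$delim"
          } >> "$GITHUB_OUTPUT"

      - if: always() && steps.save-output.outputs.report_contents
        name: Build new binaries and check vulnerabilities again
        id: check-new-version
        run: |
          mkdir -p ./bin2
          mv ./bin/* ./bin2
          make compile-with-docker-all
          # Go toolchain version(s) embedded in the rebuilt binaries, joined on one
          # line because the key=value form of $GITHUB_OUTPUT cannot hold newlines.
          # `|| true` keeps a missing match from aborting the step under `-eo pipefail`.
          latest_version="$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort -u | paste -sd ' ' - || true)"
          echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"
          make check-binaries  # fails if the rebuilt binaries still carry reported CVEs

      - if: always() && steps.save-output.outputs.report_contents
        name: Save outputs for the check with the latest build
        id: save-new-version
        run: |
          # NOTE(review): a `failure` outcome also covers a failed
          # `make compile-with-docker-all`, which is then reported as "No" — confirm.
          if [ "${CHECK_OUTCOME}" == "failure" ]; then
            fixed="No"
          else
            fixed="Yes"
          fi
          echo "fixed=$fixed" >> "$GITHUB_OUTPUT"
        env:
          CHECK_OUTCOME: ${{ steps.check-new-version.outcome }}

      - if: always() && steps.save-output.outputs.report_contents
        name: Create GitHub Issue indicating vulnerabilities
        id: create-issue
        # Scanner-derived text reaches the shell only through env vars, never via
        # `${{ }}` inside `run:`, so CVE text cannot inject into the script.
        run: |
          gh issue create \
            --title "CVEs found in latest RIE release" \
            --body "### CVEs found in latest RIE release
          \`\`\`
          ${REPORT_CONTENTS}
          \`\`\`
          #### Are these resolved by building with the latest patch version of Go (${LATEST_VERSION})?:
          > **${FIXED}**"
        env:
          GH_TOKEN: ${{ github.token }}
          REPORT_CONTENTS: ${{ steps.save-output.outputs.report_contents }}
          LATEST_VERSION: ${{ steps.check-new-version.outputs.latest_version }}
          FIXED: ${{ steps.save-new-version.outputs.fixed }}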