From f7a6a2c86a4f57d9632a983995d4d04117199fc6 Mon Sep 17 00:00:00 2001
From: sbp-bvanb <126502840+sbp-bvanb@users.noreply.github.com>
Date: Sat, 13 Jan 2024 14:56:04 +0100
Subject: [PATCH] fix: [#8] Support suppression of all kind of vulnerabilities. (#9)
---
 action.yml | 4 ++-
 src/action.sh | 27 +++++++++++--------
 ...t-vulnerability-expiry-max-one-month.bats} | 4 +--
 ...bats => inspect-vulnerability-expiry.bats} | 2 +-
 4 files changed, 22 insertions(+), 15 deletions(-)
 rename test/{inspect-cve-expiry-max-one-month.bats => inspect-vulnerability-expiry-max-one-month.bats} (72%)
 rename test/{inspect-cve-expiry.bats => inspect-vulnerability-expiry.bats} (83%)
diff --git a/action.yml b/action.yml
index cce4b94..c801e20 100644
--- a/action.yml
+++ b/action.yml
@@ -2,7 +2,9 @@
 name: trivyignore-validator
 description: trivyignore-validator
 runs:
- using: 'composite'
+ using: "composite"
 steps:
+ - run: bash --version
+ shell: bash
 - run: ${GITHUB_ACTION_PATH}/src/action.sh
 shell: bash
diff --git a/src/action.sh b/src/action.sh
index 45a414a..d78db19 100755
--- a/src/action.sh
+++ b/src/action.sh
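Review bot: The added `- run: bash --version` step carries no `name:` or comment saying why it is there, so a later maintainer is likely to treat it as leftover debugging and drop it. Give it a name that records its purpose, e.g. `- name: Print bash version (diagnostic for src/action.sh)`, so the intent survives in the workflow log and in the file.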
@@ -13,21 +13,26 @@ createEmptyDotTrivyignoreIfAbsent() {
 exit 0
 }
-inspectCveExpiry() {
+inspectVulnerabilityExpiry() {
 echo "checking whether an expiry has been attached..."
- if ! echo ${1} | grep -qE "^CVE\-.*exp:[0-9]{4}(\-[0-9]{2}){2}$"; then
+ if ! echo ${1} | grep -qE "^[A-Z]+\-.*exp:[0-9]{4}(\-[0-9]{2}){2}$"; then
 echo "no expiry associated to: '${1}'. Add it by adding: 'exp:yyyy-mm-dd'"
 exit 1
 fi
 }
-inspectCveExpiryMaxOneMonth() {
+inspectVulnerabilityExpiryMaxOneMonth() {
 echo "checking whether the expiry will take place in one month..."
- current=$(echo "${1}" | sed -e "s|CVE\-.*exp:\(.*\)|\1|g")
+ current=$(echo "${1}" | sed -e "s|^[A-Z]\{3,\}\-.*exp:\(.*\)|\1|g")
+ if ! echo "${current}" | grep -qE "^[0-9]{4}(\-[0-9]{2}){2}$"; then
+ echo "extracted date: ${current} is invalid"
+ exit 1
+ fi
+
 max=$(date +"%F" --date="$(date +%F) next month")
- if [[ "${current}" > "${max}" ]]; then
+ if [ "${current}" \> "${max}" ]; then
 echo "current date: '${current}' in line: '${1}' exceeds"
 echo "the maximum date of one month. Choose a new date that is"
 echo "before: ${max}"
@@ -35,20 +40,20 @@ inspectCveExpiryMaxOneMonth() {
 fi
 }
-inspectCveExpiryAndMaxOneMonth() {
+inspectVulnerabilityExpiryAndMaxOneMonth() {
 while read -r line; do
- if echo "${line}" | grep -qE "^CVE\-"; then
- echo "found a 'CVE-' entry in the $(unknown)...";
+ if echo "${line}" | grep -qE "^[A-Z]+\-"; then
+ echo "found a vulnerability entry in the $(unknown)...";
- inspectCveExpiry "${line}"
- inspectCveExpiryMaxOneMonth "${line}"
+ inspectVulnerabilityExpiry "${line}"
+ inspectVulnerabilityExpiryMaxOneMonth "${line}"
 fi
 done < "$(unknown)"
 }
 main() {
 createEmptyDotTrivyignoreIfAbsent
- inspectCveExpiryAndMaxOneMonth
+ inspectVulnerabilityExpiryAndMaxOneMonth
 }
 main
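Review bot: The prefix patterns introduced in this hunk disagree: `inspectVulnerabilityExpiry` accepts `^[A-Z]+\-`, but the `sed` in `inspectVulnerabilityExpiryMaxOneMonth` only rewrites lines matching `^[A-Z]\{3,\}\-`, so an entry with a one- or two-letter prefix passes the expiry check, `current` is left equal to the whole line, and the run stops with the misleading "extracted date: ... is invalid" message instead of a clear one. Use the same quantifier in both places, e.g. `current=$(echo "${1}" | sed -e "s|^[A-Z]\{1,\}\-.*exp:\(.*\)|\1|g")`. The changed `if ! echo ${1} | grep -qE ...` line also leaves `${1}` unquoted, so the entry is word-split and glob-expanded before grep sees it; `if ! grep -qE '^[A-Z]+-.*exp:[0-9]{4}(-[0-9]{2}){2}$' <<<"${1}"; then` avoids that and drops the `\-` escapes, which GNU grep tolerates but POSIX ERE leaves undefined. The switch from `[[ > ]]` to `[ \> ]` deserves a one-line comment such as `# test(1) compares bytewise, not by locale collation` so the next reader does not revert it. `inspectVulnerabilityExpiryMaxOneMonth` continues past the end of the hunk.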
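Review bot: `while read -r line; do` in `inspectVulnerabilityExpiryAndMaxOneMonth` never runs the body for a final line that lacks a trailing newline, because `read` returns non-zero on it, so a suppression on the last line of the file is silently exempt from the expiry checks this action exists to enforce; the fixtures in the bats hunks below are written with `echo -en` and no trailing newline, so their second entry is exactly that case and is currently untested. Change the loop head to `while IFS= read -r line || [[ -n "${line}" ]]; do`. The filter `grep -qE "^[A-Z]+\-"` also skips, without any output, every line that does not start with an upper-case prefix, so if a lower-case or indented entry is possible in this file it is neither validated nor reported; at minimum add a comment stating that only such lines are checked, or emit a diagnostic for skipped non-comment lines.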
diff --git a/test/inspect-cve-expiry-max-one-month.bats b/test/inspect-vulnerability-expiry-max-one-month.bats
similarity index 72%
rename from test/inspect-cve-expiry-max-one-month.bats
rename to test/inspect-vulnerability-expiry-max-one-month.bats
index be8cbc1..7499860 100644
--- a/test/inspect-cve-expiry-max-one-month.bats
+++ b/test/inspect-vulnerability-expiry-max-one-month.bats
@@ -1,7 +1,7 @@
 setup() {
 filename=".trivyignore"
- echo -en "CVE-123 exp:2124-02-15\nCVE-456 exp:2124-02-16" > "$(unknown)"
+ echo -en "DEF-123 exp:2124-02-15\nCVE-456 exp:2124-02-16" > "$(unknown)"
 }
 teardown() {
@@ -12,6 +12,6 @@ teardown() {
 @test "inspect cve expiry max one month" {
 run ./src/action.sh
 [ "$status" -eq 1 ]
- regex=".*current date: '2124-02-15' in line: 'CVE-123 exp:2124-02-15' exceeds.*the maximum date of one month. Choose a new date that is.*before: .*"
+ regex=".*current date: '2124-02-15' in line: 'DEF-123 exp:2124-02-15' exceeds.*the maximum date of one month. Choose a new date that is.*before: .*"
 [[ "$output" =~ $regex ]]
 }
diff --git a/test/inspect-cve-expiry.bats b/test/inspect-vulnerability-expiry.bats
similarity index 83%
rename from test/inspect-cve-expiry.bats
rename to test/inspect-vulnerability-expiry.bats
index d10ed82..0887468 100644
--- a/test/inspect-cve-expiry.bats
+++ b/test/inspect-vulnerability-expiry.bats
@@ -1,7 +1,7 @@
 setup() {
 filename=".trivyignore"
- echo -en "CVE-123\nCVE-456 exp:2124-02-16" > "$(unknown)"
+ echo -en "CVE-123\nABC-456 exp:2124-02-16" > "$(unknown)"
 }
 teardown() {