Generate CVE #31615
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate CVE | |
| on: | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: "*/30 * * * *" | |
| workflow_dispatch: | |
| inputs: | |
| clean: | |
| description: 'Download fresh feeds from NVD. Any value other than "false" will trigger a clean download.' | |
| required: true | |
| default: "false" | |
| permissions: | |
| contents: write | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }} | |
| VULNERABILITIES_CLEAN: ${{ github.event.inputs.clean || 'false' }} | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 180 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Repo | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| ref: main | |
| - name: Import GPG Key | |
| uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
| git_user_signingkey: true | |
| git_commit_gpgsign: true | |
| - name: Checkout Fleet | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| repository: fleetdm/fleet | |
| fetch-depth: 1 | |
| ref: main | |
| path: fleet | |
| - name: Setup Go | |
| uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| with: | |
| cache: false | |
| go-version: "^1.25.7" | |
| - name: Generate NVD Feeds | |
| run: | | |
| cd fleet | |
| go mod download | |
| go run cmd/cve/generate.go --db_dir ./cvefeed --debug | |
| - name: Build goval-dictionary and ensure destination dir exists | |
| run: | | |
| cd fleet/third_party/goval-dictionary | |
| make build | |
| mkdir -p ../../cvefeed | |
| - name: Pull Amazon Linux 1 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch amazon 1 --dbpath ./fleet/cvefeed/amzn_01.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Pull Amazon Linux 2 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch amazon 2 --dbpath ./fleet/cvefeed/amzn_02.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Pull Amazon Linux 2022 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch amazon 2022 --dbpath ./fleet/cvefeed/amzn_2022.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Pull Amazon Linux 2023 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch amazon 2023 --dbpath ./fleet/cvefeed/amzn_2023.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Pull RHEL 5 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch redhat 5 --dbpath ./fleet/cvefeed/rhel_05.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Pull RHEL 6 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch redhat 6 --dbpath ./fleet/cvefeed/rhel_06.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Pull RHEL 7 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch redhat 7 --dbpath ./fleet/cvefeed/rhel_07.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Pull RHEL 8 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch redhat 8 --dbpath ./fleet/cvefeed/rhel_08.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Pull RHEL 9 vulnerabilities | |
| run: for i in {1..3}; do fleet/third_party/goval-dictionary/goval-dictionary fetch redhat 9 --dbpath ./fleet/cvefeed/rhel_09.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s) | |
| - name: Validate NVD Feeds | |
| run: | | |
| cd fleet | |
| go run cmd/cve/validate/main.go --db_dir ./cvefeed --debug | |
| - name: Compress goval sqlite files | |
| run: xz ./fleet/cvefeed/*.sqlite3 | |
| - name: Current date | |
| id: date | |
| run: | | |
| echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT | |
| - name: Tag | |
| run: | | |
| git tag -a cve-${{ steps.date.outputs.date }} -m "release ${{ steps.date.outputs.date }}" | |
| git push origin cve-${{ steps.date.outputs.date }} | |
| - name: Release | |
| uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 | |
| with: | |
| files: | | |
| fleet/cvefeed/* | |
| tag_name: cve-${{ steps.date.outputs.date }} | |
| target_commitish: main | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Delete Old Releases | |
| uses: dev-drprasad/delete-older-releases@5494cd8b61c31b3c7a15f6267901195ec7df64e8 # v0.3.2 | |
| with: | |
| delete_tag_pattern: ^cve-.* | |
| keep_latest: 144 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |