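#!/bin/bash
#
# update_vulns.sh
#
# Downloads the BOMs stored on a BOMnipotent server, scans each of them with
# grype, uploads the resulting vulnerability reports back to the server, and
# finally lists the vulnerabilities that are still unassessed.
#
# Usage:
#   update_vulns.sh [-n NAME | --name NAME | --name=NAME]
#                   [-v VERSION | --version VERSION | --version=VERSION]
#                   [--skip-update] [--skip-check] [--] [FILE]
#
# Required tools in PATH: bomnipotent_client (or bomnipotent_client.exe).
# When the update step is not skipped, grype and jq are required as well.
set -euo pipefail

#######################################
# Print a diagnostic to stderr and abort the script.
# Arguments: $* - message lines, printed one per line
# Returns:   never (exit status 1)
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

perform_update=1
perform_check=1
bom_name=""
bom_version=""
# A positional FILE argument is accepted for compatibility but is currently
# not used by any step below.
# shellcheck disable=SC2034
bom_file=""

# Parse options. Options that take a value are checked for the presence of
# that value first; under `set -u` a bare "$2" would otherwise abort with an
# unhelpful "unbound variable" message.
while [[ $# -gt 0 ]]; do
  case "$1" in
    -n|--name)
      [[ $# -ge 2 ]] || die "Error: Option $1 requires an argument."
      bom_name="$2"
      shift 2
      ;;
    --name=*)
      bom_name="${1#*=}"
      shift
      ;;
    -v|--version)
      [[ $# -ge 2 ]] || die "Error: Option $1 requires an argument."
      bom_version="$2"
      shift 2
      ;;
    --version=*)
      bom_version="${1#*=}"
      shift
      ;;
    --skip-update)
      perform_update=0
      shift
      ;;
    --skip-check)
      perform_check=0
      shift
      ;;
    --)
      shift
      break
      ;;
    -*)
      die "Unknown option: $1"
      ;;
    *)
      bom_file="$1"
      shift
      ;;
  esac
done

# Locate the BOMnipotent client; fall back to the Windows binary name.
bomnipotent_command="bomnipotent_client"
if ! command -v "$bomnipotent_command" &> /dev/null; then
  bomnipotent_command="bomnipotent_client.exe"
fi
if ! command -v "$bomnipotent_command" &> /dev/null; then
  die "Error: The BOMnipotent Client binary is not available in the PATH. Please make sure it is." \
    "Inside GitHub Actions, you can use Weichwerke-Heidrich-Software/setup-bomnipotent-action to that end." \
    "https://github.com/marketplace/actions/setup-bomnipotent-client"
fi

if [[ "$perform_update" -eq 1 ]]; then
  # jq is only required to circumvent https://github.com/anchore/grype/issues/2418
  if ! command -v jq &> /dev/null; then
    die "Error: jq is not installed. Please install jq to process JSON data."
  fi
  if ! command -v grype &> /dev/null; then
    die "Error: grype is not installed. Please install grype to analyze vulnerabilities."
  fi
fi

# Optional filters, passed identically to every client invocation.
bomnipotent_args=()
if [[ -n "$bom_name" ]]; then
  bomnipotent_args+=("--name" "$bom_name")
fi
if [[ -n "$bom_version" ]]; then
  bomnipotent_args+=("--version" "$bom_version")
fi

if [[ "$perform_update" -eq 1 ]]; then
  # Create a unique directory for BOM downloads
  timestamp=$(date +%Y-%m-%d-%H%M%S)
  bomdir="./vulnerability_action_bom_downloads_${timestamp}"
  if [[ -d "$bomdir" ]]; then
    die "Error: The directory \"$bomdir\" already exists. This is as unexpected as it is unhandled."
  fi

  # Download BOMs from the server
  "$bomnipotent_command" bom download "${bomnipotent_args[@]}" "$bomdir"

  # Collect the downloaded BOMs explicitly: without nullglob an empty download
  # directory would leave the literal pattern in the loop and fail inside jq
  # with a confusing message.
  shopt -s nullglob
  bom_files=("$bomdir"/*.cdx.json)
  shopt -u nullglob
  if [[ ${#bom_files[@]} -eq 0 ]]; then
    die "Error: No *.cdx.json files were downloaded into \"$bomdir\"."
  fi

  for file in "${bom_files[@]}"; do
    # Circumventing https://github.com/anchore/grype/issues/2418
    version=$(jq -r '.metadata.component.version' "$file")
    if [[ -z "$version" || "$version" == "null" ]]; then
      die "Error: Could not extract version from BOM file \"$file\"."
    fi

    vuln_file_path="$file.vulns.json"
    if [[ -f "$vuln_file_path" ]]; then
      die "Oh, ok, the file \"$vuln_file_path\" already exists." \
        "This is unexpected. The script cannot handle this case."
    fi

    # Fetch vulnerabilities for the current BOM
    grype sbom:"$file" --output cyclonedx-json="$vuln_file_path"

    # Update vulnerabilities on the server. The path is quoted so a download
    # directory or BOM name containing whitespace cannot split the argument.
    "$bomnipotent_command" vulnerability update "$vuln_file_path" --version "$version"
  done
else
  echo "Skipping vulnerability update."
fi

if [[ "$perform_check" -eq 1 ]]; then
  "$bomnipotent_command" vulnerability list "${bomnipotent_args[@]}" --unassessed
else
  echo "Skipping vulnerability check."
fi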