
Improve CVE scan Github Actions job #2424

Closed
terriko opened this issue Dec 7, 2022 · 2 comments · Fixed by #2475

terriko commented Dec 7, 2022

Current output of our CVE-scan GitHub action:

    =============================== warnings summary ===============================
    ../../../../../opt/hostedtoolcache/Python/3.11.0/x64/lib/python3.11/site-packages/_pytest/config/__init__.py:1294
      /opt/hostedtoolcache/Python/3.11.0/x64/lib/python3.11/site-packages/_pytest/config/__init__.py:1294: PytestConfigWarning: Unknown config option: asyncio_mode

        self._warn_or_fail_if_strict(f"Unknown config option: {key}\n")

    -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
    =========================== short test summary info ============================
    FAILED test/test_requirements.py::test_requirements - AssertionError: assert 'Unexplored' in ['Mitigated', 'Ignored']
    ==================== 1 failed, 1 passed, 1 warning in 4.69s ====================

It's helpfully telling us that we have an unexplored potential CVE in a component, but it's not telling me what component it's in. Let's improve that output so it's easier to tell at a glance what needs upgrading. (You can tell from the scan output above this, but it'd be really nifty if we could have it assert product names instead of triage types.)

terriko changed the title from "Improve CVE scan" to "Improve CVE scan Github Actions job" on Dec 7, 2022
@Rexbeast2

@terriko
I would like to work on this issue. I am unclear what we have to do in this issue. Could you guide me on this?


terriko commented Dec 19, 2022

I don't know what the best solution here would look like so I can't offer a lot of guidance, but I can help you get started! The code is in test/test_requirements.py:

    # OUTPUT_JSON is the path to the cve-bin-tool JSON report, set earlier in the test file
    with open(OUTPUT_JSON) as f:
        output_json = json.load(f)
        for entry in output_json:
            # On failure this only prints "assert 'Unexplored' in [...]" and names no component
            assert entry["remarks"] in ["Mitigated", "Ignored"]

We want that assert line to give a more useful error message. We're using pytest, which actually has the ability to add more human-readable messages; here's the segment of the docs that's probably relevant: https://docs.pytest.org/en/7.1.x/how-to/assert.html (you'll have to figure out how to make it tell you the name of the component, which should be in entry).

This will be hard to test if we don't have any known vulnerabilities in the component list, but you could probably inject a fake one into the json right in the code above for testing, or you could add one to the triage or edit the requirements files to add a vulnerable component for testing. (Don't forget to remove any vulnerable stuff before making a PR! But you might want to take screenshots to show what the output will look like before you remove it.)

Hope that can get you started!
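The two suggestions above (a descriptive assertion message, and injecting a fake "Unexplored" entry to exercise the failure path) worked through as an added example. This is not code from the cve-bin-tool repository or from the commenters; the report is a constructed sample, and the field names other than "remarks" (vendor, product, version, cve_number) are assumed for the example.

```python
import json

# Constructed sample in the shape of a cve-bin-tool JSON report. "remarks" is
# the field the real test already checks; the other field names are an
# assumption made for this example.
SAMPLE_REPORT = json.dumps([
    {"vendor": "example_vendor", "product": "libfoo", "version": "1.2.3",
     "cve_number": "CVE-0000-0001", "remarks": "Mitigated"},
    {"vendor": "example_vendor", "product": "libbar", "version": "4.5.6",
     "cve_number": "CVE-0000-0002", "remarks": "Ignored"},
])

# Triage verdicts the requirements check accepts; anything else needs attention.
TRIAGED = ("Mitigated", "Ignored")


def describe(entry):
    """One line naming the component behind a report entry."""
    return (f"{entry.get('vendor', '?')}/{entry.get('product', '?')} "
            f"{entry.get('version', '?')} ({entry.get('cve_number', '?')}) "
            f"has remark {entry['remarks']!r}")


def untriaged(entries):
    """Descriptions of every entry whose remark is not a triage verdict."""
    return [describe(e) for e in entries if e["remarks"] not in TRIAGED]


def check_requirements(report_json):
    """The assertion as the test could phrase it: pytest prints the message
    on failure, so every component still needing attention is listed by name.
    Returns the number of entries checked when the report is clean."""
    entries = json.loads(report_json)
    problems = untriaged(entries)
    assert not problems, "Untriaged CVEs in requirements:\n  " + "\n  ".join(problems)
    return len(entries)


def with_fake_unexplored(report_json, product="fakelib", version="0.0.1"):
    """Inject a constructed 'Unexplored' entry, as the comment suggests, so the
    failure path can be exercised without a real vulnerable dependency."""
    entries = json.loads(report_json)
    entries.append({"vendor": "example_vendor", "product": product,
                    "version": version, "cve_number": "CVE-0000-9999",
                    "remarks": "Unexplored"})
    return json.dumps(entries)


def failure_message(report_json):
    """Run the check and return the assertion text, or None if it passed."""
    try:
        check_requirements(report_json)
    except AssertionError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("clean report:", failure_message(SAMPLE_REPORT))
    print("with fake entry:\n" + failure_message(with_fake_unexplored(SAMPLE_REPORT)))
```

Collecting all untriaged entries before asserting, rather than asserting inside the loop, means one CI run reports every component that needs an upgrade or a triage decision instead of stopping at the first one.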

terriko pushed a commit that referenced this issue Jan 3, 2023
* fixes #2424 

Signed-off-by: ayush_gitk <ayushsharmaa101@gmail.com>