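# Post-merge housekeeping for vulnerability submissions.
#
# Runs when a pull request into `main` has been merged. The PR is expected to
# have modified only `input/new.json`; this workflow stamps the dates on that
# file, copies it to the next free `vulnerabilities/AIKIDO-<year>-<nnnnn>.json`
# slot, resets the template and pushes the resulting commit to the base branch.
#
# Trust boundary: under `pull_request_target` both this workflow file and the
# checkout come from the BASE branch, so no code from the contributor's branch
# is executed here. Do not add `ref: ${{ github.event.pull_request.head.sha }}`
# (or any head ref) to the checkout step — that would run contributor-controlled
# code with a write-capable GITHUB_TOKEN. The only contributor-controlled input
# is the JSON text, which is only ever parsed by jq.
name: Validate and Move Vulnerability Submission
on:
  pull_request_target:
    types:
      - closed
# Least privilege: the job only needs to push one commit.
permissions:
  contents: write
jobs:
  validate-and-move:
    if: ${{ github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' }} # Only if merged into main
    runs-on: ubuntu-latest
    defaults:
      run:
        # An explicit `bash` shell runs with `-eo pipefail`; the implicit default
        # is `bash -e` only, which would let a failing pipeline stage pass.
        shell: bash
    env:
      # Branch the result is pushed to — `main`, per the job-level `if` above.
      BASE_REF: ${{ github.event.pull_request.base.ref }}
    steps:
      # Check out the base branch (the default ref for pull_request_target).
      # Depth 2 so HEAD^1 exists for the diff below.
      # Supply-chain note: consider pinning the action to a full commit SHA
      # instead of the mutable `v3` tag.
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 2
      # Ensure only input/new.json is modified.
      # NOTE: this runs after the merge, so a failure here does not keep other
      # files off `main` — it only aborts the move. If the rule must block the
      # merge itself, enforce it on the `pull_request` event as well.
      # HEAD is compared with its first parent; for a rebase-merge of a
      # multi-commit PR only the last commit is inspected (presumed acceptable
      # for single-file submissions — confirm against the repo's merge policy).
      - name: Validate modified files
        run: |
          modified_files=$(git diff --name-only HEAD^1 HEAD)
          if [[ "$modified_files" != "input/new.json" ]]; then
            printf 'modified_files: %s\n' "$modified_files"
            echo "Error: Only /input/new.json should be modified."
            exit 1
          fi
      # Validate JSON format and required fields.
      # The reset template below sets package_name to "" and patch_versions to
      # [], neither of which is null, so a bare null-check would accept an
      # unmodified template. Require a non-empty package name and an array of
      # patch versions instead (an invalid document makes jq exit non-zero too).
      - name: Validate JSON structure
        run: |
          if ! jq -e '(.package_name | type == "string" and length > 0) and (.patch_versions | type == "array")' input/new.json; then
            echo "Error: JSON format or required fields are invalid."
            exit 1
          fi
      # Generate the new filename: AIKIDO-<year>-<nnnnn>, one above the highest
      # number already present for the current year (10001 when none exists).
      - name: Generate new filename
        id: generate-name
        run: |
          current_year=$(date +%Y)
          next_number=10001
          # Glob instead of parsing `ls`; nullglob makes a missing match iterate zero times.
          shopt -s nullglob
          for existing in vulnerabilities/AIKIDO-"${current_year}"-*.json; do
            num=${existing##*-}
            num=${num%.json}
            # Skip names that do not end in a plain number (not produced by this workflow).
            [[ "$num" =~ ^[0-9]+$ ]] || continue
            # 10# forces base 10 so the zero-padded value is not read as octal.
            if (( 10#$num >= next_number )); then
              next_number=$(( 10#$num + 1 ))
            fi
          done
          printf -v next_file_name 'vulnerabilities/AIKIDO-%s-%05d.json' "$current_year" "$next_number"
          echo "file_name=$next_file_name" >> "${GITHUB_ENV:?}"
      # Stamp last_modified and published with today's date.
      - name: Update JSON metadata
        run: |
          current_date=$(date +%Y-%m-%d)
          tmp=$(mktemp)
          jq --arg date "$current_date" \
            '.last_modified = $date | .published = $date' \
            input/new.json > "$tmp" && mv -- "$tmp" input/new.json
      # Move input/new.json to the new filename computed above.
      - name: Move new.json to vulnerabilities folder
        run: |
          cp -- input/new.json "${file_name:?}"
      # Reset input/new.json to the empty template (quoted heredoc: no expansion).
      - name: Reset input/new.json to template
        run: |
          cat > input/new.json <<'EOF'
          {
            "package_name": "",
            "patch_versions": [],
            "vulnerable_ranges": [],
            "cwe": [],
            "tldr": "",
            "doest_this_affect_me": "",
            "how_to_fix": "",
            "reporter": "",
            "vulnerable_to": "",
            "related_cve_id": "",
            "language": "",
            "severity_class": "",
            "aikido_score": 0,
            "changelog": "",
            "package_name_alias": null,
            "package_wildcard_ends_in": null,
            "package_wildcard_contains": null,
            "extra_specific_non_vulnerable_versions": null,
            "unaffected_distros": null,
            "simplify_version_if_has_patch_part": false
          }
          EOF
      # Commit the moved file and the reset template, then push to the base branch.
      - name: Commit changes
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -- "${file_name:?}" input/new.json
          git commit -m "Move new vulnerability to $file_name and reset new.json template"
          # Push to the base branch. Under pull_request_target GITHUB_HEAD_REF is
          # the contributor's source branch, so pushing to it would put the commit
          # there (or create that branch in this repository) instead of on main.
          git push origin "HEAD:${BASE_REF:?}"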