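---
# Post-merge bookkeeping for vulnerability submissions.
#
# Trigger: a pull request against `main` is closed AND was merged. The job
# checks that the merge touched only `input/new.json`, validates that file,
# copies it to `vulnerabilities/AIKIDO-<year>-<nnnnn>.json` (next free number
# for the year), resets `input/new.json` to the empty template and pushes the
# resulting commit back to the branch the PR was merged into.
#
# Security notes (review):
#   * `pull_request_target` runs with a write-capable GITHUB_TOKEN. The
#     checkout below is the BASE branch after the merge (actions/checkout's
#     default for this event), never an unmerged PR head, and no event value
#     is interpolated into a `run:` script via `${{ }}` -- keep it that way.
#   * The "only input/new.json changed" check runs AFTER the merge. It can
#     fail this job but cannot stop a bad PR from landing on `main`. A
#     pre-merge gate (a plain `pull_request` workflow with a read-only token)
#     is the place for prevention; this job is a consistency check.
#   * The push target is fixed to the PR's base branch. Pushing to
#     `GITHUB_HEAD_REF` -- the branch name chosen by the PR author -- would let
#     a fork PR decide which branch of this repository the bot writes to.
name: Validate and Move Vulnerability Submission

on:
  pull_request_target:
    types:
      - closed

# Least privilege: the job only needs to push one commit to the base branch.
permissions:
  contents: write

# Serialize runs per base branch: two merges processed in parallel would both
# compute the same next AIKIDO number, and the second push would be rejected
# (or two records would claim one ID if it were not).
concurrency:
  group: vulnerability-submission-${{ github.event.pull_request.base.ref }}
  cancel-in-progress: false

defaults:
  run:
    # Explicit bash gives `-e -o pipefail`, so a failing command inside a
    # pipeline fails the step instead of being masked.
    shell: bash

jobs:
  validate-and-move:
    # Only merged PRs into main; closed-without-merge and other bases skip.
    if: ${{ github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' }}
    runs-on: ubuntu-latest
    env:
      # Event data is passed through the environment, not pasted into shell
      # text, so it cannot inject into the scripts below.
      BASE_REF: ${{ github.event.pull_request.base.ref }}
    steps:
      # Base branch at the merge result; HEAD^1 is the pre-merge state that
      # the diff below relies on. Review: pin this action to a commit SHA
      # rather than the moving `v3` tag (supply-chain hygiene).
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 2

      # Ensure the merge touched nothing but input/new.json.
      # Caveat: HEAD^1..HEAD covers merge commits and squash merges; a
      # rebase-merge of several commits is only partially covered, and if the
      # base branch received another push between the merge and this run,
      # HEAD is not the merge commit at all. A failure here means "needs
      # manual cleanup on main", not that anything was prevented.
      - name: Validate modified files
        run: |
          modified_files=$(git diff --name-only HEAD^1 HEAD)
          if [[ "$modified_files" != "input/new.json" ]]; then
            echo "modified_files: $modified_files"
            echo "Error: Only /input/new.json should be modified."
            exit 1
          fi

      # Reject malformed JSON and the untouched template: package_name must be
      # a non-empty string (the template ships it as ""), patch_versions must
      # be present (an empty array is allowed, as in the template).
      - name: Validate JSON structure
        run: |
          if ! jq -e '(.package_name | type == "string" and length > 0) and .patch_versions != null' input/new.json; then
            echo "Error: JSON format or required fields are invalid."
            exit 1
          fi

      # Compute the next free vulnerabilities/AIKIDO-<year>-<nnnnn>.json name
      # and export it as $file_name for the following steps.
      - name: Generate new filename
        id: generate-name
        run: |
          current_year=$(date +%Y)
          shopt -s nullglob
          existing=(vulnerabilities/AIKIDO-"${current_year}"-*.json)
          if [ "${#existing[@]}" -eq 0 ]; then
            # First record of the year starts at 10001.
            next_number=10001
          else
            # Names are zero-padded to 5 digits, so a plain sort puts the
            # highest number last. `10#` forces decimal so a hand-added,
            # zero-padded value such as 00042 is not read as octal.
            latest_file=$(printf '%s\n' "${existing[@]}" | sort | tail -n 1)
            latest_number=$(basename "$latest_file" .json)
            latest_number=${latest_number##*-}
            next_number=$((10#${latest_number} + 1))
          fi
          printf -v next_file_name "vulnerabilities/AIKIDO-%s-%05d.json" "$current_year" "$next_number"
          # Never overwrite an existing record, whatever the numbering says.
          if [ -e "$next_file_name" ]; then
            echo "Error: $next_file_name already exists."
            exit 1
          fi
          echo "file_name=$next_file_name" >> "$GITHUB_ENV"

      # Stamp both dates with today's date (runner clock, UTC). Kept as two
      # statements: `jq ... && mv ...` on one line does not trip `-e` when jq
      # fails, and the stale file would silently be carried forward.
      - name: Update JSON metadata
        run: |
          current_date=$(date +%Y-%m-%d)
          jq --arg date "$current_date" \
            '.last_modified = $date | .published = $date' \
            input/new.json > temp.json
          mv temp.json input/new.json

      - name: Move new.json to vulnerabilities folder
        run: |
          # Fail loudly if the generate-name step did not export a name.
          : "${file_name:?file_name not set by generate-name step}"
          cp input/new.json "$file_name"

      # Restore the empty template. Keys are reproduced verbatim -- including
      # the historical spelling `doest_this_affect_me` -- because downstream
      # consumers read these exact key names.
      - name: Reset input/new.json to template
        run: |
          cat > input/new.json <<'EOF'
          {
            "package_name": "",
            "patch_versions": [],
            "vulnerable_ranges": [],
            "cwe": [],
            "tldr": "",
            "doest_this_affect_me": "",
            "how_to_fix": "",
            "reporter": "",
            "vulnerable_to": "",
            "related_cve_id": "",
            "language": "",
            "severity_class": "",
            "aikido_score": 0,
            "changelog": "",
            "package_name_alias": null,
            "package_wildcard_ends_in": null,
            "package_wildcard_contains": null,
            "extra_specific_non_vulnerable_versions": null,
            "unaffected_distros": null,
            "simplify_version_if_has_patch_part": false
          }
          EOF

      # Commit the moved record plus the reset template and push to the base
      # branch (main, per the job condition). If main is branch-protected
      # against the Actions bot this push will be rejected -- that is the
      # intended failure mode, not a reason to push elsewhere.
      - name: Commit and push to the base branch
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add "$file_name" input/new.json
          git commit -m "Move new vulnerability to $file_name and reset new.json template"
          git push origin "HEAD:${BASE_REF}"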