chore: Added scout & trivy scan to github workflow #37022
Walkthrough
The pull request introduces two new scripts,
Actionable comments posted: 9
🧹 Outside diff range and nitpick comments (2)
.github/workflows/test-vurnabilities-data.yml (1)
15-16: Update checkout action to latest version
The checkout action can be updated to v4 for latest features and security fixes.
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
scripts/scout_vulnerabilities_data.sh (1)
98-98: Correct typo in log message
The message "Fetching passed data..." should be "Fetching past data..." to accurately describe the action.
Apply this diff to correct the typo:
-echo "Fetching passed data..."
+echo "Fetching past data..."
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
📒 Files selected for processing (2)
- .github/workflows/test-vurnabilities-data.yml (1 hunks)
- scripts/scout_vulnerabilities_data.sh (1 hunks)
🧰 Additional context used
🪛 yamllint
.github/workflows/test-vurnabilities-data.yml
[error] 22-22: trailing spaces
(trailing-spaces)
[error] 27-27: trailing spaces
(trailing-spaces)
[error] 102-102: trailing spaces
(trailing-spaces)
[warning] 106-106: wrong indentation: expected 10 but found 12
(indentation)
[error] 109-109: trailing spaces
(trailing-spaces)
[error] 124-124: no new line character at the end of file
(new-line-at-end-of-file)
🪛 Shellcheck
scripts/scout_vulnerabilities_data.sh
[warning] 136-136: Declare and assign separately to avoid masking return values.
(SC2155)
🔇 Additional comments (2)
.github/workflows/test-vurnabilities-data.yml (1)
35-38: Review database credentials usage
Using Cypress database credentials for vulnerability tracking seems inappropriate. Consider:
- Creating dedicated credentials for vulnerability tracking
- Using a separate database instance for security data
Let's verify if these credentials are used elsewhere:
scripts/scout_vulnerabilities_data.sh (1)
117-117: Verify the correct column name 'vurn_id' in the database
The column name 'vurn_id' may be a typo. Please verify if it should be 'vuln_id' to match standard terminology.
# Run Scout vulnerability data script | ||
- name: Run Scout vulnerability data script | ||
if: always() | ||
env: | ||
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} | ||
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }} | ||
DB_USER: ${{ secrets.CYPRESS_DB_USER }} | ||
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }} | ||
GITHUB_PR_ID: ${{ github.event.pull_request.number }} | ||
GITHUB_PR_LINK: ${{ github.event.pull_request.html_url }} | ||
GITHUB_RUN_ID: ${{ github.run_id }} | ||
run: | | ||
chmod +x scripts/scout_vulnerabilities_data.sh | ||
./scripts/scout_vulnerabilities_data.sh "${{ inputs.image_name }}" |
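Review bot: `"${{ inputs.image_name }}"` on the last line is expanded into the script text before the shell runs it, so an input containing a double quote or `$(...)` is interpreted by the shell instead of being passed as a plain argument; put it in `env:` (for example `IMAGE_NAME: ${{ inputs.image_name }}`) and call `./scripts/scout_vulnerabilities_data.sh "$IMAGE_NAME"`. Separately, `if: always()` makes this step run even when an earlier step failed, so the script can record results for an image that was never scanned; the default `success()` condition, or an explicit check on the scan step's outcome, is the safer choice.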
Review PR environment variables usage
Since this is a manually triggered workflow (workflow_dispatch), the PR-related environment variables (GITHUB_PR_ID and GITHUB_PR_LINK) will be undefined as they're only available in PR-triggered workflows.
Consider:
- Making these variables optional in the script
- Adding appropriate checks in scout_vulnerabilities_data.sh
- Documenting when these variables will be available
Also, add a newline at the end of the file.
🧰 Tools
🪛 yamllint
[error] 124-124: no new line character at the end of file
(new-line-at-end-of-file)
name: Run Vulnerability Data Script with Parameters and Update PR | ||
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
image_name: | ||
description: 'Docker image name to scan' | ||
required: true | ||
default: 'appsmith/appsmith-ce:release' | ||
|
Fix typo in workflow filename
The workflow filename contains a typo: "vurnabilities" should be "vulnerabilities". This should be corrected for better maintainability.
Rename the file from:
- .github/workflows/test-vurnabilities-data.yml
+ .github/workflows/test-vulnerabilities-data.yml
- name: Upload Vulnerability Data | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: vulnerability-data | ||
path: | | ||
vulnerability_base_data.csv | ||
vulnerability_base_data.txt | ||
|
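Review bot: the artifact carries an export of the vulnerability_tracking table with no `retention-days`, so it is kept for the repository default and is downloadable by anyone who can view the run; set `retention-days` to what the PR-update step actually needs and confirm that exposing the scan data at that visibility is intended. Also, v3 of the artifact actions has been deprecated by GitHub; move `uses: actions/upload-artifact@v3` to `actions/upload-artifact@v4`.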
Fix YAML indentation
The path field indentation should be 10 spaces to match the YAML structure.
with:
name: vulnerability-data
- path: |
- vulnerability_base_data.csv
- vulnerability_base_data.txt
+ path: |
+ vulnerability_base_data.csv
+ vulnerability_base_data.txt
🧰 Tools
🪛 yamllint
[warning] 106-106: wrong indentation: expected 10 but found 12
(indentation)
[error] 109-109: trailing spaces
(trailing-spaces)
[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: appsmith/appsmith-ce:release" > "$CSV_OUTPUT_FILE" | ||
|
||
# Check if the CSV output file is empty | ||
[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE" |
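Review bot: both fallbacks write a human-readable sentence into `$CSV_OUTPUT_FILE`, which anything that later parses the file as CSV will read as a data row rather than as "no findings"; once the duplicate is removed (the first line hardcodes `appsmith/appsmith-ce:release` while the second uses `$IMAGE`), prefer leaving the file empty or writing only the header and handling the empty case where the file is consumed.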
Consolidate redundant checks for empty output file
The checks at lines 82 and 85 are redundant and may overwrite each other's output. Combine them into a single check to ensure the correct message is displayed.
Apply this diff to fix the redundancy:
-[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: appsmith/appsmith-ce:release" > "$CSV_OUTPUT_FILE"
[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"
|
||
local pr_id="$GITHUB_PR_ID" | ||
local pr_link="$GITHUB_PR_LINK" | ||
local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") |
Separate declaration and assignment to avoid masking return values
Declaring and assigning created_date in the same command can mask return values. Separate the declaration and assignment as per ShellCheck SC2155.
Apply this diff to fix the issue:
-local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+local created_date
+created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
🧰 Tools
🪛 Shellcheck
[warning] 136-136: Declare and assign separately to avoid masking return values.
(SC2155)
priority=$(echo "$priority" | sed "s/'/''/g") | ||
product=$(echo "$product" | sed "s/'/''/g") | ||
scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g") | ||
|
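Review bot: quoting is applied to only some of the values that are later interpolated into the INSERT, and `echo "$var" | sed` can itself alter data (an `echo` that interprets `-n`/`-e` or backslash sequences). Route every interpolated value through one quoting helper, preferably via parameter expansion (`"${var//\'/\'\'}"`) rather than echo|sed, or stop building the statement as text: pass the values with `psql -v name="$var"` and reference them as `:'name'`, so psql performs the literal quoting.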
Escape all variables in SQL statements to prevent SQL injection
Variables like $comments, $owner, and $pod are not escaped and could contain special characters. Ensure all variables used in the SQL statement are properly escaped.
Apply this diff to enhance security:
# Escape single quotes in vulnerability ID, product, and priority
vurn_id=$(echo "$vurn_id" | sed "s/'/''/g")
priority=$(echo "$priority" | sed "s/'/''/g")
product=$(echo "$product" | sed "s/'/''/g")
scanner_tool=$(echo "$scanner_tool" | sed "s/'/''/g")
+ comments=$(echo "$comments" | sed "s/'/''/g")
+ owner=$(echo "$owner" | sed "s/'/''/g")
+ pod=$(echo "$pod" | sed "s/'/''/g")
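Added example, not code from this PR or from the CodeRabbit review: a bash helper that quotes every value before it is interpolated into the INSERT, covering the `$comments`, `$owner` and `$pod` cases raised above. It uses parameter expansion instead of `echo | sed`. The column list is a subset of the vulnerability_tracking statement under review, and the sample values (including the CVE-style id) are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the PR): quote shell values for use as
# PostgreSQL string literals before building an INSERT statement.
set -e

# Return VALUE as a SQL string literal: each ' is doubled and the result is
# wrapped in single quotes. Parameter expansion is used instead of echo|sed so
# values beginning with '-' or containing backslashes pass through untouched.
# With standard_conforming_strings=on (the PostgreSQL default) a backslash is
# literal inside '...', so doubling the quote is the only escaping required.
sql_quote() {
  local value="$1" q="'"
  printf "'%s'" "${value//$q/$q$q}"
}

# Build the INSERT with every column quoted, not only the four the script
# under review handles. Column list mirrors (a subset of) the PR's statement.
build_insert() {
  local product="$1" scanner_tool="$2" vurn_id="$3" priority="$4"
  local comments="$5" owner="$6" pod="$7"
  printf 'INSERT INTO vulnerability_tracking (product, scanner_tool, vurn_id, priority, comments, owner, pod) VALUES (%s, %s, %s, %s, %s, %s, %s);\n' \
    "$(sql_quote "$product")" "$(sql_quote "$scanner_tool")" \
    "$(sql_quote "$vurn_id")" "$(sql_quote "$priority")" \
    "$(sql_quote "$comments")" "$(sql_quote "$owner")" "$(sql_quote "$pod")"
}

# Demo with constructed values: the comment carries quotes, the pod starts
# with "-n", which a bare echo would swallow. CVE id is a placeholder.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  build_insert "appsmith/appsmith-ce:release" "SCOUT" "CVE-0000-00000" "HIGH" \
    "won't fix; vendor says 'not affected'" "John Doe" "-n security"
fi
```

The helper produces the literal with its surrounding quotes, so the `VALUES (...)` template uses bare `%s` placeholders; that keeps the quoting decision in one place rather than spread across the statement.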
psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do | ||
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority" | ||
done | ||
|
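Review bot: the connection string puts `$DB_PWD` into a command-line argument, so the password is visible in the process list and in any shell trace or error output that echoes the command; set `PGPASSWORD` (or use `PGPASSFILE`) and pass only host, user and database in the URI. Also, `psql -t` without `-A` still pads columns with spaces around `|`, so `db_product`, `db_scanner_tool` and `db_vurn_id` carry leading and trailing blanks and the `existing_entries` keys will not match the values read from the scan output; add `-A` and an explicit `-F` separator.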
Fix variable scoping issue due to subshell in pipeline
The associative array existing_entries may not be populated correctly because the while loop runs in a subshell created by the pipe. Refactor the code to avoid this issue.
Apply this diff to fix the scoping issue:
- psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
+ while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority"
- done
+ done < <(psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME")
Actionable comments posted: 9
🧹 Outside diff range and nitpick comments (4)
.github/workflows/test-vurnabilities-data.yml (1)
15-16: Update actions/checkout to v4.
The latest version includes performance improvements and security fixes.
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
scripts/scout_vulnerabilities_data.sh (2)
12-15: Remove redundant variable assignments
The assignments on lines 12-15 are assigning variables to themselves, which is unnecessary unless there's a specific reason.
138-139: Replace hardcoded owner and pod with configurable variables
Currently, owner and pod are hardcoded values. Consider parameterizing these to make the script more flexible.
scripts/trivy_vulnerabilities_data.sh (1)
183-183: Make owner configurable instead of hardcoded
The owner is currently set to "John Doe". Consider making it configurable or deriving it from an environment variable or parameter.
Modify the line to:
-local owner="John Doe"
+local owner="${OWNER:-John Doe}"
This allows the script to use an OWNER environment variable if set, defaulting to "John Doe" otherwise.
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
📒 Files selected for processing (3)
- .github/workflows/test-vurnabilities-data.yml (1 hunks)
- scripts/scout_vulnerabilities_data.sh (1 hunks)
- scripts/trivy_vulnerabilities_data.sh (1 hunks)
🧰 Additional context used
🪛 yamllint
.github/workflows/test-vurnabilities-data.yml
[error] 22-22: trailing spaces
(trailing-spaces)
[error] 27-27: trailing spaces
(trailing-spaces)
[error] 102-102: trailing spaces
(trailing-spaces)
[warning] 106-106: wrong indentation: expected 10 but found 12
(indentation)
[error] 109-109: trailing spaces
(trailing-spaces)
[error] 143-143: no new line character at the end of file
(new-line-at-end-of-file)
[error] 143-143: trailing spaces
(trailing-spaces)
🪛 Shellcheck
scripts/scout_vulnerabilities_data.sh
[warning] 135-135: Declare and assign separately to avoid masking return values.
(SC2155)
scripts/trivy_vulnerabilities_data.sh
[warning] 38-38: The surrounding quotes actually unquote this. Remove or escape them.
(SC2027)
[warning] 180-180: Declare and assign separately to avoid masking return values.
(SC2155)
🔇 Additional comments (1)
.github/workflows/test-vurnabilities-data.yml (1)
1-10: LGTM: Workflow configuration is well-structured.
The workflow configuration with manual trigger and Docker image input parameter is properly defined.
# Run Scout vulnerability data script | ||
- name: Run Scout vulnerability data script | ||
if: always() | ||
env: | ||
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} | ||
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }} | ||
DB_USER: ${{ secrets.CYPRESS_DB_USER }} | ||
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }} | ||
run: | | ||
chmod +x scripts/scout_vulnerabilities_data.sh | ||
./scripts/scout_vulnerabilities_data.sh \ | ||
"${{ inputs.image_name }}" \ | ||
"${{ github.event.pull_request.number }}" \ | ||
"${{ github.event.pull_request.html_url }}" \ | ||
"${{ github.run_id }}" | ||
|
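Review bot: same pattern as the earlier Scout step: the four `${{ ... }}` expressions are pasted into the shell script before it runs, so a quote character in `inputs.image_name` or in `pull_request.html_url` breaks out of the argument quoting; move them to `env:` and pass `"$IMAGE_NAME"` and friends instead. Because the only trigger is `workflow_dispatch`, `github.event.pull_request.number` and `.html_url` evaluate to empty strings here, so the script is handed `""` for the PR number and link; either take them as workflow inputs or have the script treat them as optional.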
Add error handling for script execution.
The script execution should include error handling and status checks.
run: |
chmod +x scripts/scout_vulnerabilities_data.sh
- ./scripts/scout_vulnerabilities_data.sh \
+ if ! ./scripts/scout_vulnerabilities_data.sh \
"${{ inputs.image_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
- "${{ github.run_id }}"
+ "${{ github.run_id }}"; then
+ echo "Scout vulnerability scan failed"
+ exit 1
+ fi
- name: Run Trivy vulnerability data script | ||
if: always() | ||
env: | ||
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} | ||
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }} | ||
DB_USER: ${{ secrets.CYPRESS_DB_USER }} | ||
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }} | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: | | ||
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin | ||
chmod +x scripts/trivy_vulnerabilities_data.sh | ||
./scripts/trivy_vulnerabilities_data.sh \ | ||
"${{ inputs.image_name }}" \ | ||
"${{ github.event.pull_request.number }}" \ | ||
"${{ github.event.pull_request.html_url }}" \ | ||
"${{ github.run_id }}" | ||
|
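Review bot: the token is already exported as `GITHUB_TOKEN` in `env:`, so `echo "${{ secrets.GITHUB_TOKEN }}"` needlessly copies the secret a second time into the rendered script body; use `echo "$GITHUB_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin`. The same `env:` treatment applies to `inputs.image_name` and the `pull_request.*` values passed on the last four lines.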
Enhance Trivy scan reliability.
- Add error handling for Docker login and script execution
- Add newline at end of file
run: |
- echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+ if ! echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin; then
+ echo "Failed to login to GitHub Container Registry"
+ exit 1
+ fi
chmod +x scripts/trivy_vulnerabilities_data.sh
- ./scripts/trivy_vulnerabilities_data.sh \
+ if ! ./scripts/trivy_vulnerabilities_data.sh \
"${{ inputs.image_name }}" \
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
- "${{ github.run_id }}"
+ "${{ github.run_id }}"; then
+ echo "Trivy vulnerability scan failed"
+ exit 1
+ fi
🧰 Tools
🪛 yamllint
[error] 143-143: no new line character at the end of file
(new-line-at-end-of-file)
[error] 143-143: trailing spaces
(trailing-spaces)
- name: Fetch vulnerability data | ||
id: vulnerability_data | ||
env: | ||
DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} | ||
DB_NAME: ${{ secrets.CYPRESS_DB_NAME }} | ||
DB_USER: ${{ secrets.CYPRESS_DB_USER }} | ||
DB_PWD: ${{ secrets.CYPRESS_DB_PWD }} | ||
uses: actions/github-script@v7 | ||
with: | ||
script: | | ||
const { Pool } = require("pg"); | ||
const fs = require('fs'); | ||
const path = require('path'); | ||
const { DB_HOST, DB_NAME, DB_USER, DB_PWD } = process.env; | ||
|
||
const pool = new Pool({ | ||
user: DB_USER, | ||
host: DB_HOST, | ||
database: DB_NAME, | ||
password: DB_PWD, | ||
port: 5432, | ||
connectionTimeoutMillis: 60000, | ||
}); | ||
|
||
(async () => { | ||
const client = await pool.connect(); | ||
try { | ||
// Fetch vurn_id, product, scanner_tool, and priority from the database | ||
const result = await client.query(`SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking`); | ||
console.log('Vulnerability Data:', result.rows); | ||
|
||
// Extract relevant fields from the result | ||
const extractedData = result.rows.map(({ vurn_id, product, scanner_tool, priority }) => ({ | ||
vurn_id, | ||
product, | ||
scanner_tool, | ||
priority | ||
})); | ||
console.log('Extracted Vulnerability Data:', extractedData); | ||
|
||
// Prepare CSV content | ||
const csvContent = [ | ||
['vurn_id', 'product', 'scanner_tool', 'priority'], // Add priority column header | ||
...extractedData.map(row => [row.vurn_id, row.product, row.scanner_tool, row.priority]) | ||
] | ||
.map(e => e.join(',')) // Join columns | ||
.join('\n'); // Join rows | ||
|
||
// Write to CSV file in workspace | ||
const csvFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.csv'); | ||
fs.writeFileSync(csvFilePath, csvContent); | ||
console.log(`Data successfully written to ${csvFilePath}`); | ||
|
||
// Prepare TXT content | ||
const txtContent = extractedData | ||
.map(row => `vurn_id: ${row.vurn_id}, product: ${row.product}, scanner_tool: ${row.scanner_tool}, priority: ${row.priority}`) | ||
.join('\n'); // Join rows | ||
|
||
// Write to TXT file in workspace | ||
const txtFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.txt'); | ||
fs.writeFileSync(txtFilePath, txtContent); | ||
console.log(`Data successfully written to ${txtFilePath}`); | ||
|
||
client.release(); | ||
return extractedData; // Return the extracted data | ||
} catch (err) { | ||
console.error('Error fetching vulnerability data:', err); | ||
client.release(); | ||
} | ||
})(); | ||
|
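Review bot: `console.log('Vulnerability Data:', result.rows)` and the second log print every row of vulnerability_tracking into the job log, which persists with the run and is readable by anyone who can view it; log a row count instead. The CSV is assembled with a bare `join(',')`, so a `product` or `priority` value containing a comma, quote or newline shifts the columns for downstream readers; quote each field (wrap in `"` and double embedded quotes) or use a CSV library. The `SELECT` has no `WHERE`, so it pulls every scanner's rows rather than the ones this workflow tracks. Finally, the `(async () => { ... })();` block is never awaited: github-script already runs the script body as an async function, so the step can complete before the files are written, and the `return extractedData` inside the IIFE does not become the step's result; drop the IIFE and `await`/`return` at the top level.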
Address potential database connection and I/O issues.
- Replace synchronous file operations with async versions
- Ensure pool is properly closed in all scenarios
- Add proper error propagation
- fs.writeFileSync(csvFilePath, csvContent);
+ await fs.promises.writeFile(csvFilePath, csvContent);
- fs.writeFileSync(txtFilePath, txtContent);
+ await fs.promises.writeFile(txtFilePath, txtContent);
} catch (err) {
console.error('Error fetching vulnerability data:', err);
client.release();
+ throw err;
} finally {
+ await pool.end();
}
Committable suggestion was skipped due to low confidence.
🧰 Tools
🪛 yamllint
[error] 102-102: trailing spaces
(trailing-spaces)
if ! systemctl is-active --quiet docker; then | ||
echo "Starting Docker..." | ||
sudo systemctl start docker | ||
fi |
🛠️ Refactor suggestion
Improve Docker daemon check for better compatibility
Using systemctl may not work on all systems. Consider checking if Docker is running by attempting to communicate with it directly.
Apply this diff to enhance the Docker check:
if ! systemctl is-active --quiet docker; then
echo "Starting Docker..."
sudo systemctl start docker
fi
+if ! docker info > /dev/null 2>&1; then
+ echo "Docker is not running. Please start Docker and try again."
+ exit 1
+fi
Committable suggestion was skipped due to low confidence.
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh | ||
sh install-scout.sh &> install_scout_log.txt |
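Review bot: this downloads `install.sh` from the `main` branch of docker/scout-cli and executes it with no pinning, checksum or signature check, so the job runs whatever that branch contains at the time of the run; pin the installer (or the Scout CLI release) to a tag and verify a published checksum before `sh install-scout.sh`. The install log is also swallowed into `install_scout_log.txt` with nothing checking the exit status of `sh`, so a failed install surfaces only later when the scan command is missing.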
Check curl exit status before executing the script
Ensure that the curl command successfully downloads the script before attempting to execute it.
Apply this diff to enhance error handling:
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
+if [ $? -ne 0 ]; then
+ echo "Failed to download Docker Scout install script."
+ ((attempts++))
+ sleep 2
+ continue
+fi
sh install-scout.sh &> install_scout_log.txt
Committable suggestion was skipped due to low confidence.
psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do | ||
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority" | ||
done |
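Review bot: the same two issues as the Scout variant of this loop apply: `$DB_PWD` in the connection URI argument exposes the password through the process list, and aligned `psql -t` output leaves padding around the `|`-separated fields, so the `existing_entries` keys will not match cleanly. Both scripts would be better served by one shared helper that sets `PGPASSWORD` and runs `psql -A -t -F $'\t'`, rather than duplicating the query pipeline in each.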
Correct typo from vurn_id to vuln_id
The term vurn_id seems to be a typo. It should be vuln_id to accurately represent "vulnerability ID." Update the variable names and database fields accordingly.
Apply these changes:
-SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'
+SELECT vuln_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'
Update variable names and the insert statement:
-echo "INSERT INTO vulnerability_tracking (product, scanner_tool, vurn_id, priority, pr_id, pr_link, github_run_id, created_date, update_date, comments, owner, pod) VALUES ('$product', '$scanner_tool', '$vurn_id', '$priority', '$pr_id', '$pr_link', '$GITHUB_RUN_ID', '$created_date', '$update_date', '$comments', '$owner', '$pod');" >> "$query_file"
+echo "INSERT INTO vulnerability_tracking (product, scanner_tool, vuln_id, priority, pr_id, pr_link, github_run_id, created_date, update_date, comments, owner, pod) VALUES ('$product', '$scanner_tool', '$vuln_id', '$priority', '$pr_id', '$pr_link', '$GITHUB_RUN_ID', '$created_date', '$update_date', '$comments', '$owner', '$pod');" >> "$query_file"
Ensure all instances of vurn_id are updated throughout the script.
Also applies to: 165-196, 193-193
|
||
local pr_id="$GITHUB_PR_ID" | ||
local pr_link="$GITHUB_PR_LINK" | ||
local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") |
Avoid masking return values by separating declaration and assignment
Declaring and assigning local created_date in the same line can mask return values in some shells. Separate the declaration and assignment for better compatibility.
Here’s the corrected code:
-local created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+local created_date
+created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
🧰 Tools
🪛 Shellcheck
[warning] 180-180: Declare and assign separately to avoid masking return values.
(SC2155)
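Added example, not code from this PR or from the review, for the SC2155 findings raised on both the Scout and the Trivy script: it shows why `local created_date=$(...)` hides a failure and how the separated form exposes it. `fetch_timestamp` is a constructed stand-in for `date` (or `psql`) that can be told to fail; nothing else is assumed.

```bash
#!/usr/bin/env bash
# Added example (not part of the PR): what ShellCheck SC2155 is about.
# `local` is itself a command, so `local v=$(cmd)` reports local's exit
# status (0) and discards cmd's; declaring first and assigning separately
# keeps cmd's status where `set -e` and `||` checks can see it.
set -e

# Constructed stand-in for a command that can fail, e.g. `date` with a bad
# format string or `psql` against an unreachable host.
fetch_timestamp() {
  if [ "${1-}" = "fail" ]; then
    return 3
  fi
  date -u +"%Y-%m-%dT%H:%M:%SZ"
}

# Combined form from the PR: reports the status observed right after the line.
combined_status() {
  local created_date=$(fetch_timestamp "$1")   # status of `local`: always 0
  echo "$?"
}

# Separated form: the assignment carries fetch_timestamp's status, so the
# `||` branch (and set -e, if unhandled) reacts to it.
separated_status() {
  local created_date
  created_date=$(fetch_timestamp "$1") || { echo "$?"; return 0; }
  echo "0"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "combined,  command failed: status seen = $(combined_status fail)"   # 0, failure hidden
  echo "separated, command failed: status seen = $(separated_status fail)"  # 3
  echo "separated, command ok:     status seen = $(separated_status ok)"    # 0
fi
```

In the scripts under review the masked command is `date`, which rarely fails, but the same shape around `psql` or `curl` would silently insert an empty value instead of aborting.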
|
||
# Fetch the latest release dynamically instead of hardcoding | ||
TRIVY_VERSION=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/') | ||
TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/trivy_"$TRIVY_VERSION"_Linux-64bit.tar.gz" |
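Review bot: the unauthenticated request to `api.github.com` is rate-limited (60 requests per hour per source address), and on a limit error the response has no `tag_name`, so `TRIVY_VERSION` becomes empty and `TRIVY_URL` is malformed with no error until the download fails; check that `TRIVY_VERSION` is non-empty, or send `Authorization: Bearer $GITHUB_TOKEN`. Resolving "latest" at run time also means successive runs may install different Trivy versions with no integrity check on the tarball; pin the version and verify the download against the checksums file each Trivy release publishes.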
Fix unintentional unquoting in TRIVY_URL assignment
The mixing of quotes in this line can lead to unexpected behavior due to unintentional unquoting. Update the assignment to ensure the variable is correctly quoted.
Apply this fix:
-TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/trivy_"$TRIVY_VERSION"_Linux-64bit.tar.gz"
+TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
🧰 Tools
🪛 Shellcheck
[warning] 38-38: The surrounding quotes actually unquote this. Remove or escape them.
(SC2027)
psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do | ||
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority" | ||
done | ||
|
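Review bot: the `while read` loop on the first line of this hunk runs in a subshell because it is on the right-hand side of a pipe, so every `existing_entries[...]=` assignment is discarded when the loop finishes and the array is empty afterwards (unless the script enables `shopt -s lastpipe`, which is not visible here). Feed the loop with process substitution instead: `while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do ...; done < <(psql ...)`. Two further points on the same line: the connection string puts `$DB_PWD` on the `psql` command line, where it is visible to other processes on the runner via `ps`/`/proc`, so prefer `PGPASSWORD` in the environment or a `.pgpass`/`PGPASSFILE`; and `psql -t` without `-A` emits aligned output, so the fields carry padding spaces into the array keys and the later lookups will not match. Adding `-A` (and `set -o pipefail` if the script does not already have it, so a failed query does not look like an empty table) addresses both.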
🛠️ Refactor suggestion
Enhance parsing of existing database entries
When reading existing entries from the database, special characters could disrupt parsing. Use a delimiter less likely to appear in the data.
Update the psql command to use a tab delimiter:
-psql -t -c "SELECT vuln_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vuln_id db_product db_scanner_tool db_priority; do
+psql -A -F $'\t' -t -c "SELECT vuln_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS=$'\t' read -r db_vuln_id db_product db_scanner_tool db_priority; do
This reduces the risk of parsing errors due to unexpected characters in the data.
📝 Committable suggestion
psql -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do | |
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority" | |
done | |
psql -A -F $'\t' -t -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'TRIVY'" "postgresql://$DB_USER:$DB_PWD@$DB_HOST/$DB_NAME" | while IFS=$'\t' read -r db_vurn_id db_product db_scanner_tool db_priority; do | |
existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]="$db_priority" | |
done | |
Actionable comments posted: 4
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
📒 Files selected for processing (1)
- .github/workflows/test-vulnerabilities-data.yml (1 hunks)
🧰 Additional context used
🪛 yamllint
.github/workflows/test-vulnerabilities-data.yml
[error] 22-22: trailing spaces
(trailing-spaces)
[error] 27-27: trailing spaces
(trailing-spaces)
[error] 102-102: trailing spaces
(trailing-spaces)
[error] 109-109: trailing spaces
(trailing-spaces)
[error] 143-143: no new line character at the end of file
(new-line-at-end-of-file)
[error] 143-143: trailing spaces
(trailing-spaces)
🔇 Additional comments (2)
.github/workflows/test-vulnerabilities-data.yml (2)
103-109: LGTM! The artifact upload is properly configured and uses the latest version of the action.
🧰 Tools
🪛 yamllint
[error] 109-109: trailing spaces
(trailing-spaces)
111-142: ⚠️ Potential issue: Enhance security and reliability of vulnerability scans
Several improvements needed:
- Separate database credentials for each scanner
- Add timeout limits
- Validate scan results
Apply these changes:
- name: Run Scout vulnerability data script if: always() + timeout-minutes: 30 env: - DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} + DB_HOST: ${{ secrets.SCOUT_DB_HOST }} # ... rest of env vars ... - name: Run Trivy vulnerability data script if: always() + timeout-minutes: 30 env: - DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} + DB_HOST: ${{ secrets.TRIVY_DB_HOST }} # ... rest of env vars ...
uses: actions/setup-node@v3 | ||
with: | ||
node-version: '20' | ||
|
Fix YAML formatting issues
Remove trailing spaces and add newline at end of file.
# Remove trailing spaces from lines 22, 27, 102, 109
# Add newline at end of file (line 143)
Also applies to: 27-27, 102-102, 109-109, 143-143
🧰 Tools
🪛 yamllint
[error] 22-22: trailing spaces
(trailing-spaces)
|
||
jobs: | ||
run-and-update-pr: | ||
runs-on: ubuntu-latest |
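Review bot: the job definition in this hunk carries no `permissions:` block, so unless one is set at workflow level it inherits the repository's default `GITHUB_TOKEN` permissions. Declare the minimum the steps need directly under `run-and-update-pr:`, typically `permissions: { contents: read }`, adding `pull-requests: write` only if the job really posts to the PR as its name suggests; a token scoped this way limits what a compromised scanner binary or script running in the job could do with it.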
🛠️ Refactor suggestion
Pin Ubuntu version for stability
Using ubuntu-latest may lead to unexpected issues when GitHub updates the runner image.
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
📝 Committable suggestion
runs-on: ubuntu-latest | |
runs-on: ubuntu-22.04 |
on: | ||
workflow_dispatch: | ||
inputs: | ||
image_name: | ||
description: 'Docker image name to scan' | ||
required: true | ||
default: 'appsmith/appsmith-ce:release' |
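Review bot: `image_name` is a free-form string input that the scanner steps will presumably hand to a shell, so it should not be interpolated as `${{ inputs.image_name }}` directly inside a `run:` line; expression substitution happens before the shell parses the command, and anyone allowed to dispatch the workflow controls the value. Map it through `env:` (`IMAGE_NAME: ${{ inputs.image_name }}`) and reference `"$IMAGE_NAME"` in the script, and validate the value in the script before use. Note that `workflow_dispatch` inputs accept `description`, `required`, `default`, `type` and `options` but no `pattern` key, so the format check has to live in the step itself (or use `type: choice` with a fixed list of images if only a few are ever scanned).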
🛠️ Refactor suggestion
Add validation for Docker image name format
Consider adding a pattern validation to ensure the image_name follows Docker naming conventions.
inputs:
image_name:
description: 'Docker image name to scan'
required: true
default: 'appsmith/appsmith-ce:release'
+ pattern: '^[a-z0-9]+(?:[._-][a-z0-9]+)*\/[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[a-z0-9]+(?:[._-][a-z0-9]+)*)?$'
📝 Committable suggestion
on: | |
workflow_dispatch: | |
inputs: | |
image_name: | |
description: 'Docker image name to scan' | |
required: true | |
default: 'appsmith/appsmith-ce:release' | |
on: | |
workflow_dispatch: | |
inputs: | |
image_name: | |
description: 'Docker image name to scan' | |
required: true | |
default: 'appsmith/appsmith-ce:release' | |
pattern: '^[a-z0-9]+(?:[._-][a-z0-9]+)*\/[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[a-z0-9]+(?:[._-][a-z0-9]+)*)?$' |
(async () => { | ||
const client = await pool.connect(); | ||
try { | ||
// Fetch vurn_id, product, scanner_tool, and priority from the database | ||
const result = await client.query(`SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking`); | ||
console.log('Vulnerability Data:', result.rows); | ||
|
||
// Extract relevant fields from the result | ||
const extractedData = result.rows.map(({ vurn_id, product, scanner_tool, priority }) => ({ | ||
vurn_id, | ||
product, | ||
scanner_tool, | ||
priority | ||
})); | ||
console.log('Extracted Vulnerability Data:', extractedData); | ||
|
||
// Prepare CSV content | ||
const csvContent = [ | ||
['vurn_id', 'product', 'scanner_tool', 'priority'], // Add priority column header | ||
...extractedData.map(row => [row.vurn_id, row.product, row.scanner_tool, row.priority]) | ||
] | ||
.map(e => e.join(',')) // Join columns | ||
.join('\n'); // Join rows | ||
|
||
// Write to CSV file in workspace | ||
const csvFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.csv'); | ||
fs.writeFileSync(csvFilePath, csvContent); | ||
console.log(`Data successfully written to ${csvFilePath}`); | ||
|
||
// Prepare TXT content | ||
const txtContent = extractedData | ||
.map(row => `vurn_id: ${row.vurn_id}, product: ${row.product}, scanner_tool: ${row.scanner_tool}, priority: ${row.priority}`) | ||
.join('\n'); // Join rows | ||
|
||
// Write to TXT file in workspace | ||
const txtFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.txt'); | ||
fs.writeFileSync(txtFilePath, txtContent); | ||
console.log(`Data successfully written to ${txtFilePath}`); | ||
|
||
client.release(); | ||
return extractedData; // Return the extracted data | ||
} catch (err) { | ||
console.error('Error fetching vulnerability data:', err); | ||
client.release(); | ||
} | ||
})(); |
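Review bot: the CSV assembly in the middle of this hunk joins fields with `,` and never quotes them, so any `product` or `priority` value containing a comma, a double quote or a newline produces a misaligned row that the downstream comparison will misread; wrap each field in double quotes with embedded quotes doubled, or use a CSV library. Three smaller points: `client.release()` is duplicated in `try` and `catch` and belongs in a `finally`; the IIFE's `return extractedData` has no consumer, so either export a function and call it or drop the return; and `path.join(process.env.GITHUB_WORKSPACE, ...)` throws an unhelpful `TypeError` when the variable is unset (local runs), so default to `process.cwd()`. If the result set ever needs bounding, page through it rather than adding a plain `LIMIT`, which would silently drop entries from the vulnerability baseline.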
Critical: Fix resource leaks and error handling
Several issues need attention:
- The pool is never closed, leading to connection leaks
- Large result sets could cause memory issues
- Errors are logged but not propagated, potentially hiding failures
Apply these fixes:
(async () => {
const client = await pool.connect();
try {
// Fetch vurn_id, product, scanner_tool, and priority from the database
- const result = await client.query(`SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking`);
+ const result = await client.query(`
+ SELECT vurn_id, product, scanner_tool, priority
+ FROM vulnerability_tracking
+ LIMIT 1000
+ `);
// ... rest of the code ...
client.release();
return extractedData;
} catch (err) {
console.error('Error fetching vulnerability data:', err);
client.release();
+ throw err;
} finally {
+ await pool.end();
}
})();
📝 Committable suggestion
(async () => { | |
const client = await pool.connect(); | |
try { | |
// Fetch vurn_id, product, scanner_tool, and priority from the database | |
const result = await client.query(`SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking`); | |
console.log('Vulnerability Data:', result.rows); | |
// Extract relevant fields from the result | |
const extractedData = result.rows.map(({ vurn_id, product, scanner_tool, priority }) => ({ | |
vurn_id, | |
product, | |
scanner_tool, | |
priority | |
})); | |
console.log('Extracted Vulnerability Data:', extractedData); | |
// Prepare CSV content | |
const csvContent = [ | |
['vurn_id', 'product', 'scanner_tool', 'priority'], // Add priority column header | |
...extractedData.map(row => [row.vurn_id, row.product, row.scanner_tool, row.priority]) | |
] | |
.map(e => e.join(',')) // Join columns | |
.join('\n'); // Join rows | |
// Write to CSV file in workspace | |
const csvFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.csv'); | |
fs.writeFileSync(csvFilePath, csvContent); | |
console.log(`Data successfully written to ${csvFilePath}`); | |
// Prepare TXT content | |
const txtContent = extractedData | |
.map(row => `vurn_id: ${row.vurn_id}, product: ${row.product}, scanner_tool: ${row.scanner_tool}, priority: ${row.priority}`) | |
.join('\n'); // Join rows | |
// Write to TXT file in workspace | |
const txtFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.txt'); | |
fs.writeFileSync(txtFilePath, txtContent); | |
console.log(`Data successfully written to ${txtFilePath}`); | |
client.release(); | |
return extractedData; // Return the extracted data | |
} catch (err) { | |
console.error('Error fetching vulnerability data:', err); | |
client.release(); | |
} | |
})(); | |
(async () => { | |
const client = await pool.connect(); | |
try { | |
// Fetch vurn_id, product, scanner_tool, and priority from the database | |
const result = await client.query(` | |
SELECT vurn_id, product, scanner_tool, priority | |
FROM vulnerability_tracking | |
LIMIT 1000 | |
`); | |
console.log('Vulnerability Data:', result.rows); | |
// Extract relevant fields from the result | |
const extractedData = result.rows.map(({ vurn_id, product, scanner_tool, priority }) => ({ | |
vurn_id, | |
product, | |
scanner_tool, | |
priority | |
})); | |
console.log('Extracted Vulnerability Data:', extractedData); | |
// Prepare CSV content | |
const csvContent = [ | |
['vurn_id', 'product', 'scanner_tool', 'priority'], // Add priority column header | |
...extractedData.map(row => [row.vurn_id, row.product, row.scanner_tool, row.priority]) | |
] | |
.map(e => e.join(',')) // Join columns | |
.join('\n'); // Join rows | |
// Write to CSV file in workspace | |
const csvFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.csv'); | |
fs.writeFileSync(csvFilePath, csvContent); | |
console.log(`Data successfully written to ${csvFilePath}`); | |
// Prepare TXT content | |
const txtContent = extractedData | |
.map(row => `vurn_id: ${row.vurn_id}, product: ${row.product}, scanner_tool: ${row.scanner_tool}, priority: ${row.priority}`) | |
.join('\n'); // Join rows | |
// Write to TXT file in workspace | |
const txtFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.txt'); | |
fs.writeFileSync(txtFilePath, txtContent); | |
console.log(`Data successfully written to ${txtFilePath}`); | |
client.release(); | |
return extractedData; // Return the extracted data | |
} catch (err) { | |
console.error('Error fetching vulnerability data:', err); | |
client.release(); | |
throw err; | |
} finally { | |
await pool.end(); | |
} | |
})(); |
Description
Run trivy and scout scanner with image name
Fixes #37036
Automation
/ok-to-test tags="@tag.IDE"
🔍 Cypress test results
Tip
🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/11480586298
Commit: 5ebbcd3
Cypress dashboard.
Tags:
@tag.IDE
Spec:
Wed, 23 Oct 2024 13:36:44 UTC
Communication
Should the DevRel and Marketing teams inform users about this change?
Summary by CodeRabbit
New Features
scout_vulnerabilities_data.sh and trivy_vulnerabilities_data.sh.
Bug Fixes
Documentation