ci: specify api token for nvd vulnerability scan #113

Merged (2 commits), Feb 21, 2024
4 changes: 3 additions & 1 deletion .github/workflows/nvd_scanner.yml
Expand Up @@ -12,7 +12,7 @@ on:

jobs:
build:

environment: nvd
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
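Review bot: `environment: nvd` on the `build` job only delivers `secrets.NVD_API_TOKEN` when the triggering event is allowed to read environment secrets; the `on:` block is outside this hunk, so confirm the scan is not also triggered on `pull_request` from forks, where the secret resolves to an empty string and `bb nvd-scan` would run unauthenticated without any error pointing at the cause. While this job is being touched to handle a secret, `actions/checkout@v3` could be bumped to `v4` or pinned to a commit SHA.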
Expand All @@ -35,4 +35,6 @@ jobs:
key: nvd-cache-we-are-happy-to-share-across-branches-${{ steps.get-date.outputs.date }}

- name: Run NVD Scanner
env:
NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
run: bb nvd-scan
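Review bot: setting `NVD_API_TOKEN` under `env:` on the single `Run NVD Scanner` step rather than at job level is the right scoping, but nothing fails the step when the secret is unset (misconfigured environment, fork PR). A guard ahead of `run: bb nvd-scan`, e.g. `[ -n "$NVD_API_TOKEN" ] || { echo "NVD_API_TOKEN not set"; exit 1; }`, turns a missing token into a visible CI failure instead of a slow, rate-limited scan that looks like it worked.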
6 changes: 4 additions & 2 deletions doc/02-developer-guide.adoc
Expand Up @@ -124,9 +124,11 @@ Or to run both: `bb lint`

=== Vulnerability scanning
We automatically scan for vulnerabilities in our dependencies on CI.
If you want to run this work locally:
If you want to run this work locally, you can for example:

[source,shell]
----
bb nvd-scan
NVD_API_TOKEN=your-token-here bb nvd-scan
----

Replace `your-token-here` with your personal nvd api token which you can easily request from https://nvd.nist.gov/developers/request-an-api-key.
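Review bot: the developer-guide example puts the token on the command line (`NVD_API_TOKEN=your-token-here bb nvd-scan`), which records it in shell history; suggest recommending `export NVD_API_TOKEN=...` sourced from a file kept outside the repository, and adding a `.gitignore`-style reminder that the token must never be committed. Since the plain `bb nvd-scan` line was removed, readers can no longer tell whether the task still works without a token; one sentence saying so (and what they lose without one) would help. Minor: `nvd api token` reads better as `NVD API token`.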
4 changes: 4 additions & 0 deletions doc/03-maintainer-guide.adoc
Expand Up @@ -60,6 +60,10 @@ CI - We use GitHub Actions for this project

Clojars secrets are protected under the `publish` environment which is only referenced by `publish.yml`.

The nvd api token is stored under the `nvd` environment and refernced by `nvd_scanner.yml`.
Should you need to update the token, you can request one here: https://nvd.nist.gov/developers/request-an-api-key.
If you are using gmail, you can request a unique token for clj-yaml CI by including `+clj-yaml` in your email address, ex. `bob@gmail.com` becomes `bob+clj-yaml@gmail.com`.

== Expected Oddities

When publishing, you will see both the `tests` workflow triggered and the `publish` workflow triggered (which also invokes the `tests` workflow).
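Review bot: typo in the maintainer guide, `refernced` should be `referenced`, and `nvd api token` should be `NVD API token` to match the heading style used for Clojars above. The Gmail `+clj-yaml` tip means the key is issued to one maintainer's personal mailbox; please document who currently holds it and that a new key must be requested (and the `nvd` environment secret replaced) when that maintainer steps down, or request it from a project-owned address instead.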
7 changes: 7 additions & 0 deletions nvd_check_helper_project/suppressions.xml
Expand Up @@ -27,4 +27,11 @@
]]> </notes>
<cve>CVE-2021-4235</cve>
</suppress>
<suppress>
<notes><![CDATA[
This CVE is described as: In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
False positive; clj-yaml does not depend on a specific version of Clojure.
]]> </notes>
<cve>CVE-2017-20189</cve>
</suppress>
</suppressions>
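Review bot: the new `<suppress>` block carries only a `<cve>` selector, so CVE-2017-20189 is suppressed on whatever artifact it is ever matched against, while the stated rationale ("clj-yaml does not depend on a specific version of Clojure") only justifies ignoring it on the `org.clojure/clojure` artifact. Scope it with a `<packageUrl regex="true">^pkg:maven/org\.clojure/clojure@.*$</packageUrl>` (or `<gav>`) selector and consider an `until="..."` date so the entry is re-reviewed rather than permanent. The existing CVE-2021-4235 entry above follows the same cve-only pattern, so this is a pre-existing convention rather than a new regression, but it is worth tightening both.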