Merge branch 'kiko/github/osv-security-vulnerability-scan' into maint

* kiko/github/osv-security-vulnerability-scan: github: add OSV automated vulnerability checking
erlang · Oct 17, 2024 · 97b672a · 97b672a
2 parents 33f3604 + fe03abb
commit 97b672a
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 2 deletions.
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,75 @@
+## Runs the Google OSV-scanner utility to detect known vulnerabilities.
+## The scan is run on each PR/push and also periodically on each maintained branch
+name: Open Source Vulnerabilities Scanner
+
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+  schedule:
+    - cron: 0 1 * * *
+
+permissions:
+  # Required to upload SARIF file to CodeQL.
+  # See: https://github.com/github/codeql-action/issues/2117
+  actions: read
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Only need to read contents
+  contents: read
+
+jobs:
+  schedule-scan:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' && github.repository == 'erlang/otp'
+    # if: github.event_name != 'workflow_dispatch' # used for testing
+    outputs:
+       versions: ${{ steps.get-versions.outputs.versions }}
+    steps:
+      - uses: actions/checkout@v4.1.7
+      - id: get-versions
+        name: Fetch latest 3 OTP versions
+        run: |
+          VSNs=$(grep -E 'OTP-[^.]+[.]0 :' otp_versions.table | awk '{ print $1 '} | head -3 | sed 's/[-.]/ /g' | awk '{print $2}')
+          versions='["maint", "master"'
+          for vsn in $VSNs; do
+            versions="${versions}, \"maint-$vsn\""
+          done
+          versions="${versions}]"
+          echo "versions=${versions}" >> "$GITHUB_OUTPUT"
+
+  run-scheduled-scan:
+    # Fan out and create requests to run OSV on multiple branches.
+    # It always succeed: either it sends requests to branches that
+    # can run 'scan-pr' (if the repo/branch contains this file) or
+    # skips sending the request.
+    needs: schedule-scan
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        type: ${{ fromJson(needs.schedule-scan.outputs.versions) }}
+      fail-fast: false
+    permissions:
+      actions: write
+    steps:
+      - uses: actions/checkout@v4.1.7
+        with:
+          ref: ${{ matrix.type }}
+
+      - name: Trigger Vulnerability Scanning
+        env:
+          GH_TOKEN: ${{ github.token }}
+        if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
+        run: |
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
+            -f "ref=${{ matrix.type }}"
+
+  scan-pr:
+    # run-scheduled-scan triggers this job
+    # PRs and pushes trigger this job
+    if: github.event_name != 'schedule'
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.5"
diff --git a/lib/compiler/scripts/smoke-build/mix.lock b/lib/compiler/scripts/smoke-build/mix.lock
@@ -3,7 +3,7 @@
   "goldrush": {:hex, :goldrush, "0.1.9", "f06e5d5f1277da5c413e84d5a2924174182fb108dabb39d5ec548b27424cd106", [:rebar3], [], "hexpm"},
   "jsx": {:hex, :jsx, "2.9.0", "d2f6e5f069c00266cad52fb15d87c428579ea4d7d73a33669e12679e203329dd", [:mix, :rebar3], [], "hexpm"},
   "lager": {:hex, :lager, "3.8.0", "3402b9a7e473680ca179fc2f1d827cab88dd37dd1e6113090c6f45ef05228a1c", [:rebar3], [{:goldrush, "0.1.9", [hex: :goldrush, repo: "hexpm", optional: false]}], "hexpm"},
-  "rabbit_common": {:hex, :rabbit_common, "3.7.18", "4249efdf1fd96a81739ffad675582f980cc55aa0a02217e4907b4cd719c44822", [:make, :rebar3], [{:credentials_obfuscation, "1.1.0", [hex: :credentials_obfuscation, repo: "hexpm", optional: false]}, {:jsx, "2.9.0", [hex: :jsx, repo: "hexpm", optional: false]}, {:lager, "3.8.0", [hex: :lager, repo: "hexpm", optional: false]}, {:ranch, "1.7.1", [hex: :ranch, repo: "hexpm", optional: false]}, {:recon, "2.5.0", [hex: :recon, repo: "hexpm", optional: false]}], "hexpm"},
+  "rabbit_common": {:hex, :rabbit_common, "3.7.20", "da022e3ef71c9932a1aa82a12e01bf5dec71f5ca79497c5c11282a2f2dcb443a", [:make, :rebar3], [{:credentials_obfuscation, "1.1.0", [hex: :credentials_obfuscation, repo: "hexpm", optional: false]}, {:jsx, "2.9.0", [hex: :jsx, repo: "hexpm", optional: false]}, {:lager, "3.8.0", [hex: :lager, repo: "hexpm", optional: false]}, {:ranch, "1.7.1", [hex: :ranch, repo: "hexpm", optional: false]}, {:recon, "2.5.0", [hex: :recon, repo: "hexpm", optional: false]}], "hexpm"},
   "ranch": {:hex, :ranch, "1.7.1", "6b1fab51b49196860b733a49c07604465a47bdb78aa10c1c16a3d199f7f8c881", [:rebar3], [], "hexpm"},
   "recon": {:hex, :recon, "2.5.0", "2f7fcbec2c35034bade2f9717f77059dc54eb4e929a3049ca7ba6775c0bd66cd", [:mix, :rebar3], [], "hexpm"},
 }
diff --git a/lib/compiler/scripts/smoke-mix.exs b/lib/compiler/scripts/smoke-mix.exs
@@ -63,7 +63,7 @@ defmodule Smoke.MixProject do
 	  {:zotonic_stdlib, "~> 1.0"},
 	]
       'rabbitmq' ->
-	[{:rabbit_common, "~> 3.7"}]
+	[{:rabbit_common, "~> 3.7.20"}]
       _ ->
 	[]
     end