From fe03abb522417de49f09173b7f5845291a224b45 Mon Sep 17 00:00:00 2001
From: Kiko Fernandez-Reyes <kiko@erlang.org>
Date: Mon, 23 Sep 2024 11:23:26 +0200
Subject: [PATCH] github: add OSV automated vulnerability checking
---
.github/workflows/osv-scanner-scheduled.yml | 75 +++++++++++++++++++++
lib/compiler/scripts/smoke-build/mix.lock | 2 +-
lib/compiler/scripts/smoke-mix.exs | 2 +-
3 files changed, 77 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/osv-scanner-scheduled.yml
diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
new file mode 100644
index 0000000000..59a29ad3f2
--- /dev/null
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -0,0 +1,75 @@
+## Runs the Google OSV-scanner utility to detect known vulnerabilities.
+## The scan is run on each PR/push and also periodically on each maintained branch
+name: Open Source Vulnerabilities Scanner
+
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+ schedule:
+ - cron: 0 1 * * *
+
+permissions:
+ # Required to upload SARIF file to CodeQL.
+ # See: https://github.com/github/codeql-action/issues/2117
+ actions: read
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Only need to read contents
+ contents: read
+
+jobs:
+ schedule-scan:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'schedule' && github.repository == 'erlang/otp'
+ # if: github.event_name != 'workflow_dispatch' # used for testing
+ outputs:
+ versions: ${{ steps.get-versions.outputs.versions }}
+ steps:
+ - uses: actions/checkout@v4.1.7
+ - id: get-versions
+ name: Fetch latest 3 OTP versions
+ run: |
+ VSNs=$(grep -E 'OTP-[^.]+[.]0 :' otp_versions.table | awk '{ print $1 '} | head -3 | sed 's/[-.]/ /g' | awk '{print $2}')
+ versions='["maint", "master"'
+ for vsn in $VSNs; do
+ versions="${versions}, \"maint-$vsn\""
+ done
+ versions="${versions}]"
+ echo "versions=${versions}" >> "$GITHUB_OUTPUT"
+
+ run-scheduled-scan:
+ # Fan out and create requests to run OSV on multiple branches.
+ # It always succeed: either it sends requests to branches that
+ # can run 'scan-pr' (if the repo/branch contains this file) or
+ # skips sending the request.
+ needs: schedule-scan
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ type: ${{ fromJson(needs.schedule-scan.outputs.versions) }}
+ fail-fast: false
+ permissions:
+ actions: write
+ steps:
+ - uses: actions/checkout@v4.1.7
+ with:
+ ref: ${{ matrix.type }}
+
+ - name: Trigger Vulnerability Scanning
+ env:
+ GH_TOKEN: ${{ github.token }}
+ if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
+ run: |
+ gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
+ -f "ref=${{ matrix.type }}"
+
+ scan-pr:
+ # run-scheduled-scan triggers this job
+ # PRs and pushes trigger this job
+ if: github.event_name != 'schedule'
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.5"
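Review bot: The dispatch step at the end of run-scheduled-scan interpolates `${{ matrix.type }}` and `${{ github.repository }}` straight into the shell on the last two lines of its `run:` block, which is the pattern actionlint and the GitHub hardening guide flag as expression injection; the branch names are derived from otp_versions.table in the scheduled checkout, so they are repository-controlled today, but routing them through `env:` keeps the script safe if that source ever changes. Concretely, add `REF: ${{ matrix.type }}` under the step's `env:` and use `/repos/$GITHUB_REPOSITORY/actions/workflows/osv-scanner-scheduled.yml/dispatches \` and `-f "ref=$REF"` in place of the two interpolated lines. The same hunk pins `actions/checkout` and the `google/osv-scanner-action` reusable workflow by tag only (`@v4.1.7`, `@v1.8.5`); pinning to the full commit SHA with the tag kept in a trailing comment is the usual supply-chain control for a workflow that carries `security-events: write` and `actions: write`. The comment on run-scheduled-scan saying it "always succeed" appears to assume every name in the fan-out is an existing branch, since the checkout step would fail for a missing ref before the `hashFiles` guard is evaluated — worth a hedge in that comment if that assumption is not guaranteed.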
diff --git a/lib/compiler/scripts/smoke-build/mix.lock b/lib/compiler/scripts/smoke-build/mix.lock
index 9fb83798c4..0745240e9a 100644
--- a/lib/compiler/scripts/smoke-build/mix.lock
+++ b/lib/compiler/scripts/smoke-build/mix.lock
@@ -3,7 +3,7 @@
"goldrush": {:hex, :goldrush, "0.1.9", "f06e5d5f1277da5c413e84d5a2924174182fb108dabb39d5ec548b27424cd106", [:rebar3], [], "hexpm"},
"jsx": {:hex, :jsx, "2.9.0", "d2f6e5f069c00266cad52fb15d87c428579ea4d7d73a33669e12679e203329dd", [:mix, :rebar3], [], "hexpm"},
"lager": {:hex, :lager, "3.8.0", "3402b9a7e473680ca179fc2f1d827cab88dd37dd1e6113090c6f45ef05228a1c", [:rebar3], [{:goldrush, "0.1.9", [hex: :goldrush, repo: "hexpm", optional: false]}], "hexpm"},
- "rabbit_common": {:hex, :rabbit_common, "3.7.18", "4249efdf1fd96a81739ffad675582f980cc55aa0a02217e4907b4cd719c44822", [:make, :rebar3], [{:credentials_obfuscation, "1.1.0", [hex: :credentials_obfuscation, repo: "hexpm", optional: false]}, {:jsx, "2.9.0", [hex: :jsx, repo: "hexpm", optional: false]}, {:lager, "3.8.0", [hex: :lager, repo: "hexpm", optional: false]}, {:ranch, "1.7.1", [hex: :ranch, repo: "hexpm", optional: false]}, {:recon, "2.5.0", [hex: :recon, repo: "hexpm", optional: false]}], "hexpm"},
+ "rabbit_common": {:hex, :rabbit_common, "3.7.20", "da022e3ef71c9932a1aa82a12e01bf5dec71f5ca79497c5c11282a2f2dcb443a", [:make, :rebar3], [{:credentials_obfuscation, "1.1.0", [hex: :credentials_obfuscation, repo: "hexpm", optional: false]}, {:jsx, "2.9.0", [hex: :jsx, repo: "hexpm", optional: false]}, {:lager, "3.8.0", [hex: :lager, repo: "hexpm", optional: false]}, {:ranch, "1.7.1", [hex: :ranch, repo: "hexpm", optional: false]}, {:recon, "2.5.0", [hex: :recon, repo: "hexpm", optional: false]}], "hexpm"},
"ranch": {:hex, :ranch, "1.7.1", "6b1fab51b49196860b733a49c07604465a47bdb78aa10c1c16a3d199f7f8c881", [:rebar3], [], "hexpm"},
"recon": {:hex, :recon, "2.5.0", "2f7fcbec2c35034bade2f9717f77059dc54eb4e929a3049ca7ba6775c0bd66cd", [:mix, :rebar3], [], "hexpm"},
}
diff --git a/lib/compiler/scripts/smoke-mix.exs b/lib/compiler/scripts/smoke-mix.exs
index 0bfb80b53c..db996a7d3b 100644
--- a/lib/compiler/scripts/smoke-mix.exs
+++ b/lib/compiler/scripts/smoke-mix.exs
@@ -63,7 +63,7 @@ defmodule Smoke.MixProject do
{:zotonic_stdlib, "~> 1.0"},
]
'rabbitmq' ->
- [{:rabbit_common, "~> 3.7"}]
+ [{:rabbit_common, "~> 3.7.20"}]
_ ->
[]
end
--
2.43.0