From 3e78ba6c4caf96d4a0f0631a355a5dbe17155baf Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 11 Jan 2022 15:31:18 -0500
Subject: [PATCH] Add list updating workflow and configuration

Add the GitHub Actions workflow that will process the YAML files that contain cisagov controlled software information and generate a final Markdown file. The required template and Python requirements are included as well.
---
 .github/workflows/update_software_list.yml | 113 +++++++++++++++++++++
 config/SOFTWARE-LIST.tpl.md | 20 ++++
 config/requirements.txt | 1 +
 3 files changed, 134 insertions(+)
 create mode 100644 .github/workflows/update_software_list.yml
 create mode 100644 config/SOFTWARE-LIST.tpl.md
 create mode 100644 config/requirements.txt

diff --git a/.github/workflows/update_software_list.yml b/.github/workflows/update_software_list.yml
new file mode 100644
index 0000000..6350ccc
--- /dev/null
+++ b/.github/workflows/update_software_list.yml
@@ -0,0 +1,113 @@
+---
+name: Update the software list
+
+on:
+  push:
+    branches:
+      - develop
+
+env:
+  PIP_CACHE_DIR: ~/.cache/pip
+  TESTING_BRANCH_BASE: testing/update_software_list
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      # Commit author information for git
+      git_author: ${{ steps.git-config.outputs.author }}
+      git_email: ${{ steps.git-config.outputs.email }}
+      git_user: ${{ steps.git-config.outputs.user }}
+      # The name of the branch used for testing
+      testing_branch: ${{ steps.testing-branch.outputs.name }}
+    steps:
+      - id: git-config
+        run: |
+          echo "::set-output name=author::$GIT_USER <$GIT_EMAIL>"
+          echo "::set-output name=email::$GIT_EMAIL"
+          echo "::set-output name=user::$GIT_USER"
+        env:
+          GIT_EMAIL: ${{ fromJson(secrets.GIT_AUTHOR_INFORMATION).user.email }}
+          GIT_USER: ${{ fromJson(secrets.GIT_AUTHOR_INFORMATION).user.name }}
+      - id: testing-branch
+        run: echo "::set-output name=name::$BASE_BRANCH/$COMMIT_SHA"
+        env:
+          BASE_BRANCH: ${{ env.TESTING_BRANCH_BASE }}
+          COMMIT_SHA: ${{ github.sha }}
+  generate_list_update:
+    runs-on: ubuntu-latest
+    needs: setup
+    outputs:
+      # If changes are detected then a commit will have been pushed
+      updated_list: ${{ steps.commit-for-testing.outputs.changes_detected }}
+    # Don't run if we're seeing an update push
+    if: github.actor != needs.setup.outputs.git_user
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.CISAGOVBOT_PAT }}
+      - id: setup-python
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.10"
+      - uses: actions/cache@v2
+        env:
+          BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
+            py${{ steps.setup-python.outputs.python-version }}-"
+        with:
+          path: |
+            ${{ env.PIP_CACHE_DIR }}
+          key: "${{ env.BASE_CACHE_KEY }}\
+            ${{ hashFiles('.github/workflows/update_software_list.yml') }}-\
+            ${{ hashFiles('config/requirements.txt') }}"
+          restore-keys: |
+            ${{ env.BASE_CACHE_KEY }}
+      - name: Update Python base packages
+        run: python -m pip install --upgrade pip setuptools wheel
+      - name: Install dependencies
+        run: pip install --upgrade --requirement config/requirements.txt
+      - name: Create the branch for test validation
+        run: git switch --create ${{ needs.setup.outputs.testing_branch }}
+      - name: Update the comprehensive cisagov YAML file
+        run: normalize-yml --cisagov-format data/cisagov_*.yml > data/cisagov.yml
+      - name: Generate a normalized YAML file from all source YAML files
+        run: normalize-yml data/cisagov.yml > normalized.yml
+      - name: Generate a Markdown table from the normalized YAML file
+        run: yml2md normalized.yml > table_data.md
+      - name: Generate a new software list from the updated data
+        run: md-from-template config/SOFTWARE-LIST.tpl.md table_data.md > SOFTWARE-LIST.md
+      - id: commit-for-testing
+        uses: stefanzweifel/git-auto-commit-action@v4
+        with:
+          branch: ${{ needs.setup.outputs.testing_branch }}
+          commit_message: Update the software list
+          commit_user_name: ${{ needs.setup.outputs.git_user }}
+          commit_user_email: ${{ needs.setup.outputs.git_email }}
+          commit_author: ${{ needs.setup.outputs.git_author }}
+          file_pattern: SOFTWARE-LIST.md data/cisagov.yml
+  merge_list_update:
+    runs-on: ubuntu-latest
+    needs:
+      - setup
+      - generate_list_update
+    if: needs.generate_list_update.outputs.updated_list == 'true'
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.CISAGOVBOT_PAT }}
+      - name: Configure git
+        run: |
+          git config user.name "${{ needs.setup.outputs.git_user }}"
+          git config user.email "${{ needs.setup.outputs.git_email }}"
+      - uses: lewagon/wait-on-check-action@v1.0.0
+        with:
+          check-name: lint
+          ref: ${{ needs.setup.outputs.testing_branch }}
+          repo-token: ${{ github.token }}
+      - name: Merge the testing branch
+        run: |
+          git fetch
+          git merge origin/${{ needs.setup.outputs.testing_branch }}
+          git push
+      - name: Cleanup testing branch
+        run: git push --delete origin ${{ needs.setup.outputs.testing_branch }}
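Review bot: The third-party actions `stefanzweifel/git-auto-commit-action@v4` and `lewagon/wait-on-check-action@v1.0.0` are pinned to mutable tags, and both run in jobs whose `actions/checkout@v2` step was given `CISAGOVBOT_PAT`, which checkout persists in the workspace git config by default; a re-tagged or compromised release of either action could therefore read that token and push to `develop` as the bot. Pin every `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: stefanzweifel/git-auto-commit-action@<sha>  # v4`, so a tag move cannot change what runs with that credential. Separately, the `setup` job routes values into shell through `env:` but `generate_list_update` and `merge_list_update` interpolate `${{ needs.setup.outputs.* }}` straight into `run:`; today those values derive only from `github.sha`, the `env` block and a secret, so they are not attacker-controlled, but using the same `env:` pattern consistently (`run: git switch --create "$TESTING_BRANCH"` with `env: TESTING_BRANCH: ${{ needs.setup.outputs.testing_branch }}`) removes the injection surface should the branch name ever incorporate user-derived input. Finally, the loop guard `if: github.actor != needs.setup.outputs.git_user` compares a GitHub login with the git `user.name` taken from `GIT_AUTHOR_INFORMATION`; if those two strings differ, the bot's own merge push to `develop` will re-trigger this workflow (it should then find no changes and stop, but the guard would not be doing its job), so it is worth documenting that the secret's `user.name` must equal the bot account's login.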
diff --git a/config/SOFTWARE-LIST.tpl.md b/config/SOFTWARE-LIST.tpl.md
new file mode 100644
index 0000000..f25ffc9
--- /dev/null
+++ b/config/SOFTWARE-LIST.tpl.md
@@ -0,0 +1,20 @@
+# CISA Log4j (CVE-2021-44228) Affected Vendor & Software List #
+
+## Status Descriptions ##
+
+| Status | Description |
+| ------ | ----------- |
+| Unknown | Status unknown. Default choice. |
+| Affected | Reported to be affected by CVE-2021-44228. |
+| Not Affected | Reported to NOT be affected by CVE-2021-44228 and no further action necessary. |
+| Fixed | Patch and/or mitigations available (see provided links). |
+| Under Investigation | Vendor investigating status. |
+
+## Software List ##
+
+This list was initially populated using information from the following sources:
+
+- Kevin Beaumont
+- SwitHak
+
+{{software_markdown_table}}
diff --git a/config/requirements.txt b/config/requirements.txt
new file mode 100644
index 0000000..e5b41a2
--- /dev/null
+++ b/config/requirements.txt
@@ -0,0 +1 @@
+https://github.com/cisagov/log4j-md-yml/archive/v1.1.0.tar.gz
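Review bot: `config/requirements.txt` installs `log4j-md-yml` from a GitHub tag archive URL with no integrity check, and the workflow then executes the console scripts it provides (`normalize-yml`, `yml2md`, `md-from-template`) inside a job that holds `CISAGOVBOT_PAT`, so a moved `v1.1.0` tag or an altered archive would run arbitrary code with push access to the repository. Reference the archive by commit rather than tag, `https://github.com/cisagov/log4j-md-yml/archive/<commit-sha>.tar.gz`, or append `--hash=sha256:<digest>` to the line and install with `pip install --require-hashes --requirement config/requirements.txt` so pip refuses anything whose content differs. Either form also keeps the `hashFiles('config/requirements.txt')` cache key in the workflow tied to the exact content being installed rather than to a name that can be re-pointed.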