Sudo-Ivan
4923619b51
- Updated the 'checkout' action to version 4 for consistency across workflows. - Added a 'Setup Go' step to initialize the Go environment using the latest action version. - Modified the OSV scan script to generalize vulnerability reporting, removing specific severity checks for a broader output.
39 lines
951 B
Bash
39 lines
951 B
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
OSV_VERSION="${OSV_VERSION:-v2.3.1}"
|
|
|
|
echo "Installing OSV-Scanner ${OSV_VERSION}..."
|
|
curl -sSL "https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_amd64" -o /tmp/osv-scanner
|
|
chmod +x /tmp/osv-scanner
|
|
sudo mv /tmp/osv-scanner /usr/local/bin/osv-scanner
|
|
|
|
echo "Running OSV-Scanner recursively..."
|
|
OSV_JSON="$(mktemp)"
|
|
trap 'rm -f "$OSV_JSON"' EXIT
|
|
|
|
osv-scanner --recursive ./ --format json > "$OSV_JSON" || true
|
|
|
|
if ! command -v jq >/dev/null 2>&1; then
|
|
echo "Error: jq is not installed. Please install jq to parse OSV results."
|
|
exit 1
|
|
fi
|
|
|
|
VULNS=$(jq -r '
|
|
.results[]? |
|
|
.source as $src |
|
|
.vulns[]? |
|
|
"\(.id) (source: \($src))"
|
|
' "$OSV_JSON")
|
|
|
|
if [ -n "$VULNS" ]; then
|
|
echo "OSV scan found vulnerabilities:"
|
|
echo "$VULNS" | while IFS= read -r line; do
|
|
echo " - $line"
|
|
done
|
|
exit 1
|
|
else
|
|
echo "OSV scan: no vulnerabilities found."
|
|
fi
|
|
|