43 lines
1.1 KiB
Bash
43 lines
1.1 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
OSV_VERSION="${OSV_VERSION:-v2.3.1}"
|
|
|
|
echo "Installing OSV-Scanner ${OSV_VERSION}..."
|
|
curl -sSL "https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_amd64" -o /tmp/osv-scanner
|
|
chmod +x /tmp/osv-scanner
|
|
sudo mv /tmp/osv-scanner /usr/local/bin/osv-scanner
|
|
|
|
echo "Running OSV-Scanner recursively..."
|
|
OSV_JSON="$(mktemp)"
|
|
trap 'rm -f "$OSV_JSON"' EXIT
|
|
|
|
osv-scanner --recursive ./ --format json > "$OSV_JSON" || true
|
|
|
|
if ! command -v jq >/dev/null 2>&1; then
|
|
echo "Error: jq is not installed. Please install jq to parse OSV results."
|
|
exit 1
|
|
fi
|
|
|
|
VULNS=$(jq -r '
|
|
.results[]? |
|
|
.source as $src |
|
|
.vulns[]? |
|
|
select(
|
|
(.database_specific.severity // "" | ascii_upcase | test("HIGH|CRITICAL")) or
|
|
(.severity[]?.score // "" | tostring | split("/")[0] | tonumber? // 0 | . >= 7.0)
|
|
) |
|
|
"\(.id) (source: \($src))"
|
|
' "$OSV_JSON")
|
|
|
|
if [ -n "$VULNS" ]; then
|
|
echo "OSV scan found HIGH/CRITICAL vulnerabilities:"
|
|
echo "$VULNS" | while IFS= read -r line; do
|
|
echo " - $line"
|
|
done
|
|
exit 1
|
|
else
|
|
echo "OSV scan: no HIGH/CRITICAL vulnerabilities found."
|
|
fi
|
|
|