[FP]: CVE-2023-5763 Eclipse Expressly #2598
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: False Positive Ops | |
| on: | |
| issues: | |
| types: [opened, edited, reopened] | |
| permissions: | |
| contents: read | |
| issues: write | |
| jobs: | |
| issue: | |
| runs-on: ubuntu-latest | |
| if: contains(github.event.issue.labels.*.name, 'FP Report') | |
| steps: | |
| - name: Remove Labels | |
| if: contains(github.event.issue.labels.*.name, 'pending more information') | |
| uses: actions/github-script@v7.0.1 | |
| with: | |
| script: | | |
| github.rest.issues.removeLabel({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| name: 'pending more information' | |
| }) | |
| console.log( | |
| await github.rest.issues.listLabelsOnIssue | |
| ({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo | |
| }) | |
| ) | |
| - uses: actions/checkout@v4 | |
| with: | |
| path: odc | |
| - name: Parse False Positive Issue | |
| uses: stefanbuck/github-issue-parser@v3 | |
| id: issue-parser | |
| with: | |
| issue-body: ${{ github.event.issue.body }} | |
| template-path: odc/.github/ISSUE_TEMPLATE/false-positive-report.yml | |
| - uses: actions/setup-node@v4.0.2 | |
| with: | |
| node-version: 14 | |
| - name: Initialize npm | |
| run: | | |
| npm init -y | |
| npm install packageurl-js | |
| - name: Parse Package URL | |
| id: purl-parser | |
| uses: actions/github-script@v7.0.1 | |
| env: | |
| PURL: ${{ fromJSON(steps.issue-parser.outputs.jsonString).purl }} | |
| with: | |
| script: | | |
| try { | |
| const { PackageURL } = require('packageurl-js'); | |
| const pkg = PackageURL.fromString(process.env.PURL.trim().replaceAll(/^`|`$/g,'')); | |
| console.log(pkg); | |
| return pkg; | |
| } catch (ex) { | |
| console.log(ex); | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: 'Error parsing package url: ' + process.env.PURL + '.\n\nError: ' + ex + '\n\nPlease correct the package URL - consider copying the package url from the HTML report.' | |
| }) | |
| github.rest.issues.addLabels({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| labels: ['pending more information'] | |
| }) | |
| throw new Error('Invalid package url'); | |
| } | |
| - name: Setup maven fp-project | |
| if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'maven' }} | |
| env: | |
| GROUPID: ${{ fromJSON(steps.purl-parser.outputs.result).namespace }} | |
| ARTIFACTID: ${{ fromJSON(steps.purl-parser.outputs.result).name }} | |
| VERSION: ${{ fromJSON(steps.purl-parser.outputs.result).version }} | |
| run: | | |
| ver=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt) | |
| mkdir ./fp-project | |
| cp ${{github.workspace}}/odc/.github/workflows/files/maven-pom.start ./fp-project/pom.xml | |
| echo -n $ver >> ./fp-project/pom.xml | |
| cat ${{github.workspace}}/odc/.github/workflows/files/maven-pom.middle >> ./fp-project/pom.xml | |
| echo "<dependency>" >> ./fp-project/pom.xml | |
| echo " <groupId>$GROUPID</groupId>" >> ./fp-project/pom.xml | |
| echo " <artifactId>$ARTIFACTID</artifactId>" >> ./fp-project/pom.xml | |
| echo " <version>$VERSION</version>" >> ./fp-project/pom.xml | |
| echo "</dependency>" >> ./fp-project/pom.xml | |
| cat ${{github.workspace}}/odc/.github/workflows/files/maven-pom.end >> ./fp-project/pom.xml | |
| cd ./fp-project | |
| ## not ideal as verify would be better then using the docker image... | |
| ##mvn verify | |
| mvn dependency:copy-dependencies --no-transfer-progress --batch-mode | |
| cd .. | |
| - name: Setup npm fp-project | |
| if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'npm' }} | |
| env: | |
| PACKAGE: ${{ fromJSON(steps.purl-parser.outputs.result).name }}@${{ fromJSON(steps.purl-parser.outputs.result).version }} | |
| run: | | |
| mkdir ./fp-project | |
| cd ./fp-project | |
| npm init -y | |
| npm install "$PACKAGE" | |
| cd .. | |
| - name: Setup dotnet | |
| if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'nuget' }} | |
| uses: actions/setup-dotnet@v4.0.0 | |
| with: | |
| dotnet-version: '6.0.x' | |
| - name: Setup dotnet fp-project | |
| if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'nuget' }} | |
| env: | |
| PACKAGE: ${{ fromJSON(steps.purl-parser.outputs.result).name }} | |
| VERSION: ${{ fromJSON(steps.purl-parser.outputs.result).version }} | |
| run: | | |
| dotnet new classlib --language C# --name fp-project --no-update-check | |
| cd fp-project | |
| dotnet add package "$PACKAGE" --version "$VERSION" | |
| dotnet publish | |
| cd .. | |
| - name: "Check for setup complete" | |
| uses: andstor/file-existence-action@v3 | |
| id: check_files | |
| with: | |
| files: "./fp-project" | |
| - name: Run ODC | |
| if: steps.check_files.outputs.files_exists == 'true' | |
| uses: dependency-check/Dependency-Check_Action@main | |
| with: | |
| project: 'fp-test' | |
| path: './fp-project' | |
| format: 'HTML' | |
| args: > | |
| --failOnCVSS 11 | |
| --enableExperimental | |
| - name: Upload FP Report | |
| if: steps.check_files.outputs.files_exists == 'true' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: FP Report | |
| path: ${{github.workspace}}/reports | |
| - name: Comment on maven issue | |
| if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'maven' }} | |
| uses: actions/github-script@v7.0.1 | |
| env: | |
| GROUPID: ${{ fromJSON(steps.purl-parser.outputs.result).namespace }} | |
| ARTIFACTID: ${{ fromJSON(steps.purl-parser.outputs.result).name }} | |
| VERSION: ${{ fromJSON(steps.purl-parser.outputs.result).version }} | |
| TYPE: ${{ fromJSON(steps.purl-parser.outputs.result).type }} | |
| CPE: ${{ fromJSON(steps.issue-parser.outputs.jsonString).cpe }} | |
| with: | |
| script: | | |
| var namespace = process.env.GROUPID; | |
| var name = process.env.ARTIFACTID; | |
| var packageType = process.env.TYPE; | |
| var purl = '^pkg:' + packageType; | |
| if(namespace !== null && namespace !== '') { | |
| purl += '/' + namespace.replaceAll('.','\\.'); | |
| } | |
| if(name !== null && name !== '') { | |
| purl += '/' + name.replaceAll('.','\\.'); | |
| } | |
| purl += '@.*$'; | |
| var cpe = process.env.CPE.trim().replaceAll(/^`|`$/g,'').split(':'); | |
| var matchCpe; | |
| if (cpe[1] == '2.3') { | |
| matchcpe = 'cpe:/a:' + cpe[3] + ':' + cpe[4]; | |
| } else { | |
| matchcpe = 'cpe:/a:' + cpe[2] + ':' + cpe[3]; | |
| } | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: 'Maven Coordinates\n\n```xml\n<dependency>\n <groupId>' + process.env.GROUPID + '</groupId>\n <artifactId>' + process.env.ARTIFACTID + '</artifactId>\n <version>' + process.env.VERSION + '</version>\n</dependency>\n```\n\n' + | |
| 'Suppression rule:\n```xml\n' + | |
| '<suppress base="true">\n' + | |
| ' <notes><![CDATA[\n' + | |
| ' FP per issue #' + context.issue.number + '\n' + | |
| ' ]]></notes>\n' + | |
| ' <packageUrl regex="true">' + purl + '</packageUrl>\n' + | |
| ' <cpe>' + matchcpe + '</cpe>\n' + | |
| '</suppress>\n```\n\n' + | |
| 'Link to test results: ' + context.serverUrl + '/' + context.repo.owner + '/' + context.repo.repo + '/actions/runs/' + context.runId | |
| }) | |
| github.rest.issues.addLabels({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| labels: ['maven'] | |
| }) | |
| - name: Comment on npm issue | |
| if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'npm' }} | |
| uses: actions/github-script@v7.0.1 | |
| env: | |
| NAME: ${{ fromJSON(steps.purl-parser.outputs.result).name }} | |
| VERSION: ${{ fromJSON(steps.purl-parser.outputs.result).version }} | |
| TYPE: ${{ fromJSON(steps.purl-parser.outputs.result).type }} | |
| CPE: ${{ fromJSON(steps.issue-parser.outputs.jsonString).cpe }} | |
| with: | |
| script: | | |
| var name = process.env.NAME; | |
| var packageType = process.env.TYPE; | |
| var purl = '^pkg:' + packageType; | |
| if(name !== null && name !== '') { | |
| purl += '/' + name.replaceAll('.','\\.'); | |
| } | |
| purl += '@.*$'; | |
| var cpe = process.env.CPE.trim().replaceAll(/^`|`$/g,'').split(':'); | |
| console.log(cpe); | |
| var matchCpe; | |
| if (cpe[1] == '2.3') { | |
| matchcpe = 'cpe:/a:' + cpe[3] + ':' + cpe[4]; | |
| } else { | |
| matchcpe = 'cpe:/a:' + cpe[2] + ':' + cpe[3]; | |
| } | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: 'Npm Coordinates\n\n```shell\nnpm -i ' + process.env.NAME + '@' + process.env.VERSION + '\n```\n\n' + | |
| 'Suppression rule:\n```xml\n' + | |
| '<suppress base="true">\n' + | |
| ' <notes><![CDATA[\n' + | |
| ' FP per issue #' + context.issue.number + '\n' + | |
| ' ]]></notes>\n' + | |
| ' <packageUrl regex="true">' + purl + '</packageUrl>\n' + | |
| ' <cpe>' + matchcpe + '</cpe>\n' + | |
| '</suppress>\n```\n\n' + | |
| 'Link to test results: ' + context.serverUrl + '/' + context.repo.owner + '/' + context.repo.repo + '/actions/runs/' + context.runId | |
| }) | |
| github.rest.issues.addLabels({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| labels: ['npm'] | |
| }) | |
| - name: Comment on dotnet issue | |
| if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'nuget' }} | |
| uses: actions/github-script@v7.0.1 | |
| env: | |
| NAME: ${{ fromJSON(steps.purl-parser.outputs.result).name }} | |
| VERSION: ${{ fromJSON(steps.purl-parser.outputs.result).version }} | |
| TYPE: ${{ fromJSON(steps.purl-parser.outputs.result).type }} | |
| CPE: ${{ fromJSON(steps.issue-parser.outputs.jsonString).cpe }} | |
| with: | |
| script: | | |
| var name = process.env.NAME; | |
| var packageType = process.env.TYPE; | |
| var purl = '^pkg:' + packageType; | |
| if(name !== null && name !== '') { | |
| purl += '/' + name.replaceAll('.','\\.'); | |
| } | |
| purl += '@.*$'; | |
| var cpe = process.env.CPE.trim().replaceAll(/^`|`$/g,'').split(':'); | |
| var matchCpe; | |
| if (cpe[1] == '2.3') { | |
| matchcpe = 'cpe:/a:' + cpe[3] + ':' + cpe[4]; | |
| } else { | |
| matchcpe = 'cpe:/a:' + cpe[2] + ':' + cpe[3]; | |
| } | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: 'Nuget Coordinates\n\n```shell\ndotnet add package ' + process.env.NAME + ' --version ' + process.env.VERSION + '\n```\n\n' + | |
| 'Suppression rule:\n```xml\n' + | |
| '<suppress base="true">\n' + | |
| ' <notes><![CDATA[\n' + | |
| ' FP per issue #' + context.issue.number + '\n' + | |
| ' ]]></notes>\n' + | |
| ' <packageUrl regex="true">' + purl + '</packageUrl>\n' + | |
| ' <cpe>' + matchcpe + '</cpe>\n' + | |
| '</suppress>\n```\n\n' + | |
| 'Link to test results: ' + context.serverUrl + '/' + context.repo.owner + '/' + context.repo.repo + '/actions/runs/' + context.runId | |
| }) | |
| github.rest.issues.addLabels({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| labels: ['dotnet'] | |
| }) | |
| - name: Message failure | |
| if: ${{ failure() }} | |
| uses: actions/github-script@v7.0.1 | |
| with: | |
| script: | | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: 'Failed to automatically evaluate the false positive. ' + | |
| 'See: ' + context.serverUrl + '/' + context.repo.owner + '/' + context.repo.repo + '/actions/runs/' + context.runId, | |
| }); |