Skip to content

ci: add conditional execution for SBOM workflow on the main repository. #4358

ci: add conditional execution for SBOM workflow on the main repository.

ci: add conditional execution for SBOM workflow on the main repository. #4358

Workflow file for this run

name: Testing
on:
push:
pull_request:
workflow_dispatch:
inputs:
longTests:
description: 'Force run long tests'
required: false
type: boolean
externalSystem:
description: 'Force run tests which rely on external connectivity'
required: false
type: boolean
env:
ACTIONS: 1
LONG_TESTS: 0
EXTERNAL_SYSTEM: 0
nvd_api_key: ${{ secrets.NVD_API_KEY }}
jobs:
docs:
name: Documentation
runs-on: ubuntu-22.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: '3.x'
cache: 'pip'
cache-dependency-path: 'doc/requirements.txt'
- name: Install doc dependencies
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade -r doc/requirements.txt
- name: Build docs
run: |
cd doc/
sphinx-build -b html . _build
tests:
name: Linux tests
runs-on: ubuntu-22.04
strategy:
matrix:
python: ['3.8', '3.9', '3.11']
timeout-minutes: 60
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: ${{ matrix.python }}
cache: 'pip'
- name: Get date
id: get-date
run: |
echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
echo "yesterday=$(/bin/date -d "-1 day" -u "+%Y%m%d")" >> $GITHUB_OUTPUT
- name: Print Cache Keys
run: |
echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}"
echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}"
- name: Get today's cached database
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
id: todays-cache
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
- name: Get yesterday's cached database if today's is not available
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
if: steps.todays-cache.outputs.cache-hit != 'true'
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}
- name: Install cabextract
run: sudo apt-get update && sudo apt-get install cabextract
- name: Install OS dependencies for testing PDF
run: sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python3-dev
- name: Install pdftotext, reportlab and cve-bin-tool
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade pdftotext
python -m pip install --upgrade reportlab
python -m pip install --upgrade -r dev-requirements.txt
python -m pip install --upgrade .
- name: Try single CLI run of tool
run: |
[[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
cp -r ~/.cache/cve-bin-tool cache
- name: Run async tests
run: >
pytest -n 4 -v
--ignore=test/test_cli.py
--ignore=test/test_cvedb.py
--ignore=test/test_requirements.py
--ignore=test/test_html.py
--ignore=test/test_json.py
- name: Run synchronous tests
run: >
pytest -v
test/test_cli.py
test/test_cvedb.py
long_tests:
name: Long tests on Python 3.10
runs-on: ubuntu-22.04
timeout-minutes: 90
env:
LONG_TESTS: 1
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: '3.10'
cache: 'pip'
- name: Get date
id: get-date
run: |
echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
echo "yesterday=$(/bin/date -d "-1 day" -u "+%Y%m%d")" >> $GITHUB_OUTPUT
- name: Print Cache Keys
run: |
echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}"
echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}"
- name: Get today's cached database
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
id: todays-cache
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
- name: Get yesterday's cached database if today's is not available
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
if: steps.todays-cache.outputs.cache-hit != 'true'
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}
- uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2
with:
PATTERNS: |
cve_bin_tool/checkers/*.py
test/condensed-downloads/*
FILES: |
cvedb.py
test_scanner.py
test_cli.py
cli.py
- uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1
id: git-diff
with:
cond: ${{ (github.event.inputs.longTests == 'true') || (env.GIT_DIFF != '') }}
if_true: '1'
if_false: '0'
- name: Install cabextract
run: sudo apt-get update && sudo apt-get install cabextract
- name: Install OS dependencies for testing PDF
run: sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python3-dev
- name: Install pdftotext, reportlab and cve-bin-tool
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade pdftotext
python -m pip install --upgrade reportlab
python -m pip install --upgrade -r dev-requirements.txt
python -m pip install --editable .
- name: Try single CLI run of tool
run: |
[[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
cp -r ~/.cache/cve-bin-tool cache
- name: Run async tests
env:
LONG_TESTS: ${{ steps.git-diff.outputs.value }}
run: >
pytest --cov --cov-append -n 4 -v
--ignore=test/test_cli.py
--ignore=test/test_cvedb.py
--ignore=test/test_requirements.py
--ignore=test/test_html.py
--ignore=test/test_json.py
- name: Run synchronous tests
env:
LONG_TESTS: ${{ steps.git-diff.outputs.value }}
run: >
pytest -v --cov --cov-append --cov-report=xml
test/test_cli.py
test/test_cvedb.py
- name: Upload code coverage to codecov
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
files: ./coverage.xml
flags: longtests
name: codecov-umbrella
fail_ci_if_error: false
linux-mayfail:
name: Tests that may fail due to network or HTML
runs-on: ubuntu-22.04
timeout-minutes: 45
env:
EXTERNAL_SYSTEM: 1
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: '3.10'
cache: 'pip'
- name: Get date
id: get-date
run: |
echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
echo "yesterday=$(/bin/date -d "-1 day" -u "+%Y%m%d")" >> $GITHUB_OUTPUT
- name: Print Cache Keys
run: |
echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}"
echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}"
- name: Get today's cached database
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
id: todays-cache
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
- name: Get yesterday's cached database if today's is not available
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
if: steps.todays-cache.outputs.cache-hit != 'true'
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}
- uses: technote-space/get-diff-action@f27caffdd0fb9b13f4fc191c016bb4e0632844af # v6.1.2
with:
PATTERNS: |
cve_bin_tool/data_sources/*.py
FILES: |
test_available_fix.py
test_source_osv.py
test_source_gad.py
test_source_nvd.py
test_cli.py
test_nvd_api.py
test_cvedb.py
test_scanner.py
cli.py
nvd_api.py
cvedb.py
- uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1
id: git-diff
with:
cond: ${{ (github.event.inputs.externalSystem == 'true') || (env.GIT_DIFF != '') }}
if_true: '1'
if_false: '0'
- name: Install cve-bin-tool
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade -r dev-requirements.txt
python -m pip install --editable .
- name: Install playwright dependencies for HTML tests
run: |
python -m playwright install chromium --with-deps
- name: Try single CLI run of tool
run: |
[[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
cp -r ~/.cache/cve-bin-tool cache
- name: Run all tests which rely on external connectivity
env:
EXTERNAL_SYSTEM: ${{ steps.git-diff.outputs.value }}
run: >
pytest -v
test/test_source_osv.py
test/test_source_gad.py
test/test_source_nvd.py
test/test_nvd_api.py
test/test_cvedb.py
test/test_available_fix.py
- name: Run HTML tests
run: pytest -v -n auto test/test_html.py
- name: Run json tests as they may fail due to NVD data validation issue or download timing
run: >
pytest -v
test/test_json.py
windows_tests:
name: Windows tests
runs-on: windows-latest
timeout-minutes: 90
env:
NO_EXIT_CVE_NUM: 1
PYTHONIOENCODING: 'utf8'
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: '3.10'
cache: 'pip'
- name: Get date
id: get-date
run: |
echo "DATE=$(get-date -format "yyyyMMdd")" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
echo "YESTERDAY=$(get-date (get-date).addDays(-1) -format "yyyyMMdd")" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
- name: Print Cache Keys
run: |
echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}"
echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.YESTERDAY }}"
- name: Get today's cached database
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
id: todays-cache
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}
enableCrossOsArchive: true
- name: Get yesterday's cached database if today's is not available
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
if: steps.todays-cache.outputs.cache-hit != 'true'
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.YESTERDAY }}
enableCrossOsArchive: true
- name: Move cache to ~/.cache/cve-bin-tool
run: |
mkdir '~\.cache'
if (Test-Path -Path cache) { mv cache '~\.cache\cve-bin-tool' }
- name: Install cve-bin-tool
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade -r dev-requirements.txt
python -m pip install --upgrade .
- name: Try single CLI run of tool
run: |
python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
- name: Run async tests
run: >
pytest -n 4 -v
--ignore=test/test_cli.py
--ignore=test/test_cvedb.py
--ignore=test/test_requirements.py
--ignore=test/test_html.py
--ignore=test/test_json.py
- name: Run synchronous tests
run: >
pytest -v
test/test_cli.py
test/test_cvedb.py
windows_long_tests:
name: Windows long tests
runs-on: windows-latest
timeout-minutes: 120
env:
LONG_TESTS: 1
NO_EXIT_CVE_NUM: 1
PYTHONIOENCODING: 'utf8'
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: '3.9'
cache: 'pip'
- name: Get date
id: get-date
run: |
echo "DATE=$(get-date -format "yyyyMMdd")" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
echo "YESTERDAY=$(get-date (get-date).addDays(-1) -format "yyyyMMdd")" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
- name: Print Cache Keys
run: |
echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}"
echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.YESTERDAY }}"
- name: Get today's cached database
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
id: todays-cache
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}
enableCrossOsArchive: true
- name: Get yesterday's cached database if today's is not available
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
if: steps.todays-cache.outputs.cache-hit != 'true'
with:
path: cache
key: Linux-cve-bin-tool-${{ steps.get-date.outputs.YESTERDAY }}
enableCrossOsArchive: true
- name: Move cache to ~/.cache/cve-bin-tool
run: |
mkdir '~\.cache'
if (Test-Path -Path cache) { mv cache '~\.cache\cve-bin-tool' }
- name: Install cve-bin-tool
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade -r dev-requirements.txt
python -m pip install --upgrade .
- name: Try single CLI run of tool
run: |
python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
- name: Run async tests
run: >
pytest --cov --cov-append -n 4 -v
--ignore=test/test_cli.py
--ignore=test/test_cvedb.py
--ignore=test/test_requirements.py
--ignore=test/test_html.py
--ignore=test/test_json.py
- name: Run synchronous tests
run: >
pytest -v --cov --cov-append --cov-report=xml
test/test_cli.py
test/test_cvedb.py
- name: Cache conda
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
env:
# Increase to reset cache if requirements.txt file has not changed
CACHE_NUMBER: 0
with:
path: ~/conda_pkgs_dir
key: ${{ runner.os }}-conda-${{ env.CACHE_NUMBER }}-${{
hashFiles('requirements.txt') }}
- uses: conda-incubator/setup-miniconda@3b0f2504dd76ef23b6d31f291f4913fb60ab5ff3 # v2.2.0
with:
auto-update-conda: true
activate-environment: pdftotext
use-only-tar-bz2: true # IMPORTANT: This needs to be set for caching to work properly!
- name: Install pdftotext, reportlab and cve-bin-tool
run: |
conda install -c conda-forge python=3.9 poppler pdftotext
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade reportlab
python -m pip install --upgrade -r dev-requirements.txt
python -m pip install --upgrade .
- name: Test PDF generation on Windows
run: pytest test/test_output_engine.py -k test_output_pdf --cov --cov-append --cov-report=xml
- name: Upload code coverage to codecov
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
files: ./coverage.xml
flags: win-longtests
name: codecov-umbrella
fail_ci_if_error: false