GSoC 2023 Idea: add github actions with "fancy" reporting #2756

Closed
terriko opened this issue Feb 28, 2023 · 5 comments
Labels
gsoc Tasks related to our participation in Google Summer of Code

Comments

@terriko
Contributor

terriko commented Feb 28, 2023

cve-bin-tool: Add GitHub action including "fancy" reporting and triage integration

Project description

It would be neat if we could run scans as a github action and have cve-bin-tool generate reports into the security tab with results, similar to what we see with dependabot and ossf scorecard. I've added the gsoc label because I think maybe we could put together enough to make a viable gsoc project out of this.

Here's a brain dump of some possible ways this could work:

  1. Create and maintain an official github action for cve-bin-tool that could be run against an SBOM or as a repo scan. (we may have an initial implementation before you start, but it'll be very basic).
  2. Integrate cve reporting into the Security tab, including something more like the html/pdf reports with links, but possibly split up as separate issues for triage. (See picture in comments if you're not sure what the security tab looks like right now)
  3. Make automatic pull requests for updating components in language-specific lists (e.g. requirements.txt). We'll likely have to do this separately for each language we support. It should work similarly to what we get from dependabot. You can see a dependabot pull request here -- note the commands are collapsed so you might have to click to open and see how it works.
  4. Consider options for recommending binary upgrades. I don't think we can do the equivalent upgrade but we should see if there's info we could automatically look up that would actually be helpful or not.
  5. Consider options for upgrading from an SBOM. Presumably nothing is installed from the sbom since currently most SBOMs are generated after the fact and not used like requirements.txt files. But maybe having ideal version info is still useful? Or adding some sort of triage/vex explaining which things need to be updated and why?
  6. Make sure we get and store triage appropriately, maybe even making a file so triage done through the web interface can be re-used easily? (maybe an option to make pull requests to a triage directory, since people may want the triage to be private?)
  7. Can we do something like the dependabot commands that allow us to ignore minor versions and the like?
  8. Consider options for making sure the SBOM stays in sync with a directory scan.
  9. Actually generate an SBOM through cve-bin-tool and keep it up to date through regular scans. This could be stored in the main repo if desired, or maybe have a private version in the security tab that includes triage data that may not (yet) be public.
  10. Make a little badge and consider whether we want to provide (optional) score or public reporting?

CVE Binary Tool works in a similar space to dependabot, but potentially has some advantages that would make it nice for people to use:

  • Dependabot only works on pinned dependencies, cve-bin-tool can handle non-pinned ones as well
  • cve-bin-tool can do binary scanning
  • cve-bin-tool can do sbom scanning in multiple formats
  • cve-bin-tool will likely be able to do more sbom/vex output by the time this project starts

So it would be pretty neat to have it as an option that could be enabled in the same way.

Related reading

Skills

  • python
  • Github Actions (you can likely learn this once you get started)
  • understanding of triage of security issues would be helpful
  • understanding of SBOMs or license management would be helpful

Difficulty level

  • medium
  • The initial work here should be relatively straightforward, but be warned that none of the mentors has extensive experience writing github actions so you'll be learning the capabilities together and will have to do a lot of your own reading.

Project Length

  • 175 or 350 hours.
  • for a 175 hour project I'd expect to have a github action somewhat comparable to what we get from dependabot: CVE reporting in the security tab, the ability to do some basic triage, and maybe some of the other features. (it would still be slightly more than dependabot as we can handle binaries and non-pinned versions for python).
  • At 350 hours we would want to have more SBOM integration, more triage capabilities, more auto-upgrade options, and probably closer to the full list of ideas explored for feasibility (but maybe not implemented).
  • If you're available to do a 350hr project, please choose that one -- I think there's a lot of interesting work to do here. We could potentially take two contributors and split the project, one to do the main cve-scanning action and another to work on sbom-related actions, but I think it would probably be easier to have a single contributor do both.

GSoC Participants Only

This issue is a potential project idea for GSoC 2023, and is reserved for completion by a selected GSoC contributor. Please do not work on it outside of that program. If you'd like to apply to do it through GSoC, please start by reading #2230 .

@terriko terriko added the gsoc Tasks related to our participation in Google Summer of Code label Feb 28, 2023
@terriko
Contributor Author

terriko commented Feb 28, 2023

I've added the gsoc label because I think maybe we could put together enough to make a viable gsoc project out of this, but I won't put it on the actual list until it's a bit more well described above.

@terriko terriko changed the title feat: add github actions with "fancy" reporting GSoC 2023 Idea: add github actions with "fancy" reporting Mar 1, 2023
@terriko
Contributor Author

terriko commented Mar 1, 2023

[screenshot: dependabot alerts on the cve-bin-tool repository]

For those who maybe haven't used dependabot, here's what it looks like on our repository.

Now cve-bin-tool is an "interesting" repo to scan, because our test/ directory is filled with files that look like vulnerable code. Dependabot can't handle binaries but it can scan the language lists we use for testing the language parser, so you can see that I've gone around and marked a lot of those as "vulnerable code is not actually used." Currently I have to do this every single time it finds something; there's no way to skip directories or files that I know will have regular issues. With the pull requests (you can see them linked on the right in the screenshot) it looks like they've maybe added the ability for me to skip specific dependencies for major/minor versions, so that might mean eventually I'll be able to ignore all the test data by telling dependabot about each one as it comes up.

So I guess I'll add "make it possible to skip directories / skip files / skip specific dependencies" to the feature wishlist for this one.
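The two reporting mechanics discussed in this thread, getting cve-bin-tool findings into the Security tab the way dependabot and scorecard do (item 2 of the top post) and skipping known-noisy directories such as test/ (the wishlist item just above), both come down to what the action emits. GitHub's code-scanning alerts are fed by a SARIF 2.1.0 file uploaded with the github/codeql-action/upload-sarif action, and GitHub takes the alert's severity bucket from a "security-severity" property on the rule. The converter below is an added example written for this page, not cve-bin-tool's or the GitHub Action's own code. It assumes the input keys (vendor, product, version, cve_number, severity, score, paths, remarks) match cve-bin-tool's JSON report, that the remark values used for suppression are the ones cve-bin-tool's triage uses, and that repository-relative paths are what GitHub expects as artifact URIs; the sample findings are constructed (real CVE/product pairs, made-up paths).

```python
"""Turn cve-bin-tool-style JSON findings into a SARIF 2.1.0 log for GitHub
code scanning, dropping triaged findings and findings located only in skipped
directories (e.g. test/).

Added example, not cve-bin-tool's or the GitHub Action's own code. Assumptions:
input keys mirror cve-bin-tool's JSON report (vendor, product, version,
cve_number, severity, score, paths, remarks) and the suppression remark names
are the ones cve-bin-tool's triage uses; verify both against a real report.
"""
import json
import sys
from pathlib import PurePosixPath

# cve-bin-tool severity -> SARIF result level accepted by GitHub code scanning.
LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning",
         "LOW": "note", "UNKNOWN": "warning"}

# Triage remarks that should not surface as alerts (assumed remark names).
SUPPRESSED_REMARKS = {"NotAffected", "FalsePositive", "Ignored", "Mitigated"}

# Constructed sample findings: the CVE/product pairs are real, the paths are made up.
SAMPLE_FINDINGS = [
    {"vendor": "gnu", "product": "glibc", "version": "2.31",
     "cve_number": "CVE-2021-3999", "severity": "HIGH", "score": 7.8,
     "paths": "vendor/libc.so.6,build/rootfs/lib/libc.so.6",
     "remarks": "NewFound", "comments": ""},
    {"vendor": "python", "product": "requests", "version": "2.19.0",
     "cve_number": "CVE-2018-18074", "severity": "MEDIUM", "score": 5.0,
     "paths": "test/language_data/requirements.txt",
     "remarks": "NewFound", "comments": "test fixture, never installed"},
    {"vendor": "zlib", "product": "zlib", "version": "1.2.11",
     "cve_number": "CVE-2018-25032", "severity": "HIGH", "score": 7.5,
     "paths": "vendor/libz.so.1",
     "remarks": "NotAffected", "comments": "distro backport carries the fix"},
]


def is_under(path: str, prefixes) -> bool:
    """True if the repo-relative path equals or lies below any skip prefix."""
    p = PurePosixPath(path)
    return any(PurePosixPath(s) == p or PurePosixPath(s) in p.parents for s in prefixes)


def to_sarif(findings, skip_prefixes=(), default_uri="sbom.json",
             tool_version="unknown") -> dict:
    """Build a SARIF log: one rule per CVE, one result per (CVE, file).

    Triaged-away findings are dropped, paths under skip_prefixes are dropped,
    and a finding with no path at all (e.g. from an SBOM scan) is attached to
    default_uri so GitHub still has a location to show.
    """
    rules, results = {}, []
    for f in findings:
        if f.get("remarks") in SUPPRESSED_REMARKS:
            continue
        paths = [p.strip() for p in str(f.get("paths", "")).split(",") if p.strip()]
        paths = [p for p in paths if not is_under(p, skip_prefixes)] or (
            [default_uri] if not f.get("paths") else [])
        if not paths:
            continue  # every location was inside skipped test data
        cve = f["cve_number"]
        # GitHub reads "security-severity" (CVSS 0-10) from the rule to bucket alerts.
        rules.setdefault(cve, {
            "id": cve,
            "shortDescription": {"text": f"{cve} in {f['product']}"},
            "helpUri": f"https://nvd.nist.gov/vuln/detail/{cve}",
            "properties": {"security-severity": f"{float(f.get('score') or 0):.1f}"},
        })
        level = LEVEL.get(str(f.get("severity", "UNKNOWN")).upper(), "warning")
        for p in paths:
            results.append({
                "ruleId": cve,
                "level": level,
                "message": {"text": f"{f['vendor']}/{f['product']} {f['version']} "
                                    f"is affected by {cve} ({f.get('severity')})"},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": p}}}],
            })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "cve-bin-tool", "version": tool_version,
                                      "rules": list(rules.values())}},
                  "results": results}],
    }


if __name__ == "__main__":
    # Usage: python cbt_to_sarif.py [report.json [out.sarif [skipdir ...]]]
    # With no arguments the constructed sample is converted.
    args = sys.argv[1:]
    src = args[0] if args else "-"
    dst = args[1] if len(args) > 1 else "cve-bin-tool.sarif"
    findings = SAMPLE_FINDINGS if src == "-" else json.load(open(src))
    with open(dst, "w") as fh:
        json.dump(to_sarif(findings, skip_prefixes=args[2:]), fh, indent=2)
```

In a workflow this would sit between the cve-bin-tool step (run with JSON output into a file) and an upload-sarif step pointing at the generated file; one result per (CVE, path) rather than one per CVE is deliberate, since GitHub fingerprints alerts by rule and location, so a triage decision on the test/ copy of a library does not silently close the alert on the shipped copy.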

@terriko
Contributor Author

terriko commented Mar 1, 2023

okay, edited the top post to get this well-described enough to put on the gsoc list, so I'm going to go ahead and add it there.

@terriko
Contributor Author

terriko commented Nov 29, 2023

This was completed in summer 2023 and can now be closed.

@terriko terriko closed this as completed Nov 29, 2023