intel · johnandersen777 · May 26, 2021 · Mar 24, 2021 · Mar 25, 2021 · Mar 29, 2021
diff --git a/.github/workflows/pythonapp.yml b/.github/workflows/pythonapp.yml
@@ -237,3 +237,42 @@ jobs:
           pytest -v
           test/test_cvedb.py
           test/test_cli.py
+
+  cve_scan:
+    name: CVE Scan on dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Get Date
+        id: get-date
+        run: |
+          echo "::set-output name=date::$(/bin/date -u "+%Y%m%d")"
+        shell: bash
+      - uses: actions/checkout@v2
+      - name: Set up Python
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - name: get cached python packages
+        uses: actions/cache@v2
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: get cached database
+        uses: actions/cache@v2
+        with:
+          path: ~/.cache/cve-bin-tool
+          key: ${{ runner.os }}-cve-bin-tool-${{ steps.get-date.outputs.date }}
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install -r doc/requirements.txt
+      - name: Create cache requirements.csv with versions
+        run: |
+          python requirements_csv.py
+      - name: Run CVE Binary tool against requirements.csv and HTML report dependencies
+        run: |
+          python -m cve_bin_tool.cli --input-file ~/.cache/cve-bin-tool/requirements.csv
diff --git a/cve_bin_tool/output_engine/html_reports/js/dependencies.csv b/cve_bin_tool/output_engine/html_reports/js/dependencies.csv
@@ -0,0 +1,4 @@
+vendor,product
+getbootstrap,bootstrap
+jquery,jquery
+plotly,plotly.js
diff --git a/doc/requirements.csv b/doc/requirements.csv
@@ -0,0 +1,4 @@
+vendor,product
+rtfd_not_in_db,recommonmark
+sphinx-doc_not_in_db,sphinx
+ryanfox_not_in_db,sphinx_markdown_tables
diff --git a/requirements.csv b/requirements.csv
@@ -0,0 +1,19 @@
+vendor,product
+plot,plotly
+pocoo,jinja2
+aiohttp_project,aiohttp
+pyyaml,pyyaml
+reportlab,reportlab
+pytest_not_in_db,pytest
+pytest_not_in_db,pytest-xdist
+pytest_not_in_db,pytest-cov
+pytest_not_in_db,pytest-asyncio
+pycqa_not_in_db,isort
+willmcgugan_not_in_db,rich
+crummy_not_in_db,beautifulsoup4
+aio-libs_not_in_db,aiohttp
+uiri_not_in_db,toml
+jsonschema_not_in_db,jsonschema
+python_not_in_db,py
+srossross_not_in_db,rpmfile
+indygreg_not_in_db,zstandard
diff --git a/requirements_csv.py b/requirements_csv.py
@@ -0,0 +1,63 @@
+# Copyright (C) 2021 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Script to add versions to requirements.csv
+
+import csv
+import os
+import re
+from importlib.metadata import version
+
+REQ_CSV = os.path.abspath(os.path.join(os.path.dirname(__file__), "requirements.csv"))
+DOC_CSV = os.path.abspath(
+    os.path.join(os.path.dirname(__file__), "doc", "requirements.csv")
+)
+CACHE_CSV = os.path.join(
+    os.path.expanduser("~"), ".cache", "cve-bin-tool", "requirements.csv"
+)
+HTML_DEP_PATH = os.path.abspath(
+    os.path.join(
+        os.path.dirname(__file__), "cve_bin_tool", "output_engine", "html_reports", "js"
+    )
+)
+HTML_DEP_CSV = os.path.join(HTML_DEP_PATH, "dependencies.csv")
+
+
+def get_cache_csv_data(file):
+    data = []
+    with open(file, "r") as f:
+        r = csv.reader(f)
+        next(r)
+        for row in r:
+            if file is HTML_DEP_CSV:
+                file_name = (
+                    "{}/{}".format(HTML_DEP_PATH, row[1])
+                    if ".js" in row[1]
+                    else "{}/{}.js".format(HTML_DEP_PATH, row[1])
+                )
+                with open(file_name) as f:
+                    file_content = f.read()
+                    html_dep_version = re.search(
+                        r"v([0-9]+\.[0-9]+\.[0-9]+)", file_content
+                    ).group(1)
+                    data.append((row[0], row[1], html_dep_version))
+            else:
+                if "_not_in_db" not in row[0]:
+                    data.append((row[0], row[1], version(row[1])))
+        return data
+
+
+cache_csv_data = (
+    get_cache_csv_data(REQ_CSV)
+    + get_cache_csv_data(DOC_CSV)
+    + get_cache_csv_data(HTML_DEP_CSV)
+)
+
+# writes a cache CSV file
+with open(CACHE_CSV, "w") as f:
+    writer = csv.writer(f)
+    fieldnames = ["vendor", "product", "version"]
+    writer = csv.writer(f)
+    writer.writerow(fieldnames)
+    for row in cache_csv_data:
+        writer.writerow(row)