PromucFlow_constructor/scripts/scout_vulnerabilities_data.sh


chore: Added scout & trivy scan to github workflow (#37022) ## Description Run trivy and scout scanner with image name Fixes #`37036` ## Automation /ok-to-test tags="@tag.IDE" ### :mag: Cypress test results <!-- This is an auto-generated comment: Cypress test results --> > [!TIP] > 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉 > Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/11480586298> > Commit: 5ebbcd37ec177c781d8b0be38a83ce695d211c9d > <a href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=11480586298&attempt=1" target="_blank">Cypress dashboard</a>. > Tags: `@tag.IDE` > Spec: > <hr>Wed, 23 Oct 2024 13:36:44 UTC <!-- end of auto-generated comment: Cypress test results --> ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [x] No <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **New Features** - Introduced two new scripts for automated vulnerability scanning of Docker images: `scout_vulnerabilities_data.sh` and `trivy_vulnerabilities_data.sh`. - Added a GitHub Actions workflow to automate vulnerability scanning and update pull requests with results. - **Bug Fixes** - Improved error handling for missing environment variables in the new scripts. - **Documentation** - Added details on the new workflow and its steps for user reference. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2024-10-23 14:31:40 +00:00
#!/bin/bash
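# Check required environment variables (database connection settings).
required_vars=("DB_HOST" "DB_NAME" "DB_USER" "DB_PWD")
for var in "${required_vars[@]}"; do
  # A value of "your_<lowercased name>" is rejected as well as an empty one
  # (presumably an unedited template placeholder; confirm against the
  # workflow's env template).
  if [[ -z "${!var:-}" || "${!var}" == "your_${var,,}" ]]; then
    # Report only the variable NAME, never its value, so DB_PWD cannot end up
    # in the CI log. Diagnostics go to stderr.
    echo "Error: Required environment variable $var is missing or not set correctly." >&2
    exit 1
  fi
done
# DB_HOST / DB_NAME / DB_USER / DB_PWD are used directly from the environment;
# the former self-assignments (DB_HOST="${DB_HOST}" ...) were no-ops.

# Assign the parameters from the workflow
IMAGE="${1:-}"
GITHUB_PR_ID="${2:-}"
GITHUB_PR_LINK="${3:-}"
GITHUB_RUN_ID="${4:-}"
OLD_VULN_FILE="${5:-vulnerability_base_data.csv}"

# Without an image there is nothing to scan; stop here instead of letting a
# failed scan be recorded as "No vulnerabilities found".
if [[ -z "$IMAGE" ]]; then
  echo "Error: No image given. Usage: $0 IMAGE [PR_ID PR_LINK RUN_ID [OLD_VULN_FILE]]" >&2
  exit 1
fi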
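#######################################
# Install the Docker Scout CLI plugin using the upstream install script.
# Tries up to three times, pausing two seconds between attempts.
#
# Supply-chain note: the installer is fetched from the mutable `main` branch
# and executed as-is. Prefer pinning the URL to a reviewed tag or commit.
# If SCOUT_INSTALL_SHA256 is set, the download is verified against it before
# it is run; when unset, behaviour is the same as before (no verification).
#
# Globals:   SCOUT_INSTALL_SHA256 (read, optional)
# Outputs:   progress on stdout, failures on stderr; installer output is
#            written to install_scout_log.txt in the current directory
# Returns:   0 on success; exits the script with status 1 after 3 failures
#######################################
install_docker_scout() {
  local -r installer_url="https://raw.githubusercontent.com/docker/scout-cli/main/install.sh"
  local -r installer="install-scout.sh"
  local -r max_attempts=3
  local attempt

  echo "Installing Docker Scout..."
  for ((attempt = 1; attempt <= max_attempts; attempt++)); do
    echo "Attempt $attempt..."
    # Never run the installer unless this attempt's download succeeded;
    # otherwise a stale or partial install-scout.sh could be executed.
    if ! curl -fsSL "$installer_url" -o "$installer"; then
      echo "Attempt $attempt failed: could not download the installer." >&2
    elif [[ -n "${SCOUT_INSTALL_SHA256:-}" ]] \
      && ! printf '%s  %s\n' "$SCOUT_INSTALL_SHA256" "$installer" \
      | sha256sum -c - > /dev/null 2>&1; then
      echo "Attempt $attempt failed: installer checksum does not match SCOUT_INSTALL_SHA256." >&2
    elif sh "$installer" &> install_scout_log.txt; then
      echo "Docker Scout installed successfully."
      return 0
    else
      echo "Attempt $attempt failed. Check install_scout_log.txt for details." >&2
    fi
    sleep 2
  done

  echo "Error: Docker Scout installation failed after $max_attempts attempts." >&2
  exit 1
}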
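# Check if Docker is installed
if ! command -v docker &> /dev/null; then
  echo "Error: Docker is not installed. Please install Docker and try again." >&2
  exit 1
fi

# Ensure Docker is running
if ! systemctl is-active --quiet docker; then
  echo "Starting Docker..."
  sudo systemctl start docker
fi

# Check if Docker Scout is installed.
# The scan below runs `docker scout ...`, i.e. Scout as a docker CLI plugin,
# so ask docker itself. Looking for a standalone `scout` binary on PATH would
# not detect the plugin and would re-run the remote installer on every run.
if ! docker scout version &> /dev/null; then
  install_docker_scout
fi

# Prepare the output CSV file
CSV_OUTPUT_FILE="scout_vulnerabilities.csv"
rm -f "$CSV_OUTPUT_FILE"

# Extract the product name from the image name
case "$IMAGE" in
  *appsmith/appsmith-ce:*) product_name="CE" ;;
  *appsmith/appsmith-ee:*) product_name="EE" ;;
  *appsmith/cloud-services:*) product_name="CLOUD" ;;
  *) product_name="UNKNOWN" ;;
esac

# Run the scan on its own so its exit status is visible. Inside a pipeline
# (without pipefail) a failed scan -- bad image name, registry auth, network --
# would yield empty output and be recorded as "No vulnerabilities found".
if ! scout_output=$(docker scout cves "$IMAGE"); then
  echo "Error: docker scout cves failed for image: $IMAGE" >&2
  exit 1
fi

# Fetch vulnerabilities and format the output correctly.
# Output rows: <CVE id>,<product>,SCOUT,<severity>
grep -E "✗ |CVE-" <<< "$scout_output" | awk -v product_name="$product_name" -F' ' '
{
  # Check for valid vulnerability data and format it correctly
  if ($2 != "" && $3 ~ /^CVE-/) {
    # Extract severity level, CVE ID and format output correctly
    print $3","product_name",""SCOUT"","$2
  }
}' | sort -u > "$CSV_OUTPUT_FILE"

# Check if the CSV output file is empty
[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"

# Compare new vulnerabilities against old vulnerabilities
echo "Comparing new vulnerabilities with existing vulnerabilities in $OLD_VULN_FILE..."
if [ -s "$OLD_VULN_FILE" ]; then
  # First file fills `seen`; rows of the second file print only when their
  # four-column key is not in it.
  awk -F, 'NR==FNR {seen[$1","$2","$3","$4]; next} !($1","$2","$3","$4 in seen)' \
    "$OLD_VULN_FILE" "$CSV_OUTPUT_FILE" > "scout_vulnerabilities_diff.csv"
else
  echo "$OLD_VULN_FILE is empty. All new vulnerabilities will be included."
  cp "$CSV_OUTPUT_FILE" "scout_vulnerabilities_diff.csv"
fi

# Output for verification
echo "Fetching passed data..."
# The baseline file is optional; only print it when it exists.
if [ -f "$OLD_VULN_FILE" ]; then
  cat "$OLD_VULN_FILE"
fi
echo ""
echo "Fetching new data..."
cat "$CSV_OUTPUT_FILE"
echo ""
echo "Fetching diff..."
cat "scout_vulnerabilities_diff.csv"
echo ""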
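#######################################
# Insert new vulnerabilities into the PostgreSQL database using psql.
#
# Reads scout_vulnerabilities_diff.csv (vurn_id,product,scanner_tool,priority),
# skips rows already present in vulnerability_tracking for scanner SCOUT, and
# writes one INSERT per remaining row into insert_vulns.sql inside a single
# transaction, which is then executed.
#
# Security notes:
#  - Every value placed in the SQL text is single-quote escaped, including
#    the PR id, PR link and run id passed in by the workflow.
#  - The password is handed to psql through PGPASSWORD rather than inside the
#    connection URI, so it does not appear in the process argument list.
#  - ON_ERROR_STOP=1 makes psql return non-zero when a statement fails; the
#    success check below depends on it.
#
# Globals:   DB_HOST, DB_NAME, DB_USER, DB_PWD, GITHUB_PR_ID, GITHUB_PR_LINK,
#            GITHUB_RUN_ID (all read)
# Outputs:   progress on stdout, errors on stderr, insert_vulns.sql on disk
# Returns:   0 on success; exits the script with status 1 on database errors
#######################################
insert_vulns_into_db() {
  local -r query_file="insert_vulns.sql"
  local -r diff_file="scout_vulnerabilities_diff.csv"
  local -r conn_uri="postgresql://$DB_USER@$DB_HOST/$DB_NAME"
  local -r q="'"
  local existing_rows created_date update_date values field
  local db_vurn_id db_product db_scanner_tool db_priority
  local vurn_id product scanner_tool priority
  local -a fields
  # Existing (product,scanner_tool,vurn_id) keys already stored in the database
  local -A existing_entries=()

  # Fetch existing vulnerabilities from the database to avoid duplicates.
  # -A/-t/-F give unpadded "a|b|c|d" rows so the keys compare exactly.
  if ! existing_rows=$(PGPASSWORD="$DB_PWD" psql -A -t -F '|' \
    -c "SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking WHERE scanner_tool = 'SCOUT'" \
    "$conn_uri"); then
    echo "Error: Failed to read existing vulnerabilities from the database." >&2
    exit 1
  fi

  # Fill the map in the current shell. Piping psql into `while` would run the
  # loop in a subshell and the map would be empty afterwards.
  while IFS='|' read -r db_vurn_id db_product db_scanner_tool db_priority; do
    [[ -n "$db_vurn_id" ]] || continue
    existing_entries["$db_product,$db_scanner_tool,$db_vurn_id"]=1
  done <<< "$existing_rows"

  # One timestamp for the whole batch.
  created_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
  update_date="$created_date"
  local -r comments="Initial vulnerability report"
  # NOTE(review): owner looks like a placeholder value; confirm the intended owner.
  local -r owner="John Doe"
  local -r pod="Security"

  echo "BEGIN;" > "$query_file" # Start the transaction

  while IFS=, read -r vurn_id product scanner_tool priority; do
    # Skip empty or incomplete lines (this also drops the
    # "No vulnerabilities found ..." marker line, which has no commas).
    if [[ -z "$vurn_id" || -z "$priority" || -z "$product" || -z "$scanner_tool" ]]; then
      echo "Skipping empty vulnerability entry"
      continue
    fi

    # Check if the entry already exists
    if [[ -n "${existing_entries["$product,$scanner_tool,$vurn_id"]:-}" ]]; then
      echo "Entry for $vurn_id already exists in the database. Skipping."
      continue
    fi

    # Column order must match the INSERT column list below.
    fields=("$product" "$scanner_tool" "$vurn_id" "$priority"
      "$GITHUB_PR_ID" "$GITHUB_PR_LINK" "$GITHUB_RUN_ID"
      "$created_date" "$update_date" "$comments" "$owner" "$pod")

    # Build the VALUES list, doubling single quotes in every field.
    # Assumes standard_conforming_strings is on (backslashes are literal) --
    # TODO confirm for the target server.
    values=""
    for field in "${fields[@]}"; do
      values+="${values:+, }'${field//$q/$q$q}'"
    done

    # Write each insert query to the SQL file
    printf '%s\n' "INSERT INTO vulnerability_tracking (product, scanner_tool, vurn_id, priority, pr_id, pr_link, github_run_id, created_date, update_date, comments, owner, pod) VALUES ($values);" >> "$query_file"
  done < "$diff_file"

  echo "COMMIT;" >> "$query_file" # End the transaction
  echo "Queries written to $query_file."

  # Execute the SQL file; a failing statement aborts the run and leaves the
  # open transaction uncommitted.
  if PGPASSWORD="$DB_PWD" psql -e -v ON_ERROR_STOP=1 -f "$query_file" "$conn_uri"; then
    echo "Vulnerabilities successfully inserted into the database."
  else
    echo "Error: Failed to insert vulnerabilities. Please check the database connection or query." >&2
    exit 1
  fi
}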
# Only touch the database when the diff file holds at least one byte;
# otherwise report that there is nothing new to record.
if [ ! -s "scout_vulnerabilities_diff.csv" ]; then
  echo "No new vulnerabilities to insert."
else
  insert_vulns_into_db
fi