PromucFlow_constructor/.github/workflows/test-vulnerabilities-data.yml

name: Run Vulnerability Data Script with Parameters and Update PR

on:
  workflow_dispatch:
    inputs:
      image_name:
        description: 'Docker image name to scan'
        required: true
        default: 'appsmith/appsmith-ce:release'

jobs:
  run-and-update-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '20'
      
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}    

      - name: Install pg
        run: npm install pg

      - name: Fetch vulnerability data
        id: vulnerability_data
        env:
          DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
          DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
          DB_USER: ${{ secrets.CYPRESS_DB_USER }}
          DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
        uses: actions/github-script@v7
        with:
          script: |
            const { Pool } = require("pg");
            const fs = require('fs');
            const path = require('path');
            const { DB_HOST, DB_NAME, DB_USER, DB_PWD } = process.env;

            const pool = new Pool({
              user: DB_USER,
              host: DB_HOST,
              database: DB_NAME,
              password: DB_PWD,
              port: 5432,
              connectionTimeoutMillis: 60000,
            });

            (async () => {
              const client = await pool.connect();
              try {
                // Fetch vurn_id, product, scanner_tool, and priority from the database
                const result = await client.query(`SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking`);
                console.log('Vulnerability Data:', result.rows);

                // Extract relevant fields from the result
                const extractedData = result.rows.map(({ vurn_id, product, scanner_tool, priority }) => ({
                  vurn_id,
                  product,
                  scanner_tool,
                  priority
                }));
                console.log('Extracted Vulnerability Data:', extractedData);

                // Prepare CSV content
                const csvContent = [
                  ['vurn_id', 'product', 'scanner_tool', 'priority'],  // Add priority column header
                  ...extractedData.map(row => [row.vurn_id, row.product, row.scanner_tool, row.priority])
                ]
                .map(e => e.join(',')) // Join columns
                .join('\n'); // Join rows

                // Write to CSV file in workspace
                const csvFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.csv');
                fs.writeFileSync(csvFilePath, csvContent);
                console.log(`Data successfully written to ${csvFilePath}`);

                // Prepare TXT content
                const txtContent = extractedData
                  .map(row => `vurn_id: ${row.vurn_id}, product: ${row.product}, scanner_tool: ${row.scanner_tool}, priority: ${row.priority}`)
                  .join('\n'); // Join rows

                // Write to TXT file in workspace
                const txtFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.txt');
                fs.writeFileSync(txtFilePath, txtContent);
                console.log(`Data successfully written to ${txtFilePath}`);

                client.release();
                return extractedData; // Return the extracted data
              } catch (err) {
                console.error('Error fetching vulnerability data:', err);
                client.release();
              }
            })();
                          
      - name: Upload Vulnerability Data
        uses: actions/upload-artifact@v3
        with:
          name: vulnerability-data
          path: |
            vulnerability_base_data.csv
            vulnerability_base_data.txt                  

      # Run Scout vulnerability data script
      - name: Run Scout vulnerability data script
        if: always()
        env:
          DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
          DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
          DB_USER: ${{ secrets.CYPRESS_DB_USER }}
          DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
        run: |
          chmod +x scripts/scout_vulnerabilities_data.sh
          ./scripts/scout_vulnerabilities_data.sh \
            "${{ inputs.image_name }}" \
            "${{ github.event.pull_request.number }}" \
            "${{ github.event.pull_request.html_url }}" \
            "${{ github.run_id }}"          

      - name: Run Trivy vulnerability data script
        if: always()
        env:
          DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
          DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
          DB_USER: ${{ secrets.CYPRESS_DB_USER }}
          DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
          chmod +x scripts/trivy_vulnerabilities_data.sh
          ./scripts/trivy_vulnerabilities_data.sh \
            "${{ inputs.image_name }}" \
            "${{ github.event.pull_request.number }}" \
            "${{ github.event.pull_request.html_url }}" \
            "${{ github.run_id }}"