---
name: Upload SDL Evidence
permissions: read-all
on:
  workflow_dispatch:
    inputs:
      summary_artifact:
        description: 'Summary_Artifact Zip File Name'
        type: string
        required: true
      label:
        description: 'SDL-E label (tag) for uploads'
        type: string
        required: true
      sdle_project:
        description: 'SDL-E Project ID'
        type: string
        required: true
      sdle_user:
        description: 'SDL-E User ID'
        type: string
        required: true
      output_prefix:
        description: 'Prefix to add to output artifacts'
        required: true
        default: ''
        type: string
  workflow_call:
    inputs:
      summary_artifact:
        description: 'Summary_Artifact Zip File Name'
        type: string
        required: true
      label:
        description: 'SDL-E label (tag) for uploads'
        type: string
        required: true
      sdle_project:
        description: 'SDL-E Project ID'
        type: string
        required: true
      sdle_user:
        description: 'SDL-E User ID'
        type: string
        required: true
      output_prefix:
        description: 'Prefix to add to output artifacts'
        required: true
        default: ''
        type: string
    secrets:
      SDLE_API_KEY:
        description: 'SDL-E Api Key for User'
        required: true
jobs:
  upload_files:
    runs-on: [self-hosted, linux]
    steps:
      - name: Cleanup workspace
        run: sudo rm -rf ..?* .[!.]* *
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          path: source
      - name: Download Release Summary
        uses: actions/download-artifact@v4
        with:
          name: tools-release-summary
          path: artifacts
      - name: Move artifacts to target directory
        run: |
          mv artifacts/* source/.github/workflows/sdl/
          ls -al source/.github/workflows/sdl/sdl/tools
      - name: Build Docker image
        run: >
          docker build "source/.github/workflows/sdl"
          -f "source/.github/workflows/sdl/Dockerfile.ubuntu.sdl"
          -t vpl_sdl:ubuntu
      - name: Upload SDL evidence
        run: |
          # note: quotes around 'EOL' prevent bash variable
          # expansion while writing file. The ${{ }} expressions are
          # still substituted by the Actions runner before this step
          # runs, so the input values land literally in upload.sh;
          # they are double-quoted so that a value containing spaces,
          # or the empty default output_prefix, still forms exactly
          # one argument.
          cat <<'EOL' > upload.sh
          #!/bin/bash
          ls source/.github/workflows/sdl
          FILE_PATH="source/.github/workflows/sdl/sdl/tools"
          function publish() {
            TASK="$1"
            EVIDENCE="$2"
            python3 source/.github/workflows/sdl/evidence_upload.py \
              --api_key "${{ secrets.SDLE_API_KEY }}" \
              --user_id "${{ inputs.sdle_user }}" \
              --project_id "${{ inputs.sdle_project }}" \
              --task_id "${TASK}" \
              --file_paths "${FILE_PATH}/${EVIDENCE}" \
              --label "${{ inputs.label }}" \
              --output_prefix "${{ inputs.output_prefix }}"
          }
          publish CT7 CT7-KnownVulnerabilities/vulns.csv
          publish CT7 CT7-KnownVulnerabilities/results.pdf
          publish CT36 CT36-RegisterComponents/components.csv
          publish CT37 CT37-MalwareScan/source-report.txt
          publish CT37 CT37-MalwareScan/windows-report.txt
          publish CT39 CT39-StaticAnalysis/linux-coverity.json
          publish CT39 CT39-StaticAnalysis/linux-cvss_report.pdf
          publish CT39 CT39-StaticAnalysis/linux-security_report.pdf
          publish CT39 CT39-StaticAnalysis/windows-coverity.json
          publish CT39 CT39-StaticAnalysis/windows-cvss_report.pdf
          publish CT39 CT39-StaticAnalysis/windows-security_report.pdf
          publish CT40 CT40-SecurityValidation/linux.csv
          publish CT40 CT40-SecurityValidation/windows.csv
          publish CT151 CT151-CompilerFlags/SSCB_SCAN_results-Windows.html
          publish CT151 CT151-CompilerFlags/SSCB_SCAN_results-Linux.html
          publish CT247 CT247-Trivy/trivy-report.csv
          EOL
          chmod a+x upload.sh
          ls -l
          pwd
          docker run --rm -v "$(pwd):/tmp/work" -w /tmp/work \
            vpl_sdl:ubuntu ./upload.sh
      - name: Cleanup workspace
        run: sudo rm -rf ..?* .[!.]* *
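The upload step above writes the dispatch inputs and the API key into the script text through `${{ }}` expressions, which the runner expands before bash ever sees the file. The variant below is an added example, not the project's own workflow: it keeps the same `evidence_upload.py` interface, evidence paths and `vpl_sdl:ubuntu` image from this page, but passes every input and the secret through the step's `env:` block and forwards them into the container with `docker run -e NAME`, so the script body is a fixed string and the values never appear in the command line or on disk. The `set -euo pipefail` line is an added choice so a failed upload stops the step instead of being silently skipped.

```yaml
      - name: Upload SDL evidence (inputs passed via environment)
        env:
          # Runner-side expansion lands in variables, not in shell source.
          SDLE_API_KEY: ${{ secrets.SDLE_API_KEY }}
          SDLE_USER: ${{ inputs.sdle_user }}
          SDLE_PROJECT: ${{ inputs.sdle_project }}
          SDLE_LABEL: ${{ inputs.label }}
          OUTPUT_PREFIX: ${{ inputs.output_prefix }}
        run: |
          # No ${{ }} expressions below: the script text is the same
          # whatever was typed into the workflow_dispatch form, and the
          # API key is never written into upload.sh.
          cat <<'EOL' > upload.sh
          #!/bin/bash
          set -euo pipefail
          FILE_PATH="source/.github/workflows/sdl/sdl/tools"
          publish() {
            local task="$1" evidence="$2"
            python3 source/.github/workflows/sdl/evidence_upload.py \
              --api_key "$SDLE_API_KEY" \
              --user_id "$SDLE_USER" \
              --project_id "$SDLE_PROJECT" \
              --task_id "$task" \
              --file_paths "${FILE_PATH}/${evidence}" \
              --label "$SDLE_LABEL" \
              --output_prefix "$OUTPUT_PREFIX"
          }
          publish CT7 CT7-KnownVulnerabilities/vulns.csv
          publish CT7 CT7-KnownVulnerabilities/results.pdf
          publish CT36 CT36-RegisterComponents/components.csv
          publish CT37 CT37-MalwareScan/source-report.txt
          publish CT37 CT37-MalwareScan/windows-report.txt
          publish CT39 CT39-StaticAnalysis/linux-coverity.json
          publish CT39 CT39-StaticAnalysis/linux-cvss_report.pdf
          publish CT39 CT39-StaticAnalysis/linux-security_report.pdf
          publish CT39 CT39-StaticAnalysis/windows-coverity.json
          publish CT39 CT39-StaticAnalysis/windows-cvss_report.pdf
          publish CT39 CT39-StaticAnalysis/windows-security_report.pdf
          publish CT40 CT40-SecurityValidation/linux.csv
          publish CT40 CT40-SecurityValidation/windows.csv
          publish CT151 CT151-CompilerFlags/SSCB_SCAN_results-Windows.html
          publish CT151 CT151-CompilerFlags/SSCB_SCAN_results-Linux.html
          publish CT247 CT247-Trivy/trivy-report.csv
          EOL
          chmod a+x upload.sh
          # "-e NAME" with no value copies the variable from the runner's
          # environment into the container, so the secret is not placed
          # on the docker command line.
          docker run --rm \
            -e SDLE_API_KEY -e SDLE_USER -e SDLE_PROJECT \
            -e SDLE_LABEL -e OUTPUT_PREFIX \
            -v "$(pwd):/tmp/work" -w /tmp/work \
            vpl_sdl:ubuntu ./upload.sh
```

This step is a drop-in replacement for the `Upload SDL evidence` step and relies on nothing else in the job changing; the two cleanup steps and the image build stay as they are.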