test cve fix workflow

kryanbeane · kryanbeane · commit c796d9517465 · 2026-02-04T15:06:25.000+01:00
diff --git a/.github/renovate-cve-config.js b/.github/renovate-cve-config.js
@@ -0,0 +1,78 @@
+// =============================================================================
+// Renovate CVE Remediation Configuration - CodeFlare Operator
+// =============================================================================
+// This config is used by the CVE Remediation Controller to create fix PRs
+// for Go module vulnerabilities.
+//
+// Environment variables from workflow:
+// - RENOVATE_TARGET_REPO: Repository to create PR in
+// - RENOVATE_BASE_BRANCH: Branch to target (the cve-fix branch)
+// - RENOVATE_PACKAGE_NAME: Vulnerable Go module to update
+// - RENOVATE_CVE_ID: CVE identifier
+// - RENOVATE_ISSUE_NUMBER: Tracking issue number
+// - RENOVATE_ISSUE_REPO: Repository with the tracking issue
+// =============================================================================
+
+const prBody = `## Security Update
+
+This PR fixes **${process.env.RENOVATE_CVE_ID || 'CVE'}** by updating \`${process.env.RENOVATE_PACKAGE_NAME || 'package'}\`.
+
+**Tracking Issue:** ${process.env.RENOVATE_ISSUE_REPO || ''}#${process.env.RENOVATE_ISSUE_NUMBER || ''}
+
+---
+*Created by [CVE Remediation Controller](https://github.com/project-codeflare/codeflare-operator/blob/main/.github/workflows/cve-controller.yml)*
+`;
+
+module.exports = {
+  platform: 'github',
+  onboarding: false,
+  requireConfig: 'ignored',
+
+  // Target repo and branch
+  repositories: [process.env.RENOVATE_TARGET_REPO].filter(Boolean),
+  baseBranches: [process.env.RENOVATE_BASE_BRANCH].filter(Boolean),
+
+  // Go module manager
+  enabledManagers: ['gomod'],
+
+  // Only update the vulnerable package
+  packageRules: [
+    {
+      // Enable updates for the vulnerable package
+      matchPackagePatterns: [process.env.RENOVATE_PACKAGE_NAME].filter(Boolean),
+      enabled: true,
+      recreateWhen: 'always',
+      rebaseWhen: 'behind-base-branch',
+      prPriority: 99,
+      labels: ['security', 'cve-fix', process.env.RENOVATE_CVE_ID].filter(Boolean),
+    },
+    {
+      // Disable everything else
+      matchPackagePatterns: ['*'],
+      excludePackagePatterns: [process.env.RENOVATE_PACKAGE_NAME].filter(Boolean),
+      enabled: false,
+    },
+  ],
+
+  // PR configuration
+  prTitle: `fix(security): Update ${process.env.RENOVATE_PACKAGE_NAME || 'package'} [${process.env.RENOVATE_CVE_ID || 'CVE'}]`,
+  prBody: prBody,
+  branchPrefix: 'cve-fix/',
+  branchName: `cve-fix/${process.env.RENOVATE_CVE_ID || 'cve'}-${(process.env.RENOVATE_PACKAGE_NAME || 'pkg').split('/').pop()}`.toLowerCase().replace(/[^a-z0-9-/]/g, '-'),
+
+  // No dashboard needed for targeted CVE fixes
+  dependencyDashboard: false,
+
+  // No rate limits for security fixes
+  prHourlyLimit: 0,
+  prConcurrentLimit: 0,
+  branchConcurrentLimit: 0,
+
+  // Commit message format
+  commitMessagePrefix: 'fix(security):',
+
+  // Go-specific settings
+  postUpdateOptions: ['gomodTidy'],
+
+  logLevel: process.env.LOG_LEVEL || 'info',
+};
diff --git a/.github/workflows/cve-controller.yml b/.github/workflows/cve-controller.yml
@@ -0,0 +1,292 @@
+# =============================================================================
+# CVE Remediation Controller - CodeFlare Operator
+# =============================================================================
+# This workflow scans the codeflare-operator repository for a specific CVE and
+# creates a Renovate PR to fix the vulnerable dependency.
+#
+# Target: red-hat-data-services/codeflare-operator (downstream only)
+# Since codeflare-operator is only shipped in older versions, we only need to
+# fix downstream release branches, not main/midstream.
+#
+# Usage:
+# 1. Create a GitHub issue to track the CVE
+# 2. Trigger this workflow with:
+#    - cve_id: The CVE to check for (e.g., CVE-2024-12345)
+#    - issue_number: The tracking issue number
+#    - release_tag: The release to check (e.g., v1.14.0)
+# 3. The workflow will:
+#    - Create a fix branch: cve-fix/<cve-id>-<release-tag>
+#    - Scan the release for the CVE using govulncheck
+#    - If not affected: comment and close the issue
+#    - If affected: create a Renovate PR to fix the dependency
+#
+# PAT Requirements:
+# The CVE_CONTROLLER_PAT secret needs repo scope for PR creation
+# =============================================================================
+
+name: CVE Remediation Controller
+
+on:
+  workflow_dispatch:
+    inputs:
+      cve_id:
+        description: 'CVE identifier (e.g., CVE-2024-12345)'
+        required: true
+        type: string
+      issue_number:
+        description: 'GitHub Issue ID to update with status'
+        required: true
+        type: string
+      release_tag:
+        description: 'Release tag to base the fix branch from (e.g., v1.14.0)'
+        required: true
+        type: string
+      # -------------------------------------------------------------------------
+      # Override inputs for testing with forks
+      # -------------------------------------------------------------------------
+      repo_override:
+        description: 'Override target repo for testing (e.g., your-username/codeflare-operator)'
+        required: false
+        type: string
+      issue_repo_override:
+        description: 'Override issue repo for testing (e.g., your-username/codeflare-operator)'
+        required: false
+        type: string
+
+# Ensure only one CVE remediation runs at a time per CVE/release combination
+concurrency:
+  group: cve-operator-${{ github.event.inputs.cve_id }}-${{ github.event.inputs.release_tag }}
+  cancel-in-progress: false
+
+env:
+  # Default repository - downstream only for codeflare-operator
+  TARGET_REPO: ${{ inputs.repo_override || 'red-hat-data-services/codeflare-operator' }}
+  ISSUE_REPO: ${{ inputs.issue_repo_override || inputs.repo_override || 'red-hat-data-services/codeflare-operator' }}
+
+jobs:
+  # ===========================================================================
+  # Job 1: Scan for CVE
+  # ===========================================================================
+  scan:
+    name: Scan for CVE
+    runs-on: ubuntu-latest
+    outputs:
+      vulnerable: ${{ steps.scan.outputs.vulnerable }}
+      package_name: ${{ steps.scan.outputs.package_name }}
+      fix_branch: ${{ steps.branch.outputs.fix_branch }}
+
+    steps:
+      # -----------------------------------------------------------------------
+      # Step 1: Generate branch name from CVE and release tag
+      # Format: cve-fix/<cve-id>-<release-tag>
+      # -----------------------------------------------------------------------
+      - name: Generate fix branch name
+        id: branch
+        run: |
+          # Create branch name: cve-fix/CVE-2024-12345-v1.14.0
+          CVE_ID="${{ inputs.cve_id }}"
+          RELEASE_TAG="${{ inputs.release_tag }}"
+
+          # Sanitize for branch name (lowercase, replace invalid chars)
+          FIX_BRANCH="cve-fix/${CVE_ID}-${RELEASE_TAG}"
+          FIX_BRANCH=$(echo "$FIX_BRANCH" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9./-]/-/g')
+
+          echo "fix_branch=${FIX_BRANCH}" >> $GITHUB_OUTPUT
+          echo "Generated fix branch: ${FIX_BRANCH}"
+
+      # -----------------------------------------------------------------------
+      # Step 2: Create branch from release tag
+      # -----------------------------------------------------------------------
+      - name: Create fix branch from release tag
+        run: |
+          FIX_BRANCH="${{ steps.branch.outputs.fix_branch }}"
+          RELEASE_TAG="${{ inputs.release_tag }}"
+
+          echo "Creating branch ${FIX_BRANCH} from tag ${RELEASE_TAG}"
+
+          git clone https://x-access-token:${{ secrets.CVE_CONTROLLER_PAT }}@github.com/${{ env.TARGET_REPO }}.git repo
+          cd repo
+
+          git config user.email "cve-controller@github.com"
+          git config user.name "CVE Controller"
+
+          # Check if branch already exists
+          if git ls-remote --heads origin "${FIX_BRANCH}" | grep -q .; then
+            echo "Branch ${FIX_BRANCH} already exists, will use existing branch"
+          else
+            echo "Creating new branch from tag ${RELEASE_TAG}"
+            git fetch --tags
+            git checkout tags/${RELEASE_TAG} -b "${FIX_BRANCH}"
+            git push origin "${FIX_BRANCH}"
+          fi
+
+      # -----------------------------------------------------------------------
+      # Step 3: Checkout the fix branch
+      # -----------------------------------------------------------------------
+      - name: Checkout fix branch
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.TARGET_REPO }}
+          ref: ${{ steps.branch.outputs.fix_branch }}
+          token: ${{ secrets.CVE_CONTROLLER_PAT }}
+          fetch-depth: 0
+
+      # -----------------------------------------------------------------------
+      # Step 4: Setup Go and install govulncheck
+      # -----------------------------------------------------------------------
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: './go.mod'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      # -----------------------------------------------------------------------
+      # Step 5: Scan for CVE using govulncheck
+      # -----------------------------------------------------------------------
+      - name: Scan for CVE
+        id: scan
+        run: |
+          set +e
+
+          CVE_ID="${{ inputs.cve_id }}"
+          VULNERABLE="false"
+          PACKAGE_NAME=""
+
+          echo "=== Scanning for ${CVE_ID} ==="
+
+          # Run govulncheck and capture JSON output
+          # govulncheck automatically respects vendor directory if present
+          # The output is streaming JSON - one JSON object per line
+          echo "Running govulncheck..."
+          govulncheck -json ./... > /tmp/govulncheck-output.json 2>&1 || true
+
+          echo "Full output saved to /tmp/govulncheck-output.json"
+
+          # Search for the CVE in the output
+          # govulncheck outputs streaming JSON with 'osv' field containing OSV entries
+          # The OSV id is typically GO-XXXX-XXXX, while CVE IDs are in aliases
+          # We need to parse each line as a separate JSON object
+          MATCH=$(cat /tmp/govulncheck-output.json | \
+            jq -c "select(.osv != null) | .osv | select(.id == \"${CVE_ID}\" or (.aliases // [] | index(\"${CVE_ID}\") != null))" 2>/dev/null | \
+            head -1 || echo "")
+
+          if [ -n "$MATCH" ] && [ "$MATCH" != "null" ] && [ "$MATCH" != "" ]; then
+            VULNERABLE="true"
+            # Extract the affected module name from the OSV record
+            # For Go, the affected field contains module info under package.name
+            PACKAGE_NAME=$(echo "$MATCH" | jq -r '.affected[0].package.name // "unknown"' 2>/dev/null | head -1)
+
+            # Debug output
+            echo "Found vulnerability!"
+            echo "OSV ID: $(echo "$MATCH" | jq -r '.id')"
+            echo "Aliases: $(echo "$MATCH" | jq -r '.aliases // [] | join(", ")')"
+            echo "Affected Package: $PACKAGE_NAME"
+          fi
+
+          echo "vulnerable=${VULNERABLE}" >> $GITHUB_OUTPUT
+          echo "package_name=${PACKAGE_NAME}" >> $GITHUB_OUTPUT
+          echo "timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_OUTPUT
+
+          echo "=== Scan Complete. Vulnerable: ${VULNERABLE} ==="
+
+      # -----------------------------------------------------------------------
+      # Step 6: Report results
+      # -----------------------------------------------------------------------
+      - name: Comment - Not Vulnerable
+        if: steps.scan.outputs.vulnerable == 'false'
+        run: |
+          gh issue comment ${{ inputs.issue_number }} \
+            --repo ${{ env.ISSUE_REPO }} \
+            --body "## ✅ CVE Scan Result: Not Vulnerable
+
+          | Field | Value |
+          |-------|-------|
+          | CVE | ${{ inputs.cve_id }} |
+          | Release Tag | ${{ inputs.release_tag }} |
+          | Fix Branch | ${{ steps.branch.outputs.fix_branch }} |
+          | Scan Time | ${{ steps.scan.outputs.timestamp }} |
+
+          The CVE was **not detected** in the dependencies for this release.
+
+          Closing this issue."
+
+          gh issue close ${{ inputs.issue_number }} --repo ${{ env.ISSUE_REPO }} --reason "not planned"
+        env:
+          GH_TOKEN: ${{ secrets.CVE_CONTROLLER_PAT }}
+
+      - name: Comment - Vulnerable
+        if: steps.scan.outputs.vulnerable == 'true'
+        run: |
+          gh issue comment ${{ inputs.issue_number }} \
+            --repo ${{ env.ISSUE_REPO }} \
+            --body "## ⚠️ CVE Scan Result: Vulnerable
+
+          | Field | Value |
+          |-------|-------|
+          | CVE | ${{ inputs.cve_id }} |
+          | Release Tag | ${{ inputs.release_tag }} |
+          | Fix Branch | ${{ steps.branch.outputs.fix_branch }} |
+          | Affected Package | \`${{ steps.scan.outputs.package_name }}\` |
+
+          Triggering Renovate to create a fix PR..."
+        env:
+          GH_TOKEN: ${{ secrets.CVE_CONTROLLER_PAT }}
+
+  # ===========================================================================
+  # Job 2: Create Fix PR
+  # ===========================================================================
+  fix:
+    name: Create Fix PR
+    needs: scan
+    if: needs.scan.outputs.vulnerable == 'true'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout (for Renovate config)
+        uses: actions/checkout@v4
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@v46.0.1
+        with:
+          configurationFile: .github/renovate-cve-config.js
+          token: ${{ secrets.CVE_CONTROLLER_PAT }}
+        env:
+          RENOVATE_TARGET_REPO: ${{ env.TARGET_REPO }}
+          RENOVATE_BASE_BRANCH: ${{ needs.scan.outputs.fix_branch }}
+          RENOVATE_PACKAGE_NAME: ${{ needs.scan.outputs.package_name }}
+          RENOVATE_CVE_ID: ${{ inputs.cve_id }}
+          RENOVATE_ISSUE_NUMBER: ${{ inputs.issue_number }}
+          RENOVATE_ISSUE_REPO: ${{ env.ISSUE_REPO }}
+          RENOVATE_COMPONENT: codeflare-operator
+          RENOVATE_SCAN_TYPE: go
+          LOG_LEVEL: debug
+
+      - name: Comment - PR Created
+        run: |
+          gh issue comment ${{ inputs.issue_number }} \
+            --repo ${{ env.ISSUE_REPO }} \
+            --body "## 🔧 Fix PR Initiated
+
+          | Field | Value |
+          |-------|-------|
+          | Package | \`${{ needs.scan.outputs.package_name }}\` |
+          | Fix Branch | ${{ needs.scan.outputs.fix_branch }} |
+          | CVE | ${{ inputs.cve_id }} |
+
+          Renovate has been triggered. Check the repository for the new PR."
+        env:
+          GH_TOKEN: ${{ secrets.CVE_CONTROLLER_PAT }}
+
+      - name: Comment on failure
+        if: failure()
+        run: |
+          gh issue comment ${{ inputs.issue_number }} \
+            --repo ${{ env.ISSUE_REPO }} \
+            --body "## ❌ Fix PR Failed
+
+          Renovate failed to create a PR. Check the workflow logs:
+          ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+        env:
+          GH_TOKEN: ${{ secrets.CVE_CONTROLLER_PAT }}
