
GitHub Actions version matching #2308

Open
thepwagner opened this issue Jun 12, 2024 · 3 comments
Labels
datasource Requests for new data sources enhancement New feature or request

Comments


thepwagner commented Jun 12, 2024

Is your feature request related to a problem? Please describe.

There are 16 entries for ecosystem: GitHub Actions currently in the database, https://osv.dev/list?ecosystem=GitHub+Actions&q=

All entries provide semver-compatible entries

$ for vuln in GHSA-7f32-hm4h-w77q GHSA-ghm2-rq8q-wrhc GHSA-mcph-m25j-8j63 GHSA-99jg-r3f4-rpxj GHSA-8v8w-v8xg-79rf GHSA-hw6r-g8gj-2987 GHSA-h3qr-39j9-4r5v GHSA-rg3q-prf8-qxmp GHSA-6q4m-7476-932w GHSA-p756-rfxh-x63h GHSA-2c6m-6gqh-6qg3 GHSA-f9qj-7gh3-mhj4 GHSA-4xqx-pqpj-9fqw GHSA-634p-93h9-92vh GHSA-g86g-chm8-7r2p GHSA-4mgv-m5cm-f9h7; do curl -s "https://api.osv.dev/v1/vulns/$vuln" | jq -c '.affected[0].ranges'; done
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"41"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.7"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0"},{"fixed":"4.4.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"2.294.0"},{"fixed":"2.296.2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.5"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.0.19"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.0"}]}]

I know https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q exists.
I know https://github.com/rlespinasse/github-slug-action/releases/tag/1.0.0 exists, and is affected by the vulnerability.
But I can't query to match the two: $ curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "version":"1.0.0"}' https://api.osv.dev/v1/query

Describe the solution you'd like

Treat the GitHub Actions ecosystem as (best effort?) SemVer:

'GitHub Actions': OrderingUnsupportedEcosystem(),

Describe alternatives you've considered

Querying by the commit referenced by the 1.0.0 tag: curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "commit":"9671420482a6e4c59c06f2d2d9e0605e941b1287"}' https://api.osv.dev/v1/query
This returns https://osv.dev/vulnerability/GHSA-6q4m-7476-932w - which I don't think impacts 1.0.0, and does not return https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q, which I think does.

I mostly don't understand the implications of this change. Actions may be referred to by commit, tag (i.e. where semver would appear) or branch.

Additional context

The official versioning scheme for Actions is here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
Semver is implied/encouraged, but not enforced.
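As an added example (not osv.dev's own code), this is how the ranges printed above would match a tag such as 1.0.0 once the GitHub Actions ecosystem is ordered as best-effort SemVer. The parsing rules are this example's assumptions: a leading "v" is ignored, missing minor/patch default to 0 (so "v1" is 1.0.0), and non-semver refs such as branch names or commit SHAs never match a range.

```python
# Added example (not osv.dev's own code): evaluating OSV "ECOSYSTEM" ranges
# for a GitHub Actions tag once the ecosystem is ordered as best-effort SemVer.
# Assumptions: a leading "v" is ignored, missing minor/patch default to 0 (so
# "v1" is 1.0.0), and non-semver refs (branches, SHAs) never match a range.
import re
from typing import Optional, Tuple

_SEMVER = re.compile(
    r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse_semver(tag: str) -> Optional[Tuple]:
    """Comparable tuple for a semver-like tag, or None if it is not one.
    Pre-releases sort before their release; numeric identifiers sort numerically."""
    m = _SEMVER.match(tag.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    if pre is None:
        pre_key = (1, ())  # a release sorts after any pre-release of itself
    else:
        pre_key = (0, tuple((0, int(p)) if p.isdigit() else (1, p)
                            for p in pre.split(".")))
    return (int(major), int(minor or 0), int(patch or 0), pre_key)


def version_affected(version: str, ranges: list) -> bool:
    """True if `version` is >= an "introduced" event and < the "fixed" event that
    follows it, or if that "introduced" has no "fixed" at all ("0" covers everything)."""
    v = parse_semver(version)
    if v is None:
        return False
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue
        introduced = None
        for ev in rng["events"]:
            if "introduced" in ev:
                introduced = parse_semver(ev["introduced"])
            elif "fixed" in ev and introduced is not None:
                if introduced <= v < parse_semver(ev["fixed"]):
                    return True
                introduced = None
        if introduced is not None and introduced <= v:  # open-ended range
            return True
    return False


# Constructed from the issue's output: GHSA-7f32-hm4h-w77q's range and the open-ended one.
SLUG_ACTION_RANGES = [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.1.1"}]}]
OPEN_ENDED_RANGES = [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]
```

With this ordering, `version_affected("1.0.0", SLUG_ACTION_RANGES)` is True, which is the match the `/v1/query` call above could not make; a branch name or commit SHA still returns False because it has no position in the ordering.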

@thepwagner thepwagner added the enhancement New feature or request label Jun 12, 2024
@thepwagner
Author

best effort semver

This might look similar to

def enumerate_versions(self,

@thepwagner thepwagner changed the title Are actions semver? GitHub Actions version matching Jun 12, 2024
@G-Rath
Collaborator

G-Rath commented Jun 12, 2024

fwiw I asked GitHub about this a while ago when I was looking to support GHA in my CLI and the scanner (which I'll get back to one day 😅), and they said they expect them to be semver on their end

@andrewpollock
Contributor

@thepwagner feel free to send a PR to s/OrderingUnsupportedEcosystem/SemverEcosystem/ for this ecosystem.

I think the challenges we may then run into will be:

@andrewpollock andrewpollock added the datasource Requests for new data sources label Jun 12, 2024