search

google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0
1.45k stars 173 forks source link

GitHub Actions version matching #2308

Open thepwagner opened 2 weeks ago

thepwagner commented 2 weeks ago

Is your feature request related to a problem? Please describe.

There are 16 entries for ecosystem: GitHub Actions currently in the database, https://osv.dev/list?ecosystem=GitHub+Actions&q=

All entries provide semver-compatible entries

``` $ for vuln in GHSA-7f32-hm4h-w77q GHSA-ghm2-rq8q-wrhc GHSA-mcph-m25j-8j63 GHSA-99jg-r3f4-rpxj GHSA-8v8w-v8xg-79rf GHSA-hw6r-g8gj-2987 GHSA-h3qr-39j9-4r5v GHSA-rg3q-prf8-qxmp GHSA-6q4m-7476-932w GHSA-p756-rfxh-x63h GHSA-2c6m-6gqh-6qg3 GHSA-f9qj-7gh3-mhj4 GHSA-4xqx-pqpj-9fqw GHSA-634p-93h9-92vh GHSA-g86g-chm8-7r2p GHSA-4mgv-m5cm-f9h7; do curl -s "https://api.osv.dev/v1/vulns/$vuln" | jq -c '.affected[0].ranges'; done [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"41"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.1"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.7"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.2"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0"},{"fixed":"4.4.1"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"2.294.0"},{"fixed":"2.296.2"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.5"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.1"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.0.19"}]}] [{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.0"}]}] ```

I know https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q exists. I know https://github.com/rlespinasse/github-slug-action/releases/tag/1.0.0 exists, and is affected by the vulnerability. But I can't query to match the two: $ curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "version":"1.0.0"}' https://api.osv.dev/v1/query

Describe the solution you'd like

Treat the GitHub Actions ecosystem as (best effort?) SemVer: https://github.com/google/osv.dev/blob/46c25dafc776d429ac46cb112fb1dffb98b9cc90/osv/ecosystems/_ecosystems.py#L51

Describe alternatives you've considered

Querying by the commit referenced by the 1.0.0 tag: curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "commit":"9671420482a6e4c59c06f2d2d9e0605e941b1287"}' https://api.osv.dev/v1/query This returns https://osv.dev/vulnerability/GHSA-6q4m-7476-932w - which I don't think impacts 1.0.0, and does not return https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q, which I think does.

I mostly don't understand the implications of this change. Actions may be referred to commit, tag (i.e. where semver would appear) or branch.

Additional context

The official versioning scheme for Actions is here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses Semver is implied/encouraged, but not enforced.

thepwagner commented 2 weeks ago

best effort semver

This might look similar to https://github.com/google/osv.dev/blob/46c25dafc776d429ac46cb112fb1dffb98b9cc90/osv/ecosystems/rubygems.py#L33

G-Rath commented 2 weeks ago

fwiw I asked GitHub about this a while ago when I was looking to support GHA in my CLI and the scanner (which I'll get back to one day 😅), and they said they expect them to be semver on their end

andrewpollock commented 2 weeks ago

@thepwagner feel free to send a PR to s/OrderingUnsupportedEcosystem/SemverEcosystem/ for this ecosystem.

I think the challenges we may then run into will be: