intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

ci: don't generate sboms on forks #3322

Closed terriko closed 1 year ago

terriko commented 1 year ago

Description

Currently, I'm getting a bunch of messages saying that sbom generation failed on a few people's forks. I suspect that we need to change the workflow file so that it only runs the sbom updates on the main repo.

Version/platform info

Running in any particular CI environment we should know about? Github Actions

terriko commented 1 year ago

Took a quick look at this to fill in enough info to mark it as beginner friendly.

The changes will need to go into the update sbom workflow config, which can be found here: https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/sbom.yml

To run something only on the main repo you can use the following logic:

if: github.repository == 'intel/cve-bin-tool'

You can see how that works in the update-cache job here: https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/update-cache.yml

So basically, edit the sbom.yml file to include that if line in the appropriate place, similar to what you find in update-cache.yml.
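To illustrate where that guard sits, here is an added, illustrative workflow fragment (not the project's actual sbom.yml or update-cache.yml; the job name, trigger and steps are placeholders). The point is that the condition belongs at the job level, so a fork skips the job instead of running it and failing:

```yaml
name: SBOM update (illustrative example)

on:
  schedule:
    - cron: '0 0 * * 0'   # placeholder schedule, not the project's real trigger
  workflow_dispatch:

jobs:
  generate-sbom:
    # Job-level guard. On a fork, github.repository is '<fork-owner>/cve-bin-tool',
    # so the comparison is false and the whole job is skipped (shown as "skipped",
    # not "failed") rather than attempting an SBOM update the fork cannot complete.
    if: github.repository == 'intel/cve-bin-tool'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM
        # Placeholder for the real generation steps.
        run: echo "SBOM generation steps go here"
```

The same expression can be placed on an individual step instead of the job, but a job-level `if:` avoids spending runner minutes on forks at all.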

terriko commented 1 year ago

And because I marked this as a good first issue, here are the new contributor tips:

Short tips for new contributors:

Claiming issues:

rudrakshkarpe commented 1 year ago

I look forward to working on this issue!