rubysec / ruby-advisory-db

A database of vulnerable Ruby Gems
https://rubysec.com

Run `rake sync_github_advisories` as a scheduled workflow #537

Open ddalcino opened 1 year ago

ddalcino commented 1 year ago

I noticed that a significant fraction of the commit history of this project looks like automated changes on the part of the rake sync_github_advisories task. Yesterday, while the maintainers were dealing with #536, I had the impression that running this task manually was a burdensome chore. I think that this task could be made easier using a GitHub Actions workflow.

If you are interested, I can contribute a PR for a workflow that will automatically run the rake task and submit a PR if any new advisories were added. This workflow could be triggered manually by clicking a button in the GitHub UI, or it could run on a schedule like a cron job.

Please let me know what you think.

reedloden commented 1 year ago

Please feel free to contribute a workflow. I will note that the current script isn't as easy as it might seem. Still a lot of manual work to take the output and get the advisories in order.

ddalcino commented 1 year ago

I've attempted to get this working in https://github.com/ddalcino/ruby-advisory-db/tree/sync_github_advisories, but I keep running into credential problems. I can run the rake sync_github_advisories task locally, using the same GitHub API token that I'm using in the workflow, and the task runs successfully. However, in a GitHub workflow, I get GitHub GraphQL credential problems. I don't understand what's going on here, and I'm not sure what to look for in the documentation.

Here's the stack trace from this build: https://github.com/ddalcino/ruby-advisory-db/actions/runs/4109381580/jobs/7091810877

Run bundle exec rake sync_github_advisories
  bundle exec rake sync_github_advisories
  shell: /usr/bin/bash -e {0}
  env:
    GH_API_TOKEN: 
rake aborted!
GitHub::GraphQLAPIClient::GitHubGraphQLAPIError: GitHub GraphQL request to https://api.github.com/graphql failed: {"message":"Bad credentials","documentation_url":"https://docs.github.com/graphql"}
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:77:in `github_graphql_query'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:114:in `block in retrieve_all_rubygem_vulnerabilities'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:111:in `times'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:111:in `retrieve_all_rubygem_vulnerabilities'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:95:in `all_rubygem_advisories'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:19:in `sync'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/Rakefile:18:in `block in <top (required)>'
/opt/hostedtoolcache/Ruby/3.2.0/x64/bin/bundle:25:in `load'
/opt/hostedtoolcache/Ruby/3.2.0/x64/bin/bundle:25:in `<main>'
Tasks: TOP => sync_github_advisories

reedloden commented 1 year ago

Try using ${{ secrets.GITHUB_TOKEN }}. The default token should have privileges enough.

ddalcino commented 1 year ago

I have added the secrets.GITHUB_TOKEN, so the sync step is now:

      - name: Sync with Github Advisories
        env:
          GH_API_TOKEN: ${{ secrets.GH_API_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bundle exec rake sync_github_advisories

... and I'm still seeing the same 'Bad credentials' error:

Run bundle exec rake sync_github_advisories
  bundle exec rake sync_github_advisories
  shell: /usr/bin/bash -e {0}
  env:
    GH_API_TOKEN: 
    GITHUB_TOKEN: ***
rake aborted!
GitHub::GraphQLAPIClient::GitHubGraphQLAPIError: GitHub GraphQL request to https://api.github.com/graphql failed: {"message":"Bad credentials","documentation_url":"https://docs.github.com/graphql"}
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:77:in `github_graphql_query'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:114:in `block in retrieve_all_rubygem_vulnerabilities'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:111:in `times'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:111:in `retrieve_all_rubygem_vulnerabilities'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:95:in `all_rubygem_advisories'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/lib/github_advisory_sync.rb:19:in `sync'
/home/runner/work/ruby-advisory-db/ruby-advisory-db/Rakefile:18:in `block in <top (required)>'
/opt/hostedtoolcache/Ruby/3.2.1/x64/bin/bundle:25:in `load'
/opt/hostedtoolcache/Ruby/3.2.1/x64/bin/bundle:25:in `<main>'
Tasks: TOP => sync_github_advisories
(See full trace by running task with --trace)
Getting page 1 of GitHub Vulnerabilities
Executing GraphQL request: RUBYGEM_VULNERABILITIES_WITH_GITHUB_ADVISORIES. Request variables:
---
first: 100
gem_name: 

Initializing GitHub API connection to URL: https://api.github.com/graphql
Got response code: 401

reedloden commented 1 year ago

I meant this:

      - name: Sync with Github Advisories
        env:
          GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bundle exec rake sync_github_advisories

GH_API_TOKEN is needed here: https://github.com/rubysec/ruby-advisory-db/blob/38305c67e0b70b1ddc115b0518a6dabedec70a1e/lib/github_advisory_sync.rb#L172-L181

But the value will come from secrets.GITHUB_TOKEN.
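Putting the thread's conclusion together, here is a complete scheduled workflow as an added example. It is not code from the rubysec/ruby-advisory-db repository or from either participant; it assumes only what the thread states, namely that the Rakefile defines `sync_github_advisories` and that lib/github_advisory_sync.rb reads its token from the `GH_API_TOKEN` environment variable. The cron expression, branch name, PR text, and the choice of the `peter-evans/create-pull-request` action are assumptions made for this example, and the action tags are convenience pins that a production workflow should replace with full commit SHAs. The pre-flight step exists because the failing runs above show `GH_API_TOKEN:` as empty in the step's `env:` listing, which the rake task only reports later as a less obvious "Bad credentials" 401 from GraphQL.

```yaml
# Added example workflow; not part of rubysec/ruby-advisory-db.
# Assumes: a Rakefile task `sync_github_advisories` and a script that
# reads GH_API_TOKEN (as stated in the thread). Action versions are tag
# pins chosen here; pin to a commit SHA in production.
name: Sync GitHub Advisories

on:
  schedule:
    - cron: "17 6 * * *"   # daily; off the hour to avoid the :00 rush
  workflow_dispatch: {}    # exposes the manual "Run workflow" button

# Deny all permissions by default; grant per job only what is needed.
permissions: {}

jobs:
  sync:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # needed to push the sync branch
      pull-requests: write   # needed to open the PR
    steps:
      - uses: actions/checkout@v4

      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.2"   # matches the Ruby seen in the logs above
          bundler-cache: true   # runs `bundle install` and caches gems

      # Fail fast on the symptom from the thread: an empty GH_API_TOKEN
      # only surfaces later as a "Bad credentials" 401 from GraphQL.
      - name: Check that a token is present
        env:
          GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if [ -z "$GH_API_TOKEN" ]; then
            echo "::error::GH_API_TOKEN is empty; the rake task cannot authenticate"
            exit 1
          fi

      # The script reads GH_API_TOKEN; the value is the job's ephemeral
      # GITHUB_TOKEN, so no long-lived personal access token is stored
      # as a repository secret.
      - name: Sync with GitHub Advisories
        env:
          GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bundle exec rake sync_github_advisories

      # No-op when the working tree is unchanged (no new advisories).
      - name: Open a pull request with any new advisories
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "Sync advisories from the GitHub Advisory Database"
          title: "Automated sync of GitHub advisories"
          body: "Generated by the scheduled sync_github_advisories workflow. Review each advisory before merging."
          branch: automated/sync-github-advisories
          delete-branch: true
```

Two caveats apply when the PR is created with `GITHUB_TOKEN` rather than a personal access token: the repository setting "Allow GitHub Actions to create and approve pull requests" must be enabled under Actions permissions, and events raised by that token do not trigger other workflows, so `on: pull_request` checks will not run on the automated PR until someone pushes to or reopens it. The mapping `GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is the whole fix from reedloden's last comment; defining a separate `GITHUB_TOKEN` env var, as in the second attempt above, changes nothing because the script never reads that name.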