
GitHub Actions version matching

Open thepwagner opened this issue 1 year ago • 7 comments

Is your feature request related to a problem? Please describe.

There are 16 entries for ecosystem: GitHub Actions currently in the database, https://osv.dev/list?ecosystem=GitHub+Actions&q=

All entries provide semver-compatible entries

$ for vuln in GHSA-7f32-hm4h-w77q GHSA-ghm2-rq8q-wrhc GHSA-mcph-m25j-8j63 GHSA-99jg-r3f4-rpxj GHSA-8v8w-v8xg-79rf GHSA-hw6r-g8gj-2987 GHSA-h3qr-39j9-4r5v GHSA-rg3q-prf8-qxmp GHSA-6q4m-7476-932w GHSA-p756-rfxh-x63h GHSA-2c6m-6gqh-6qg3 GHSA-f9qj-7gh3-mhj4 GHSA-4xqx-pqpj-9fqw GHSA-634p-93h9-92vh GHSA-g86g-chm8-7r2p GHSA-4mgv-m5cm-f9h7; do curl -s "https://api.osv.dev/v1/vulns/$vuln" | jq -c '.affected[0].ranges'; done
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"41"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.7"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0"},{"fixed":"4.4.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"2.294.0"},{"fixed":"2.296.2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.5"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.0.19"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.0"}]}]

I know https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q exists. I know https://github.com/rlespinasse/github-slug-action/releases/tag/1.0.0 exists, and is affected by the vulnerability. But I can't query to match the two:

$ curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "version":"1.0.0"}' https://api.osv.dev/v1/query

Describe the solution you'd like

Treat the GitHub Actions ecosystem as (best effort?) SemVer: https://github.com/google/osv.dev/blob/46c25dafc776d429ac46cb112fb1dffb98b9cc90/osv/ecosystems/_ecosystems.py#L51

Describe alternatives you've considered

Querying by the commit referenced by the 1.0.0 tag:

curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "commit":"9671420482a6e4c59c06f2d2d9e0605e941b1287"}' https://api.osv.dev/v1/query

This returns https://osv.dev/vulnerability/GHSA-6q4m-7476-932w - which I don't think impacts 1.0.0, and does not return https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q, which I think does.

I mostly don't understand the implications of this change. Actions may be referred to by commit, tag (i.e. where semver would appear), or branch.

Additional context

The official versioning scheme for Actions is here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses Semver is implied/encouraged, but not enforced.

thepwagner avatar Jun 12 '24 19:06 thepwagner
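The matching the issue asks for, done client-side, as an added example that is not part of the original issue and not osv.dev's code. It coerces tag-like refs ("v1", "17", "2.294.0", "1.0.0") to a comparable (major, minor, patch) tuple, treating missing components as 0 and ignoring prerelease/build suffixes, and evaluates OSV ECOSYSTEM/SEMVER ranges with the [introduced, fixed) / [introduced, last_affected] semantics. Commit SHAs and branch names cannot be ordered, so for those it returns None rather than a (misleading) empty result, which is where a commit query would have to take over. The records are constructed inline from the range shapes shown above; the `example/unfixed-action` name and the `EXAMPLE-no-fix` ID are hypothetical, and the association of the two real GHSA IDs with the github-slug-action package is taken from the issue text.

```python
"""Best-effort SemVer matching of GitHub Actions refs against OSV ranges.

Added example, not osv.dev's code: OSV currently treats the GitHub Actions
ecosystem as unordered, so the comparison is done here, client-side.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample records mirroring the range shapes in the issue (only the
# fields this example needs, not full OSV records). The third record and its
# package name are hypothetical.
SAMPLE_RECORDS = [
    {"id": "GHSA-7f32-hm4h-w77q",
     "affected": [{"package": {"ecosystem": "GitHub Actions",
                               "name": "rlespinasse/github-slug-action"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "1.1.1"}]}]}]},
    {"id": "GHSA-6q4m-7476-932w",
     "affected": [{"package": {"ecosystem": "GitHub Actions",
                               "name": "rlespinasse/github-slug-action"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "4.0.0"}, {"fixed": "4.4.1"}]}]}]},
    {"id": "EXAMPLE-no-fix",
     "affected": [{"package": {"ecosystem": "GitHub Actions",
                               "name": "example/unfixed-action"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}]}]}]},
]

# Tags GitHub encourages but does not enforce: optional "v", 1 to 3 numeric
# components, optional "-pre"/"+build" suffix (ignored, best effort).
_SEMVER_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?$")
_SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")


def parse_version(ref: str) -> Optional[Version]:
    """Coerce a tag-like ref to (major, minor, patch); None if not orderable.

    "v1" -> (1, 0, 0), "17" -> (17, 0, 0), "2.294.0" -> (2, 294, 0).
    Commit SHAs and branch names such as "main" yield None. Note that a purely
    numeric tag of 7+ digits is indistinguishable from a short SHA here.
    """
    ref = ref.strip()
    if ref.startswith("refs/tags/"):
        ref = ref[len("refs/tags/"):]
    if _SHA_RE.match(ref):
        return None
    m = _SEMVER_RE.match(ref)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())  # type: ignore[return-value]


def version_in_range(version: Version, rng: dict) -> bool:
    """Evaluate one OSV range (ECOSYSTEM or SEMVER) against a parsed version.

    Events are taken in the order the API emits them: each "introduced" opens a
    span that a following "fixed" (exclusive) or "last_affected" (inclusive)
    closes; an "introduced" with no closing event is open-ended.
    """
    if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
        return False
    affected = False
    for event in rng.get("events", []):
        if "introduced" in event:
            lower = parse_version(event["introduced"])
            if lower is not None and version >= lower:
                affected = True
        elif "fixed" in event:
            upper = parse_version(event["fixed"])
            if affected and upper is not None and version >= upper:
                affected = False
        elif "last_affected" in event:
            upper = parse_version(event["last_affected"])
            if affected and upper is not None and version > upper:
                affected = False
    return affected


def vulns_affecting(records: list, name: str, ref: str) -> Optional[List[str]]:
    """IDs of records whose GitHub Actions ranges contain `ref` for `name`.

    Returns None when `ref` is a commit SHA or branch name, since no ordering
    is possible; the caller should then fall back to an OSV commit query.
    Owner/repo names are compared case-insensitively, as GitHub treats them.
    """
    version = parse_version(ref)
    if version is None:
        return None
    hits: List[str] = []
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != "GitHub Actions":
                continue
            if pkg.get("name", "").lower() != name.lower():
                continue
            if any(version_in_range(version, r) for r in aff.get("ranges", [])):
                hits.append(rec["id"])
                break
    return hits


if __name__ == "__main__":
    for ref in ("1.0.0", "v4", "4.4.1", "9671420482a6e4c59c06f2d2d9e0605e941b1287"):
        print(ref, vulns_affecting(SAMPLE_RECORDS, "rlespinasse/github-slug-action", ref))
```

Against live data the records would come from the OSV API (e.g. https://api.osv.dev/v1/vulns/{id}) instead of `SAMPLE_RECORDS`; the point of the None return is that a `uses: owner/repo@<sha>` pin must not be reported as "no known vulnerabilities" just because the version comparison could not run.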

best effort semver

This might look similar to https://github.com/google/osv.dev/blob/46c25dafc776d429ac46cb112fb1dffb98b9cc90/osv/ecosystems/rubygems.py#L33

thepwagner avatar Jun 12 '24 19:06 thepwagner

fwiw I asked GitHub about this a while ago when I was looking to support GHA in my CLI and the scanner (which I'll get back to one day 😅), and they said they expect them to be semver on their end

G-Rath avatar Jun 12 '24 19:06 G-Rath

@thepwagner feel free to send a PR to s/OrderingUnsupportedEcosystem/SemverEcosystem/ for this ecosystem.

I think the challenges we may then run into will be:

  • reprocessing the records due to #2018
  • the originating records declaring their ranges as ECOSYSTEM not SEMVER (but if they get changed, that might make the first challenge less of a barrier)
    • If I recall correctly from https://github.com/bitnami/vulndb/issues/336, changing OSV.dev's expectation overrides the range type, which would then not require any record changes at the source, but then takes us back to my first point here 😃

andrewpollock avatar Jun 12 '24 23:06 andrewpollock

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar Aug 12 '24 00:08 github-actions[bot]

Was this ever fixed? I see @thepwagner closed it on Aug 12, but I can't find a PR from around then that looks like it addresses it.

In my testing, the current non-semver behavior is still causing issues. For example, I expect this to return at least GHSA-4xqx-pqpj-9fqw:

curl -d '{"package": {"name": "gaatlassian/gajira-create"}, "version": "1.0.0", "ecosystem": "GitHub Actions"}' "https://api.osv.dev/v1/query"

but instead it returns a bare response of {}.

woodruffw avatar Oct 10 '24 22:10 woodruffw

Sorry for the confusion: I closed due to the stalebot and I don't have time to contribute a fix.

thepwagner avatar Oct 11 '24 12:10 thepwagner

No problem from me! I appreciate that you filed this in the first place; I spent a few hours trying to figure out what I was doing wrong before I realized others might have hit the same API limitation, and sure enough 🙂

woodruffw avatar Oct 11 '24 13:10 woodruffw