From 50b8cd61bc70eb12bbabd084cc521985bcbb4c1e Mon Sep 17 00:00:00 2001
From: aparnatk53
Date: Thu, 5 Jun 2025 13:18:24 +0530
Subject: [PATCH 1/2] Support for Dependabot Evidence Integration
---
.github/dependabot.yml | 6 ++
.../workflows/dependabot-evidence-example.yml | 86 +++++++++++++++++++
examples/dependabot-alerts-example/Dockerfile | 6 ++
examples/dependabot-alerts-example/hello.js | 1 +
4 files changed, 99 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/dependabot-evidence-example.yml
create mode 100644 examples/dependabot-alerts-example/Dockerfile
create mode 100644 examples/dependabot-alerts-example/hello.js
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..416564c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "docker"
+ directory: "/examples/dependabot-alerts-example"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/dependabot-evidence-example.yml b/.github/workflows/dependabot-evidence-example.yml
new file mode 100644
index 0000000..de32117
--- /dev/null
+++ b/.github/workflows/dependabot-evidence-example.yml
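Review bot: The `docker` version-updates entry in `.github/dependabot.yml` points at the example directory whose Dockerfile is deliberately kept on an outdated base image (`# Use an outdated version of the Node.js image`), so Dependabot will keep opening bumps for it, as PATCH 2/2 in this series already does, and merging them removes the very alerts the evidence workflow is meant to capture. If the example is supposed to stay on the old image, add `ignore:` with `- dependency-name: "node"` under this entry (or drop the file, since the workflow reads the security-alert API rather than version updates); if the bumps are intended, the Dockerfile comment should say so.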
@@ -0,0 +1,86 @@
+name: dependabot-evidence-example
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ dependabot-evidence-example:
+ runs-on: ubuntu-latest
+ env:
+ REPO_NAME: 'dependabot-docker-local'
+ IMAGE_NAME: 'dependabot-docker-image'
+ BUILD_NAME: 'dependabot-evidence-eg'
+ VERSION: ${{ github.run_number }}
+ REGISTRY_DOMAIN: ${{ vars.REGISTRY_DOMAIN }}
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup JFrog CLI
+ uses: jfrog/setup-jfrog-cli@v4
+ env:
+ JF_URL: ${{ vars.ARTIFACTORY_URL }}
+ JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+ - name: Log in to Artifactory Docker Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ vars.ARTIFACTORY_URL }}
+ username: ${{ secrets.JF_USER }}
+ password: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build Docker image and Push to Artifactory
+ run: |
+ docker build -f ./examples/dependabot-alerts-example/Dockerfile .
--tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
+ jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=$VERSION
+
+ - name: Install jq
+ run: sudo apt-get update && sudo apt-get install -y jq
+
+ - name: Fetch Dependabot Vulnerability Snapshot
+ id: dependabot_snapshot
+ env:
+ GH_TOKEN: ${{ secrets.TOKEN_GIT }} # GitHub Token with 'security_events: read' permission is required
+ OWNER: ${{ github.repository_owner }}
+ REPO: ${{ github.event.repository.name }}
+ run: |
+ gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "repos/${OWNER}/${REPO}/dependabot/alerts" \
+ --jq '[.[] |
+ {
+ packageName: .dependency.package.name,
+ ecosystem: .dependency.package.ecosystem,
+ vulnerableVersionRange: .security_vulnerability.vulnerable_version_range,
+ patchedVersion: .security_vulnerability.first_patched_version.identifier,
+ severity: .security_vulnerability.severity,
+ ghsaId: .security_advisory.ghsa_id,
+ cveId: .security_advisory.cve_id,
+ advisoryUrl: .html_url,
+ detectedAt: .created_at
+ }
+ ]' > result.json
+
+ cat result.json
+
+ - name: Create Dependabot Evidence
+ run: |
+ jf evd create \
+ --package-name $IMAGE_NAME \
+ --package-version $VERSION \
+ --package-repo-name $REPO_NAME \
+ --key "${{ secrets.TEST_PRVT_KEY }}" \
+ --key-alias ${{ secrets.TEST_PUB_KEY_ALIAS }} \
+ --predicate ./result.json \
+ --predicate-type http://Github.com/Dependabot/static-analysis
\ No newline at end of file
diff --git a/examples/dependabot-alerts-example/Dockerfile b/examples/dependabot-alerts-example/Dockerfile
new file mode 100644
index 0000000..64d6eb7
--- /dev/null
+++ b/examples/dependabot-alerts-example/Dockerfile
@@ -0,0 +1,6 @@
+# Use an outdated version of the Node.js image
+FROM node:10
+
+COPY ./examples/dependabot-alerts-example/hello.js .
+
+CMD ["node", "hello.js"]
\ No newline at end of file
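Review bot: In the `Create Dependabot Evidence` step the signing key is expanded straight into the shell script with `--key "${{ secrets.TEST_PRVT_KEY }}"` (and `--key-alias ${{ secrets.TEST_PUB_KEY_ALIAS }}` is unquoted), which places the private key on the command line of `jf` and word-splits the alias if it ever contains whitespace; both values belong in the step's `env:` and should be referenced as `"$EVD_KEY"` / `"$EVD_KEY_ALIAS"`, as in the rewrite below. In the snapshot step, `gh api` runs without `--paginate`, so a repository with more alerts than one page returns yields a truncated predicate, and with no `state` query parameter the endpoint returns alerts in every state while the jq projection drops `.state`, so fixed or dismissed alerts are indistinguishable from open ones in the signed evidence; `"repos/${OWNER}/${REPO}/dependabot/alerts?state=open" --paginate` (with `--slurp` where the installed gh supports it, so the filter sees one array) addresses both. The predicate type `http://Github.com/Dependabot/static-analysis` mixes plain `http` with a capitalised host; since consumers match this string literally, settle its spelling before the first evidence is signed with it. Note also that the snapshot is repository-wide rather than scoped to the image built here, and the predicate records nothing beyond the package it is attached to that ties the alerts to that image.
```yaml
      - name: Create Dependabot Evidence
        env:
          EVD_KEY: ${{ secrets.TEST_PRVT_KEY }}
          EVD_KEY_ALIAS: ${{ secrets.TEST_PUB_KEY_ALIAS }}
        run: |
          jf evd create \
            --package-name "$IMAGE_NAME" \
            --package-version "$VERSION" \
            --package-repo-name "$REPO_NAME" \
            --key "$EVD_KEY" \
            --key-alias "$EVD_KEY_ALIAS" \
            --predicate ./result.json \
            --predicate-type http://Github.com/Dependabot/static-analysis
```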
diff --git a/examples/dependabot-alerts-example/hello.js b/examples/dependabot-alerts-example/hello.js
new file mode 100644
index 0000000..4f3ac02
--- /dev/null
+++ b/examples/dependabot-alerts-example/hello.js
@@ -0,0 +1 @@
+console.log('Hello World!')
\ No newline at end of file
From 67a518072b3ee1a1292cdf9c5a8f1887fde5ef3a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 5 Jun 2025 08:47:56 +0000
Subject: [PATCH 2/2] Bump node from 10 to 24 in /examples/dependabot-alerts-example
Bumps node from 10 to 24.
---
updated-dependencies:
- dependency-name: node
dependency-version: '24'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
examples/dependabot-alerts-example/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/dependabot-alerts-example/Dockerfile b/examples/dependabot-alerts-example/Dockerfile
index 64d6eb7..d52bd3a 100644
--- a/examples/dependabot-alerts-example/Dockerfile
+++ b/examples/dependabot-alerts-example/Dockerfile
@@ -1,5 +1,5 @@
 # Use an outdated version of the Node.js image
-FROM node:10
+FROM node:24
 COPY ./examples/dependabot-alerts-example/hello.js .