This GitHub Actions workflow automates the process of checking specified CVEs against the dependencies of a given GitHub Enterprise Server (GHES) version.
Example Report
Vulnerability Report for GHES v.3.13.6
======================================
CVE: CVE-2015-9284
Source: GitHub
WARNING: omniauth 1.9.2 is vulnerable (Affected range: <= 1.9.2)
References:
https://cveawg.mitre.org/api/cve/CVE-2015-9284
https://github.com/advisories?query=CVE-2015-9284
CVE: CVE-2023-50387
Source: mitre.org
CWE: CWE-400
- CWE-400: Uncontrolled Resource Consumption
Affected: ISC BIND
Fixed in ISC BIND: 9.16.48, 9.18.24, 9.19.21
References:
https://cveawg.mitre.org/api/cve/CVE-2023-50387
https://github.com/advisories?query=CVE-2023-50387
https://cwe.mitre.org/data/definitions/400.html
CVE: CVE-2024-28103
Source: GitHub
WARNING: actionpack 7.2.0.alpha.3621eef is vulnerable (Affected range: = 7.2.0.beta1)
References:
https://cveawg.mitre.org/api/cve/CVE-2024-28103
https://github.com/advisories?query=CVE-2024-28103
CVE: CVE-2024-9539
Source: mitre.org
CWE: CWE-79
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Fixed in versions: 3.14.2, 3.13.5, 3.12.10, 3.11.16..
References:
https://cveawg.mitre.org/api/cve/CVE-2024-9539
https://github.com/advisories?query=CVE-2024-9539
https://cwe.mitre.org/data/definitions/79.html
Note: For CVEs sourced from mitre.org, please review the details manually as package information may be incomplete.
Packages marked vulnerable when their version looks good might be due to being installed in multiple locations.
Key Features:
- Automated Dependency Analysis: Parses and extracts package names and versions from the GHES dependency metadata without manual intervention.
- Comprehensive CVE Checking: Checks each specified CVE against the extracted dependencies using GitHub's Security Advisory GraphQL API.
- MITRE.org Advisory Integration: For CVEs not listed in GitHub advisories, provides direct links to MITRE.org's security advisories, ensuring no vulnerability goes unnoticed.
- CWE (Common Weakness Enumeration) Support: Automatically extracts and displays CWE identifiers and descriptions from CVE data, providing deeper insight into the underlying security weaknesses.
- Detailed Reporting: Generates a clear and concise vulnerability report summarizing the findings, which is uploaded as an artifact for easy access and review.
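The per-package comparison behind the CVE checking step, as an added illustration rather than the workflow's own code: each advisory's vulnerableVersionRange (the GraphQL API's comma-separated comparator format, e.g. ">= 2.0.0, < 2.0.5") is tested against the installed version using a comparison that treats pre-release tags as older than the bare release. The package list and the rack entry with its placeholder CVE are constructed samples; the omniauth and actionpack entries mirror the example report above.

```python
import re
from itertools import zip_longest

# Constructed sample input: installed GHES packages and advisory ranges in the format of
# the GraphQL API's vulnerableVersionRange field (the rack entry is a placeholder, not real).
DEPENDENCIES = {"omniauth": "1.9.2", "actionpack": "7.2.0.alpha.3621eef", "rack": "2.2.9"}
ADVISORIES = [
    {"cve": "CVE-2015-9284", "package": "omniauth", "range": "<= 1.9.2"},
    {"cve": "CVE-2024-28103", "package": "actionpack", "range": "= 7.2.0.beta1"},
    {"cve": "CVE-XXXX-PLACEHOLDER", "package": "rack", "range": ">= 2.0.0, < 2.2.9"},
]

def tokenize(version):
    """'7.2.0.alpha.3621eef' -> [7, 2, 0, 'alpha', 3621, 'eef']; digit runs become ints."""
    return [int(t) if t.isdigit() else t.lower() for t in re.findall(r"\d+|[A-Za-z]+", version)]

def compare_versions(a, b):
    """Return -1, 0 or 1. A number outranks a pre-release tag at the same position and
    a trailing tag sorts below the bare release, so 7.2.0.beta1 < 7.2.0 < 7.2.0.1."""
    for x, y in zip_longest(tokenize(a), tokenize(b)):
        if x == y:
            continue
        if x is None:  # a is a prefix of b: a is newer only if b's extra token is a tag
            return 1 if isinstance(y, str) else -1
        if y is None:
            return -1 if isinstance(x, str) else 1
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return -1 if x < y else 1
    return 0

# Comparison outcomes that satisfy each comparator of a vulnerableVersionRange clause.
OPS = {"<": (-1,), "<=": (-1, 0), ">": (1,), ">=": (0, 1), "=": (0,)}

def in_range(version, vuln_range):
    """True if version satisfies every comma-separated clause, e.g. '>= 2.0.0, < 2.0.5'."""
    for clause in vuln_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        op, bound = m.groups()
        if compare_versions(version, bound) not in OPS[op]:
            return False
    return True

def check_dependencies(deps, advisories):
    """Return (cve, package, installed, range) for each advisory whose range holds."""
    return [(a["cve"], a["package"], deps[a["package"]], a["range"])
            for a in advisories
            if a["package"] in deps and in_range(deps[a["package"]], a["range"])]
```

With this comparison only omniauth is flagged: 7.2.0.alpha.3621eef sorts below the exact bound 7.2.0.beta1, so a build-suffixed pre-release does not match an "=" range. Differences like this between version schemes are one reason to review flagged packages by hand, as the notes below advise.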
Usage Instructions:
To use this workflow, trigger it manually in your repository via the GitHub Actions tab and provide the required inputs:
- GHES Version (version): Specify the GHES version you want to check (e.g., 4.2.0).
- CVEs/CWEs to Check (identifiers): Enter a comma-separated list of CVE and/or CWE identifiers you wish to assess (e.g., CVE-2021-34527,CWE-79,CVE-2021-44228). The workflow accepts:
  - CVE IDs (e.g., CVE-2023-50387) - directly checks the specified CVE
  - CWE IDs (e.g., CWE-79) - searches for CVEs associated with that weakness and checks them
  - Mixed input - you can specify both CVEs and CWEs in the same input
- Include CWE (include_cwe): Optional. Choose whether to include CWE (Common Weakness Enumeration) details in the report (default: true). When enabled, the report will include CWE identifiers and descriptions extracted from the CVE data.
Download the report from the summary page.
Prerequisites and Notes:
- Uses GITHUB_TOKEN for authenticating with GitHub's Security Advisory API.
- I have found some packages are marked vulnerable when their version looks good due to being installed in multiple locations.
- This tool is to be used as an aid. Please double-check all the work!
By incorporating this workflow into your security practices, you can enhance the efficiency and effectiveness of your vulnerability management for GitHub Enterprise Server deployments.
Testing:
For comprehensive testing and validation of the CWE functionality:
- See TEST_GUIDE.md for detailed testing instructions
- See TESTING_SUMMARY.md for quick reference
- Run python3 validate_cwe_logic.py for offline validation
- Run python3 test_cwe_stress.py for integration testing (requires network)
- Use the Test CWE Functionality GitHub Actions workflow for comprehensive batch testing across GHES versions 3.16-3.19