Update List #4303
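# Workflow: rebuild the vulnerability list from public feeds (EPSS,
# Metasploit, Nuclei, CISA KEV, NVD), validate and commit the regenerated
# data, then publish the web/ folder to GitHub Pages.
name: Update List

# `on:` is the GitHub Actions trigger key; generic YAML 1.1 parsers read it
# as the boolean `true`, but GitHub's own loader handles it as intended.
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:
  schedule:
    # Every six hours, on the hour.
    - cron: "0 */6 * * *"

jobs:
  update-list:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      pull-requests: write
    steps:
      # On pull_request events the PR head branch is checked out so the
      # commit step at the end can push back to it; every other event uses
      # main. NOTE(review): github.head_ref names a branch of the base
      # repository, so a PR opened from a fork has no such branch here and
      # the checkout (and later push) would fail — confirm whether fork PRs
      # are expected to pass this workflow.
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event_name == 'pull_request' && github.head_ref || 'main' }}

      # The key is unique per run so the cache is re-saved every time; the
      # restore-keys prefix pulls the most recent previous copy, which is the
      # fallback used when the NVD download fails in "Grab Needed Data".
      - name: Cache NVD data
        uses: actions/cache@v5
        with:
          path: nvd.jsonl
          key: nvd-data-${{ github.run_number }}
          restore-keys: |
            nvd-data-

      - uses: actions/setup-python@v6
        with:
          python-version: '3.13'
          architecture: 'x64'

      # Cache pip dependencies
      - name: Cache pip dependencies
        uses: actions/cache@v5
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      # Install dependencies
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install -r requirements.txt

      # Fetch every upstream feed. Each wget download is retried three times;
      # the two curl|jq feeds degrade to an empty file instead of failing.
      - name: Grab Needed Data
        run: |
          set -e # Exit on any error
          sudo apt-get update && sudo apt-get install unzip jq -y

          # Download EPSS data with retry
          for i in {1..3}; do
            if wget https://epss.empiricalsecurity.com/epss_scores-current.csv.gz -O epss_scores-current.csv.gz; then
              break
            elif [ $i -eq 3 ]; then
              echo "Failed to download EPSS data after 3 attempts"
              exit 1
            else
              echo "Attempt $i failed, retrying..."
              sleep 5
            fi
          done
          gzip -f -d epss_scores-current.csv.gz

          # Download Metasploit data
          curl -sSf https://raw.githubusercontent.com/rapid7/metasploit-framework/master/db/modules_metadata_base.json | \
            jq -r '.[]|{cve:.references[]|select(startswith("CVE-"))}| join(",")' > metasploit.txt || touch metasploit.txt

          # Download Nuclei data
          curl -sSf https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/cves.json | \
            jq -r .ID > nuclei.txt || touch nuclei.txt

          # Download CISA KEV data with retry
          for i in {1..3}; do
            if wget https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv -O known_exploited_vulnerabilities.csv; then
              break
            elif [ $i -eq 3 ]; then
              echo "Failed to download CISA data after 3 attempts"
              exit 1
            else
              echo "Attempt $i failed, retrying..."
              sleep 5
            fi
          done

          # Download NVD data with retry. The download goes to a temp file
          # and is moved into place only on success: `wget -O nvd.jsonl`
          # truncates the output file before fetching, so a failed attempt
          # would clobber the cache-restored nvd.jsonl and defeat the
          # "Using cached NVD data" fallback below.
          for i in {1..3}; do
            if wget https://nvd.handsonhacking.org/nvd.jsonl -O nvd.jsonl.tmp; then
              mv -f nvd.jsonl.tmp nvd.jsonl
              break
            elif [ $i -eq 3 ]; then
              rm -f nvd.jsonl.tmp
              echo "WARNING: Failed to download NVD data after 3 attempts"
              if [ -f nvd.jsonl ] && [ -s nvd.jsonl ]; then
                echo "Using cached NVD data"
              else
                echo "No cached NVD data available"
                exit 1
              fi
            else
              echo "Attempt $i failed, retrying..."
              sleep 5
            fi
          done

      - name: Lint Python code
        run: |
          pip install ruff
          ruff check patchthisapp.py scripts/

      # `|| true` means this step can never fail the job; it only surfaces
      # the dry-run output in the log.
      - name: Smoke test (PR only)
        if: github.event_name == 'pull_request'
        run: |
          touch metasploit.txt nuclei.txt known_exploited_vulnerabilities.csv epss_scores-current.csv nvd.jsonl
          python patchthisapp.py --dry-run || true

      - name: Run PatchThisApp Python Script
        run: |
          python patchthisapp.py

      # Refuse to commit a missing or header-only CSV, and record the row
      # count in the job summary.
      - name: Validate output
        run: |
          if [ ! -f data/data.csv ]; then
            echo "ERROR: data/data.csv not generated"
            exit 1
          fi
          # Skip the header line when counting rows.
          ROW_COUNT=$(tail -n +2 data/data.csv | wc -l)
          echo "Output contains $ROW_COUNT CVEs"
          if [ "$ROW_COUNT" -lt 1 ]; then
            echo "ERROR: Output CSV is empty"
            exit 1
          fi
          echo "### Vulnerability Data Update" >> "$GITHUB_STEP_SUMMARY"
          echo "- **CVEs processed:** $ROW_COUNT" >> "$GITHUB_STEP_SUMMARY"
          echo "- **Run time:** $(date -u)" >> "$GITHUB_STEP_SUMMARY"

      # NOTE(review): third-party action pinned by major tag; pinning to a
      # full commit SHA is the stronger supply-chain control. Also note that
      # github.event.head_commit.timestamp is only populated on push events,
      # so scheduled and manual runs get an empty suffix in the message.
      - name: Commit changes
        uses: EndBug/add-and-commit@v10
        with:
          default_author: github_actions
          add: 'data/ web/'
          message: 'Update vulnerability data - ${{ github.event.head_commit.timestamp }}'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Publish web/ from main only, after the data commit above has landed;
  # pull requests never deploy.
  deploy:
    needs: update-list
    if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      # Check out main explicitly so the freshly committed data/ and web/
      # are what gets deployed.
      - uses: actions/checkout@v6
        with:
          ref: main
      - name: Setup Pages
        uses: actions/configure-pages@v6
      - name: Upload web folder
        uses: actions/upload-pages-artifact@v5
        with:
          path: 'web'
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v5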