name: Update List

# Runs on pushes and PRs against main, on demand, and every six hours.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:
  schedule:
    # Every six hours, on the hour (UTC).
    - cron: "0 */6 * * *"
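jobs:
  update-list:
    runs-on: ubuntu-24.04
    # Job-scoped token: contents:write is what the commit step below needs.
    # NOTE(review): no step in this job visibly uses pull-requests:write;
    # drop it if nothing depends on it.
    permissions:
      contents: write
      pull-requests: write
    steps:
      # NOTE(review): every third-party action in this workflow is pinned to a
      # floating major tag (@vN). A re-tagged release can change what runs
      # with the write token; pin to a full commit SHA instead
      # (uses: owner/repo@<40-hex-commit-sha>  # vN).
      - uses: actions/checkout@v6
        with:
          # pull_request runs check out the PR head so lint and the smoke test
          # see the proposed code; every other trigger works from main.
          ref: ${{ github.event_name == 'pull_request' && github.head_ref || 'main' }}
      - name: Cache NVD data
        uses: actions/cache@v5
        with:
          path: nvd.jsonl
          # The key is unique per run so each run saves a fresh entry;
          # restore-keys pulls the most recent earlier entry, which is the
          # fallback used when the NVD download fails (see "Grab Needed Data").
          key: nvd-data-${{ github.run_number }}
          restore-keys: |
            nvd-data-
      - uses: actions/setup-python@v6
        with:
          python-version: '3.13'
          architecture: 'x64'
      # Cache pip dependencies
      - name: Cache pip dependencies
        uses: actions/cache@v5
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-
      # Install dependencies
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install -r requirements.txt
      # Every file fetched here is untrusted external input to patchthisapp.py
      # and ends up in the committed data set; none of the downloads is
      # integrity-checked beyond TLS.
      - name: Grab Needed Data
        run: |
          set -e # Exit on any error (the default run shell is already bash -eo pipefail)
          sudo apt-get update && sudo apt-get install unzip jq -y
          # Download EPSS data with retry
          for i in {1..3}; do
            if wget https://epss.empiricalsecurity.com/epss_scores-current.csv.gz -O epss_scores-current.csv.gz; then
              break
            elif [ "$i" -eq 3 ]; then
              echo "Failed to download EPSS data after 3 attempts"
              exit 1
            else
              echo "Attempt $i failed, retrying..."
              sleep 5
            fi
          done
          gzip -f -d epss_scores-current.csv.gz
          # Download Metasploit data. A fetch failure is surfaced as a run
          # annotation instead of silently producing an empty exploit list.
          curl -sSf https://raw.githubusercontent.com/rapid7/metasploit-framework/master/db/modules_metadata_base.json | \
            jq -r '.[]|{cve:.references[]|select(startswith("CVE-"))}| join(",")' > metasploit.txt \
            || { echo "::warning::Metasploit data unavailable; continuing with an empty list"; touch metasploit.txt; }
          # Download Nuclei data (same best-effort handling as above).
          curl -sSf https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/cves.json | \
            jq -r .ID > nuclei.txt \
            || { echo "::warning::Nuclei data unavailable; continuing with an empty list"; touch nuclei.txt; }
          # Download CISA KEV data with retry
          for i in {1..3}; do
            if wget https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv -O known_exploited_vulnerabilities.csv; then
              break
            elif [ "$i" -eq 3 ]; then
              echo "Failed to download CISA data after 3 attempts"
              exit 1
            else
              echo "Attempt $i failed, retrying..."
              sleep 5
            fi
          done
          # Download NVD data with retry, into a temp file first: `wget -O`
          # truncates its target before connecting, so writing straight to
          # nvd.jsonl would wipe the cache-restored copy on a failed attempt
          # and the fallback below could never find it.
          # NOTE(review): this host is a third-party mirror, not nvd.nist.gov.
          for i in {1..3}; do
            if wget https://nvd.handsonhacking.org/nvd.jsonl -O nvd.jsonl.tmp; then
              mv -f nvd.jsonl.tmp nvd.jsonl
              break
            elif [ "$i" -eq 3 ]; then
              rm -f nvd.jsonl.tmp
              echo "WARNING: Failed to download NVD data after 3 attempts"
              if [ -f nvd.jsonl ] && [ -s nvd.jsonl ]; then
                echo "Using cached NVD data"
              else
                echo "No cached NVD data available"
                exit 1
              fi
            else
              echo "Attempt $i failed, retrying..."
              sleep 5
            fi
          done
      - name: Lint Python code
        run: |
          # NOTE(review): ruff is installed unpinned and outside requirements.txt,
          # so lint results can change between runs without any repo change.
          pip install ruff
          ruff check patchthisapp.py scripts/
      - name: Smoke test (PR only)
        if: github.event_name == 'pull_request'
        run: |
          # touch is a no-op for files the previous step already produced.
          # `|| true` makes this step informational only: a failing dry run
          # does not fail the PR.
          touch metasploit.txt nuclei.txt known_exploited_vulnerabilities.csv epss_scores-current.csv nvd.jsonl
          python patchthisapp.py --dry-run || true
      - name: Run PatchThisApp Python Script
        run: |
          python patchthisapp.py
      - name: Validate output
        id: validate
        run: |
          if [ ! -f data/data.csv ]; then
            echo "ERROR: data/data.csv not generated"
            exit 1
          fi
          # Header row excluded from the count.
          ROW_COUNT=$(tail -n +2 data/data.csv | wc -l)
          echo "Output contains $ROW_COUNT CVEs"
          if [ "$ROW_COUNT" -lt 1 ]; then
            echo "ERROR: Output CSV is empty"
            exit 1
          fi
          {
            echo "### Vulnerability Data Update"
            echo "- **CVEs processed:** $ROW_COUNT"
            echo "- **Run time:** $(date -u)"
          } >> "$GITHUB_STEP_SUMMARY"
          # Timestamp for the commit message: github.event.head_commit is only
          # populated on push events, so it is empty on the scheduled runs
          # that do most of the updating.
          echo "stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
      - name: Commit changes
        # PRs validate only; never push generated data onto a PR branch (for a
        # fork PR the token is read-only and the push would fail the run).
        if: github.event_name != 'pull_request'
        uses: EndBug/add-and-commit@v10
        with:
          default_author: github_actions
          add: 'data/ web/'
          message: 'Update vulnerability data - ${{ steps.validate.outputs.stamp }}'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  deploy:
    needs: update-list
    # Publish only from main and never for pull_request runs.
    if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
    runs-on: ubuntu-24.04
    # Pages deployment needs an OIDC token; the repository is read-only here.
    permissions:
      contents: read
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - uses: actions/checkout@v6
        with:
          # Explicit main rather than the triggering SHA, presumably so the
          # artifact includes the commit update-list just pushed — confirm.
          ref: main
      - name: Setup Pages
        uses: actions/configure-pages@v6
      - name: Upload web folder
        uses: actions/upload-pages-artifact@v5
        with:
          path: 'web'
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v5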