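---
# Daily CVE database refresh.
# Runs scripts/update-cve-database.py; if data/cve-database.json changed, bumps
# the Cargo.toml patch version and opens a pull request (set to auto-merge)
# whose description summarises the new entries.
name: CVE Database Update

on:
  schedule:
    - cron: '0 9 * * *'  # daily at 09:00 UTC
  workflow_dispatch:
    inputs:
      days_back:
        description: 'Number of days to look back for CVEs'
        required: false
        default: '90'

# Scoped to what the steps below need: pushing the update branch (contents)
# and creating / auto-merging the PR (pull-requests).
permissions:
  contents: write
  pull-requests: write

env:
  PYTHON_VERSION: '3.11'

jobs:
  update-cve-database:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are pinned to mutable tags; pinning to
      # a full commit SHA (keeping the tag as a trailing comment) removes the
      # risk of a re-tagged release changing what runs in this job.
      - name: Checkout repository
        uses: actions/checkout@v7
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      # NOTE(review): the days_back input declared above is not passed to the
      # script here; confirm the script's interface and wire it through (argument
      # or env var) if the input is meant to be honoured.
      - name: Run CVE update script
        env:
          # Provided to the script through the environment only; never echoed.
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: |
          python scripts/update-cve-database.py

      # Downstream steps are gated on this output so an unchanged database
      # produces no version bump and no PR.
      - name: Check for changes
        id: check-changes
        run: |
          if git diff --quiet data/cve-database.json; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
            echo "Database has been updated"
          fi

      - name: Get new CVE count
        id: cve-count
        if: steps.check-changes.outputs.changed == 'true'
        run: |
          # Count new CVE entries: delta of .entries length vs. the committed file
          OLD_COUNT=$(git show HEAD:data/cve-database.json | jq '.entries | length')
          NEW_COUNT=$(jq '.entries | length' data/cve-database.json)
          DIFF=$((NEW_COUNT - OLD_COUNT))
          echo "new_count=$DIFF" >> "$GITHUB_OUTPUT"
          echo "total_count=$NEW_COUNT" >> "$GITHUB_OUTPUT"
          # Get new CVE IDs for PR description: "id" values on added diff lines, comma-joined
          NEW_CVES=$(git diff data/cve-database.json | grep '+"id":' | sed 's/.*"id": "\([^"]*\)".*/\1/' | tr '\n' ', ' | sed 's/,$//')
          echo "new_cves=$NEW_CVES" >> "$GITHUB_OUTPUT"

      - name: Install Rust toolchain
        if: steps.check-changes.outputs.changed == 'true'
        uses: dtolnay/rust-toolchain@stable

      - name: Bump patch version
        id: bump-version
        if: steps.check-changes.outputs.changed == 'true'
        run: |
          # Get current version from Cargo.toml (first `version = "..."` line)
          CURRENT_VERSION=$(grep '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/')
          echo "current_version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
          # Parse major.minor.patch
          MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
          MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
          PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
          # Increment patch version
          NEW_PATCH=$((PATCH + 1))
          NEW_VERSION="${MAJOR}.${MINOR}.${NEW_PATCH}"
          echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
          # Update Cargo.toml
          sed -i "s/^version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" Cargo.toml
          # Update Cargo.lock so the lockfile entry matches the bumped package version
          cargo update -p cc-audit
          echo "Bumped version from $CURRENT_VERSION to $NEW_VERSION"

      - name: Create Pull Request
        id: create-pr
        if: steps.check-changes.outputs.changed == 'true'
        uses: peter-evans/create-pull-request@v8
        with:
          # NOTE(review): a PR created with GITHUB_TOKEN does not trigger other
          # workflows (e.g. pull_request CI) in this repository; with auto-merge
          # enabled below, verify that the checks you rely on still run first.
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: |
            fix(cve): update CVE database (v${{ steps.bump-version.outputs.new_version }})

            Add ${{ steps.cve-count.outputs.new_count }} new CVE(s)
            Total entries: ${{ steps.cve-count.outputs.total_count }}
            Version: ${{ steps.bump-version.outputs.current_version }} → ${{ steps.bump-version.outputs.new_version }}
          branch: fix/cve-database-update
          delete-branch: true
          title: "fix(cve): Update CVE database (+${{ steps.cve-count.outputs.new_count }} entries) [v${{ steps.bump-version.outputs.new_version }}]"
          body: |
            ## CVE Database Update

            This PR updates the CVE database with newly discovered vulnerabilities.

            ### Changes
            - **New CVEs added**: ${{ steps.cve-count.outputs.new_count }}
            - **Total entries**: ${{ steps.cve-count.outputs.total_count }}
            - **New CVE IDs**: ${{ steps.cve-count.outputs.new_cves }}
            - **Version bump**: `${{ steps.bump-version.outputs.current_version }}` → `${{ steps.bump-version.outputs.new_version }}`

            ---
            *This PR was automatically generated by the CVE Database Update workflow.*
          labels: |
            dependencies
            security
            automated

      - name: Enable auto-merge
        if: steps.create-pr.outputs.pull-request-number
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Handed to the script via env rather than interpolated into `run:` so
          # the step output is never expanded by the shell.
          PR_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
        run: |
          # NOTE(review): --auto defers the merge until required checks pass only
          # when branch protection defines them; confirm the target branch's rules.
          gh pr merge "$PR_NUMBER" \
            --auto --squash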