projectdiscovery / cvemap

Navigate the CVE jungle with ease.

Cannot run CVEMap inside a CI/CD Pipeline

marcopedrinazzi opened this issue · comments

cvemap version: 0.0.4

Current Behavior:

In my project I want to execute cvemap in a CI/CD pipeline, but it doesn't work. The returned result is empty; I'm using gitlab-runner 16.8.0 on docker-runner. Why does it happen? I can execute it perfectly in the container, but when I use the pipeline it doesn't get data.

The .gitlab-ci.yml I'm using is (I've omitted parts and simplified it; the idea of my project is to call cvemap from a Python script, hence the python image. Regardless of the omissions, cvemap cannot obtain any output):

stages:
  - run

run:
  stage: run
  image: python:latest
  script:
    - ./cvemap -json
  rules:
    - when: manual

(I'm using a valid API key and I passed it into cvemap following the methods in the documentation (I've omitted it on the screen).)

I have tried to install cvemap also with the go installation method and not use the pre-compiled binary, but the result is still the same.

I have run cvemap with the -debug -verbose options, but the result is still the same as the one in the screenshot.

Expected Behavior:

Obtain a non-empty output from cvemap.

Steps To Reproduce:

Set up the infrastructure with the versions provided, put the binary of cvemap inside the GitLab repo and use the .gitlab-ci.yml provided and build.

Anything else:

The screenshot of the current behavior

The cause of the issue is the content of r.Options.CveIds inside the runner.go file (func (r *Runner) Run()): in my GitLab environment, during the execution, somehow it added "" to the content of r.Options.CveIds. I proposed a pull request able to fix the issue. It is to be considered a temporary fix, and I suggest further investigations regarding the sanitization of the input.

Thanks for the report and the effort put into debugging the issue, @marcopedrinazzi.

Have applied an actual fix here: #92

ci/cd test: https://github.com/RamanaReddy0M/workflow-test/actions/runs/7933440605/job/21662205419

workflow-test.yml

name: 🤖 Run CVEmap

on:
  workflow_dispatch:

jobs:
  run-cvemap:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      # Set up Go 1.21 environment
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.21'
      
      # Install cvemap
      - name: Install CVEmap
        run: go install github.com/projectdiscovery/cvemap/cmd/cvemap@15fef78
      
      # Run cvemap with JSON output
      - name: Run CVEmap
        run: |
          echo "Running CVEmap with JSON output"
          cvemap -json
          echo "Running CVEmap without JSON output"
          cvemap -l 5
        env:
          PATH: ${{ github.workspace }}/go/bin:$PATH
          PDCP_API_KEY: ${{ secrets.PDCP_API_KEY }}

@marcopedrinazzi, can you also confirm from your side that the patch is working?

Yes! The patch is working, thank you @RamanaReddy0M
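
A sketch of the input sanitization suggested earlier in the thread, as an added example that is neither cvemap's code nor the fix applied in #92. The helper name sanitizeCVEIDs, the ID pattern and the sample inputs are assumptions made for illustration; it goes beyond the empty-entry case by also de-duplicating and rejecting malformed IDs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cveIDPattern: "CVE-", a 4-digit year, then 4 or more digits.
var cveIDPattern = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// sanitizeCVEIDs is a hypothetical helper (not part of cvemap). It trims
// whitespace and stray quotes, upper-cases, drops empty entries, removes
// duplicates, and returns malformed entries separately so they can be
// reported instead of being sent to the API as a filter.
func sanitizeCVEIDs(raw []string) (valid, rejected []string) {
	seen := make(map[string]struct{})
	for _, item := range raw {
		id := strings.TrimSpace(strings.Trim(strings.TrimSpace(item), `"'`))
		id = strings.ToUpper(id)
		if id == "" {
			continue // empty or quote-only entry, as reported in the CI run
		}
		if !cveIDPattern.MatchString(id) {
			rejected = append(rejected, item)
			continue
		}
		if _, dup := seen[id]; dup {
			continue
		}
		seen[id] = struct{}{}
		valid = append(valid, id)
	}
	return valid, rejected
}

func main() {
	// Constructed inputs: the first mimics the list holding only "".
	for _, in := range [][]string{
		{""},
		{`""`, " cve-2024-0001 ", "CVE-2024-0001", "not-a-cve"},
	} {
		valid, rejected := sanitizeCVEIDs(in)
		// An empty valid list should mean "no ID filter", not a query for "".
		fmt.Printf("in=%q valid=%q rejected=%q\n", in, valid, rejected)
	}
}
```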