Cannot run CVEMap inside a CI/CD Pipeline
marcopedrinazzi opened this issue
cvemap version: 0.0.4
Current Behavior:
In my project I want to execute cvemap in a CI/CD pipeline, but it doesn't work. The returned result is empty; I'm using gitlab-runner 16.8.0 on docker-runner. Why does it happen? I can execute it perfectly in the container, but when I use the pipeline it doesn't get data.
The .gitlab-ci.yml I'm using is (I've omitted parts and simplified it; the idea of my project is to call cvemap from a python script, hence the python image. Regardless of the omissions, cvemap cannot obtain any output):

stages:
  - run
run:
  stage: run
  image: python:latest
  script:
    - ./cvemap -json
  rules:
    - when: manual

(I'm using a valid API key and I passed it into cvemap following the methods in the documentation (I've omitted it on the screen))
I have tried to install cvemap also with the go installation method and not use the pre-compiled binary but the result is still the same.
I have run cvemap with the -debug -verbose options, but the result is still the same as the one in the screenshot.
Expected Behavior:
Obtain a non-empty output from cvemap
Steps To Reproduce:
Set up the infrastructure with the versions provided, put the binary of cvemap inside the gitlab repo and use the .gitlab-ci.yml provided and build.
Anything else:
The cause of the issue is the content of r.Options.CveIds inside the runner.go file (func (r *Runner) Run()) => In my gitlab environment, during the execution it somehow added "" to the content of r.Options.CveIds. I proposed a pull request able to fix the issue. It is to be considered a temporary fix, and I suggest further investigation regarding the sanitization of the input.
Thanks for the report and the effort put into debugging the issue, @marcopedrinazzi.
Have applied an actual fix here: #92
ci/cd test: https://github.com/RamanaReddy0M/workflow-test/actions/runs/7933440605/job/21662205419
workflow-test.yml

name: 🤖 Run CVEmap
on:
  workflow_dispatch:
jobs:
  run-cvemap:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Set up Go 1.21 environment
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.21'
      # Install cvemap
      - name: Install CVEmap
        run: go install github.com/projectdiscovery/cvemap/cmd/cvemap@15fef78
      # Run cvemap with JSON output
      - name: Run CVEmap
        run: |
          echo "Running CVEmap with JSON output"
          cvemap -json
          echo "Running CVEmap without JSON output"
          cvemap -l 5
        env:
          PATH: ${{ github.workspace }}/go/bin:$PATH
          PDCP_API_KEY: ${{ secrets.PDCP_API_KEY }}

@marcopedrinazzi can you also confirm from your side that the patch is working?
Yes! The patch is working, thank you @RamanaReddy0M
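
The input sanitization suggested in the report, as an added example in Go; it is not cvemap's code and not the fix in #92. The names `readIDs`, `sanitizeIDs` and `cveIDPattern` are hypothetical, and the blank stdin line is only an assumed way for a "" entry to reach an ID list, since the issue does not establish the source.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// cveIDPattern matches normalized identifiers such as CVE-2099-12345.
var cveIDPattern = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// readIDs collects one ID per line from r, as a tool does when stdin is piped.
// Hypothetical helper: it keeps blank lines on purpose to show the failure mode.
func readIDs(r io.Reader) []string {
	var ids []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		ids = append(ids, sc.Text())
	}
	return ids
}

// sanitizeIDs trims and upper-cases each entry, drops blanks and duplicates,
// and returns malformed entries separately so they can be logged.
func sanitizeIDs(raw []string) (clean, rejected []string) {
	seen := make(map[string]bool)
	for _, s := range raw {
		id := strings.ToUpper(strings.TrimSpace(s))
		switch {
		case id == "":
			continue // the "" entry described in the issue
		case !cveIDPattern.MatchString(id):
			rejected = append(rejected, s)
		case !seen[id]:
			seen[id] = true
			clean = append(clean, id)
		}
	}
	return clean, rejected
}

func main() {
	// Constructed input: a non-interactive stdin that yields a single blank line.
	raw := readIDs(strings.NewReader("\n"))
	clean, rejected := sanitizeIDs(raw)
	fmt.Printf("raw=%q clean=%q rejected=%q\n", raw, clean, rejected)
}
```

With the blank entry removed the list is empty, so a caller that branches on `len(ids) > 0` takes its default listing path instead of querying for an ID of "".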