
xeol-action's Issues

[Bug] fail-on-eol-found not failing action

XEOL is successfully identifying EOL versions, but not failing the GitHub action when --fail-on-eol-found is true

The following output is shown in the Run xeol-io/[email protected] step

Run xeol-io/[email protected]
/usr/bin/chmod +x /home/runner/work/_temp/648ec04b-47db-44d5-a28e-52b3b91574ef
/home/runner/work/_temp/648ec04b-47db-44d5-a28e-52b3b91574ef -b /home/runner/work/_temp/648ec04b-47db-44d5-a28e-52b3b91574ef_xeol v0.9.3
[info] checking github for release tag='v0.9.3' 
[info] fetching release script for tag='v0.9.3' 
[info] checking github for release tag='v0.9.3' 
[info] using release tag='v0.9.3' version='0.9.3' os='linux' arch='amd64' 
[info] installed /home/runner/work/_temp/648ec04b-47db-44d5-a28e-52b3b91574ef_xeol/xeol 
xeol output...
  Executing: xeol -o table --fail-on-eol-found localbuild/testimage:latest
NAME    VERSION  EOL         DAYS EOL  TYPE   
Ubuntu  18.04    2023-05-31  174       os      
node    14.15.4  2023-04-30  205       binary

Is it expected the GH Action will "Pass" and continue forward even though EOL has been found?
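As an added example (not part of xeol-action or of this issue): a small POSIX shell helper that counts the data rows in xeol's table output and fails the step explicitly, which gives a workflow a hard gate on EOL findings independently of whether --fail-on-eol-found sets the exit code. The two sample outputs are constructed from the table shown above; the `::error::` line uses the GitHub Actions workflow-command syntax so the failure is annotated in the job log.

```shell
#!/bin/sh
# Added example, not xeol-action's own code. Parses the table that xeol prints
# to stdout and turns "any EOL row present" into a non-zero exit status.

# Constructed sample: xeol output with two EOL findings (from the issue above).
XEOL_TABLE_SAMPLE='xeol output...
  Executing: xeol -o table --fail-on-eol-found localbuild/testimage:latest
NAME    VERSION  EOL         DAYS EOL  TYPE
Ubuntu  18.04    2023-05-31  174       os
node    14.15.4  2023-04-30  205       binary
'

# Constructed sample: xeol output for a clean image.
XEOL_CLEAN_SAMPLE='xeol output...
No eol software found
'

# count_eol_rows OUTPUT: print the number of non-empty rows that follow the
# "NAME  VERSION ..." header. Installer chatter and the "Executing:" echo that
# precede the header are ignored; output without a header counts as zero rows.
count_eol_rows() {
    printf '%s\n' "$1" | awk '
        /^NAME[[:space:]]+VERSION/ { in_table = 1; next }
        in_table && NF > 0         { rows++ }
        END                        { print rows + 0 }
    '
}

# assert_no_eol OUTPUT: return 1 (failing the step under "set -e") when xeol
# reported at least one EOL component, and echo the table to stderr so the
# offending rows are visible next to the error annotation.
assert_no_eol() {
    n=$(count_eol_rows "$1")
    if [ "$n" -gt 0 ]; then
        echo "::error::xeol reported $n end-of-life component(s)" >&2
        printf '%s\n' "$1" | awk '/^NAME[[:space:]]+VERSION/ { p = 1 } p' >&2
        return 1
    fi
    return 0
}

# Typical use inside a workflow "run:" step (IMAGE is assumed to be set):
#   out=$(xeol -o table "$IMAGE"); assert_no_eol "$out"
```

The check keys on the table header rather than on exit status, so it keeps working when the scanner prints findings but exits 0; if xeol's table layout changes, only the header regex needs updating.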

[bug] Not working the same as xeol-io/xeol

I have built a test with the following YAML in GitHub Actions, but it does not detect it well.
xeol-io/xeol has been recently supported, so it works correctly, but the results are different in Actions.

ScanFromImage

name: "TestWorkFlow Syft/XEOL"

on:
  workflow_dispatch:
    inputs:
      repo:
        description: 'ImageRepo'
        required: true
        type: string
      tag:
        description: 'ImageTag'
        required: true
        type: string
      regions:
        description: 'support regions'
        required: true
        type: string
        default: us-west-2

permissions:
  id-token: write
  contents: read

jobs:
  TestWorkflow:
    name: "TestWorkFLow Syft Grype XEOL"
    runs-on: ubuntu-latest
    steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v3
      with:
        role-to-assume: "ASSUMEROLE ARN FROM Secrets"
        aws-region: ${{ inputs.regions }}
    - name: ECR Login
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1
    - name: ECR IMAGE PULL
      id: imageid
      env:
        ENDPOINT: ${{ inputs.repo }}
        TAGNAME: ${{ inputs.tag }}
      run: |
        echo $ENDPOINT:$TAGNAME
        docker pull $ENDPOINT:$TAGNAME
    - name: Syft
      uses: anchore/sbom-action@v0
      with:
        image: ${{ inputs.repo }}:${{ inputs.tag }}
        format: spdx-json
        artifact-name: sbom.spdx.json
        output-file: "sbom.spdx.json"
    - name: XEOL
      uses: noqcks/[email protected]
      with:
        image: ${{ inputs.repo }}:${{ inputs.tag }}
        fail-build: false

Result

Run noqcks/[email protected]
  with:
    image: 34[2] imagename:rel-v.20220715-1358
    fail-build: false
    output-format: table
  env:
    AWS_DEFAULT_REGION: us-west-2
    AWS_REGION: us-west-2
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
    ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: sbom.spdx.json
/usr/bin/chmod +x /home/runner/work/_temp/83580c47-120a-4bff-a7b3-fae13a936a1d
/home/runner/work/_temp/83580c47-120a-4bff-a7b3-fae13a936a1d -b /home/runner/work/_temp/83580c47-120a-4bff-a7b3-fae13a936a1d_xeol v0.2.0
[info] checking github for release tag='v0.2.0' 
[info] fetching release script for tag='v0.2.0' 
[info] checking github for release tag='v0.2.0' 
[info] using release tag='v0.2.0' version='0.2.0' os='linux' arch='amd64' 
[info] installed /home/runner/work/_temp/83580c47-120a-4bff-a7b3-fae13a936a1d_xeol/xeol 
xeol output...
No eol software found

Running a scan from a Syft-generated SBOM produced the same results

Cause

It appears that you are downloading and using an older (v0.2.0) Xeol.
Are there any plans to update this action?
If not, I will consider incorporating Xeol myself.

[Bug] JSON file is not output

I implemented the GitHub Action in the following form, but it did not output JSON.

- name: Run XEOL mw/sw EOL scanner from sbom file and Output file
  uses: noqcks/[email protected]
  id: xeol
  with:
    sbom: "sbom.spdx.json"
    output-format: json
    fail-build: false

- name: Test Outputs
  run: | 
    echo ${{ steps.xeol.outputs.json }}

Outputs are blank.

I think it is because the command is as follows, and in xeol, even with the JSON option the output goes to standard output.

xeol output...
  Executing: xeol -o json sbom:sbom.spdx.json

When I ran the same command locally, the JSON file was not created but the JSON went to stdout, so I assumed it was the same behavior.

Memory Constraints

When building a large docker image (5.8GB in this case), the XEOL step produces the following error:

  • failed to catalog: unable to load image: unable to use DockerDaemon source: unable to save image tar: Error response from daemon: write /var/lib/docker/tmp/docker-export-2345671101/blobs/sha256/2p923584c6accaac8a0970283aa856e8a8729f7c5183bb549b19a5c08c7: no space left on device

Is there a known way around this? I'm wondering if this is just a GitHub runner memory limitation rather than some other constraint, but want to confirm.

Found the same issue referenced here.

[Feature Request] Multiple Dockerfiles

If a repository has multiple Dockerfiles, I'd be interested to know if this action in its current state could scan all of them in one go without specifying the location of each file in the build steps.

For example, if I have ./Dockerfile and ./some-folder/Dockerfile, I'd like to automatically find all instances of Dockerfiles, save them off in an array/matrix and have XEOL scan through each one.

I believe this would be incredibly useful at scale.

GitHub Actions are limited in their ability to run recursively, i.e. I can't just throw and run this action in a bash script loop (at least I haven't found a way). With this current limitation, the scan action itself would need to readily accept the input.
In the meantime, I'll see how clever I can get to make this work.

Let me know your thoughts.
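As an added example (not part of xeol-action or of this thread), one way to get the "find every Dockerfile and fan out" behaviour with the job-matrix feature that Actions does support: a discovery script lists the Dockerfiles in a checkout and prints them as a JSON matrix, which a later job consumes with `fromJSON`. The directory layout in the comments is constructed; the script assumes Dockerfile paths contain no characters that would need JSON escaping.

```shell
#!/bin/sh
# Added example, not xeol-action's own code. Discover Dockerfiles below a
# checkout and emit a GitHub Actions matrix such as
#   {"dockerfile":["./Dockerfile","./some-folder/Dockerfile"]}
# so one scan job can run per Dockerfile.

# find_dockerfiles DIR: list Dockerfile and Dockerfile.* files below DIR,
# as ./-relative paths in a stable (byte-order) sort. The .git tree is skipped.
find_dockerfiles() {
    dir=${1:-.}
    ( cd "$dir" && find . -path ./.git -prune -o \
        \( -name Dockerfile -o -name 'Dockerfile.*' \) -type f -print ) \
        | LC_ALL=C sort
}

# dockerfile_matrix DIR: print the matrix JSON on a single line.
# Assumption: paths contain no quotes, backslashes or control characters, so
# they can be dropped into JSON strings without escaping.
dockerfile_matrix() {
    find_dockerfiles "$1" | awk '
        BEGIN { printf "{\"dockerfile\":[" }
        { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }
        END   { printf "]}\n" }
    '
}

# publish_matrix DIR: write the matrix as the step output "matrix" when running
# under Actions (GITHUB_OUTPUT is set by the runner); always echo it as well so
# the same script is usable locally.
publish_matrix() {
    json=$(dockerfile_matrix "${1:-.}")
    if [ -n "${GITHUB_OUTPUT:-}" ]; then
        echo "matrix=$json" >> "$GITHUB_OUTPUT"
    fi
    printf '%s\n' "$json"
}

# Run as a script: publish the matrix for the current checkout.
# (Guarded so the functions can also be sourced without side effects.)
if [ "${1:-}" = "--publish" ]; then
    publish_matrix "${2:-.}"
fi
```

In a workflow this sits in a first job (say `discover`) with `id: find` on the step that runs `sh discover.sh --publish` and `outputs: matrix: ${{ steps.find.outputs.matrix }}` on the job; a second job declares `needs: discover` and `strategy: matrix: ${{ fromJSON(needs.discover.outputs.matrix) }}`, then builds `${{ matrix.dockerfile }}` into an image and hands that image to the xeol step. Each Dockerfile gets its own job, so a finding in one is reported against that file rather than against the repository as a whole.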
