otp scan PRs for vulnerabilities

.github/workflows/main.yaml

@@ -456,6 +456,31 @@ jobs:
                 docker run otp "erl ${OPTION} -noshell -s init stop"
             done
 
+  modified-vendor-files:
+    name: Check if vendor files changed
+    runs-on: ubuntu-latest
+    outputs:
+      vendor-files: ${{ steps.vendor-files.outputs.MODIFIED_FILES != '0' }}
+    steps:
+      - name: Get modified vendor files
+        id: vendor-files
+        run: |
+          echo "MODIFIED_FILES=$(git diff --name-only '${{ github.base_ref }}' 'HEAD' | grep 'vendor\.info$' | wc -l || 1)"
+
+  # this is a call to a workflow_call
+  pr-vendor-vulnerability-analysis:
+    needs: modified-vendor-files
+    if: ${{ needs.modified-vendor-files.outputs.vendor-files != 0 && github.event_name == 'pull_request'}}
+    permissions:
+      security-events: read
+    name: Vendor Vulnerability Scanning
+    uses: ./.github/workflows/reusable-vendor-vulnerability-scanner.yml
+    with:
+      fail_if_cve: true
+      checkout: false
+      version: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}
+      # equivalent of ${{ env.BASE_BRANCH }} but reusable-workflows do not allow to pass env.
+
   build:
     name: Build Erlang/OTP
     runs-on: ubuntu-latest
@@ -929,18 +954,17 @@ jobs:
             fail-on: ${{ github.ref_type == 'tag' && '' || 'violations,issues' }}
             sw-version: ${{ env.OTP_SBOM_VERSION }}
 
-  vendor-analysis:
-    name: Vendor Dependency Analysis
+  vendor-dependency-upload:
+    name: Vendor Dependency Upload
     runs-on: ubuntu-latest
-    if: github.event_name == 'push'
     needs:
         - sbom
         - pack
+    if: github.repository == 'erlang/otp'
     ## Needed to use Github Dependency API
     permissions:
       contents: write
       id-token: write
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
       - uses: ./.github/actions/build-base-image
@@ -959,7 +983,13 @@ jobs:
               --sbom-file /github/bom.spdx.json"
 
       # allows Dependabot to give us alert of the vendor libraries that use semantic versioning
+      # it also allows dependencies to be looked up from github dependencies
+      #
+      # trigger the upload only on merged pull requests
+      #
+      #
       - name: Upload SBOM to Github Dependency API
+        if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
         uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # ratchet:advanced-security/[email protected]
 
   ## If this is an "OTP-*" tag that has been pushed we do some release work

.github/workflows/osv-scanner-scheduled.yml

@@ -24,7 +24,6 @@ name: Open Source Vulnerabilities Scanner
 
 on:
   pull_request:
-  push:
   workflow_dispatch:
   schedule:
     - cron: 0 1 * * *
@@ -60,33 +59,20 @@ jobs:
     permissions:
       actions: write
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
-        with:
-          ref: ${{ matrix.type }}
-
+      # this call to a workflow_dispatch ref=master is important because
+      # using ref={{matrix.type}} would trigger the workflow
+      # reusable-vendor-vulnerability-scanner.yml in that ref/branch. since
+      # there is no such files in maint-25, maint-26, etc, the result would
+      # ignore the vulnerability scanning for those branches.
+      #
       - name: Trigger Vulnerability Scanning
         env:
           GH_TOKEN: ${{ github.token }}
-        if: ${{ hashFiles('.github/workflows/osv-scanner-scheduled.yml') != '' }}
+          REPO: ${{ github.repository }} # in testing cases, this is your fork, e.g., kikofernandez/otp
         run: |
           gh api \
             --method POST \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/${{ github.repository }}/actions/workflows/osv-scanner-scheduled.yml/dispatches \
-            -f "ref=${{ matrix.type }}"
-
-  scan-pr:
-    # run-scheduled-scan triggers this job
-    # PRs and pushes trigger this job
-    if: github.event_name != 'schedule'
-    permissions:
-        # Require writing security events to upload SARIF file to security tab
-        security-events: write
-        # Required to upload SARIF file to CodeQL.
-        # See: https://github.com/github/codeql-action/issues/2117
-        actions: read
-        contents: read
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # ratchet:google/osv-scanner-action/.github/workflows/[email protected]"
-    with:
-        upload-sarif: ${{ github.repository == 'erlang/otp' }}
+            /repos/${{ github.repository }}/actions/workflows/reusable-vendor-vulnerability-scanner.yml/dispatches \
+            -f 'ref=master' -f "inputs[checkout]=true" -f "inputs[version]=${{ matrix.type }}" -f "inputs[fail_if_cve]=true"

.github/workflows/reusable-vendor-vulnerability-scanner.yml

@@ -0,0 +1,120 @@
+# %CopyrightBegin%
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright Ericsson AB 2024-2025. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# %CopyrightEnd%
+
+name: Vendor Vulnerability Scanning
+run-name: "[${{ inputs.version }}] Vendor Vulnerability Scanning"
+description: 'Vulnerability scanning'
+
+# 'inputs' must be repeated twice for the different use cases.
+# there is no current way to share 'inputs' for workflow dispatch
+# and call.
+#
+# version: reference branch to checkout and analyse for CVE.
+#
+# fail_if_cve: makes the job fail if a CVE is found.
+#        This is 'true' when analysing PRs, as we prefer a failure to detect that the PR
+#        introduces a vulnerability.
+#
+
+on:
+  workflow_dispatch:
+    inputs:
+      # this option is needed for scheduled scans. on pull requests (`main.yaml`)
+      # the PR already contains a branch on which to run and there is a known
+      # base_ref. on scheduled runs of this job, `base_ref` does not exist and
+      # we need to specify which repo branch to checkout.
+      checkout:
+        description: 'Checkout branch in version?'
+        required: false
+        default: false
+        type: boolean
+      version:
+        description: 'Reference branch to fetch OpenVEX statements'
+        required: true
+        default: 'master'
+        type: 'string'
+      fail_if_cve:
+        description: 'Fail if CVE is found'
+        required: true
+        default: false
+        type: boolean
+  workflow_call:
+    inputs:
+      # this option is needed for scheduled scans. on pull requests (`main.yaml`)
+      # the PR already contains a branch on which to run and there is a known
+      # base_ref. on scheduled runs of this job, `base_ref` does not exist and
+      # we need to specify which repo branch to checkout.
+      checkout:
+        description: 'Checkout branch in version?'
+        required: false
+        default: false
+        type: boolean
+      version:
+        description: 'Reference branch to fetch OpenVEX statements'
+        required: true
+        default: 'master'
+        type: 'string'
+      fail_if_cve:
+        description: 'Fail if CVE is found'
+        required: true
+        default: false
+        type: boolean
+
+env:
+  VERSION: ${{ inputs.version }}
+
+jobs:
+  analysis-vendor-dependencies:
+    name: "Vulnerability Scanning of Vendor Dependencies"
+    # This job always fetches otp-compliance escript from `master`.
+    # internally, the job downloads OpenVEX statements from `vex` folder.
+    # the main reason is that maint-25, maint-26, etc do not have this file
+    # committed into them. thus, a workflow_dispatch or workflow_call would
+    # not work, and we would not be able to analyse vendor dependecies there.
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      security-events: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
+        with:
+          ref: ${{ inputs.checkout && inputs.version || ''}} # '' = default branch
+
+      - uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # racket:actions/checkout@v1
+        with:
+          otp-version: '28'
+
+      - name: 'Analysis of dependencies from OpenVEX in ${{ inputs.version }}'
+        id: analysis
+        run: |
+          curl -L \
+               -H "Accept: application/vnd.github+json" \
+               -H "Authorization: Bearer ${GH_TOKEN}" \
+               -H "X-GitHub-Api-Version: 2022-11-28" \
+               https://api.github.com/repos/erlang/otp/contents/.github/scripts/otp-compliance.es \
+               | jq -r '.content' | base64 -d > otp-compliance.es
+          chmod +x otp-compliance.es
+          cp otp-compliance.es /home/runner/work/otp/otp/.github/scripts/otp-compliance.es
+          cd /home/runner/work/otp/otp && \
+          mkdir -p vex && \
+          .github/scripts/otp-compliance.es sbom osv-scan \
+               --version ${{ inputs.version }} \
+               --fail_if_cve ${{ inputs.fail_if_cve }}