https://github.com/appatalks/ghes-cve-check

Automate investigating CVE Look-ups against GitHub Enterprise Server (GHES)

# GHES Vulnerability Checker

This GitHub Actions workflow automates the process of checking specified CVEs against the dependencies of a given GitHub Enterprise Server (GHES) version.

**Example Report:**

```text
Vulnerability Report for GHES v.3.13.6
======================================

CVE: CVE-2015-9284
Source: GitHub
WARNING: omniauth 1.9.2 is vulnerable (Affected range: <= 1.9.2)
References:
https://cveawg.mitre.org/api/cve/CVE-2015-9284
https://github.com/advisories?query=CVE-2015-9284

CVE: CVE-2023-50387
Source: mitre.org
Details undetermined. Update to latest patch release.
References:
https://cveawg.mitre.org/api/cve/CVE-2023-50387
https://github.com/advisories?query=CVE-2023-50387

CVE: CVE-2024-28103
Source: GitHub
WARNING: actionpack 7.2.0.alpha.3621eef is vulnerable (Affected range: = 7.2.0.beta1)
References:
https://cveawg.mitre.org/api/cve/CVE-2024-28103
https://github.com/advisories?query=CVE-2024-28103

CVE: CVE-2024-9539
Source: mitre.org
Fixed in versions: 3.14.2, 3.13.5, 3.12.10, 3.11.16..
References:
https://cveawg.mitre.org/api/cve/CVE-2024-9539
https://github.com/advisories?query=CVE-2024-9539

Note: For CVEs sourced from mitre.org, please review the details manually as package information may be incomplete.
Packages marked vulnerable when their version looks good might be due to being installed in multiple locations.
```

**Key Features:**

- **Automated Dependency Analysis**: Parses and extracts package names and versions from the GHES dependency metadata without manual intervention.
- **Comprehensive CVE Checking**: Checks each specified CVE against the extracted dependencies using GitHub's Security Advisory GraphQL API.
- **MITRE.org Advisory Integration**: For CVEs with no GitHub advisory, falls back to the MITRE CVE record (`cveawg.mitre.org`) and links it in the report, so a CVE that GitHub has not catalogued is still surfaced for manual review rather than dropped.
- **Detailed Reporting**: Generates a clear and concise vulnerability report summarizing the findings, which is uploaded as an artifact for easy access and review.
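
As an added, stand-alone illustration of the checking logic described above (this is not the project's workflow code): the dependency list, the advisory ranges and the install-location labels below are constructed, and the inline `ADVISORIES` hash stands in for what the GraphQL lookup would return. It evaluates each advisory range with RubyGems' own `Gem::Requirement` and `Gem::Version`, so prerelease identifiers compare the way Bundler compares them; under those rules the `actionpack 7.2.0.alpha.3621eef` from the sample report does not fall in `= 7.2.0.beta1`. Each installed copy of a gem is judged separately, which is how a hit on a package whose version "looks good" becomes attributable to the second copy.

```ruby
# Added example, not the project's code: evaluate advisory version ranges
# against installed gem versions with RubyGems semantics and render a
# report in the layout of the README's sample. Every value below is
# constructed for illustration.
require "rubygems"

# Constructed stand-in for the parsed GHES dependency metadata. The same gem
# is listed twice on purpose: one copy per install location.
DEPENDENCIES = [
  { name: "omniauth",   version: "1.9.2",               location: "bundle-a" },
  { name: "omniauth",   version: "2.1.2",               location: "bundle-b" },
  { name: "actionpack", version: "7.2.0.alpha.3621eef", location: "bundle-a" },
].freeze

# Constructed stand-in for the advisory lookup, keyed by CVE. The ranges use
# the operator syntax shown in the sample report. A CVE with an empty list
# has no GitHub advisory data and is handed off to the MITRE record.
ADVISORIES = {
  "CVE-2015-9284"  => [{ package: "omniauth",   range: "<= 1.9.2" }],
  "CVE-2024-28103" => [{ package: "actionpack", range: "= 7.2.0.beta1" }],
  "CVE-2023-50387" => [],
}.freeze

# True when +version+ satisfies every clause of +range+ ("a, b" means a AND b)
# under Gem::Version ordering; nil when either string cannot be parsed, so an
# unreadable entry is reported as undetermined rather than silently passed.
def gem_affected?(version, range)
  clauses = range.split(",").map(&:strip)
  Gem::Requirement.new(clauses).satisfied_by?(Gem::Version.new(version))
rescue ArgumentError # Gem::Requirement::BadRequirementError is an ArgumentError
  nil
end

# Check each requested CVE against every installed copy of the named gem.
# Returns structured findings so the renderer and any tests share one path.
def check_cves(cves, dependencies, advisories)
  cves.map do |cve|
    entries = advisories.fetch(cve, [])
    if entries.empty?
      { cve: cve, source: "mitre.org", hits: nil }
    else
      hits = entries.flat_map do |adv|
        dependencies.select { |d| d[:name] == adv[:package] }.map do |dep|
          { package: dep[:name], version: dep[:version], location: dep[:location],
            range: adv[:range], vulnerable: gem_affected?(dep[:version], adv[:range]) }
        end
      end
      { cve: cve, source: "GitHub", hits: hits }
    end
  end
end

# Render findings in the same layout as the README's sample report, one
# line per installed copy so a hit on a duplicate install is attributable.
def format_report(ghes_version, findings)
  out = ["Vulnerability Report for GHES v.#{ghes_version}", "=" * 38, ""]
  findings.each do |f|
    out << "CVE: #{f[:cve]}" << "Source: #{f[:source]}"
    if f[:hits].nil?
      out << "Details undetermined. Review the MITRE record manually."
    elsif f[:hits].empty?
      out << "No affected package present in this GHES version."
    else
      f[:hits].each do |h|
        state = case h[:vulnerable]
                when true  then "WARNING: vulnerable"
                when false then "OK: outside affected range"
                else            "UNDETERMINED: unparsable version or range"
                end
        out << "#{state}: #{h[:package]} #{h[:version]} at #{h[:location]} " \
               "(Affected range: #{h[:range]})"
      end
    end
    out << "References:"
    out << "https://cveawg.mitre.org/api/cve/#{f[:cve]}"
    out << "https://github.com/advisories?query=#{f[:cve]}"
    out << ""
  end
  out.join("\n")
end

if $PROGRAM_NAME == __FILE__
  puts format_report("3.13.6", check_cves(ADVISORIES.keys, DEPENDENCIES, ADVISORIES))
end
```

Run it with `ruby ghes_check.rb` to print a report in the sample's layout. To use the same logic inside a workflow, replace the two constants with the parsed dependency metadata and the advisory API response; keeping `gem_affected?` on `Gem::Requirement` rather than a hand-rolled string comparison is what makes prerelease and multi-segment versions (`7.2.0.alpha.3621eef`, `7.0.8.1`) compare correctly.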

**Usage Instructions:**

- [Understanding GitHub Actions](https://docs.github.com/en/enterprise-cloud@latest/actions/about-github-actions/understanding-github-actions)

To use [this workflow](.github/workflows/ghes-cve-check.yml), trigger it manually in your repository via the GitHub Actions tab and provide the required inputs:

- **GHES Version (`version`)**: The GHES release to check, e.g. `3.13.6` (the version shown in the example report above).
- **CVEs to Check (`cves`)**: A comma-separated list of CVE identifiers to assess, e.g. `CVE-2015-9284,CVE-2024-28103`.

When the run finishes, download the report artifact from the workflow run's summary page.

**Prerequisites and Notes:**

- Authenticates to GitHub's Security Advisory GraphQL API with the workflow's own `GITHUB_TOKEN`; no personal access token is required.
- I have found that some packages are marked vulnerable even though their version looks good, because they are installed in multiple locations.
- This tool is an aid, not a verdict. Please double-check all the findings!

Run as part of patch planning, the workflow gives a repeatable, reviewable record of which published CVEs the dependencies shipped in a given GHES release are exposed to.