2019-11-18 19:48:52 +01:00
|
|
|
name: CI
|
|
|
|
|
2020-01-10 13:19:36 +01:00
|
|
|
on: [push, pull_request]
|
2019-11-18 19:48:52 +01:00
|
|
|
|
|
|
|
jobs:
|
|
|
|
build:
|
|
|
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
|
|
|
steps:
|
|
|
|
- uses: actions/checkout@v1
|
|
|
|
- name: install prerequisites
|
2019-12-10 19:16:58 +01:00
|
|
|
run: sudo apt-get update && sudo apt-get install -y shellcheck jq sqlite3 iucode-tool
|
2019-11-18 19:48:52 +01:00
|
|
|
- name: shellcheck
|
|
|
|
run: shellcheck -s sh spectre-meltdown-checker.sh
|
|
|
|
- name: check indentation
|
|
|
|
run: |
|
|
|
|
if [ $(grep -cPv "^\t*\S|^$" spectre-meltdown-checker.sh) != 0 ]; then
|
|
|
|
echo "Badly indented lines found:"
|
|
|
|
grep -nPv "^\t*\S|^$" spectre-meltdown-checker.sh
|
|
|
|
exit 1
|
|
|
|
else
|
|
|
|
echo "Indentation seems correct."
|
|
|
|
fi
|
|
|
|
- name: check direct execution
|
|
|
|
run: |
|
2020-06-09 22:50:48 +02:00
|
|
|
expected=15
|
2019-11-18 19:48:52 +01:00
|
|
|
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
|
|
|
|
if [ "$nb" -ne "$expected" ]; then
|
|
|
|
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
|
|
|
exit 1
|
|
|
|
else
|
|
|
|
echo "OK $nb CVEs reported"
|
|
|
|
fi
|
|
|
|
- name: check docker-compose run execution
|
|
|
|
run: |
|
2020-06-09 22:55:25 +02:00
|
|
|
expected=15
|
2019-11-18 19:48:52 +01:00
|
|
|
docker-compose build
|
|
|
|
nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
|
|
|
if [ "$nb" -ne "$expected" ]; then
|
|
|
|
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
|
|
|
exit 1
|
|
|
|
else
|
|
|
|
echo "OK $nb CVEs reported"
|
|
|
|
fi
|
|
|
|
- name: check docker run execution
|
|
|
|
run: |
|
2020-06-09 22:55:25 +02:00
|
|
|
expected=15
|
2019-11-18 19:48:52 +01:00
|
|
|
docker build -t spectre-meltdown-checker .
|
|
|
|
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
|
|
|
if [ "$nb" -ne "$expected" ]; then
|
|
|
|
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
|
|
|
exit 1
|
|
|
|
else
|
|
|
|
echo "OK $nb CVEs reported"
|
|
|
|
fi
|
2019-12-10 19:16:58 +01:00
|
|
|
- name: check fwdb update
|
|
|
|
run: |
|
|
|
|
nbtmp1=$(find /tmp 2>/dev/null | wc -l)
|
|
|
|
./spectre-meltdown-checker.sh --update-fwdb; ret=$?
|
|
|
|
if [ "$ret" != 0 ]; then
|
|
|
|
echo "Non-zero return value: $ret"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
nbtmp2=$(find /tmp 2>/dev/null | wc -l)
|
|
|
|
if [ "$nbtmp1" != "$nbtmp2" ]; then
|
|
|
|
echo "Left temporary files!"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
if ! [ -e ~/.mcedb ]; then
|
|
|
|
echo "No .mcedb file found after updating fwdb"
|
|
|
|
exit 1
|
|
|
|
fi
|