From efd77dd397d51bdd34042f0b0e4cd4292e7831ea Mon Sep 17 00:00:00 2001 From: David Spenler Date: Mon, 2 Jun 2025 13:29:11 +0000 Subject: [PATCH 1/5] Add snyk scan workflow --- .github/workflows/run-snyk-scan.yaml | 76 ++++++++++++++++++++++++++++ apt-requirements.in | 8 +++ 2 files changed, 84 insertions(+) create mode 100644 .github/workflows/run-snyk-scan.yaml create mode 100644 apt-requirements.in diff --git a/.github/workflows/run-snyk-scan.yaml b/.github/workflows/run-snyk-scan.yaml new file mode 100644 index 0000000..d6de5a9 --- /dev/null +++ b/.github/workflows/run-snyk-scan.yaml 
@@ -0,0 +1,76 @@ +name: Run Snyk Security Scan +on: + pull_request: + branches: [master] + types: [labeled, unlabeled, opened, edited, reopened, synchronize, ready_for_review] + +jobs: + run-snyk-scan: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '16' + + - name: Install Snyk CLI + run: npm install -g snyk + + - name: Authenticate Snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: snyk auth $SNYK_TOKEN + + - name: Install dependencies + run: cat apt-requirements.in | xargs sudo apt install + + + - name: Build the Tools + # Ensure that the dependencies are up to date by building the tools; if this fails, so does the entire job + run: make + + - name: Run Snyk Test and Save Results + # If vulnerabilities are found, the program returns with 1, which we must ignore + run: | + snyk test --unmanaged --severity-threshold=high --json > snyk-results.json || true + CWD=$(pwd) + cd /usr/include && snyk test --unmanaged --severity-threshold=high --json > $CWD/include-snyk-results.json || true + cd /usr/local/include && snyk test --unmanaged --severity-threshold=high --json > $CWD/local-include-snyk-results.json || true + + - name: Block Pull Request if Old Vulnerabilities Found + run: | + for results in "" "include-" "local-include-"; do + # Parse vulnerabilities from Snyk results + jq -c '.vulnerabilities[] | select(.severity == "high" or .severity == "critical")' "$results"snyk-results.json > filtered-vulnerabilities.json + + # Check each vulnerability's disclosure date + found_old_vulnerabilities=false + + current_date=$(date --utc +%Y-%m-%d) + + while IFS= read -r vulnerability; do + # Extract the disclosure date + disclosure_date=$(echo "$vulnerability" | jq -r '.disclosureTime') + + # Calculate the difference in days + days_since_disclosure=$(( ( $(date --utc --date="$current_date" +%s) - $(date --utc --date="$disclosure_date" +%s) ) / 86400 
)) + + # If the vulnerability is older than 30 days, block the PR + if [ "$days_since_disclosure" -gt 30 ]; then + found_old_vulnerabilities=true + echo "Vulnerability older than 30 days: $vulnerability" + fi + + done < filtered-vulnerabilities.json + done + + # Fail the workflow if old vulnerabilities are found + if [ "$found_old_vulnerabilities" = true ]; then + echo "Critical or high vulnerabilities older than 30 days were found! Blocking merge." + exit 1 + else + echo "No vulnerabilities older than 30 days were found. Proceeding." + fi diff --git a/apt-requirements.in b/apt-requirements.in new file mode 100644 index 0000000..7cc7da3 --- /dev/null +++ b/apt-requirements.in @@ -0,0 +1,8 @@ +gcc +gnu-efi +help2man +libfile-slurp-perl +libssl-dev +make +openssl +sbsigntool From 6b95980ec3904c5a95004df45739335c60033c87 Mon Sep 17 00:00:00 2001 From: David Spenler Date: Tue, 10 Jun 2025 15:25:18 +0000 Subject: [PATCH 2/5] test --- .github/workflows/run-snyk-scan.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/run-snyk-scan.yaml b/.github/workflows/run-snyk-scan.yaml index d6de5a9..f95623e 100644 --- a/.github/workflows/run-snyk-scan.yaml +++ b/.github/workflows/run-snyk-scan.yaml @@ -40,6 +40,10 @@ jobs: cd /usr/include && snyk test --unmanaged --severity-threshold=high --json > $CWD/include-snyk-results.json || true cd /usr/local/include && snyk test --unmanaged --severity-threshold=high --json > $CWD/local-include-snyk-results.json || true + cat $CWD/snyk-results.json + cat $CWD/include-snyk-results.json + cat $CWD/local-include-snyk-results.json + - name: Block Pull Request if Old Vulnerabilities Found run: | for results in "" "include-" "local-include-"; do From 4dcb712b2c5f709d2f8d29c3fff35a1323d1529f Mon Sep 17 00:00:00 2001 From: David Spenler Date: Tue, 10 Jun 2025 15:27:56 +0000 Subject: [PATCH 3/5] test --- .github/workflows/run-snyk-scan.yaml | 3 +++ 1 file changed, 3 insertions(+) 
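Review bot: `found_old_vulnerabilities=false` is assigned inside the `for results in "" "include-" "local-include-"` loop, so an old finding in `snyk-results.json` is discarded as soon as the loop moves on to `include-snyk-results.json`, and the final `if [ "$found_old_vulnerabilities" = true ]` only reflects the last report scanned; move the initialisation to just before the `for` so a finding in any of the three reports fails the job. The `|| true` after each `snyk test` also swallows every exit status, including authentication and network failures, and on a `pull_request` raised from a fork `secrets.SNYK_TOKEN` is empty, so a scan that never ran would still pass the gate; tolerate only the "vulnerabilities found" status, e.g. `snyk test --unmanaged --severity-threshold=high --json > snyk-results.json || [ $? -eq 1 ]`, and let the `jq` step fail loudly when `.vulnerabilities` is absent rather than treating the report as clean. `snyk auth $SNYK_TOKEN` places the token on a command line that is visible in the process table and in any `set -x` or debug output; the Snyk CLI reads `SNYK_TOKEN` from the environment, so the auth step can be removed and the `env:` block attached to the `snyk test` step instead. `actions/checkout@v4`, `actions/setup-node@v4` and `npm install -g snyk` are all floating references, so pin the actions to a commit SHA and the CLI to an exact release (`npm install -g snyk@<version>`) to keep the scanner itself from becoming a supply-chain vector. Lastly, `cat apt-requirements.in | xargs sudo apt install` runs without `-y` and without a preceding `apt-get update`, which may abort at the confirmation prompt or hit a stale package index on the runner; `sudo apt-get update && xargs sudo apt-get install -y < apt-requirements.in` is the scripting form.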
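Review bot: The three added `cat $CWD/...snyk-results.json` lines print the complete Snyk JSON reports into the job log on every pull-request run; this commit and the three that follow are titled "test", so these look like debugging aids that should be squashed out, or at least gated, e.g. `if [ "${RUNNER_DEBUG:-0}" = 1 ]; then cat "$CWD/snyk-results.json"; fi`, before the series lands. If the reports need to be retained for review, `actions/upload-artifact` keeps them out of the log and makes them downloadable. `$CWD` should also be quoted (`"$CWD"`) to match the quoting used elsewhere in the step.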
diff --git a/.github/workflows/run-snyk-scan.yaml b/.github/workflows/run-snyk-scan.yaml index f95623e..f685acb 100644 --- a/.github/workflows/run-snyk-scan.yaml +++ b/.github/workflows/run-snyk-scan.yaml @@ -40,8 +40,11 @@ jobs: cd /usr/include && snyk test --unmanaged --severity-threshold=high --json > $CWD/include-snyk-results.json || true cd /usr/local/include && snyk test --unmanaged --severity-threshold=high --json > $CWD/local-include-snyk-results.json || true + echo snyk-results.json: cat $CWD/snyk-results.json + echo include-snyk-results.json: cat $CWD/include-snyk-results.json + echo local-include-snyk-results.json: cat $CWD/local-include-snyk-results.json - name: Block Pull Request if Old Vulnerabilities Found From a2719f38e32b953bd98f2e0717adf27fad5c64b9 Mon Sep 17 00:00:00 2001 From: David Spenler Date: Tue, 10 Jun 2025 15:32:58 +0000 Subject: [PATCH 4/5] test --- .github/workflows/run-snyk-scan.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/run-snyk-scan.yaml b/.github/workflows/run-snyk-scan.yaml index f685acb..7718fdd 100644 --- a/.github/workflows/run-snyk-scan.yaml +++ b/.github/workflows/run-snyk-scan.yaml @@ -49,6 +49,7 @@ jobs: - name: Block Pull Request if Old Vulnerabilities Found run: | + cd $CWD for results in "" "include-" "local-include-"; do # Parse vulnerabilities from Snyk results jq -c '.vulnerabilities[] | select(.severity == "high" or .severity == "critical")' "$results"snyk-results.json > filtered-vulnerabilities.json From 2f88804febe46eee4d76ce3d35b812a44f38584f Mon Sep 17 00:00:00 2001 From: David Spenler Date: Tue, 10 Jun 2025 15:36:42 +0000 Subject: [PATCH 5/5] test --- .github/workflows/run-snyk-scan.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/run-snyk-scan.yaml b/.github/workflows/run-snyk-scan.yaml index 7718fdd..e454928 100644 --- a/.github/workflows/run-snyk-scan.yaml +++ b/.github/workflows/run-snyk-scan.yaml 
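Review bot: The new `cd $CWD` line refers to a shell variable that was assigned in the previous step's `run:` block; GitHub Actions executes each `run:` block in a fresh shell and only values written to `$GITHUB_ENV` carry over, so unless `CWD` is set somewhere not visible here it is empty in this step, the unquoted expansion turns the line into a bare `cd`, and the step moves to `$HOME`, where none of the `*snyk-results.json` files exist and the following `jq` call fails on a missing file. Every step already starts in `GITHUB_WORKSPACE`, which is where the previous step wrote the reports, so the line can simply be deleted. If a directory change is genuinely needed, make it explicit with `cd "$GITHUB_WORKSPACE"`, or persist the value from the step that computes it with `echo "CWD=$PWD" >> "$GITHUB_ENV"`. The body of this step continues past the end of the hunk.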
@@ -49,7 +49,11 @@ jobs: - name: Block Pull Request if Old Vulnerabilities Found run: | + pwd + ls cd $CWD + pwd + ls for results in "" "include-" "local-include-"; do # Parse vulnerabilities from Snyk results jq -c '.vulnerabilities[] | select(.severity == "high" or .severity == "critical")' "$results"snyk-results.json > filtered-vulnerabilities.json
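Review bot: The `pwd`/`ls` pairs added around `cd $CWD` are debugging output and should be removed before merge; they add the full directory listing to every PR run and, because `CWD` is not defined in this step, the second `ls` will list the home directory rather than the checkout. If the step needs tracing, a single `set -x` at the top of the `run:` block, or enabling `ACTIONS_STEP_DEBUG` on the repository, gives the same information and is easy to take out again. The step body continues beyond the hunk.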