Add workflows to generate and maintain VEX entries

.github/workflows/check_cve.yml

@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: Apache-2.0
+name: Check CVEs
+run-name: Check CVEs for ${{ inputs.sbom_file }}
+on:
+  workflow_dispatch:
+    inputs:
+      sbom_file:
+        description: 'Path to the SBOM file'
+        required: true
+        default: "sboms/solr-9.10.0.json"
+        type: string
+
+# No permissions by default, permissions are granted at the job level
+permissions: { }
+
+jobs:
+  check_cve:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
+
+      - name: Set up Python
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Generate VEX entries for new CVEs
+        env:
+          SBOM_FILE: ${{ github.event.inputs.sbom_file }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          python scripts/check_cve.py "$SBOM_FILE" | while read -r inputs; do
+            gh workflow run generate_vex.yml --json <<<"$inputs"
+          done

.github/workflows/generate_vex.yml

@@ -0,0 +1,64 @@
+# SPDX-License-Identifier: Apache-2.0
+name: Generate VEX
+run-name: Generate VEX for ${{ inputs.cve_id }}
+on:
+  workflow_dispatch:
+    inputs:
+      sbom_file:
+        description: 'Path to the SBOM file'
+        required: true
+        type: string
+      artifact_purl:
+        description: 'PURL of the vulnerable artifact'
+        required: true
+        type: string
+      cve_id:
+        description: 'CVE identifier'
+        required: true
+        type: string
+
+# No permissions by default, permissions are granted at the job level
+permissions: { }
+
+jobs:
+  generate_vex:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 6.0.1
+
+      - name: Set up Python
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # 6.1.0
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Generate VEX Document
+        env:
+          SBOM_FILE: ${{ github.event.inputs.sbom_file }}
+          ARTIFACT_PURL: ${{ github.event.inputs.artifact_purl }}
+          CVE_ID: ${{ github.event.inputs.cve_id }}
+        run: |
+          python scripts/generate_vex.py "$SBOM_FILE" "$ARTIFACT_PURL" "$CVE_ID"
+
+      - name: Commit changes
+        env:
+          CVE_ID: ${{ github.event.inputs.cve_id }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b vex/${CVE_ID}
+          git add vex-input vexplanation
+          git commit -F "$RUNNER_TEMP/commit-message.md"
+          git push --set-upstream origin vex/${CVE_ID}
+          gh pr create --base main --fill-first

plugins/vex/vex.py

@@ -1,22 +1,31 @@
 import os
-import sys
 import json
 from re import sub
 from uuid import UUID, uuid5
 from hashlib import md5
+from pathlib import Path
 from pelican import signals
 from jsonschema import validate
 import jsonref
 
+def __get_vex_input():
+    input_dir = Path("vex-input")
+    vex_input = []
+    if not input_dir.exists():
+        raise FileNotFoundError("`vex-input` folder not found")
+    for path in sorted(input_dir.glob('*.json')):
+        with path.open('r', encoding='utf-8') as f:
+            data = json.load(f)
+            vex_input.append(data)
+    return vex_input
+
 def pelican_init(pelicanobj):
-    with open('vex-input.json', 'r') as input:
-        vex_input = json.loads(input.read())
+    vex_input = __get_vex_input()
 
     # Our own input format - feel free to change as needed,
     # but remember to also update this plugin and the templates in
     # /themes/solr/templates/security.html
     with open('plugins/vex/schema/vex-input.schema.json', 'r') as file:
-        from pathlib import Path
         loaded = jsonref.load(file, base_uri=Path('./plugins/vex/schema/base').absolute().as_uri())
         validate(vex_input, loaded)
 
@@ -72,10 +81,12 @@ def pelican_init(pelicanobj):
     with open('%s/solr.vex.json' % output_path, 'w') as out:
         json.dump(vex, out, indent=2)
 
+
 def generator_initialized(generator):
-    generator.context["vex"] = json.load(open('vex-input.json'))
+    generator.context["vex"] = __get_vex_input()
     generator.context["sub"] = sub
 
+
 def register():
     """Plugin registration"""
     signals.initialized.connect(pelican_init)

requirements.txt

@@ -15,3 +15,9 @@ livereload~=2.6.3
 
 # Patch for bug https://github.com/pallets/markupsafe/issues/284
 markupsafe~=2.1.5
+
+# VEX generation
+cyclonedx-python-lib==11.5.0
+packageurl-python==0.17.6
+git+https://github.com/vex-generation-toolset/vex-generation-service.git@feat/make-python-package
+PyGithub==2.8.1