Merge virusTotal

nvdaes · May 27, 2024 · 1330530 · 1330530
1 parent 720c8d3
commit 1330530
Show file tree

Hide file tree

Showing 3 changed files with 145 additions and 5 deletions.
diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml
@@ -15,6 +15,9 @@ on:
       issueTitle:
         required: true
         type: string
+    secrets:
+      virusTotalApiKey:
+        required: true
 
 jobs:
   getAddonId:
@@ -225,11 +228,103 @@ jobs:
       uses: peter-evans/close-issue@v3
       with:
         issue-number: ${{ inputs.issueNumber }}
-  codeQL-analysis:
+
+  virusTotal-analysis:
     needs: createPullRequest
+    runs-on: windows-latest
+    strategy:
+      matrix:
+        python-version: [ 3.11 ]
+    permissions:
+      contents: read
+      issues: write
+    env:
+      API_KEY: ${{ secrets.virusTotalApiKey }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Download add-on metadata
+        uses: actions/download-artifact@v4
+        with:
+          name: addonMetadata
+      - name: Install virusTotal
+        run: choco install vt-cli
+      - name: Set Virus Total analysis status
+        id: setVirusTotalAnalysisStatus
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const setVirusTotalAnalysisStatus = require('./.github/workflows/virusTotalAnalysis.js')
+            setVirusTotalAnalysisStatus({core})
+      - name: Upload results
+        id: uploadResults
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: VirusTotal
+          path: vt.json
+          overwrite: true
+      - name: Upload manual approval
+        id: uploadManualApproval
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: manualApproval
+          path: reviewedAddons.json
+          overwrite: true
+      - name: Warn if analysis fails
+        if: failure()
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ inputs.issueNumber }}
+          body: |
+            VirusTotal has flagged this add-on as malicious.
+            You can open this link and [see the results of the analysis](${{ steps.setVirusTotalAnalysisStatus.outputs.analysisUrl }}).
+            Please contact the flagged security vendors to get them to review and unflag the false positive.
+            Please ask here or email info@nvaccess.org if you need assistance with this process.
+  codeQL-analysis:
+    needs: [createPullRequest]
     uses: ./.github/workflows/codeql-analysis.yml
+  createManualApproval:
+    needs: [getAddonId, virusTotal-analysis, codeQL-analysis]
+    if: ${{ always() && contains(join(needs.*.result, ','), 'failure') }}
+    runs-on: windows-latest
+    strategy:
+      matrix:
+        python-version: [ 3.11 ]
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
+      - name: Create pull request
+        id: cpr
+        uses: peter-evans/create-pull-request@v6
+        with:
+          add-paths: reviewedAddons.json
+          title: Add reviewed add-on (${{ needs.getAddonId.outputs.addonId }})
+          branch: reviewedAddon${{ github.event.issue.number }}
+          commit-message: Add reviewed add-on (${{ needs.getAddonId.outputs.addonId }})
+          body: |
+            This add-on needs to be reviewed by NV Access due to analysis failure.
+            Review ${{ inputs.issueNumber }} for more information.
+          author: github-actions <github-actions@github.com>
+          delete-branch: true
+      - name: Request to keep issue opened
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ inputs.issueNumber }}
+          body: |
+            Please, don't close this issue.
+            Wait until #${{ steps.cpr.outputs.pull-request-number }} is merged.
   mergeToMaster:
-    needs: [getAddonId, createPullRequest, codeQL-analysis]
+    needs: [getAddonId, createPullRequest, codeQL-analysis, virusTotal-analysis]
     permissions:
       contents: write
       pull-requests: write

diff --git a/.github/workflows/sendJsonFile.yml b/.github/workflows/sendJsonFile.yml
@@ -81,16 +81,21 @@ jobs:
         cd datastore
         git config user.name github-actions
         git config user.email github-actions@github.com
-        git checkout -b ${{ github.event.issue.user.login }}${{ steps.get-data.outputs.issueNumber }}
-        git pull
+        git checkout -b ${{ github.event.sender.login }}${{ steps.get-data.outputs.issueNumber }}
         git add .
         git commit -m "Submit add-on"
-        git push origin ${{ github.event.issue.user.login }}${{ steps.get-data.outputs.issueNumber }}
+        git push origin ${{ github.event.sender.login }}${{ steps.get-data.outputs.issueNumber }}
     - name: Upload add-on
       uses: actions/upload-artifact@v4
       with:
         name: addon
         path: addon.nvda-addon
+    - name: Install VirusTotal
+      run: choco install vt-cli
+    - name: Scan add-on with VirusTotal    
+      env:
+        API_KEY: ${{ secrets.virusTotalApiKey }}
+      run: vt scan file -k $env:API_KEY addon.nvda-addon
   call-workflow-passing-data:
     needs: check-addon
     uses: ./.github/workflows/checkAndSubmitAddonMetadata.yml
@@ -99,3 +104,5 @@ jobs:
       issueAuthorId: ${{ github.event.issue.user.id }}
       issueAuthorName: ${{ github.event.issue.user.login }}
       issueTitle: ${{ github.event.issue.title }}
+    secrets:
+      virusTotalApiKey: ${{ secrets.virusTotalApiKey }}
diff --git a/.github/workflows/virusTotalAnalysis.js b/.github/workflows/virusTotalAnalysis.js
@@ -0,0 +1,38 @@
+module.exports = ({core}) => {
+  const fs = require('fs');
+  const { exec } = require('child_process');
+  const addonMetadataContents = fs.readFileSync('addonMetadata.json');
+  const addonMetadata = JSON.parse(addonMetadataContents);
+  const addonId = addonMetadata.addonId;
+  core.setOutput('addonId', addonId);
+  const sha256 = addonMetadata.sha256;
+  const analysisUrl = `https://www.virustotal.com/gui/file/${sha256}`;
+  console.log(analysisUrl);
+  core.setOutput('analysisUrl', analysisUrl);
+  const reviewedAddonsContents = fs.readFileSync('reviewedAddons.json');
+  const reviewedAddonsData = JSON.parse(reviewedAddonsContents);
+  if (reviewedAddonsData[addonId] !== undefined && reviewedAddonsData[addonId].includes(sha256)) {
+    core.info('VirusTotal analysis skipped');
+    return;
+  }
+  exec(`vt file ${sha256} -k ${process.env.API_KEY} --format json`, (err, stdout, stderr) => {
+    console.log(`err: ${err}`);
+    console.log(`stdout: ${stdout}`);
+    console.log(`stderr: ${stderr}`);
+    const vtData = JSON.parse(stdout);
+    fs.writeFileSync('vt.json', stdout);
+    const stats = vtData[0]["last_analysis_stats"];
+    const malicious = stats.malicious;
+    if (malicious === 0) {
+      core.info('VirusTotal analysis succeeded');
+      return;
+    }
+    if (reviewedAddonsData[addonId] === undefined) {
+      reviewedAddonsData[addonId] = [];
+    }
+    reviewedAddonsData[addonId].push(sha256);
+    stringified = JSON.stringify(reviewedAddonsData, null, 2);
+    fs.writeFileSync('reviewedAddons.json', stringified);
+    core.setFailed('VirusTotal analysis failed');
+  });
+};