@@ -40,19 +40,29 @@ jobs:
4040 run : |
4141 set -euo pipefail
4242 IFS=$'\n\t'
43+ # The scan results JSON can be very large (potentially exceeding the
44+ # command-line / ARG_MAX length limit if passed as an argument or as
45+ # an env var expanded on the command line), so the workflow-level
46+ # expansion is written straight to a file via a quoted heredoc.
47+ # The quoted delimiter prevents any runtime shell expansion of
48+ # the JSON contents.
4349 cat > "${RUNNER_TEMP}/new_results.json" <<'__OSV_NEW_RESULTS_EOF__'
4450 ${{ needs.osv-scanner-pr.outputs.new-results }}
4551 __OSV_NEW_RESULTS_EOF__
4652 cat > "${RUNNER_TEMP}/old_results.json" <<'__OSV_OLD_RESULTS_EOF__'
4753 ${{ needs.osv-scanner-pr.outputs.old-results }}
4854 __OSV_OLD_RESULTS_EOF__
55+ # Fail if any vulnerability present in the new results is absent from
56+ # the old results, i.e. the PR introduces it. Read via process
57+ # substitution rather than a pipe so the rc assignment is not lost in
58+ # a subshell, and use a fixed-string match for the exact vuln id.
4959 rc=0
50- jq -r '.results[].packages[].vulnerabilities[].id' "${RUNNER_TEMP}/new_results.json" | while read -r vid; do
51- if grep -q -L -e "\"${vid}\"" "${RUNNER_TEMP}/old_results.json"; then
52- rc=$((rc+1))
53- >&2 echo "error: PR introduces new vulnerabilities ${vid} (see step 'scan > osv-scanner-pr > Run osv-scanner-reporter' for details)"
60+ while read -r vid; do
61+ if ! grep -qF -e "\"${vid}\"" "${RUNNER_TEMP}/old_results.json"; then
62+ rc=1
63+ >&2 echo "error: PR introduces new vulnerability ${vid} (see step 'scan > osv-scanner-pr > Run osv-scanner-reporter' for details)"
5464 fi
55- done
56- if [ "${rc}" -gt 0 ]; then
57- exit "${rc}"
65+ done < <(jq -r '.results[]?.packages[]?.vulnerabilities[]?.id' "${RUNNER_TEMP}/new_results.json")
66+ if [ "${rc}" -ne 0 ]; then
67+ exit 1
5868 fi
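Review bot: The new gate fails open at the process substitution on the `done <` line: if jq fails there (new_results.json unparseable, or empty because the upstream output was never set), `set -e` does not see that exit status, the loop reads nothing, `rc` stays 0 and the step passes. Validate the file first, e.g. `jq -e . "${RUNNER_TEMP}/new_results.json" >/dev/null || { >&2 echo "error: new_results.json is missing or not valid JSON"; exit 1; }`, and if an empty scan output is a legitimate case, handle it explicitly rather than letting it fall through; the same check also catches a truncated file should the written output ever contain the heredoc delimiter line. The `grep -qF` test is a substring match over the whole of old_results.json, so an id that appears anywhere in the old file, not only as a vulnerability `id`, is treated as already known; extracting the id lists from both files with the same jq filter and comparing those would make the check exact. The `run:` block continues past the hunk.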