gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-18 16:01:21 +03:00
Code Issues Packages Projects Releases Wiki Activity

chore: update NVD/GHSA advisories - 27 NVD new, 20 NVD updated (#274)

Browse Source 
* chore: update NVD/GHSA advisories - 27 NVD new, 20 NVD updated

Automated update from NVD CVE and GHSA advisory feeds.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-06-14T07:33:37Z to 2026-06-17T07:44:37.000Z

* fix(skill-release): ignore generated advisory mirror updates

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: David Abutbul <David.a@prompt.security>
This commit is contained in:
github-actions[bot]
2026-06-17 17:24:25 +03:00
committed by GitHub
parent 4a4b547b92
commit 8648aad6d7
9 changed files with 2150 additions and 2564 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/skill-release.yml
+6
View File
@@ -7,6 +7,8 @@ on:
pull_request:
paths:
- 'skills/**'
- '!skills/clawsec-feed/advisories/feed.json'
- '!skills/clawsec-feed/advisories/feed.json.sig'
- '.github/workflows/skill-release.yml'
- 'scripts/ci/**'
- 'scripts/test-skill-*.mjs'
@@ -88,6 +90,8 @@ jobs:
touched_skills_file="$(mktemp)"
git diff --name-only "${BASE_SHA}...${HEAD_SHA}" -- \
'skills/*/**' \
':(exclude)skills/clawsec-feed/advisories/feed.json' \
':(exclude)skills/clawsec-feed/advisories/feed.json.sig' \
':(exclude)skills/*/test/**' \
':(exclude)skills/*/tests/**' \
| awk -F/ '
@@ -410,6 +414,8 @@ jobs:
touched_skills_file="$(mktemp)"
git diff --name-only "${BASE_SHA}...${HEAD_SHA}" -- \
'skills/*/**' \
':(exclude)skills/clawsec-feed/advisories/feed.json' \
':(exclude)skills/clawsec-feed/advisories/feed.json.sig' \
':(exclude)skills/*/test/**' \
':(exclude)skills/*/tests/**' \
| awk -F/ 'NF >= 3 {print $1 "/" $2}' \
advisories/feed.json
+945 -1194
View File
File diff suppressed because it is too large Load Diff
advisories/feed.json.sig
+1 -1
View File
@@ -1 +1 @@
jPrlTYwicRwoQgTs5Rk3Y3g6Lz78jNRs9ZNf0R09M4jkJokZENxfvhvHphI9MH4u+7wv0sFZ+yZbQtJ42y+hCQ==
xKNJ6JgvibenqtGH32KqHZ6XgqBxMGCzVUE4Agf8FNWjUjRC6eY+CMtffQPYNTqXlRzsmo0dpwRfFTwf5M/5AQ==
advisories/ghsa-without-cve.json
+223 -169
View File
File diff suppressed because it is too large Load Diff
advisories/ghsa-without-cve.json.sig
+1 -1
View File
@@ -1 +1 @@
M1Jm4YHXsm0msygmd+XCJBRWMrXIjQfv1Y5v7XS8RCachLQwEzUJ1nhhic6CXxItNLmvgmDjVCMPVdHpnOMqDA==
pmw3QutYARGuNH2evzHY/slVqxsrIGU+JrtS1hr1kOSqo1Md1aVBEA0tsNoQ+SkVjNohwGVk/61CcUxeW6WAAA==
scripts/ci/validate_skill_install_docs.mjs
+2
View File
@@ -143,6 +143,8 @@ function changedSkillDirs({ root, base, head }) {
`${base}...${head}`,
"--",
"skills/*/**",
":(exclude)skills/clawsec-feed/advisories/feed.json",
":(exclude)skills/clawsec-feed/advisories/feed.json.sig",
":(exclude)skills/*/test/**",
":(exclude)skills/*/tests/**",
],
scripts/test-skill-release-workflow.mjs
+26 -4
View File
@@ -3,10 +3,12 @@ import { readFile } from 'node:fs/promises';
const workflowPath = new URL('../.github/workflows/skill-release.yml', import.meta.url);
const ciWorkflowPath = new URL('../.github/workflows/ci.yml', import.meta.url);
const validateSkillInstallDocsPath = new URL('./ci/validate_skill_install_docs.mjs', import.meta.url);
const installClawhubCliPath = new URL('./ci/install_clawhub_cli.sh', import.meta.url);
const patchClawhubPayloadPath = new URL('./ci/patch_clawhub_publish_payload.mjs', import.meta.url);
const workflow = await readFile(workflowPath, 'utf8');
const ciWorkflow = await readFile(ciWorkflowPath, 'utf8');
const validateSkillInstallDocs = await readFile(validateSkillInstallDocsPath, 'utf8');
const installClawhubCli = await readFile(installClawhubCliPath, 'utf8');
const patchClawhubPayload = await readFile(patchClawhubPayloadPath, 'utf8');
@@ -16,6 +18,16 @@ assert.match(
'Skill release workflow must run when any skill package file changes',
);
for (const generatedFeedPath of [
'skills/clawsec-feed/advisories/feed.json',
'skills/clawsec-feed/advisories/feed.json.sig',
]) {
assert.ok(
workflow.includes(` - '!${generatedFeedPath}'`),
`Skill release workflow must not run for generated advisory mirror-only changes to ${generatedFeedPath}`,
);
}
assert.match(
workflow,
/pull_request:[\s\S]*paths:[\s\S]*- '\.github\/workflows\/skill-release\.yml'[\s\S]*- 'scripts\/ci\/\*\*'/,
@@ -34,10 +46,20 @@ assert.ok(
assert.match(
workflow,
/git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
'Skill release validation must ignore test-only skill changes while inspecting release-relevant skill files',
/git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json\.sig'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
'Skill release validation must ignore generated clawsec-feed advisory mirror and test-only changes while inspecting release-relevant skill files',
);
for (const generatedFeedPath of [
':(exclude)skills/clawsec-feed/advisories/feed.json',
':(exclude)skills/clawsec-feed/advisories/feed.json.sig',
]) {
assert.ok(
validateSkillInstallDocs.includes(`"${generatedFeedPath}"`),
`Install-doc validation changed-skill detection must ignore generated advisory mirror-only changes to ${generatedFeedPath}`,
);
}
assert.ok(
workflow.includes('name = tolower($NF)')
&& workflow.includes('name ~ /^(test|spec)[_-]/')
@@ -137,8 +159,8 @@ assert.match(
assert.match(
workflow,
/Run release dry-run for changed skills[\s\S]*git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
'PR dry-run SkillSpector scan must run when any release-relevant skill package file changes',
/Run release dry-run for changed skills[\s\S]*git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json\.sig'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
'PR dry-run SkillSpector scan must run when any release-relevant skill package file changes except generated advisory mirror files',
);
assert.ok(
skills/clawsec-feed/advisories/feed.json
+945 -1194
View File
File diff suppressed because it is too large Load Diff
skills/clawsec-feed/advisories/feed.json.sig
+1 -1
View File
@@ -1 +1 @@
jPrlTYwicRwoQgTs5Rk3Y3g6Lz78jNRs9ZNf0R09M4jkJokZENxfvhvHphI9MH4u+7wv0sFZ+yZbQtJ42y+hCQ==
xKNJ6JgvibenqtGH32KqHZ6XgqBxMGCzVUE4Agf8FNWjUjRC6eY+CMtffQPYNTqXlRzsmo0dpwRfFTwf5M/5AQ==