tools/cve: Fix empty data dir case (envoyproxy#41313)

phlax · phlax · commit 10e56d75b560 · 2025-10-01T15:40:32.000+01:00
Signed-off-by: Ryan Northey &lt;ryan@synca.io&gt;
diff --git a/.bazelrc b/.bazelrc
@@ -582,6 +582,8 @@ common:remote-envoy-engflow --config=rbe-envoy-engflow
 common:remote-cache-envoy-engflow --config=common-envoy-engflow
 common:remote-cache-envoy-engflow --config=cache-envoy-engflow
 
+common:cves --//tools/dependency:cve-data=//tools/dependency:cve-data-dir
+
 # Specifies the rustfmt.toml for all rustfmt_test targets.
 build --@rules_rust//rust/settings:rustfmt.toml=//:rustfmt.toml
 
diff --git a/.github/workflows/_cve_scan.yml b/.github/workflows/_cve_scan.yml
@@ -42,4 +42,4 @@ jobs:
           "${{ steps.vars.outputs.cve-data-path }}"
     - name: Run CVE dependency scanner
       run: |
-        bazel test --config=ci //tools/dependency:cve_test
+        bazel test --config=ci --config=cves //tools/dependency:cve_test
diff --git a/tools/dependency/BUILD b/tools/dependency/BUILD
@@ -155,11 +155,29 @@ envoy_genjson(
 )
 
 filegroup(
-    name = "cve-data",
+    name = "cve-data-dir",
     srcs = glob(["cve_data/*.json"]),
     visibility = ["//visibility:public"],
 )
 
+genrule(
+    name = "placeholder",
+    outs = ["PLACEHOLDER.txt"],
+    cmd = "echo '' > $@",
+)
+
+filegroup(
+    name = "empty-directory",
+    srcs = [":placeholder"],  # default fallback
+    visibility = ["//visibility:public"],
+)
+
+label_flag(
+    name = "cve-data",
+    build_setting_default = ":empty-directory",
+    visibility = ["//visibility:public"],
+)
+
 sh_binary(
     name = "cves",
     srcs = ["cves.sh"],
@@ -195,6 +213,18 @@ genrule(
     export JQ_VERSION_UTILS="$(location :version.jq)"
     export CVES_IGNORED="$(location :ignored-cves.json)"
     export CVES="$(locations :cve-data)"
+    read -ra CVELIST <<< "$$CVES"
+    HAS_JSON=false
+    for f in "$${CVELIST[@]}"; do
+        if [[ "$$f" == *.json ]]; then
+            HAS_JSON=true
+            break
+        fi
+    done
+    if [[ "$$HAS_JSON" != true ]]; then
+        echo "No CVE data set, perhaps use --config=cves?" >&2
+        exit 1
+    fi
     $(location :cves) \
       > $@ || :
     """,
diff --git a/tools/dependency/cves.sh b/tools/dependency/cves.sh
@@ -31,6 +31,17 @@ JQ_VERSION_LIBDIR="$(dirname "$JQ_VERSION_UTILS")"
 
 read -ra CVES <<< "$CVES"
 
+for f in "${CVES[@]}"; do
+    if [[ "$f" == *.json ]]; then
+        HAS_JSON=true
+        break
+    fi
+done
+if [[ "$HAS_JSON" != true ]]; then
+    echo "No CVE data set, perhaps use --config=cves?" >&2
+    exit 1
+fi
+
 parse_cves () {
     # Stream the cves checking against the deps and then slurp the results into a single json object
     # cat "${CVEPATH}/"*.json \
