tvl-depot/users/sterni/nixpkgs-crate-holes/format-audit-result.jq

# Link to human-readable advisory info for a given vulnerability
def link:
  [ "https://rustsec.org/advisories/", .advisory.id, ".html" ] | add;

# Format a list of version constraints
def version_list:
  [ .[] | "`" + . + "`" ] | join("; ");

# show paths to fixing this vulnerability:
#
# - if there are patched releases, show them (the version we are using presumably
#   predates the vulnerability discovery, so we likely want to upgrade to a
#   patched release).
# - if there are no patched releases, show the unaffected versions (in case we
#   want to downgrade).
# - otherwise we state that no unaffected versions are available at this time.
#
# This logic should be useful, but is slightly dumber than cargo-audit's
# suggestion when using the non-JSON output.
def patched:
  if .versions.patched == [] then
    if .versions.unaffected != [] then
       "unaffected: " + (.versions.unaffected | version_list)
    else
      "no unaffected version available"
    end
  else
    "patched: " + (.versions.patched | version_list)
  end;

# if the vulnerability has aliases (like CVE-*) emit them in parens
def aliases:
  if .advisory.aliases == [] then
    ""
  else
    [ " (", (.advisory.aliases | join(", ")), ")" ] | add
  end;

# each vulnerability is rendered as a (normal) sublist item
def format_vulnerability:
  [ "  - "
  , .package.name, " ", .package.version, ": "
  , "[", .advisory.id, "](", link, ")"
  , aliases
  , ", ", patched
  , "\n"
  ] | add;

# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item
if .vulnerabilities.found | not then
  ""
else
  ([ "- [ ] "
   , "`", $attr, "`: "
   , (.vulnerabilities.count | tostring)
   , " vulnerabilities in Cargo.lock"
   , if $maintainers != "" then " (cc " + $maintainers + ")" else "" end
   , "\n"
   ] + (.vulnerabilities.list | map(format_vulnerability))
  ) | add
end
feat(nixpkgs-crate-holes): report vulnerable crates in cargoDeps nixpkgs-crate-holes can build a markdown report detailing all vulnerable crates pinned in cargoDeps vendors in nixpkgs according to RustSec's advisory db. This report is intended to be pasted into a GitHub issue. The report is produced by a derivation and can be obtained like this: nix-build -A users.sterni.nixpkgs-crate-holes.full \ --argstr nixpkgsPath /path/to/nixpkgs Example output: https://gist.github.com/sternenseemann/27509eece93d6eff35cd4b8ce75423b5 Additionally, you can obtain a more verbose report for a single attribute of nixpkgs, in HTML format since we just reuse the command line output of cargo-audit and convert it to HTML using ansi2html: nix-build -A users.sterni.nixpkgs-crate-holes.single \ --argstr nixpkgsPath /path/to/nixpkgs --argstr attr ripgrep Change-Id: Ic1c029ab67770fc41ba521b2acb798628357f9b2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3715 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> 2021-10-10 21:31:53 +02:00			`# Link to human-readable advisory info for a given vulnerability`
			`def link:`
			`[ "https://rustsec.org/advisories/", .advisory.id, ".html" ] \| add;`

			`# Format a list of version constraints`
			`def version_list:`
			[ .[] \| "`" + . + "`" ] \| join("; ");

			`# show paths to fixing this vulnerability:`
			`#`
			`# - if there are patched releases, show them (the version we are using presumably`
			`# predates the vulnerability discovery, so we likely want to upgrade to a`
			`# patched release).`
			`# - if there are no patched releases, show the unaffected versions (in case we`
			`# want to downgrade).`
			`# - otherwise we state that no unaffected versions are available at this time.`
			`#`
			`# This logic should be useful, but is slightly dumber than cargo-audit's`
			`# suggestion when using the non-JSON output.`
			`def patched:`
			`if .versions.patched == [] then`
			`if .versions.unaffected != [] then`
			`"unaffected: " + (.versions.unaffected \| version_list)`
			`else`
			`"no unaffected version available"`
			`end`
			`else`
			`"patched: " + (.versions.patched \| version_list)`
			`end;`

			`# if the vulnerability has aliases (like CVE-*) emit them in parens`
			`def aliases:`
			`if .advisory.aliases == [] then`
			`""`
			`else`
			`[ " (", (.advisory.aliases \| join(", ")), ")" ] \| add`
			`end;`

			`# each vulnerability is rendered as a (normal) sublist item`
			`def format_vulnerability:`
			`[ " - "`
			`, .package.name, " ", .package.version, ": "`
			`, "[", .advisory.id, "](", link, ")"`
			`, aliases`
			`, ", ", patched`
			`, "\n"`
			`] \| add;`

			`# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item`
			`if .vulnerabilities.found \| not then`
			`""`
			`else`
			`([ "- [ ] "`
			, "`", $attr, "`: "
			`, (.vulnerabilities.count \| tostring)`
feat(nixpkgs-crate-holes): cc maintainers allowed by a whitelist Change-Id: Iffbe173a48b466c52669efc70f9b5e5d4a6aff9a Reviewed-on: https://cl.tvl.fyi/c/depot/+/3730 Tested-by: BuildkiteCI Reviewed-by: Alyssa Ross <hi@alyssa.is> Reviewed-by: sterni <sternenseemann@systemli.org> 2021-10-15 20:48:57 +02:00			`, " vulnerabilities in Cargo.lock"`
			`, if $maintainers != "" then " (cc " + $maintainers + ")" else "" end`
			`, "\n"`
feat(nixpkgs-crate-holes): report vulnerable crates in cargoDeps nixpkgs-crate-holes can build a markdown report detailing all vulnerable crates pinned in cargoDeps vendors in nixpkgs according to RustSec's advisory db. This report is intended to be pasted into a GitHub issue. The report is produced by a derivation and can be obtained like this: nix-build -A users.sterni.nixpkgs-crate-holes.full \ --argstr nixpkgsPath /path/to/nixpkgs Example output: https://gist.github.com/sternenseemann/27509eece93d6eff35cd4b8ce75423b5 Additionally, you can obtain a more verbose report for a single attribute of nixpkgs, in HTML format since we just reuse the command line output of cargo-audit and convert it to HTML using ansi2html: nix-build -A users.sterni.nixpkgs-crate-holes.single \ --argstr nixpkgsPath /path/to/nixpkgs --argstr attr ripgrep Change-Id: Ic1c029ab67770fc41ba521b2acb798628357f9b2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3715 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> 2021-10-10 21:31:53 +02:00			`] + (.vulnerabilities.list \| map(format_vulnerability))`
			`) \| add`
			`end`