feat(rust-crates-advisories): check 3p crates together w/ lock files

Instead of the strict check-all-our-crates, generate a fake Cargo.lock and add it to the report generated by check-all-our-lock-files. check-all-our-crates was a reimplementation of cargo-audit anyways and prevented us from updating the advisory db due to its strict model (failing on any advisory). Change-Id: I264a7f1a5058a527cbc46d26225352ecd437a22b Reviewed-on: https://cl.tvl.fyi/c/depot/+/5230 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
2022-02-04 19:54:53 +01:00 · 2022-02-04 19:54:53 +01:00 · 6c4e447587
commit 6c4e447587
parent f7a0d5a3d0
1 changed files with 20 additions and 74 deletions
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@ -17,6 +17,17 @@ let
  our-crates = lib.filter (v: v ? outPath)
    (builtins.attrValues depot.third_party.rust-crates);

+  our-crates-lock-file = pkgs.writeText "our-crates-Cargo.lock"
+    (lib.concatMapStrings
+      (crate: ''
+        [[package]]
+        name = "${crate.crateName}"
+        version = "${crate.version}"
+        source = "registry+https://github.com/rust-lang/crates.io-index"
+
+      '')
+      our-crates);
+
  check-security-advisory = depot.nix.writers.rustSimple
    {
      name = "parse-security-advisory";
@ -70,73 +81,6 @@ let
  ];


-  check-all-our-crates = depot.nix.runExecline "check-all-our-crates"
-    {
-      stdin = lib.concatStrings
-        (map
-          (crate:
-            depot.nix.netstring.fromString
-              (depot.nix.netstring.fromString crate.crateName
-                + depot.nix.netstring.fromString crate.version))
-          our-crates);
-    } [
-    "if"
-    [
-      "forstdin"
-      "-o"
-      "0"
-      "-Ed"
-      ""
-      "crateNetstring"
-      "multidefine"
-      "-d"
-      ""
-      "$crateNetstring"
-      [ "crate" "crate_version" ]
-      "if"
-      [ depot.tools.eprintf "checking %s, version %s\n" "$crate" "$crate_version" ]
-
-      "ifthenelse"
-      [ bins.s6-test "-d" "${crate-advisories}/\${crate}" ]
-      [
-        # also print the full advisory text if it matches
-        "export"
-        "PRINT_ADVISORY"
-        "1"
-        check-crate-advisory
-        "${crate-advisories}/\${crate}"
-        "$crate"
-        "$crate_version"
-      ]
-      [ depot.tools.eprintf "No advisories found for crate %s\n" "$crate" ]
-      "importas"
-      "-ui"
-      "ret"
-      "?"
-      # put a marker in ./failed to read at the end
-      "ifelse"
-      [ bins.s6-test "$ret" "-eq" "1" ]
-      [ bins.s6-touch "./failed" ]
-      "if"
-      [ depot.tools.eprintf "\n" ]
-      "exit"
-      "$ret"
-    ]
-    "ifelse"
-    [ bins.s6-test "-f" "./failed" ]
-    [
-      "if"
-      [ depot.tools.eprintf "Error: Found active advisories!" ]
-      "exit"
-      "1"
-    ]
-    "importas"
-    "out"
-    "out"
-    bins.s6-touch
-    "$out"
-  ];
-
  lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
    set -u

@ -203,6 +147,13 @@ let
    "-EI"
    "report"
    [
+      "foreground"
+      [
+        lock-file-report
+        "//third_party/rust-crates"
+        our-crates-lock-file
+        "false"
+      ]
      tree-lock-file-report
      "."
    ]
@ -232,13 +183,8 @@ let

 in
 depot.nix.readTree.drvTargets {
-
-  check-all-our-crates =
-    depot.nix.drvSeqL
-      [ test-parsing-all-security-advisories ]
-      check-all-our-crates;
-
  inherit
+    test-parsing-all-security-advisories
    check-crate-advisory
    lock-file-report
    ;
@ -246,7 +192,7 @@ depot.nix.readTree.drvTargets {

  tree-lock-file-report = tree-lock-file-report // {
    meta.ci.extraSteps.run = {
-      label = "Check Cargo.lock files in depot for advisories";
+      label = "Check all crates used in depot for advisories";
      alwaysRun = true;
      command = check-all-our-lock-files;
    };