feat(rust-crates-advisories): check 3p crates together w/ lock files
Instead of the strict check-all-our-crates, generate a fake Cargo.lock and add it to the report generated by check-all-our-lock-files. check-all-our-crates was a reimplementation of cargo-audit anyway, and its strict model (failing on any advisory) prevented us from updating the advisory db. Change-Id: I264a7f1a5058a527cbc46d26225352ecd437a22b Reviewed-on: https://cl.tvl.fyi/c/depot/+/5230 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
This commit is contained in:
parent
f7a0d5a3d0
commit
6c4e447587
1 changed files with 20 additions and 74 deletions
|
@ -17,6 +17,17 @@ let
|
||||||
our-crates = lib.filter (v: v ? outPath)
|
our-crates = lib.filter (v: v ? outPath)
|
||||||
(builtins.attrValues depot.third_party.rust-crates);
|
(builtins.attrValues depot.third_party.rust-crates);
|
||||||
|
|
||||||
|
our-crates-lock-file = pkgs.writeText "our-crates-Cargo.lock"
|
||||||
|
(lib.concatMapStrings
|
||||||
|
(crate: ''
|
||||||
|
[[package]]
|
||||||
|
name = "${crate.crateName}"
|
||||||
|
version = "${crate.version}"
|
||||||
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
|
|
||||||
|
'')
|
||||||
|
our-crates);
|
||||||
|
|
||||||
check-security-advisory = depot.nix.writers.rustSimple
|
check-security-advisory = depot.nix.writers.rustSimple
|
||||||
{
|
{
|
||||||
name = "parse-security-advisory";
|
name = "parse-security-advisory";
|
||||||
|
@ -70,73 +81,6 @@ let
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
||||||
check-all-our-crates = depot.nix.runExecline "check-all-our-crates"
|
|
||||||
{
|
|
||||||
stdin = lib.concatStrings
|
|
||||||
(map
|
|
||||||
(crate:
|
|
||||||
depot.nix.netstring.fromString
|
|
||||||
(depot.nix.netstring.fromString crate.crateName
|
|
||||||
+ depot.nix.netstring.fromString crate.version))
|
|
||||||
our-crates);
|
|
||||||
} [
|
|
||||||
"if"
|
|
||||||
[
|
|
||||||
"forstdin"
|
|
||||||
"-o"
|
|
||||||
"0"
|
|
||||||
"-Ed"
|
|
||||||
""
|
|
||||||
"crateNetstring"
|
|
||||||
"multidefine"
|
|
||||||
"-d"
|
|
||||||
""
|
|
||||||
"$crateNetstring"
|
|
||||||
[ "crate" "crate_version" ]
|
|
||||||
"if"
|
|
||||||
[ depot.tools.eprintf "checking %s, version %s\n" "$crate" "$crate_version" ]
|
|
||||||
|
|
||||||
"ifthenelse"
|
|
||||||
[ bins.s6-test "-d" "${crate-advisories}/\${crate}" ]
|
|
||||||
[
|
|
||||||
# also print the full advisory text if it matches
|
|
||||||
"export"
|
|
||||||
"PRINT_ADVISORY"
|
|
||||||
"1"
|
|
||||||
check-crate-advisory
|
|
||||||
"${crate-advisories}/\${crate}"
|
|
||||||
"$crate"
|
|
||||||
"$crate_version"
|
|
||||||
]
|
|
||||||
[ depot.tools.eprintf "No advisories found for crate %s\n" "$crate" ]
|
|
||||||
"importas"
|
|
||||||
"-ui"
|
|
||||||
"ret"
|
|
||||||
"?"
|
|
||||||
# put a marker in ./failed to read at the end
|
|
||||||
"ifelse"
|
|
||||||
[ bins.s6-test "$ret" "-eq" "1" ]
|
|
||||||
[ bins.s6-touch "./failed" ]
|
|
||||||
"if"
|
|
||||||
[ depot.tools.eprintf "\n" ]
|
|
||||||
"exit"
|
|
||||||
"$ret"
|
|
||||||
]
|
|
||||||
"ifelse"
|
|
||||||
[ bins.s6-test "-f" "./failed" ]
|
|
||||||
[
|
|
||||||
"if"
|
|
||||||
[ depot.tools.eprintf "Error: Found active advisories!" ]
|
|
||||||
"exit"
|
|
||||||
"1"
|
|
||||||
]
|
|
||||||
"importas"
|
|
||||||
"out"
|
|
||||||
"out"
|
|
||||||
bins.s6-touch
|
|
||||||
"$out"
|
|
||||||
];
|
|
||||||
|
|
||||||
lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
|
lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
|
@ -203,6 +147,13 @@ let
|
||||||
"-EI"
|
"-EI"
|
||||||
"report"
|
"report"
|
||||||
[
|
[
|
||||||
|
"foreground"
|
||||||
|
[
|
||||||
|
lock-file-report
|
||||||
|
"//third_party/rust-crates"
|
||||||
|
our-crates-lock-file
|
||||||
|
"false"
|
||||||
|
]
|
||||||
tree-lock-file-report
|
tree-lock-file-report
|
||||||
"."
|
"."
|
||||||
]
|
]
|
||||||
|
@ -232,13 +183,8 @@ let
|
||||||
|
|
||||||
in
|
in
|
||||||
depot.nix.readTree.drvTargets {
|
depot.nix.readTree.drvTargets {
|
||||||
|
|
||||||
check-all-our-crates =
|
|
||||||
depot.nix.drvSeqL
|
|
||||||
[ test-parsing-all-security-advisories ]
|
|
||||||
check-all-our-crates;
|
|
||||||
|
|
||||||
inherit
|
inherit
|
||||||
|
test-parsing-all-security-advisories
|
||||||
check-crate-advisory
|
check-crate-advisory
|
||||||
lock-file-report
|
lock-file-report
|
||||||
;
|
;
|
||||||
|
@ -246,7 +192,7 @@ depot.nix.readTree.drvTargets {
|
||||||
|
|
||||||
tree-lock-file-report = tree-lock-file-report // {
|
tree-lock-file-report = tree-lock-file-report // {
|
||||||
meta.ci.extraSteps.run = {
|
meta.ci.extraSteps.run = {
|
||||||
label = "Check Cargo.lock files in depot for advisories";
|
label = "Check all crates used in depot for advisories";
|
||||||
alwaysRun = true;
|
alwaysRun = true;
|
||||||
command = check-all-our-lock-files;
|
command = check-all-our-lock-files;
|
||||||
};
|
};
|
||||||
|
|
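Review bot: The `our-crates-lock-file` definition in the first hunk stamps every entry of `depot.third_party.rust-crates` with a hard-coded `source = "registry+https://github.com/rust-lang/crates.io-index"`, but nothing in the hunk shows that every crate in that set is actually fetched from the crates.io index; a crate built from another source would be matched against crates.io advisories purely by name and version, which may be intended but is not stated. A comment above the definition along the lines of `# Synthetic Cargo.lock listing only name/version of our third-party crates so lock-file-report can scan them like a real lock file; entries carry no checksum or dependency data and are all attributed to crates.io` would make that assumption explicit for the next reader. In the hunk that adds the `"foreground"` call, the bare `"false"` positional argument passed to `lock-file-report` after `our-crates-lock-file` is opaque at the call site, and the script's definition is outside this page, so a short comment naming what it toggles would help. Because the removed `check-all-our-crates` target failed on any advisory, whether an advisory against one of these crates still fails the `alwaysRun` CI step now depends entirely on `lock-file-report`'s exit status, which is not visible here and is worth recording at the definition.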