chore(tools/rust-crates-advisory): move custom checker to user dir
Profpatsch originally implemented an advisory checker from scratch in Rust. We now ended up just using cargo-audit for the global checks exposed via CI and the custom implementation is unused. To clean up //tools/rust-crates-advisory a bit, we can move the unused parts to his user directory. Change-Id: Iacbd27c163edd07c804220fd1b3569c23aebd3e7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7171 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de>
This commit is contained in:
parent
d92ca10990
commit
8699370fae
3 changed files with 69 additions and 60 deletions
|
@ -3,16 +3,12 @@
|
|||
let
|
||||
|
||||
bins =
|
||||
depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ]
|
||||
// depot.nix.getBins pkgs.lr [ "lr" ]
|
||||
// depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ]
|
||||
depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ]
|
||||
// depot.nix.getBins pkgs.jq [ "jq" ]
|
||||
// depot.nix.getBins pkgs.findutils [ "find" ]
|
||||
// depot.nix.getBins pkgs.gnused [ "sed" ]
|
||||
;
|
||||
|
||||
crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates";
|
||||
|
||||
our-crates = lib.filter (v: v ? outPath)
|
||||
(builtins.attrValues depot.third_party.rust-crates);
|
||||
|
||||
|
@ -27,59 +23,6 @@ let
|
|||
'')
|
||||
our-crates);
|
||||
|
||||
check-security-advisory = depot.nix.writers.rustSimple
|
||||
{
|
||||
name = "parse-security-advisory";
|
||||
dependencies = [
|
||||
depot.third_party.rust-crates.toml
|
||||
depot.third_party.rust-crates.semver
|
||||
];
|
||||
}
|
||||
(builtins.readFile ./check-security-advisory.rs);
|
||||
|
||||
# $1 is the directory with advisories for crate $2 with version $3
|
||||
check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [
|
||||
"pipeline"
|
||||
[ bins.lr "-0" "-t" "depth == 1" "$1" ]
|
||||
"forstdin"
|
||||
"-0"
|
||||
"-Eo"
|
||||
"0"
|
||||
"advisory"
|
||||
"if"
|
||||
[ depot.tools.eprintf "advisory %s\n" "$advisory" ]
|
||||
check-security-advisory
|
||||
"$advisory"
|
||||
"$3"
|
||||
];
|
||||
|
||||
# Run through everything in the `crate-advisories` repository
|
||||
# and check whether we can parse all the advisories without crashing.
|
||||
test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" { } [
|
||||
"pipeline"
|
||||
[ bins.lr "-0" "-t" "depth == 1" crate-advisories ]
|
||||
"if"
|
||||
[
|
||||
# this will succeed as long as check-crate-advisory doesn’t `panic!()` (status 101)
|
||||
"forstdin"
|
||||
"-0"
|
||||
"-E"
|
||||
"-x"
|
||||
"101"
|
||||
"crate_advisories"
|
||||
check-crate-advisory
|
||||
"$crate_advisories"
|
||||
"foo"
|
||||
"0.0.0"
|
||||
]
|
||||
"importas"
|
||||
"out"
|
||||
"out"
|
||||
bins.s6-touch
|
||||
"$out"
|
||||
];
|
||||
|
||||
|
||||
lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
|
||||
set -u
|
||||
|
||||
|
@ -161,8 +104,6 @@ let
|
|||
in
|
||||
depot.nix.readTree.drvTargets {
|
||||
inherit
|
||||
test-parsing-all-security-advisories
|
||||
check-crate-advisory
|
||||
lock-file-report
|
||||
;
|
||||
|
||||
|
|
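--- /dev/null
+++ b/users/Profpatsch/check-crate-advisory/default.nix
@@ -0,0 +1,68 @@
+{ pkgs, depot, lib, ... }:
+
+let
+bins =
+depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ]
+// depot.nix.getBins pkgs.lr [ "lr" ]
+;
+crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates";
+
+check-security-advisory = depot.nix.writers.rustSimple
+{
+name = "parse-security-advisory";
+dependencies = [
+depot.third_party.rust-crates.toml
+depot.third_party.rust-crates.semver
+];
+}
+(builtins.readFile ./check-security-advisory.rs);
+
+# $1 is the directory with advisories for crate $2 with version $3
+check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [
+"pipeline"
+[ bins.lr "-0" "-t" "depth == 1" "$1" ]
+"forstdin"
+"-0"
+"-Eo"
+"0"
+"advisory"
+"if"
+[ depot.tools.eprintf "advisory %s\n" "$advisory" ]
+check-security-advisory
+"$advisory"
+"$3"
+];
+
+# Run through everything in the `crate-advisories` repository
+# and check whether we can parse all the advisories without crashing.
+test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" { } [
+"pipeline"
+[ bins.lr "-0" "-t" "depth == 1" crate-advisories ]
+"if"
+[
+# this will succeed as long as check-crate-advisory doesn’t `panic!()` (status 101)
+"forstdin"
+"-0"
+"-E"
+"-x"
+"101"
+"crate_advisories"
+check-crate-advisory
+"$crate_advisories"
+"foo"
+"0.0.0"
+]
+"importas"
+"out"
+"out"
+bins.s6-touch
+"$out"
+];
+in
+
+depot.nix.readTree.drvTargets {
+inherit
+check-crate-advisory
+test-parsing-all-security-advisories
+;
+}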
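Review bot: The `bins` set in the new file binds seven s6-portable-utils tools, but only `bins.s6-touch` and `bins.lr` are referenced anywhere in it, so the remaining six are dead weight carried over from the shared tool; `depot.nix.getBins pkgs.s6-portable-utils [ "s6-touch" ]` is all this file needs. Nothing in the file says why it lives here now that the CI check uses cargo-audit, so a header comment along the lines of `# Custom advisory parser moved out of //tools/rust-crates-advisory; not used by CI, which runs cargo-audit instead.` would save the next reader a trip to the commit log. The comment on `check-crate-advisory` documents `$2` as the crate name and `readNArgs = 3` consumes it, but only `$advisory` and `$3` are passed on to `check-security-advisory`; if the name is intentionally unused, the comment should say so rather than imply it is checked.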