style: format entire depot with nixpkgs-fmt

This CL can be used to compare the style of nixpkgs-fmt against other
formatters (nixpkgs, alejandra).

Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: lukegb <lukegb@tvl.fyi>
Reviewed-by: wpcarro <wpcarro@gmail.com>
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: kanepyork <rikingcoding@gmail.com>
Reviewed-by: tazjin <tazjin@tvl.su>
Reviewed-by: cynthia <cynthia@tvl.fyi>
Reviewed-by: edef <edef@edef.eu>
Reviewed-by: eta <tvl@eta.st>
Reviewed-by: grfn <grfn@gws.fyi>
Vincent Ambo 2022-01-30 19:06:58 +03:00 committed by tazjin
parent 2d10d60fac
commit aa122cbae7
310 changed files with 7278 additions and 5490 deletions


@ -33,7 +33,7 @@ let
symphorien
erictapen
expipiplus1
;
;
};
# buildRustPackage handling
@ -55,24 +55,25 @@ let
extractCargoLock = drv:
if !(drv ? cargoDeps.outPath)
then null
else pkgs.runCommandNoCC "${drv.name}-Cargo.lock" {} ''
if test -d "${drv.cargoDeps}"; then
cp "${drv.cargoDeps}/Cargo.lock" "$out"
fi
else
pkgs.runCommandNoCC "${drv.name}-Cargo.lock" { } ''
if test -d "${drv.cargoDeps}"; then
cp "${drv.cargoDeps}/Cargo.lock" "$out"
fi
if test -f "${drv.cargoDeps}"; then
tar -xO \
--no-wildcards-match-slash --wildcards \
-f "${drv.cargoDeps}" \
'*/Cargo.lock' \
> "$out"
fi
'';
if test -f "${drv.cargoDeps}"; then
tar -xO \
--no-wildcards-match-slash --wildcards \
-f "${drv.cargoDeps}" \
'*/Cargo.lock' \
> "$out"
fi
'';
# nixpkgs traversal
# Condition for us to recurse: Either at top-level or recurseForDerivation.
recurseInto = path: x: path == [] ||
recurseInto = path: x: path == [ ] ||
(lib.isAttrs x && (x.recurseForDerivations or false));
# Returns the value or false if an eval error occurs.
@ -97,46 +98,69 @@ let
doRec = tryEvalOrFalse (recurseInto path x);
isRust = tryEvalOrFalse (isRustPackage x);
in
if doRec then lib.concatLists (
lib.mapAttrsToList (n: go (path ++ [ n ])) x
) else if isDrv && isRust then [
{
attr = path;
lock = extractCargoLock x;
maintainers = x.meta.maintainers or [];
}
] else [];
in go [];
if doRec then
lib.concatLists
(
lib.mapAttrsToList (n: go (path ++ [ n ])) x
) else if isDrv && isRust then [
{
attr = path;
lock = extractCargoLock x;
maintainers = x.meta.maintainers or [ ];
}
] else [ ];
in
go [ ];
# Report generation and formatting
reportFor = { attr, lock, maintainers ? [] }: let
# naïve attribute path to Nix syntax conversion
strAttr = lib.concatStringsSep "." attr;
strMaintainers = lib.concatMapStringsSep " " (m: "@${m.github}") (
builtins.filter (x: builtins.elem x maintainerWhitelist) maintainers
);
in
reportFor = { attr, lock, maintainers ? [ ] }:
let
# naïve attribute path to Nix syntax conversion
strAttr = lib.concatStringsSep "." attr;
strMaintainers = lib.concatMapStringsSep " " (m: "@${m.github}") (
builtins.filter (x: builtins.elem x maintainerWhitelist) maintainers
);
in
if lock == null
then pkgs.emptyFile
else depot.nix.runExecline "${strAttr}-vulnerability-report" {} [
"pipeline" [
bins.cargo-audit
"audit" "--json"
"-n" "--db" rustsec-advisory-db
"-f" lock
]
"importas" "out" "out"
"redirfd" "-w" "1" "$out"
bins.jq "-rj" "-f" ./format-audit-result.jq
"--arg" "attr" strAttr
"--arg" "maintainers" strMaintainers
];
else
depot.nix.runExecline "${strAttr}-vulnerability-report" { } [
"pipeline"
[
bins.cargo-audit
"audit"
"--json"
"-n"
"--db"
rustsec-advisory-db
"-f"
lock
]
"importas"
"out"
"out"
"redirfd"
"-w"
"1"
"$out"
bins.jq
"-rj"
"-f"
./format-audit-result.jq
"--arg"
"attr"
strAttr
"--arg"
"maintainers"
strMaintainers
];
# GHMF in issues splits paragraphs on newlines
description = lib.concatMapStringsSep "\n\n" (
builtins.replaceStrings [ "\n" ] [ " " ]
) [
description = lib.concatMapStringsSep "\n\n"
(
builtins.replaceStrings [ "\n" ] [ " " ]
) [
''
The vulnerability report below was generated by
[nixpkgs-crate-holes](https://code.tvl.fyi/tree/users/sterni/nixpkgs-crate-holes)
@ -194,39 +218,63 @@ let
);
in
depot.nix.runExecline "nixpkgs-rust-pkgs-vulnerability-report.md" {
stdin = lib.concatMapStrings (report: "${report}\n") reports;
} [
"importas" "out" "out"
"redirfd" "-w" "1" "$out"
depot.nix.runExecline "nixpkgs-rust-pkgs-vulnerability-report.md"
{
stdin = lib.concatMapStrings (report: "${report}\n") reports;
} [
"importas"
"out"
"out"
"redirfd"
"-w"
"1"
"$out"
# Print introduction paragraph for the issue
"if" [ bins.printf "%s\n\n" description ]
"if"
[ bins.printf "%s\n\n" description ]
# Print all reports
"foreground" [
"forstdin" "-E" "report" bins.cat "$report"
"foreground"
[
"forstdin"
"-E"
"report"
bins.cat
"$report"
]
# Print stats at the end (mostly as a gimmick), we already know how many
# attributes there are and count the attributes with vulnerability by
# finding the number of checkable list entries in the output.
"backtick" "-E" "vulnerableCount" [
"pipeline" [
bins.grep "^- \\[ \\]" "$out"
"backtick"
"-E"
"vulnerableCount"
[
"pipeline"
[
bins.grep
"^- \\[ \\]"
"$out"
]
bins.wc "-l"
bins.wc
"-l"
]
"if" [
"if"
[
bins.printf
"\n%s of %s checked attributes have vulnerable dependencies.\n\n"
"$vulnerableCount"
(toString (builtins.length reports))
]
"if" [
bins.printf "%s\n\n" runInstructions
"if"
[
bins.printf
"%s\n\n"
runInstructions
]
];
singleReport =
{ # Attribute to check: string or list of strings (attr path)
{
# Attribute to check: string or list of strings (attr path)
attr
# Path to importable nixpkgs checkout
, nixpkgsPath
@ -241,37 +289,63 @@ let
strAttr = lib.concatStringsSep "." attr';
in
depot.nix.runExecline "${strAttr}-report.html" {} [
"importas" "out" "out"
"backtick" "-I" "-E" "-N" "report" [
bins.cargo-audit "audit"
depot.nix.runExecline "${strAttr}-report.html" { } [
"importas"
"out"
"out"
"backtick"
"-I"
"-E"
"-N"
"report"
[
bins.cargo-audit
"audit"
"--quiet"
"-n" "--db" rustsec-advisory-db
"-f" lockFile
"-n"
"--db"
rustsec-advisory-db
"-f"
lockFile
]
"pipeline" [
"ifte" [
bins.printf "%s" "$report"
] [
bins.printf "%s\n" "No vulnerabilities found"
"pipeline"
[
"ifte"
[
bins.printf
"%s"
"$report"
]
bins.test "-n" "$report"
[
bins.printf
"%s\n"
"No vulnerabilities found"
]
bins.test
"-n"
"$report"
]
"pipeline" [
bins.tee "/dev/stderr"
"pipeline"
[
bins.tee
"/dev/stderr"
]
"redirfd" "-w" "1" "$out"
"redirfd"
"-w"
"1"
"$out"
bins.ansi2html
];
in {
in
{
full = reportForNixpkgs;
single = singleReport;
inherit
extractCargoLock
allLockFiles
;
;
# simple sanity check, doesn't cover everything, but testing the full report
# is quite expensive in terms of evaluation.