feat(tools/rust-crates-advisory): also check all our Cargo.locks
check-all-our-lock-files works very similarly to //users/sterni/nixpkgs-crate-holes, even reusing some parts of it, but is much simpler since we don't need to extract the lock files — they are already in tree. It is implemented as a very simple script which just traverses the subtree of the current directory, collecting all warnings. When executing this script in buildkite via extraSteps, it never fails, instead annotating the pipeline run with a warning. Change-Id: I0a0bc26deffe7b20b99f5aa7238fb3c3bb9deb92 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3721 Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
This commit is contained in:
parent
32da9861d5
commit
c3684740ad
1 changed files with 92 additions and 1 deletions
@ -3,8 +3,12 @@
|
|||
let
|
||||
|
||||
bins =
|
||||
depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" ]
|
||||
depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ]
|
||||
// depot.nix.getBins pkgs.lr [ "lr" ]
|
||||
// depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ]
|
||||
// depot.nix.getBins pkgs.jq [ "jq" ]
|
||||
// depot.nix.getBins pkgs.findutils [ "find" ]
|
||||
// depot.nix.getBins pkgs.gnused [ "sed" ]
|
||||
;
|
||||
|
||||
crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates";
|
||||
|
@ -132,6 +136,84 @@ let
|
|||
"$out"
|
||||
];
|
||||
|
||||
check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
|
||||
"backtick"
|
||||
"-E"
|
||||
"report"
|
||||
[
|
||||
"pipeline"
|
||||
[ bins.find "." "-name" "Cargo.lock" "-and" "-type" "f" "-print0" ]
|
||||
"forstdin"
|
||||
"-E"
|
||||
"-0"
|
||||
"lockFile"
|
||||
"backtick"
|
||||
"-E"
|
||||
"depotPath"
|
||||
[
|
||||
"pipeline"
|
||||
[ bins.s6-dirname "$lockFile" ]
|
||||
bins.sed
|
||||
"s|^\\.|/|"
|
||||
]
|
||||
"pipeline"
|
||||
[
|
||||
bins.cargo-audit
|
||||
"audit"
|
||||
"--json"
|
||||
"-n"
|
||||
"--db"
|
||||
depot.third_party.rustsec-advisory-db
|
||||
"-f"
|
||||
"$lockFile"
|
||||
]
|
||||
bins.jq
|
||||
"-rj"
|
||||
"--arg"
|
||||
"attr"
|
||||
"$depotPath"
|
||||
"--arg"
|
||||
"maintainers"
|
||||
""
|
||||
"-f"
|
||||
../../users/sterni/nixpkgs-crate-holes/format-audit-result.jq
|
||||
]
|
||||
"if"
|
||||
[ depot.tools.eprintf "%s\n" "$report" ]
|
||||
"ifelse"
|
||||
[ bins.s6-test "-z" "$report" ]
|
||||
# empty report implies success (no advisories)
|
||||
[ "exit" "0" ]
|
||||
# If we reach this point, we know that the report is non-empty, so we should
|
||||
# only continue without one if we are running in buildkite.
|
||||
"if"
|
||||
[
|
||||
"importas"
|
||||
"-D"
|
||||
""
|
||||
"BUILDKITE_BUILD_ID"
|
||||
"BUILDKITE_BUILD_ID"
|
||||
bins.s6-test
|
||||
"-n"
|
||||
"$BUILDKITE_BUILD_ID"
|
||||
]
|
||||
# If we're running in buildkite, annotate the pipeline run with the report
|
||||
# as a warning. Only fail if something goes wrong with buildkite-agent
|
||||
# which is assumed to be in PATH.
|
||||
"pipeline"
|
||||
[
|
||||
"printf"
|
||||
"%s"
|
||||
"$report"
|
||||
]
|
||||
"buildkite-agent"
|
||||
"annotate"
|
||||
"--style"
|
||||
"warning"
|
||||
"--context"
|
||||
"check-all-our-lock-files"
|
||||
];
|
||||
|
||||
in
|
||||
depot.nix.readTree.drvTargets {
|
||||
|
||||
|
@ -143,4 +225,13 @@ depot.nix.readTree.drvTargets {
|
|||
inherit
|
||||
check-crate-advisory
|
||||
;
|
||||
|
||||
|
||||
check-all-our-lock-files = check-all-our-lock-files // {
|
||||
meta.ci.extraSteps.run = {
|
||||
label = "Check Cargo.lock files in depot for advisories";
|
||||
alwaysRun = true;
|
||||
command = check-all-our-lock-files;
|
||||
};
|
||||
};
|
||||
}
|
||||
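Review bot: The inner `pipeline` around the cargo-audit call discards cargo-audit's exit status — execline's `pipeline` exits with the status of the last program, here `jq` — so a run in which cargo-audit fails for a reason unrelated to advisories (an unparseable lock file, a wrong `--db` path, a crash) feeds jq empty input, yields an empty `$report`, and takes the `[ "exit" "0" ]` branch exactly as a clean audit would; whether the outer `backtick -E report` would surface such a failure depends on backtick's default failure handling, which should be confirmed. This matters because cargo-audit also exits non-zero when advisories are found, so the status alone cannot separate "vulnerable" from "broken", and the silent pass reaches the `alwaysRun = true` CI step introduced in the last hunk. One approach is to make the jq filter (or a small wrapper before it) emit an explicit marker for the no-advisories case so that genuinely empty output can be treated as a tool failure; at minimum the comment should read `# empty report implies success (no advisories) — NOTE: an empty report is also what a failed cargo-audit invocation produces, since pipeline drops the upstream exit code`. The enclosing `let` block starts before the first hunk.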