refactor(rust-crates-advisory): move report generation into script
This script is somewhat usable by humans (it even has a help screen!) and can be reused in //users/sterni/nixpkgs-crate-holes. We are using bash since that allows us to exit with the actual exit code of cargo-audit - something that's not possible in execline. Change-Id: I3331ae8222a20e23b8e30dc920ab48af78f0247c Reviewed-on: https://cl.tvl.fyi/c/depot/+/5228 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de>
This commit is contained in:
parent
813e0c0747
commit
de62043a74
2 changed files with 43 additions and 50 deletions
|
@ -136,6 +136,31 @@ let
|
||||||
"$out"
|
"$out"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
|
||||||
|
set -u
|
||||||
|
|
||||||
|
if test "$#" -lt 2; then
|
||||||
|
echo "Usage: $0 IDENTIFIER LOCKFILE [CHECKLIST [MAINTAINERS]]" >&2
|
||||||
|
echo 2>&1
|
||||||
|
echo " IDENTIFIER Unique string describing the lock file" >&2
|
||||||
|
echo " LOCKFILE Path to Cargo.lock file" >&2
|
||||||
|
echo " CHECKLIST Whether to use GHFM checklists in the output (true or false)" >&2
|
||||||
|
echo " MAINTAINERS List of @names to cc in case of advisories" >&2
|
||||||
|
exit 100
|
||||||
|
fi
|
||||||
|
|
||||||
|
"${bins.cargo-audit}" audit --json --no-fetch \
|
||||||
|
--db "${depot.third_party.rustsec-advisory-db}" \
|
||||||
|
--file "$2" \
|
||||||
|
| "${bins.jq}" --raw-output --join-output \
|
||||||
|
--from-file "${./format-audit-result.jq}" \
|
||||||
|
--arg maintainers "''${4:-}" \
|
||||||
|
--argjson checklist "''${3:-false}" \
|
||||||
|
--arg attr "$1"
|
||||||
|
|
||||||
|
exit "''${PIPESTATUS[0]}" # inherit exit code from cargo-audit
|
||||||
|
'';
|
||||||
|
|
||||||
check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
|
check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
|
||||||
"backtick"
|
"backtick"
|
||||||
"-E"
|
"-E"
|
||||||
|
@ -156,30 +181,10 @@ let
|
||||||
bins.sed
|
bins.sed
|
||||||
"s|^\\.|/|"
|
"s|^\\.|/|"
|
||||||
]
|
]
|
||||||
"pipeline"
|
lock-file-report
|
||||||
[
|
|
||||||
bins.cargo-audit
|
|
||||||
"audit"
|
|
||||||
"--json"
|
|
||||||
"-n"
|
|
||||||
"--db"
|
|
||||||
depot.third_party.rustsec-advisory-db
|
|
||||||
"-f"
|
|
||||||
"$lockFile"
|
|
||||||
]
|
|
||||||
bins.jq
|
|
||||||
"-rj"
|
|
||||||
"--arg"
|
|
||||||
"attr"
|
|
||||||
"$depotPath"
|
"$depotPath"
|
||||||
"--arg"
|
"$lockFile"
|
||||||
"maintainers"
|
|
||||||
""
|
|
||||||
"--argjson"
|
|
||||||
"checklist"
|
|
||||||
"false"
|
"false"
|
||||||
"-f"
|
|
||||||
./format-audit-result.jq
|
|
||||||
]
|
]
|
||||||
"if"
|
"if"
|
||||||
[ depot.tools.eprintf "%s\n" "$report" ]
|
[ depot.tools.eprintf "%s\n" "$report" ]
|
||||||
|
@ -227,6 +232,7 @@ depot.nix.readTree.drvTargets {
|
||||||
|
|
||||||
inherit
|
inherit
|
||||||
check-crate-advisory
|
check-crate-advisory
|
||||||
|
lock-file-report
|
||||||
;
|
;
|
||||||
|
|
||||||
|
|
||||||
|
|
|
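Review bot: `exit "''${PIPESTATUS[0]}"` at the end of the lock-file-report script propagates only cargo-audit's status, so a failing jq stage — for instance `--argjson checklist` receiving anything that is not valid JSON, which the script never validates even though its help text promises "true or false" — is masked, and the caller receives a truncated or empty report together with the audit's exit code; with only `set -u` and no `set -o pipefail` nothing else catches this. Capturing both statuses and failing on the jq one first would close the gap: `status=("''${PIPESTATUS[@]}")`, `[ "''${status[1]}" -eq 0 ] || exit "''${status[1]}"`, `exit "''${status[0]}"`, and a `case "''${3:-false}" in true|false) ;; *) exit 100 ;; esac` before the pipeline would reject a bad CHECKLIST up front rather than leaving it to jq. Separately, the blank line in the usage block is written `echo 2>&1`, which sends it to stdout (the report stream) instead of stderr like the surrounding lines; it should read `echo >&2`. The `lock-file-report` binding is complete within the first hunk, but the enclosing `let` block starts and ends outside it.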
@ -126,17 +126,8 @@ let
|
||||||
then pkgs.emptyFile
|
then pkgs.emptyFile
|
||||||
else
|
else
|
||||||
depot.nix.runExecline "${strAttr}-vulnerability-report" { } [
|
depot.nix.runExecline "${strAttr}-vulnerability-report" { } [
|
||||||
"pipeline"
|
"foreground"
|
||||||
[
|
[
|
||||||
bins.cargo-audit
|
|
||||||
"audit"
|
|
||||||
"--json"
|
|
||||||
"-n"
|
|
||||||
"--db"
|
|
||||||
rustsec-advisory-db
|
|
||||||
"-f"
|
|
||||||
lock
|
|
||||||
]
|
|
||||||
"importas"
|
"importas"
|
||||||
"out"
|
"out"
|
||||||
"out"
|
"out"
|
||||||
|
@ -144,19 +135,15 @@ let
|
||||||
"-w"
|
"-w"
|
||||||
"1"
|
"1"
|
||||||
"$out"
|
"$out"
|
||||||
bins.jq
|
depot.tools.rust-crates-advisory.lock-file-report
|
||||||
"-rj"
|
|
||||||
"-f"
|
|
||||||
../../../tools/rust-crates-advisory/format-audit-result.jq
|
|
||||||
"--arg"
|
|
||||||
"attr"
|
|
||||||
strAttr
|
strAttr
|
||||||
"--arg"
|
lock
|
||||||
"maintainers"
|
|
||||||
strMaintainers
|
|
||||||
"--argjson"
|
|
||||||
"checklist"
|
|
||||||
"true"
|
"true"
|
||||||
|
strMaintainers
|
||||||
|
]
|
||||||
|
# ignore exit status of report
|
||||||
|
"exit"
|
||||||
|
"0"
|
||||||
];
|
];
|
||||||
|
|
||||||
# GHMF in issues splits paragraphs on newlines
|
# GHMF in issues splits paragraphs on newlines
|
||||||
|
|
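Review bot: The trailing `exit 0` after the `foreground` block discards every failure of lock-file-report, not only cargo-audit's nonzero status for found advisories: a lock file cargo-audit cannot read, or the script's own argument check exiting 100, now leaves `$out` empty while the derivation succeeds, and a later step apparently treats whatever is in `$out` as the report. This was arguably already the behaviour with the previous `pipeline`, but the new code makes it deliberate, so the comment should say why: `# cargo-audit exits nonzero when it finds advisories; the report itself is the product, so do not fail the build on that`. If cargo-audit signals tool errors with an exit status distinct from "advisories found" — to be confirmed against its documentation — only the latter should be mapped to 0 here so that a broken audit does not read as a clean one. The `depot.nix.runExecline` call this sits in starts outside the hunk.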