refactor(rust-crates-advisory): move report generation into script

This script is somewhat usable by humans (it even has a help screen!)
and can be reused in //users/sterni/nixpkgs-crate-holes. We are using
bash since that allows us to exit with the actual exit code of
cargo-audit - something that's not possible in execline.

Change-Id: I3331ae8222a20e23b8e30dc920ab48af78f0247c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5228
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
sterni 2022-02-04 17:28:09 +01:00
parent 813e0c0747
commit de62043a74
2 changed files with 43 additions and 50 deletions


@ -136,6 +136,31 @@ let
"$out" "$out"
]; ];
lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
set -u
if test "$#" -lt 2; then
echo "Usage: $0 IDENTIFIER LOCKFILE [CHECKLIST [MAINTAINERS]]" >&2
echo 2>&1
echo " IDENTIFIER Unique string describing the lock file" >&2
echo " LOCKFILE Path to Cargo.lock file" >&2
echo " CHECKLIST Whether to use GHFM checklists in the output (true or false)" >&2
echo " MAINTAINERS List of @names to cc in case of advisories" >&2
exit 100
fi
"${bins.cargo-audit}" audit --json --no-fetch \
--db "${depot.third_party.rustsec-advisory-db}" \
--file "$2" \
| "${bins.jq}" --raw-output --join-output \
--from-file "${./format-audit-result.jq}" \
--arg maintainers "''${4:-}" \
--argjson checklist "''${3:-false}" \
--arg attr "$1"
exit "''${PIPESTATUS[0]}" # inherit exit code from cargo-audit
'';
check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [ check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
"backtick" "backtick"
"-E" "-E"
@ -156,30 +181,10 @@ let
bins.sed bins.sed
"s|^\\.|/|" "s|^\\.|/|"
] ]
"pipeline" lock-file-report
[
bins.cargo-audit
"audit"
"--json"
"-n"
"--db"
depot.third_party.rustsec-advisory-db
"-f"
"$lockFile"
]
bins.jq
"-rj"
"--arg"
"attr"
"$depotPath" "$depotPath"
"--arg" "$lockFile"
"maintainers"
""
"--argjson"
"checklist"
"false" "false"
"-f"
./format-audit-result.jq
] ]
"if" "if"
[ depot.tools.eprintf "%s\n" "$report" ] [ depot.tools.eprintf "%s\n" "$report" ]
@ -227,6 +232,7 @@ depot.nix.readTree.drvTargets {
inherit inherit
check-crate-advisory check-crate-advisory
lock-file-report
; ;
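Review bot: `echo 2>&1` on the second line of the usage block sends the blank line to stdout while every other help line goes to stderr; it should be `echo >&2` so the whole help text lands on one stream. Separately, the script deliberately exits with cargo-audit's status (`PIPESTATUS[0]`), so a failure of the jq formatter — for example a non-JSON `$3` handed to `--argjson checklist` — is silently masked and the caller gets a truncated report with a possibly-zero exit code. Consider validating `$3` against `true`/`false` next to the argument-count check, and surfacing a formatter failure before falling back to cargo-audit's code, e.g. `status=("''${PIPESTATUS[@]}"); test "''${status[1]}" -eq 0 || exit "''${status[1]}"; exit "''${status[0]}"`. A comment such as `# exit status: cargo-audit's, unless the formatter itself failed` would make that contract explicit for the caller in nixpkgs-crate-holes.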


@ -126,37 +126,24 @@ let
then pkgs.emptyFile then pkgs.emptyFile
else else
depot.nix.runExecline "${strAttr}-vulnerability-report" { } [ depot.nix.runExecline "${strAttr}-vulnerability-report" { } [
"pipeline" "foreground"
[ [
bins.cargo-audit "importas"
"audit" "out"
"--json" "out"
"-n" "redirfd"
"--db" "-w"
rustsec-advisory-db "1"
"-f" "$out"
depot.tools.rust-crates-advisory.lock-file-report
strAttr
lock lock
"true"
strMaintainers
] ]
"importas" # ignore exit status of report
"out" "exit"
"out" "0"
"redirfd"
"-w"
"1"
"$out"
bins.jq
"-rj"
"-f"
../../../tools/rust-crates-advisory/format-audit-result.jq
"--arg"
"attr"
strAttr
"--arg"
"maintainers"
strMaintainers
"--argjson"
"checklist"
"true"
]; ];
# GHMF in issues splits paragraphs on newlines # GHMF in issues splits paragraphs on newlines