We have a bunch of crates in `third_party/rust-crates`; it would be
great if we could check them for existing CVEs.
This tool does that: it takes the Rust security advisory database,
parses the applicable CVEs, and cross-checks them against the actual
crate versions we list in our package database.
The dumb parser we wrote is tested against all entries in the
database, so we will notice when upstream breaks their shit.
Checking the semver stuff is easy enough with the semver crate.
If an advisory matches, it prints the whole thing and fails the build.
Change-Id: I9e912c43d37a685d9d7a4424defc467a171ea3c4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2818
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
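The cross-check this commit describes, as an added example written for this page rather than the depot's own tool (which uses the `semver` crate): a small version/requirement matcher plus the RustSec rule that a crate version is affected unless some `patched` or `unaffected` clause matches it. The names `Advisory` and `matching_advisories`, the single-comparator requirement syntax, and the sample advisory id are assumptions/constructed for the example.

```rust
// Added example, not the depot's tool. Assumes plain x.y.z versions and
// single-comparator requirements (">= 1.2.3", "< 0.4.0", "= 1.0.0");
// caret/tilde/multi-clause ranges are what the semver crate adds.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64); // Ord is lexicographic by field

pub fn parse_version(s: &str) -> Option<Version> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    // Missing minor/patch default to 0; a non-numeric part rejects the version.
    let v = Version(it.next()??, it.next().unwrap_or(Some(0))?, it.next().unwrap_or(Some(0))?);
    if it.next().is_some() { return None; } // more than three components
    Some(v)
}

/// One clause from an advisory's `patched` / `unaffected` list, e.g. ">= 0.7.3".
/// Returns None for syntax this minimal matcher does not understand.
pub fn matches(req: &str, v: Version) -> Option<bool> {
    let req = req.trim();
    // Two-character operators must be tried before their one-character prefixes.
    let (op, rest) = ["<=", ">=", "<", ">", "="]
        .iter()
        .find_map(|op| req.strip_prefix(*op).map(|r| (*op, r)))?;
    let bound = parse_version(rest)?;
    Some(match op {
        "<=" => v <= bound,
        ">=" => v >= bound,
        "<" => v < bound,
        ">" => v > bound,
        _ => v == bound,
    })
}

/// RustSec semantics: a version is affected unless a patched or unaffected
/// clause matches it. None means the version or a clause was unparseable.
pub fn is_affected(version: &str, patched: &[&str], unaffected: &[&str]) -> Option<bool> {
    let v = parse_version(version)?;
    for req in patched.iter().chain(unaffected) {
        if matches(req, v)? { return Some(false); }
    }
    Some(true)
}

/// Hypothetical shape of a parsed advisory (id, crate name, version lists).
pub struct Advisory<'a> { pub id: &'a str, pub package: &'a str, pub patched: &'a [&'a str], pub unaffected: &'a [&'a str] }

/// Cross-check (crate name, version) pairs against the advisories and return the
/// ids that apply; a build check would print each and fail when this is non-empty.
/// Unparseable versions or clauses are skipped here rather than treated as hits.
pub fn matching_advisories<'a>(crates: &[(&str, &str)], advisories: &[Advisory<'a>]) -> Vec<&'a str> {
    advisories.iter()
        .filter(|a| crates.iter().any(|(name, ver)| *name == a.package && is_affected(ver, a.patched, a.unaffected) == Some(true)))
        .map(|a| a.id)
        .collect()
}
```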
Like `eprint-stdin`, but reads stdin as netencode and pretty-prints it
to stderr.
Change-Id: I430c010b0cac45f077cde9dadfd79adfa7a53eca
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2533
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
eprintenv is a debugging tool; as such, the code should probably not
crash when the environment variable we want to look at is missing.
But we can print a warning instead.
Change-Id: I41a24dc0c1cc488587563b85c1adbd089dd364f2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2525
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Small helper that empties out the environment, except for the given
list of variables.
Change-Id: I5e265496aaa5c248136318aa1c6cd91a67d3f028
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2506
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Uses inotify to watch a file and print when it is modified, so we can
update the parser and display the sexp on the terminal.
Now the setup is good enough to start experimenting with queries on
the syntax tree.
Change-Id: I091587fc495ff627c79a69a52915aaaa8c51fcd2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2411
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Running this after a codified refactor acts as a good smoke test;
if a big subset of packages is broken or any central packages are
broken, this should find them quite quickly, thanks to randomness™.
Just let it run for a few minutes and check the errors that pop up.
Change-Id: I1505dd31ca25b29254474a15cd6cb71d9743038a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2346
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: lukegb <lukegb@tvl.fyi>
This is in order to advance the rewriting from stdenv.lib to lib.
https://github.com/NixOS/nixpkgs/issues/108938
The hard part about changing the argument is that a package might not
include lib in its arguments, which is why I use hnix to check whether
lib is included and add it to the import list if it doesn’t already
exist there.
So far, only the really common pattern of
meta = with stdenv.lib;
is rewritten.
Change-Id: I370f0a321b0e5a5bd21ec21fc7cefdd65ec845ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2345
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>