We have a bunch of crates in `third_party/rust-crates`; it would be
great if we could check them for existing CVEs.
This tool does that, it takes the rust security advisory database,
parses the applicable CVEs, and cross-checks them against the actual
crate versions we list in our package database.
The dumb parser we wrote is tested against all entries in the
database, so we will notice when upstream breaks their shit.
Checking the semver stuff is easy enough with the semver crate.
If an advisory matches, it prints the whole thing and fails the build.
Change-Id: I9e912c43d37a685d9d7a4424defc467a171ea3c4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2818
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
Setting meta.targets to include all derivations in the different package
sets in Profpatsch's user folder makes them checked by CI until they do
the readTree refactor as promised.
To reduce code duplication we handle this in a simple function which is
exposed from nix.utils which may be a good place for depot specific bits
and bops we accumulate over time.
To get around the issue of too nested sets we perform the following
renames:
* users.Profpatsch.tests gets moved into its own directory
* users.Profpatsch.arglib.netencode now lives in its own file instead of
the default.nix
* users.Profpatsch.netstring.tests gets moved into its own directory
Change-Id: Icd039c29d7760a711c1c53554504d6b0cd19e120
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2603
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Running this after a codified refactor acts as a good smoke test,
if a big subset of packages is broken or any central packages are
broken, this should find them quite quickly, thanks to randomness™.
Just let it run for a few minutes and check the errors that pop up.
Change-Id: I1505dd31ca25b29254474a15cd6cb71d9743038a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2346
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: lukegb <lukegb@tvl.fyi>
This is in order to advance the rewriting from stdenv.lib to lib.
https://github.com/NixOS/nixpkgs/issues/108938
The hard part about changing the argument is that a package might not
include lib in its arguments, which is why I use hnix to check whether
lib is included and add it to the import list if it doesn’t already
exist there.
So far, only the really common pattern of
meta = with stdenv.lib;
is rewritten.
Change-Id: I370f0a321b0e5a5bd21ec21fc7cefdd65ec845ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2345
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>