mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/tools/rust-crates-advisory/format-audit-result.jq
sterni 487dd4189e fix(format-audit-results.jq): use advisories over vulnerabilities 
Many of the vulnerabilities (in the respective crates) reported are not
actually exploitable vulnerabilties of the packages we report them for.
Consequently it is more accurate to state that they are advisories.

Change-Id: I02932125b77fc9c71e583ae49e822fd3438dce05
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5202
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
2022-02-04 11:22:43 +00:00

75 lines
2.5 KiB
Text
Raw Blame History

# This is a jq script to format the JSON output of cargo-audit into a short
# markdown report for humans. It is used by //users/sterni/nixpkgs-crate-holes
# and //tools/rust-crates-advisory:check-all-our-lock-files which will provide
# you with example invocations.
#
# It needs the following arguments passed to it:
#
# - maintainers: Either the empty string or a list of maintainers to @mention
# for the current lock file.
# - attr: An attribute name (or otherwise unique identifier) to associate the
# report for the current lock file with.
# - checklist: If true, the markdown report will use GHFM checklists for the
# report, allowing to tick of attributes as taken care of.
# Link to human-readable advisory info for a given vulnerability
def link:
[ "https://rustsec.org/advisories/", .advisory.id, ".html" ] | add;
# Format a list of version constraints
def version_list:
[ .[] | "`" + . + "`" ] | join("; ");
# show paths to fixing this vulnerability:
#
# - if there are patched releases, show them (the version we are using presumably
# predates the vulnerability discovery, so we likely want to upgrade to a
# patched release).
# - if there are no patched releases, show the unaffected versions (in case we
# want to downgrade).
# - otherwise we state that no unaffected versions are available at this time.
#
# This logic should be useful, but is slightly dumber than cargo-audit's
# suggestion when using the non-JSON output.
def patched:
if .versions.patched == [] then
if .versions.unaffected != [] then
"unaffected: " + (.versions.unaffected | version_list)
else
"no unaffected version available"
end
else
"patched: " + (.versions.patched | version_list)
end;
# if the vulnerability has aliases (like CVE-*) emit them in parens
def aliases:
if .advisory.aliases == [] then
""
else
[ " (", (.advisory.aliases | join(", ")), ")" ] | add
end;
# each vulnerability is rendered as a (normal) sublist item
def format_vulnerability:
[ " - "
, .package.name, " ", .package.version, ": "
, "[", .advisory.id, "](", link, ")"
, aliases
, ", ", patched
, "\n"
] | add;
# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item
if .vulnerabilities.found | not then
""
else
([ "-", if $checklist then " [ ] " else " " end
, "`", $attr, "`: "
, (.vulnerabilities.count | tostring)
, " advisories for Cargo.lock"
, if $maintainers != "" then " (cc " + $maintainers + ")" else "" end
, "\n"
] + (.vulnerabilities.list | map(format_vulnerability))
) | add
end
Reference in a new issue View git blame Copy permalink