mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/tools/rust-crates-advisory/default.nix
Vincent Ambo 4f1249e46f refactor(readTree): Move 'drvTargets' into readTree 
This function is also generally useful for readTree consumers that
have the concept of subtargets.

Change-Id: Ic7fc03380dec6953fb288763a28e50ab3624d233
2021-11-23 14:42:08 +00:00

90 lines
3.1 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ depot, pkgs, lib, ... }:
let
bins =
depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" ]
// depot.nix.getBins pkgs.lr [ "lr" ]
;
crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates";
our-crates = lib.filter (v: v ? outPath)
(builtins.attrValues depot.third_party.rust-crates);
check-security-advisory = depot.nix.writers.rustSimple {
name = "parse-security-advisory";
dependencies = [
depot.third_party.rust-crates.toml
depot.third_party.rust-crates.semver
];
} (builtins.readFile ./check-security-advisory.rs);
# $1 is the directory with advisories for crate $2 with version $3
check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [
"pipeline" [ bins.lr "-0" "-t" "depth == 1" "$1" ]
"forstdin" "-0" "-Eo" "0" "advisory"
"if" [ depot.tools.eprintf "advisory %s\n" "$advisory" ]
check-security-advisory "$advisory" "$3"
];
# Run through everything in the `crate-advisories` repository
# and check whether we can parse all the advisories without crashing.
test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" {} [
"pipeline" [ bins.lr "-0" "-t" "depth == 1" crate-advisories ]
"if" [
# this will succeed as long as check-crate-advisory doesnt `panic!()` (status 101)
"forstdin" "-0" "-E" "-x" "101" "crate_advisories"
check-crate-advisory "$crate_advisories" "foo" "0.0.0"
]
"importas" "out" "out"
bins.s6-touch "$out"
];
check-all-our-crates = depot.nix.runExecline "check-all-our-crates" {
stdin = lib.concatStrings
(map
(crate:
depot.nix.netstring.fromString
( depot.nix.netstring.fromString crate.crateName
+ depot.nix.netstring.fromString crate.version ))
our-crates);
} [
"if" [
"forstdin" "-o" "0" "-Ed" "" "crateNetstring"
"multidefine" "-d" "" "$crateNetstring" [ "crate" "crate_version" ]
"if" [ depot.tools.eprintf "checking %s, version %s\n" "$crate" "$crate_version" ]
"ifthenelse" [ bins.s6-test "-d" "${crate-advisories}/\${crate}" ]
[ # also print the full advisory text if it matches
"export" "PRINT_ADVISORY" "1"
check-crate-advisory "${crate-advisories}/\${crate}" "$crate" "$crate_version"
]
[ depot.tools.eprintf "No advisories found for crate %s\n" "$crate" ]
"importas" "-ui" "ret" "?"
# put a marker in ./failed to read at the end
"ifelse" [ bins.s6-test "$ret" "-eq" "1" ]
[ bins.s6-touch "./failed" ]
"if" [ depot.tools.eprintf "\n" ]
"exit" "$ret"
]
"ifelse" [ bins.s6-test "-f" "./failed" ]
[ "if" [ depot.tools.eprintf "Error: Found active advisories!" ]
"exit" "1"
]
"importas" "out" "out"
bins.s6-touch "$out"
];
in depot.nix.readTree.drvTargets {
check-all-our-crates =
depot.nix.drvSeqL
[ test-parsing-all-security-advisories ]
check-all-our-crates;
inherit
check-crate-advisory
;
}
Reference in a new issue View git blame Copy permalink