mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/users/Profpatsch/nixpkgs-rewriter/default.nix
Profpatsch 952afb7da9 feat(tools): add rust-crates-advisory 
We have a bunch of crates in `third_party/rust-crates`; it would be
great if we could check them for existing CVEs.

This tool does that, it takes the rust security advisory database,
parses the applicable CVEs, and cross-checks them against the actual
crate versions we list in our package database.

The dumb parser we wrote is tested against all entries in the
database, so we will notice when upstream breaks their shit.
Checking the semver stuff is easy enough with the semver crate.

If an advisory matches, it prints the whole thing and fails the build.

Change-Id: I9e912c43d37a685d9d7a4424defc467a171ea3c4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2818
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
2021-05-17 23:00:57 +00:00

112 lines
3.1 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ depot, pkgs, ... }:
let
inherit (depot.nix)
writeExecline
;
inherit (depot.users.Profpatsch.lib)
debugExec
;
bins = depot.nix.getBins pkgs.coreutils [ "head" "shuf" ]
// depot.nix.getBins pkgs.jq [ "jq" ]
// depot.nix.getBins pkgs.findutils [ "xargs" ]
// depot.nix.getBins pkgs.gnused [ "sed" ]
;
export-json-object = pkgs.writers.writePython3 "export-json-object" {} ''
import json
import sys
import os
d = json.load(sys.stdin)
if d == {}:
sys.exit(0)
for k, v in d.items():
os.environ[k] = str(v)
os.execvp(sys.argv[1], sys.argv[1:])
'';
meta-stdenv-lib = pkgs.writers.writeHaskell "meta-stdenv-lib" {
libraries = [
pkgs.haskellPackages.hnix
pkgs.haskellPackages.aeson
];
} ./MetaStdenvLib.hs;
replace-between-lines = writeExecline "replace-between-lines" { readNArgs = 1; } [
"importas" "-ui" "file" "fileName"
"importas" "-ui" "from" "fromLine"
"importas" "-ui" "to" "toLine"
"if" [ depot.tools.eprintf "%s-%s\n" "$from" "$to" ]
(debugExec "adding lib")
bins.sed
"-e" "\${from},\${to} \${1}"
"-i" "$file"
];
add-lib-if-necessary = writeExecline "add-lib-if-necessary" { readNArgs = 1; } [
"pipeline" [ meta-stdenv-lib "$1" ]
export-json-object
# first replace any stdenv.lib mentions in the arg header
# if this is not done, the replace below kills these.
# Since we want it anyway ultimately, lets do it here.
"if" [ replace-between-lines "s/stdenv\.lib/lib/" ]
# then add the lib argument
# (has to be before stdenv, otherwise default arguments might be in the way)
replace-between-lines "s/stdenv/lib, stdenv/"
];
metaString = ''meta = with stdenv.lib; {'';
replace-stdenv-lib = pkgs.writers.writeBash "replace-stdenv-lib" ''
set -euo pipefail
sourceDir="$1"
for file in $(
${pkgs.ripgrep}/bin/rg \
--files-with-matches \
--fixed-strings \
-e '${metaString}' \
"$sourceDir"
)
do
echo "replacing stdenv.lib meta in $file" >&2
${bins.sed} -e '/${metaString}/ s/stdenv.lib/lib/' \
-i "$file"
${add-lib-if-necessary} "$file"
done
'';
instantiate-nixpkgs-randomly = writeExecline "instantiate-nixpkgs-randomly" { readNArgs = 1; } [
"export" "NIXPKGS_ALLOW_BROKEN" "1"
"export" "NIXPKGS_ALLOW_UNFREE" "1"
"export" "NIXPKGS_ALLOW_INSECURE" "1"
"export" "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM" "1"
"pipeline" [
"nix"
"eval"
"--raw"
''(
let pkgs = import ''${1} {};
in builtins.toJSON (builtins.attrNames pkgs)
)''
]
"pipeline" [ bins.jq "-r" ".[]" ]
"pipeline" [ bins.shuf ]
"pipeline" [ bins.head "-n" "1000" ]
bins.xargs "-I" "{}" "-n1"
"if" [ depot.tools.eprintf "instantiating %s\n" "{}" ]
"nix-instantiate" "$1" "-A" "{}"
];
in depot.nix.utils.drvTargets {
inherit
instantiate-nixpkgs-randomly
# requires hnix, which we dont want in tvl for now
# uncomment manually if you want to use it.
# meta-stdenv-lib
# replace-stdenv-lib
;
}
Reference in a new issue View git blame Copy permalink