authorsterni <sternenseemann@systemli.org>2022-02-04T16·28+0100
committersterni <sternenseemann@systemli.org>2022-02-13T18·42+0000
commitde62043a7445efeae9e0159e1225480be7954cfa (patch)
tree4cb637cea496f333181aa51771c6212e068168f7 /tools/rust-crates-advisory
parent813e0c07475bfdfbd1f05ba658ae65b8f1a4ef82 (diff)
refactor(rust-crates-advisory): move report generation into script r/3816
This script is somewhat usable by humans (it even has a help screen!)
and can be reused in //users/sterni/nixpkgs-crate-holes. We are using
bash since that allows us to exit with the actual exit code of
cargo-audit - something that's not possible in execline.

Change-Id: I3331ae8222a20e23b8e30dc920ab48af78f0247c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5228
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Diffstat (limited to 'tools/rust-crates-advisory')
-rw-r--r--tools/rust-crates-advisory/default.nix50
1 files changed, 28 insertions, 22 deletions
diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index 8382ec25435b..3b38aa9b9123 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -136,6 +136,31 @@ let
     "$out"
   ];
 
+  lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
+    set -u
+
+    if test "$#" -lt 2; then
+      echo "Usage: $0 IDENTIFIER LOCKFILE [CHECKLIST [MAINTAINERS]]" >&2
+      echo 2>&1
+      echo "  IDENTIFIER  Unique string describing the lock file" >&2
+      echo "  LOCKFILE    Path to Cargo.lock file" >&2
+      echo "  CHECKLIST   Whether to use GHFM checklists in the output (true or false)" >&2
+      echo "  MAINTAINERS List of @names to cc in case of advisories" >&2
+      exit 100
+    fi
+
+    "${bins.cargo-audit}" audit --json --no-fetch \
+      --db "${depot.third_party.rustsec-advisory-db}" \
+      --file "$2" \
+    | "${bins.jq}" --raw-output --join-output \
+      --from-file "${./format-audit-result.jq}" \
+      --arg maintainers "''${4:-}" \
+      --argjson checklist "''${3:-false}" \
+      --arg attr "$1"
+
+    exit "''${PIPESTATUS[0]}" # inherit exit code from cargo-audit
+  '';
+
   check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
     "backtick"
     "-E"
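Review bot: The closing `exit "''${PIPESTATUS[0]}"` in lock-file-report discards jq's status. A jq failure, for instance a CHECKLIST argument that is not valid JSON for `--argjson`, therefore produces an empty report while the script still exits with whatever cargo-audit returned, including 0. For an advisory check that is a silent loss of output, so I would capture both statuses and fail when the formatter fails: `st=("''${PIPESTATUS[@]}")`, then `test "''${st[1]}" -eq 0 || exit "''${st[1]}"`, then `exit "''${st[0]}"`. If jq's codes could be confused with cargo-audit's, a dedicated exit code would be clearer. Separately, `echo 2>&1` in the usage text writes its blank line to stdout while the rest goes to stderr; it should read `echo >&2`.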
@@ -156,30 +181,10 @@ let
         bins.sed
         "s|^\\.|/|"
       ]
-      "pipeline"
-      [
-        bins.cargo-audit
-        "audit"
-        "--json"
-        "-n"
-        "--db"
-        depot.third_party.rustsec-advisory-db
-        "-f"
-        "$lockFile"
-      ]
-      bins.jq
-      "-rj"
-      "--arg"
-      "attr"
+      lock-file-report
       "$depotPath"
-      "--arg"
-      "maintainers"
-      ""
-      "--argjson"
-      "checklist"
+      "$lockFile"
       "false"
-      "-f"
-      ./format-audit-result.jq
     ]
     "if"
     [ depot.tools.eprintf "%s\n" "$report" ]
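Review bot: Swapping the inline pipeline for `lock-file-report` changes the exit status of this step: it used to end in jq and now ends with cargo-audit's code, which is presumably non-zero whenever advisories are found. The wrapper that captures `$report` starts outside this hunk, so please confirm it tolerates a non-zero exit and does not abort before the `if [ eprintf … ]` branch prints the report. A comment at the call site would help, for example `# lock-file-report exits with cargo-audit's status; non-zero here means advisories or an audit error`.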
@@ -227,6 +232,7 @@ depot.nix.readTree.drvTargets {
 
   inherit
     check-crate-advisory
+    lock-file-report
     ;