authorsterni <sternenseemann@systemli.org>2021-10-11T12·24+0200
committerclbot <clbot@tvl.fyi>2022-02-04T11·20+0000
commitc3684740ad6852f15de46577974f44dc98ca9703 (patch)
treeb82503c21d24ecc60f3791186c6a33bb19f71080 /tools/rust-crates-advisory
parent32da9861d5e8d8c3a51e3a102f08f15072ab8eea (diff)
feat(tools/rust-crates-advisory): also check all our Cargo.locks r/3761
check-all-our-lock-files works very similarly to
//users/sterni/nixpkgs-crate-holes, even reusing some parts of it, but
is much simpler since we don't need to extract the lock files — they are
already in tree.

It is implemented as a very simple script which just traverses the
subtree of the current directory, collecting all warnings. When this
script is executed in buildkite via extraSteps, it never fails, but
instead annotates the pipeline run with a warning.

Change-Id: I0a0bc26deffe7b20b99f5aa7238fb3c3bb9deb92
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3721
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
Diffstat (limited to 'tools/rust-crates-advisory')
-rw-r--r--tools/rust-crates-advisory/default.nix93
1 files changed, 92 insertions, 1 deletions
diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index 71a51bb1af1b..b8a25ef78333 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -3,8 +3,12 @@
 let
 
   bins =
-    depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" ]
+    depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ]
     // depot.nix.getBins pkgs.lr [ "lr" ]
+    // depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ]
+    // depot.nix.getBins pkgs.jq [ "jq" ]
+    // depot.nix.getBins pkgs.findutils [ "find" ]
+    // depot.nix.getBins pkgs.gnused [ "sed" ]
   ;
 
   crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates";
@@ -132,6 +136,84 @@ let
     "$out"
   ];
 
+  check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
+    "backtick"
+    "-E"
+    "report"
+    [
+      "pipeline"
+      [ bins.find "." "-name" "Cargo.lock" "-and" "-type" "f" "-print0" ]
+      "forstdin"
+      "-E"
+      "-0"
+      "lockFile"
+      "backtick"
+      "-E"
+      "depotPath"
+      [
+        "pipeline"
+        [ bins.s6-dirname "$lockFile" ]
+        bins.sed
+        "s|^\\.|/|"
+      ]
+      "pipeline"
+      [
+        bins.cargo-audit
+        "audit"
+        "--json"
+        "-n"
+        "--db"
+        depot.third_party.rustsec-advisory-db
+        "-f"
+        "$lockFile"
+      ]
+      bins.jq
+      "-rj"
+      "--arg"
+      "attr"
+      "$depotPath"
+      "--arg"
+      "maintainers"
+      ""
+      "-f"
+      ../../users/sterni/nixpkgs-crate-holes/format-audit-result.jq
+    ]
+    "if"
+    [ depot.tools.eprintf "%s\n" "$report" ]
+    "ifelse"
+    [ bins.s6-test "-z" "$report" ]
+    # empty report implies success (no advisories)
+    [ "exit" "0" ]
+    # If we reach this point, we know that the report is non-empty, so we should
+    # only continue without one if we are running in buildkite.
+    "if"
+    [
+      "importas"
+      "-D"
+      ""
+      "BUILDKITE_BUILD_ID"
+      "BUILDKITE_BUILD_ID"
+      bins.s6-test
+      "-n"
+      "$BUILDKITE_BUILD_ID"
+    ]
+    # If we're running in buildkite, annotate the pipeline run with the report
+    # as a warning. Only fail if something goes wrong with buildkite-agent
+    # which is assumed to be in PATH.
+    "pipeline"
+    [
+      "printf"
+      "%s"
+      "$report"
+    ]
+    "buildkite-agent"
+    "annotate"
+    "--style"
+    "warning"
+    "--context"
+    "check-all-our-lock-files"
+  ];
+
 in
 depot.nix.readTree.drvTargets {
 
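Review bot: A failure of cargo-audit inside the per-lock-file `pipeline` (the `bins.cargo-audit` block) is not surfaced: execline's pipeline exits with the status of its last program, here jq, so if cargo-audit exits non-zero without writing JSON, jq reads no input and emits nothing, the forstdin loop carries on as far as I can tell, and the resulting empty `$report` is taken as "no advisories" and the script exits 0. For an advisory scanner that is a fail-open default: a Cargo.lock that cargo-audit cannot parse, or a problem with the pinned `--db`, looks identical to a clean tree. Checking cargo-audit's exit status (execline's `pipeline -w`, if I recall its semantics correctly, or writing the audit output to a temporary file first) and appending an explicit error line to the report would make such failures visible through the same warning channel. Until then the comment `# empty report implies success (no advisories)` should say `# empty report implies success (no advisories) — or a cargo-audit failure, whose exit status is not checked above`.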
@@ -143,4 +225,13 @@ depot.nix.readTree.drvTargets {
   inherit
     check-crate-advisory
     ;
+
+
+  check-all-our-lock-files = check-all-our-lock-files // {
+    meta.ci.extraSteps.run = {
+      label = "Check Cargo.lock files in depot for advisories";
+      alwaysRun = true;
+      command = check-all-our-lock-files;
+    };
+  };
 }