diff options
author | sterni <sternenseemann@systemli.org> | 2022-02-03T13·44+0100 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2022-02-04T11·20+0000 |
commit | 5d064256556a6af2e90a7c902c166ab67c65ea3a (patch) | |
tree | ea620f9f8e3329bdd997da20e044cad12b7727ee /tools | |
parent | c3684740ad6852f15de46577974f44dc98ca9703 (diff) |
chore: move format-audit-result.jq out of //users/sterni r/3762
In the spirit of the readTree filter we should also not include files in user directories from the outside. Change-Id: I1abe36a721048900d2758b5986063b68b8d1af93 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5200 Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
Diffstat (limited to 'tools')
-rw-r--r-- | tools/rust-crates-advisory/OWNERS | 1 | ||||
-rw-r--r-- | tools/rust-crates-advisory/default.nix | 2 | ||||
-rw-r--r-- | tools/rust-crates-advisory/format-audit-result.jq | 73 |
3 files changed, 75 insertions, 1 deletions
diff --git a/tools/rust-crates-advisory/OWNERS b/tools/rust-crates-advisory/OWNERS index a742d0d22bf6..1895955b2018 100644 --- a/tools/rust-crates-advisory/OWNERS +++ b/tools/rust-crates-advisory/OWNERS @@ -1,3 +1,4 @@ inherited: true owners: - Profpatsch + - sterni diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix index b8a25ef78333..ac190173627d 100644 --- a/tools/rust-crates-advisory/default.nix +++ b/tools/rust-crates-advisory/default.nix @@ -176,7 +176,7 @@ let "maintainers" "" "-f" - ../../users/sterni/nixpkgs-crate-holes/format-audit-result.jq + ./format-audit-result.jq ] "if" [ depot.tools.eprintf "%s\n" "$report" ] diff --git a/tools/rust-crates-advisory/format-audit-result.jq b/tools/rust-crates-advisory/format-audit-result.jq new file mode 100644 index 000000000000..6f230df3f9b0 --- /dev/null +++ b/tools/rust-crates-advisory/format-audit-result.jq @@ -0,0 +1,73 @@ +# This is a jq script to format the JSON output of cargo-audit into a short +# markdown report for humans. It is used by //users/sterni/nixpkgs-crate-holes +# and //tools/rust-crates-advisory:check-all-our-lock-files which will provide +# you with example invocations. +# +# It needs the following arguments passed to it: +# +# - maintainers: Either the empty string or a list of maintainers to @mention +# for the current lock file. +# - attr: An attribute name (or otherwise unique identifier) to associate the +# report for the current lock file with. + +# Link to human-readable advisory info for a given vulnerability +def link: + [ "https://rustsec.org/advisories/", .advisory.id, ".html" ] | add; + +# Format a list of version constraints +def version_list: + [ .[] | "`" + . + "`" ] | join("; "); + +# show paths to fixing this vulnerability: +# +# - if there are patched releases, show them (the version we are using presumably +# predates the vulnerability discovery, so we likely want to upgrade to a +# patched release). +# - if there are no patched releases, show the unaffected versions (in case we +# want to downgrade). +# - otherwise we state that no unaffected versions are available at this time. +# +# This logic should be useful, but is slightly dumber than cargo-audit's +# suggestion when using the non-JSON output. +def patched: + if .versions.patched == [] then + if .versions.unaffected != [] then + "unaffected: " + (.versions.unaffected | version_list) + else + "no unaffected version available" + end + else + "patched: " + (.versions.patched | version_list) + end; + +# if the vulnerability has aliases (like CVE-*) emit them in parens +def aliases: + if .advisory.aliases == [] then + "" + else + [ " (", (.advisory.aliases | join(", ")), ")" ] | add + end; + +# each vulnerability is rendered as a (normal) sublist item +def format_vulnerability: + [ " - " + , .package.name, " ", .package.version, ": " + , "[", .advisory.id, "](", link, ")" + , aliases + , ", ", patched + , "\n" + ] | add; + +# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item +if .vulnerabilities.found | not then + "" +else + ([ "- [ ] " + , "`", $attr, "`: " + , (.vulnerabilities.count | tostring) + , " vulnerabilities in Cargo.lock" + , if $maintainers != "" then " (cc " + $maintainers + ")" else "" end + , "\n" + ] + (.vulnerabilities.list | map(format_vulnerability)) + ) | add +end |