diff options
author | sterni <sternenseemann@systemli.org> | 2022-11-06T18·10+0100 |
---|---|---|
committer | sterni <sternenseemann@systemli.org> | 2022-11-06T18·40+0000 |
commit | 8699370faee2d337951dc920b67240cb3d675ef2 (patch) | |
tree | 812e0322c966bbe56bbf777219e72db14abd313e /users/Profpatsch/check-crate-advisory | |
parent | d92ca1099035590566dbb5790284bc2f3d68a84c (diff) |
chore(tools/rust-crates-advisory): move custom checker to user dir r/5258
Profpatsch originally implemented an advisory checker from scratch in Rust. We now ended up just using cargo-audit for the global checks exposed via CI and the custom implementation is unused. To clean up //tools/rust-crates-advisory a bit, we can move the unused parts to his user directory. Change-Id: Iacbd27c163edd07c804220fd1b3569c23aebd3e7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/7171 Tested-by: BuildkiteCI Reviewed-by: Profpatsch <mail@profpatsch.de>
Diffstat (limited to 'users/Profpatsch/check-crate-advisory')
-rw-r--r-- | users/Profpatsch/check-crate-advisory/check-security-advisory.rs | 119 | ||||
-rw-r--r-- | users/Profpatsch/check-crate-advisory/default.nix | 68 |
2 files changed, 187 insertions, 0 deletions
diff --git a/users/Profpatsch/check-crate-advisory/check-security-advisory.rs b/users/Profpatsch/check-crate-advisory/check-security-advisory.rs new file mode 100644 index 000000000000..e76b090abccb --- /dev/null +++ b/users/Profpatsch/check-crate-advisory/check-security-advisory.rs @@ -0,0 +1,119 @@ +extern crate semver; +extern crate toml; + +use std::io::Write; + +/// reads a security advisory of the form +/// https://github.com/RustSec/advisory-db/blob/a24932e220dfa9be8b0b501210fef8a0bc7ef43e/EXAMPLE_ADVISORY.md +/// and a crate version number, +/// and returns 0 if the crate version is patched +/// and returns 1 if the crate version is *not* patched +/// +/// If PRINT_ADVISORY is set, the advisory is printed if it matches. + +fn main() { + let mut args = std::env::args_os(); + let file = args.nth(1).expect("security advisory md file is $1"); + let crate_version = args + .nth(0) + .expect("crate version is $2") + .into_string() + .expect("crate version string not utf8"); + let crate_version = semver::Version::parse(&crate_version) + .expect(&format!("this is not a semver version: {}", &crate_version)); + let filename = file.to_string_lossy(); + + let content = std::fs::read(&file).expect(&format!("could not read {}", filename)); + let content = std::str::from_utf8(&content) + .expect(&format!("file {} was not encoded as utf-8", filename)); + let content = content.trim_start(); + + let toml_start = content + .strip_prefix("```toml") + .expect(&format!("file did not start with ```toml: {}", filename)); + let toml_end_index = toml_start.find("```").expect(&format!( + "the toml section did not end, no `` found: {}", + filename + )); + let toml = &toml_start[..toml_end_index]; + let toml: toml::Value = toml::de::from_slice(toml.as_bytes()) + .expect(&format!("could not parse toml: {}", filename)); + + let versions = toml + .as_table() + .expect(&format!("the toml is not a table: {}", filename)) + .get("versions") + .expect(&format!( + "the toml does not contain the versions field: {}", + filename + )) + .as_table() + .expect(&format!( + "the toml versions field must be a table: {}", + filename + )); + + let unaffected = match versions.get("unaffected") { + Some(u) => u + .as_array() + .expect(&format!( + "the toml versions.unaffected field must be a list of semvers: {}", + filename + )) + .iter() + .map(|v| { + semver::VersionReq::parse( + v.as_str() + .expect(&format!("the version field {} is not a string", v)), + ) + .expect(&format!( + "the version field {} is not a valid semver VersionReq", + v + )) + }) + .collect(), + None => vec![], + }; + + let mut patched: Vec<semver::VersionReq> = versions + .get("patched") + .expect(&format!( + "the toml versions.patched field must exist: {}", + filename + )) + .as_array() + .expect(&format!( + "the toml versions.patched field must be a list of semvers: {}", + filename + )) + .iter() + .map(|v| { + semver::VersionReq::parse( + v.as_str() + .expect(&format!("the version field {} is not a string", v)), + ) + .expect(&format!( + "the version field {} is not a valid semver VersionReq", + v + )) + }) + .collect(); + + patched.extend_from_slice(&unaffected[..]); + let is_patched_or_unaffected = patched.iter().any(|req| req.matches(&crate_version)); + + if is_patched_or_unaffected { + std::process::exit(0); + } else { + if std::env::var_os("PRINT_ADVISORY").is_some() { + write!( + std::io::stderr(), + "Advisory {} matched!\n{}\n", + filename, + content + ) + .unwrap(); + } + std::process::exit(1); + } +} diff --git a/users/Profpatsch/check-crate-advisory/default.nix b/users/Profpatsch/check-crate-advisory/default.nix new file mode 100644 index 000000000000..e948771e2a75 --- /dev/null +++ b/users/Profpatsch/check-crate-advisory/default.nix @@ -0,0 +1,68 @@ +{ pkgs, depot, lib, ... }: + +let + bins = + depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ] + // depot.nix.getBins pkgs.lr [ "lr" ] + ; + crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates"; + + check-security-advisory = depot.nix.writers.rustSimple + { + name = "parse-security-advisory"; + dependencies = [ + depot.third_party.rust-crates.toml + depot.third_party.rust-crates.semver + ]; + } + (builtins.readFile ./check-security-advisory.rs); + + # $1 is the directory with advisories for crate $2 with version $3 + check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [ + "pipeline" + [ bins.lr "-0" "-t" "depth == 1" "$1" ] + "forstdin" + "-0" + "-Eo" + "0" + "advisory" + "if" + [ depot.tools.eprintf "advisory %s\n" "$advisory" ] + check-security-advisory + "$advisory" + "$3" + ]; + + # Run through everything in the `crate-advisories` repository + # and check whether we can parse all the advisories without crashing. + test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" { } [ + "pipeline" + [ bins.lr "-0" "-t" "depth == 1" crate-advisories ] + "if" + [ + # this will succeed as long as check-crate-advisory doesn’t `panic!()` (status 101) + "forstdin" + "-0" + "-E" + "-x" + "101" + "crate_advisories" + check-crate-advisory + "$crate_advisories" + "foo" + "0.0.0" + ] + "importas" + "out" + "out" + bins.s6-touch + "$out" + ]; +in + +depot.nix.readTree.drvTargets { + inherit + check-crate-advisory + test-parsing-all-security-advisories + ; +} |