authorProfpatsch <mail@profpatsch.de>2021-04-04T02·04+0200
committerProfpatsch <mail@profpatsch.de>2021-05-17T23·00+0000
commit952afb7da9a4b563f4e6478aec73f304827c2777 (patch)
tree2e219a08f2e8b0ff19c79fcb95c1b542c9f08906 /users/Profpatsch
parent72924facaebb9cf37d9cfd1da43335d5fe51fb6e (diff)
feat(tools): add rust-crates-advisory r/2595
We have a bunch of crates in `third_party/rust-crates`; it would be
great if we could check them for existing CVEs.

This tool does that, it takes the rust security advisory database,
parses the applicable CVEs, and cross-checks them against the actual
crate versions we list in our package database.

The dumb parser we wrote is tested against all entries in the
database, so we will notice when upstream changes the format in a way that breaks it.
Checking the semver stuff is easy enough with the semver crate.

If an advisory matches, it prints the whole thing and fails the build.

Change-Id: I9e912c43d37a685d9d7a4424defc467a171ea3c4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2818
Tested-by: BuildkiteCI
Reviewed-by: tazjin <mail@tazj.in>
Reviewed-by: sterni <sternenseemann@systemli.org>
Diffstat (limited to 'users/Profpatsch')
-rw-r--r--users/Profpatsch/blog/default.nix4
-rw-r--r--users/Profpatsch/lib.nix7
-rw-r--r--users/Profpatsch/nixpkgs-rewriter/default.nix5
3 files changed, 5 insertions, 11 deletions
diff --git a/users/Profpatsch/blog/default.nix b/users/Profpatsch/blog/default.nix
index 584c12d8d73a..9d22e7f770c5 100644
--- a/users/Profpatsch/blog/default.nix
+++ b/users/Profpatsch/blog/default.nix
@@ -81,7 +81,7 @@ let
     me.netencode.record-splice-env
     runOr return500
     "importas" "-i" "path" "path"
-    "if" [ me.lib.eprintf "GET \${path}\n" ]
+    "if" [ depot.tools.eprintf "GET \${path}\n" ]
     runOr return404
     "backtick" "-ni" "TEMPLATE_DATA" [
       "ifelse" [ bins.test "$path" "=" "/notes" ]
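Review bot: The replaced `GET` log line still substitutes `${path}` into eprintf's format argument, so any `%` sequence in the request path is interpreted by printf instead of being logged verbatim. If `path` comes from the client (the `GET` line and the `return404`/`return500` fallbacks suggest it does), a path containing an invalid `%` conversion makes printf exit non-zero, the surrounding `if` fails, and by the look of `runOr return500` two lines above the request is turned into a 500 instead of a log entry. This is presumably unchanged by the move, since the removed `me.lib.eprintf` was `printf "$@"` and `depot.tools.eprintf` looks like the same wrapper, but the commit is the natural place to fix it. Pass the path as a `%s` argument, as the nixpkgs-rewriter hunk in this same commit already does: `"if" [ depot.tools.eprintf "GET %s\n" "\${path}" ]`. The execline list this line belongs to starts before and ends after the hunk.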
@@ -118,7 +118,7 @@ let
     "importas" "?" "?"
     "ifelse" [ bins.test "$?" "-eq" "0" ]
     []
-    "if" [ me.lib.eprintf "runOr: exited \${?}, running \${1}\n" ]
+    "if" [ depot.tools.eprintf "runOr: exited \${?}, running \${1}\n" ]
     "$1"
   ];
 
diff --git a/users/Profpatsch/lib.nix b/users/Profpatsch/lib.nix
index 1e9652a27986..5d5fb01294cb 100644
--- a/users/Profpatsch/lib.nix
+++ b/users/Profpatsch/lib.nix
@@ -13,10 +13,6 @@ let
     "$@"
   ];
 
-  eprintf = depot.nix.writeExecline "eprintf" {} [
-    "fdmove" "-c" "1" "2" bins.printf "$@"
-  ];
-
   eprint-stdin = depot.nix.writeExecline "eprint-stdin" {} [
     "pipeline" [ bins.multitee "0-1,2" ] "$@"
   ];
@@ -37,7 +33,7 @@ let
   eprintenv = depot.nix.writeExecline "eprintenv" { readNArgs = 1; } [
     "ifelse" [ "fdmove" "-c" "1" "2" bins.printenv "$1" ]
     [ "$@" ]
-    "if" [ eprintf "eprintenv: could not find \"\${1}\" in the environment\n" ]
+    "if" [ depot.tools.eprintf "eprintenv: could not find \"\${1}\" in the environment\n" ]
     "$@"
   ];
 
@@ -54,7 +50,6 @@ let
 in {
   inherit
     debugExec
-    eprintf
     eprint-stdin
     eprint-stdin-netencode
     eprintenv
diff --git a/users/Profpatsch/nixpkgs-rewriter/default.nix b/users/Profpatsch/nixpkgs-rewriter/default.nix
index ff414862fa79..9dac01844165 100644
--- a/users/Profpatsch/nixpkgs-rewriter/default.nix
+++ b/users/Profpatsch/nixpkgs-rewriter/default.nix
@@ -5,7 +5,6 @@ let
     ;
   inherit (depot.users.Profpatsch.lib)
     debugExec
-    eprintf
     ;
 
   bins = depot.nix.getBins pkgs.coreutils [ "head" "shuf" ]
@@ -41,7 +40,7 @@ let
     "importas" "-ui" "file" "fileName"
     "importas" "-ui" "from" "fromLine"
     "importas" "-ui" "to" "toLine"
-    "if" [ eprintf "%s-%s\n" "$from" "$to" ]
+    "if" [ depot.tools.eprintf "%s-%s\n" "$from" "$to" ]
     (debugExec "adding lib")
     bins.sed
       "-e" "\${from},\${to} \${1}"
@@ -98,7 +97,7 @@ let
     "pipeline" [ bins.shuf ]
     "pipeline" [ bins.head "-n" "1000" ]
     bins.xargs "-I" "{}" "-n1"
-    "if" [ eprintf "instantiating %s\n" "{}" ]
+    "if" [ depot.tools.eprintf "instantiating %s\n" "{}" ]
     "nix-instantiate" "$1" "-A" "{}"
   ];