about summary refs log tree commit diff
path: root/users/sterni/nixpkgs-crate-holes/format-audit-result.jq
diff options
context:
space:
mode:
authorsterni <sternenseemann@systemli.org>2021-10-10T19·31+0200
committersterni <sternenseemann@systemli.org>2021-10-12T14·15+0000
commit3a2fd6e275580616b86190c9959654521760abe4 (patch)
tree849b7d11d789872f875113ff4da935d8a2b36de6 /users/sterni/nixpkgs-crate-holes/format-audit-result.jq
parent14282370e9519bb916da650c311f8f90ce73ce82 (diff)
feat(nixpkgs-crate-holes): report vulnerable crates in cargoDeps r/2969
nixpkgs-crate-holes can build a markdown report detailing all vulnerable
crates pinned in cargoDeps vendors in nixpkgs according to RustSec's
advisory db. This report is intended to be pasted into a GitHub issue.

The report is produced by a derivation and can be obtained like this:

    nix-build -A users.sterni.nixpkgs-crate-holes.full \
      --argstr nixpkgsPath /path/to/nixpkgs

Example output: https://gist.github.com/sternenseemann/27509eece93d6eff35cd4b8ce75423b5

Additionally, you can obtain a more verbose report for a single
attribute of nixpkgs, in HTML format since we just reuse the command
line output of cargo-audit and convert it to HTML using ansi2html:

    nix-build -A users.sterni.nixpkgs-crate-holes.single \
      --argstr nixpkgsPath /path/to/nixpkgs --argstr attr ripgrep

Change-Id: Ic1c029ab67770fc41ba521b2acb798628357f9b2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3715
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Diffstat (limited to 'users/sterni/nixpkgs-crate-holes/format-audit-result.jq')
-rw-r--r--users/sterni/nixpkgs-crate-holes/format-audit-result.jq59
1 files changed, 59 insertions, 0 deletions
diff --git a/users/sterni/nixpkgs-crate-holes/format-audit-result.jq b/users/sterni/nixpkgs-crate-holes/format-audit-result.jq
new file mode 100644
index 000000000000..c527bc4da9ec
--- /dev/null
+++ b/users/sterni/nixpkgs-crate-holes/format-audit-result.jq
@@ -0,0 +1,59 @@
+# Link to human-readable advisory info for a given vulnerability
+def link:
+  [ "https://rustsec.org/advisories/", .advisory.id, ".html" ] | add;
+
+# Format a list of version constraints
+def version_list:
+  [ .[] | "`" + . + "`" ] | join("; ");
+
+# show paths to fixing this vulnerability:
+#
+# - if there are patched releases, show them (the version we are using presumably
+#   predates the vulnerability discovery, so we likely want to upgrade to a
+#   patched release).
+# - if there are no patched releases, show the unaffected versions (in case we
+#   want to downgrade).
+# - otherwise we state that no unaffected versions are available at this time.
+#
+# This logic should be useful, but is slightly dumber than cargo-audit's
+# suggestion when using the non-JSON output.
+def patched:
+  if .versions.patched == [] then
+    if .versions.unaffected != [] then
+       "unaffected: " + (.versions.unaffected | version_list)
+    else
+      "no unaffected version available"
+    end
+  else
+    "patched: " + (.versions.patched | version_list)
+  end;
+
+# if the vulnerability has aliases (like CVE-*) emit them in parens
+def aliases:
+  if .advisory.aliases == [] then
+    ""
+  else
+    [ " (", (.advisory.aliases | join(", ")), ")" ] | add
+  end;
+
+# each vulnerability is rendered as a (normal) sublist item
+def format_vulnerability:
+  [ "  - "
+  , .package.name, " ", .package.version, ": "
+  , "[", .advisory.id, "](", link, ")"
+  , aliases
+  , ", ", patched
+  , "\n"
+  ] | add;
+
+# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item
+if .vulnerabilities.found | not then
+  ""
+else
+  ([ "- [ ] "
+   , "`", $attr, "`: "
+   , (.vulnerabilities.count | tostring)
+   , " vulnerabilities in Cargo.lock\n"
+   ] + (.vulnerabilities.list | map(format_vulnerability))
+  ) | add
+end