-rw-r--r--tools/rust-crates-advisory/default.nix50
-rw-r--r--users/sterni/nixpkgs-crate-holes/default.nix43
2 files changed, 43 insertions, 50 deletions
diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index 8382ec25435b..3b38aa9b9123 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -136,6 +136,31 @@ let
     "$out"
   ];
 
+  lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
+    set -u
+
+    if test "$#" -lt 2; then
+      echo "Usage: $0 IDENTIFIER LOCKFILE [CHECKLIST [MAINTAINERS]]" >&2
+      echo 2>&1
+      echo "  IDENTIFIER  Unique string describing the lock file" >&2
+      echo "  LOCKFILE    Path to Cargo.lock file" >&2
+      echo "  CHECKLIST   Whether to use GHFM checklists in the output (true or false)" >&2
+      echo "  MAINTAINERS List of @names to cc in case of advisories" >&2
+      exit 100
+    fi
+
+    "${bins.cargo-audit}" audit --json --no-fetch \
+      --db "${depot.third_party.rustsec-advisory-db}" \
+      --file "$2" \
+    | "${bins.jq}" --raw-output --join-output \
+      --from-file "${./format-audit-result.jq}" \
+      --arg maintainers "''${4:-}" \
+      --argjson checklist "''${3:-false}" \
+      --arg attr "$1"
+
+    exit "''${PIPESTATUS[0]}" # inherit exit code from cargo-audit
+  '';
+
   check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
     "backtick"
     "-E"
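Review bot: The final `exit "''${PIPESTATUS[0]}"` propagates only cargo-audit's status, so a failure of the jq stage (e.g. `--argjson checklist` receiving a non-JSON third argument, or an unparseable audit result) is masked and the script can exit 0 with an empty or truncated report on stdout. Capture the whole pipeline status before anything else runs and fail on the jq stage first: `status=("''${PIPESTATUS[@]}")`, `test "''${status[1]}" -eq 0 || exit "''${status[1]}" # do not mask jq failures`, `exit "''${status[0]}" # inherit exit code from cargo-audit`. Separately, `echo 2>&1` in the usage block looks like a typo for `echo >&2`: as written the blank line goes to stdout, which is the report stream, rather than to stderr with the rest of the message.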
@@ -156,30 +181,10 @@ let
         bins.sed
         "s|^\\.|/|"
       ]
-      "pipeline"
-      [
-        bins.cargo-audit
-        "audit"
-        "--json"
-        "-n"
-        "--db"
-        depot.third_party.rustsec-advisory-db
-        "-f"
-        "$lockFile"
-      ]
-      bins.jq
-      "-rj"
-      "--arg"
-      "attr"
+      lock-file-report
       "$depotPath"
-      "--arg"
-      "maintainers"
-      ""
-      "--argjson"
-      "checklist"
+      "$lockFile"
       "false"
-      "-f"
-      ./format-audit-result.jq
     ]
     "if"
     [ depot.tools.eprintf "%s\n" "$report" ]
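Review bot: The `backtick` block now sees lock-file-report's exit status, which is cargo-audit's rather than jq's, and cargo-audit exits non-zero when it finds advisories; with only `-E` given, whether backtick still sets `report` from the captured output or aborts in that case depends on execline's default handling of a failing program, so this should be confirmed against the execline version in use. The second file in this commit guards the same call with an explicit `exit 0`; this one has no equivalent, so if a non-zero status is meant to be tolerated here, state it explicitly with the appropriate backtick option (`-i`/`-I`/`-D`) rather than relying on the default. The enclosing `check-all-our-lock-files` definition starts and ends outside the hunk.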
@@ -227,6 +232,7 @@ depot.nix.readTree.drvTargets {
 
   inherit
     check-crate-advisory
+    lock-file-report
     ;
 
 
diff --git a/users/sterni/nixpkgs-crate-holes/default.nix b/users/sterni/nixpkgs-crate-holes/default.nix
index 4dff82d6aa78..c24200ff10f9 100644
--- a/users/sterni/nixpkgs-crate-holes/default.nix
+++ b/users/sterni/nixpkgs-crate-holes/default.nix
@@ -126,37 +126,24 @@ let
     then pkgs.emptyFile
     else
       depot.nix.runExecline "${strAttr}-vulnerability-report" { } [
-        "pipeline"
+        "foreground"
         [
-          bins.cargo-audit
-          "audit"
-          "--json"
-          "-n"
-          "--db"
-          rustsec-advisory-db
-          "-f"
+          "importas"
+          "out"
+          "out"
+          "redirfd"
+          "-w"
+          "1"
+          "$out"
+          depot.tools.rust-crates-advisory.lock-file-report
+          strAttr
           lock
+          "true"
+          strMaintainers
         ]
-        "importas"
-        "out"
-        "out"
-        "redirfd"
-        "-w"
-        "1"
-        "$out"
-        bins.jq
-        "-rj"
-        "-f"
-        ../../../tools/rust-crates-advisory/format-audit-result.jq
-        "--arg"
-        "attr"
-        strAttr
-        "--arg"
-        "maintainers"
-        strMaintainers
-        "--argjson"
-        "checklist"
-        "true"
+        # ignore exit status of report
+        "exit"
+        "0"
       ];
 
   # GHMF in issues splits paragraphs on newlines
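Review bot: `"exit" "0"` after the `foreground` block discards every failure of lock-file-report, not only the non-zero status cargo-audit returns when advisories exist: if the advisory database cannot be read or jq rejects the audit output, `$out` is left empty or truncated and the derivation still succeeds, so a missing report is indistinguishable from a clean one. Before this change the derivation's status was that of jq as the last program of the `pipeline`, so a formatting failure at least failed the build. Consider having the report distinguish tool failure from "advisories found" and masking only the latter, or at minimum checking that `$out` is non-empty before the `exit 0`. The `runExecline` call this belongs to begins before the hunk.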