-rw-r--r--tools/rust-crates-advisory/default.nix93
1 files changed, 92 insertions, 1 deletions
diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index 71a51bb1af..b8a25ef783 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -3,8 +3,12 @@
 let
 
   bins =
-    depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" ]
+    depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ]
     // depot.nix.getBins pkgs.lr [ "lr" ]
+    // depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ]
+    // depot.nix.getBins pkgs.jq [ "jq" ]
+    // depot.nix.getBins pkgs.findutils [ "find" ]
+    // depot.nix.getBins pkgs.gnused [ "sed" ]
   ;
 
   crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates";
@@ -132,6 +136,84 @@ let
     "$out"
   ];
 
+  check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
+    "backtick"
+    "-E"
+    "report"
+    [
+      "pipeline"
+      [ bins.find "." "-name" "Cargo.lock" "-and" "-type" "f" "-print0" ]
+      "forstdin"
+      "-E"
+      "-0"
+      "lockFile"
+      "backtick"
+      "-E"
+      "depotPath"
+      [
+        "pipeline"
+        [ bins.s6-dirname "$lockFile" ]
+        bins.sed
+        "s|^\\.|/|"
+      ]
+      "pipeline"
+      [
+        bins.cargo-audit
+        "audit"
+        "--json"
+        "-n"
+        "--db"
+        depot.third_party.rustsec-advisory-db
+        "-f"
+        "$lockFile"
+      ]
+      bins.jq
+      "-rj"
+      "--arg"
+      "attr"
+      "$depotPath"
+      "--arg"
+      "maintainers"
+      ""
+      "-f"
+      ../../users/sterni/nixpkgs-crate-holes/format-audit-result.jq
+    ]
+    "if"
+    [ depot.tools.eprintf "%s\n" "$report" ]
+    "ifelse"
+    [ bins.s6-test "-z" "$report" ]
+    # empty report implies success (no advisories)
+    [ "exit" "0" ]
+    # If we reach this point, we know that the report is non-empty, so we should
+    # only continue without one if we are running in buildkite.
+    "if"
+    [
+      "importas"
+      "-D"
+      ""
+      "BUILDKITE_BUILD_ID"
+      "BUILDKITE_BUILD_ID"
+      bins.s6-test
+      "-n"
+      "$BUILDKITE_BUILD_ID"
+    ]
+    # If we're running in buildkite, annotate the pipeline run with the report
+    # as a warning. Only fail if something goes wrong with buildkite-agent
+    # which is assumed to be in PATH.
+    "pipeline"
+    [
+      "printf"
+      "%s"
+      "$report"
+    ]
+    "buildkite-agent"
+    "annotate"
+    "--style"
+    "warning"
+    "--context"
+    "check-all-our-lock-files"
+  ];
+
 in
 depot.nix.readTree.drvTargets {
 
@@ -143,4 +225,13 @@ depot.nix.readTree.drvTargets {
   inherit
     check-crate-advisory
     ;
+
+
+  check-all-our-lock-files = check-all-our-lock-files // {
+    meta.ci.extraSteps.run = {
+      label = "Check Cargo.lock files in depot for advisories";
+      alwaysRun = true;
+      command = check-all-our-lock-files;
+    };
+  };
 }