Diffstat (limited to 'tools/rust-crates-advisory/default.nix')
-rw-r--r--tools/rust-crates-advisory/default.nix160
1 files changed, 108 insertions, 52 deletions
diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index c0cd4dc03e..71a51bb1af 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -3,81 +3,137 @@
 let
 
   bins =
-       depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" ]
+    depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" ]
     // depot.nix.getBins pkgs.lr [ "lr" ]
-    ;
+  ;
 
   crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates";
 
   our-crates = lib.filter (v: v ? outPath)
     (builtins.attrValues depot.third_party.rust-crates);
 
-  check-security-advisory = depot.nix.writers.rustSimple {
-    name = "parse-security-advisory";
-    dependencies = [
-      depot.third_party.rust-crates.toml
-      depot.third_party.rust-crates.semver
-    ];
-  } (builtins.readFile ./check-security-advisory.rs);
+  check-security-advisory = depot.nix.writers.rustSimple
+    {
+      name = "parse-security-advisory";
+      dependencies = [
+        depot.third_party.rust-crates.toml
+        depot.third_party.rust-crates.semver
+      ];
+    }
+    (builtins.readFile ./check-security-advisory.rs);
 
   # $1 is the directory with advisories for crate $2 with version $3
   check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [
-    "pipeline" [ bins.lr "-0" "-t" "depth == 1" "$1" ]
-    "forstdin" "-0" "-Eo" "0" "advisory"
-    "if" [ depot.tools.eprintf "advisory %s\n" "$advisory" ]
-    check-security-advisory "$advisory" "$3"
+    "pipeline"
+    [ bins.lr "-0" "-t" "depth == 1" "$1" ]
+    "forstdin"
+    "-0"
+    "-Eo"
+    "0"
+    "advisory"
+    "if"
+    [ depot.tools.eprintf "advisory %s\n" "$advisory" ]
+    check-security-advisory
+    "$advisory"
+    "$3"
   ];
 
   # Run through everything in the `crate-advisories` repository
   # and check whether we can parse all the advisories without crashing.
-  test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" {} [
-    "pipeline" [ bins.lr "-0" "-t" "depth == 1" crate-advisories ]
-    "if" [
+  test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" { } [
+    "pipeline"
+    [ bins.lr "-0" "-t" "depth == 1" crate-advisories ]
+    "if"
+    [
       # this will succeed as long as check-crate-advisory doesn’t `panic!()` (status 101)
-      "forstdin" "-0" "-E" "-x" "101" "crate_advisories"
-      check-crate-advisory "$crate_advisories" "foo" "0.0.0"
+      "forstdin"
+      "-0"
+      "-E"
+      "-x"
+      "101"
+      "crate_advisories"
+      check-crate-advisory
+      "$crate_advisories"
+      "foo"
+      "0.0.0"
     ]
-    "importas" "out" "out"
-    bins.s6-touch "$out"
+    "importas"
+    "out"
+    "out"
+    bins.s6-touch
+    "$out"
   ];
 
 
-  check-all-our-crates = depot.nix.runExecline "check-all-our-crates" {
-    stdin = lib.concatStrings
-      (map
-        (crate:
-          depot.nix.netstring.fromString
-            ( depot.nix.netstring.fromString crate.crateName
-            + depot.nix.netstring.fromString crate.version ))
-        our-crates);
-  } [
-    "if" [
-      "forstdin" "-o" "0" "-Ed" "" "crateNetstring"
-      "multidefine" "-d" "" "$crateNetstring" [ "crate" "crate_version" ]
-      "if" [ depot.tools.eprintf "checking %s, version %s\n" "$crate" "$crate_version" ]
+  check-all-our-crates = depot.nix.runExecline "check-all-our-crates"
+    {
+      stdin = lib.concatStrings
+        (map
+          (crate:
+            depot.nix.netstring.fromString
+              (depot.nix.netstring.fromString crate.crateName
+                + depot.nix.netstring.fromString crate.version))
+          our-crates);
+    } [
+    "if"
+    [
+      "forstdin"
+      "-o"
+      "0"
+      "-Ed"
+      ""
+      "crateNetstring"
+      "multidefine"
+      "-d"
+      ""
+      "$crateNetstring"
+      [ "crate" "crate_version" ]
+      "if"
+      [ depot.tools.eprintf "checking %s, version %s\n" "$crate" "$crate_version" ]
 
-      "ifthenelse" [ bins.s6-test "-d" "${crate-advisories}/\${crate}" ]
-          [ # also print the full advisory text if it matches
-            "export" "PRINT_ADVISORY" "1"
-            check-crate-advisory "${crate-advisories}/\${crate}" "$crate" "$crate_version"
-          ]
-        [ depot.tools.eprintf "No advisories found for crate %s\n" "$crate" ]
-        "importas" "-ui" "ret" "?"
-        # put a marker in ./failed to read at the end
-        "ifelse" [ bins.s6-test "$ret" "-eq" "1" ]
-          [ bins.s6-touch "./failed" ]
-        "if" [ depot.tools.eprintf "\n" ]
-        "exit" "$ret"
-    ]
-    "ifelse" [ bins.s6-test "-f" "./failed" ]
-      [ "if" [ depot.tools.eprintf "Error: Found active advisories!" ]
-        "exit" "1"
+      "ifthenelse"
+      [ bins.s6-test "-d" "${crate-advisories}/\${crate}" ]
+      [
+        # also print the full advisory text if it matches
+        "export"
+        "PRINT_ADVISORY"
+        "1"
+        check-crate-advisory
+        "${crate-advisories}/\${crate}"
+        "$crate"
+        "$crate_version"
       ]
-    "importas" "out" "out"
-    bins.s6-touch "$out"
+      [ depot.tools.eprintf "No advisories found for crate %s\n" "$crate" ]
+      "importas"
+      "-ui"
+      "ret"
+      "?"
+      # put a marker in ./failed to read at the end
+      "ifelse"
+      [ bins.s6-test "$ret" "-eq" "1" ]
+      [ bins.s6-touch "./failed" ]
+      "if"
+      [ depot.tools.eprintf "\n" ]
+      "exit"
+      "$ret"
+    ]
+    "ifelse"
+    [ bins.s6-test "-f" "./failed" ]
+    [
+      "if"
+      [ depot.tools.eprintf "Error: Found active advisories!" ]
+      "exit"
+      "1"
+    ]
+    "importas"
+    "out"
+    "out"
+    bins.s6-touch
+    "$out"
   ];
 
-in depot.nix.readTree.drvTargets {
+in
+depot.nix.readTree.drvTargets {
 
   check-all-our-crates =
     depot.nix.drvSeqL