diff options
Diffstat (limited to 'tools/rust-crates-advisory')
| -rw-r--r-- | tools/rust-crates-advisory/OWNERS | 4 | ||||
| -rw-r--r-- | tools/rust-crates-advisory/check-security-advisory.rs | 119 | ||||
| -rw-r--r-- | tools/rust-crates-advisory/default.nix | 200 | ||||
| -rw-r--r-- | tools/rust-crates-advisory/format-audit-result.jq | 75 |
4 files changed, 398 insertions, 0 deletions
diff --git a/tools/rust-crates-advisory/OWNERS b/tools/rust-crates-advisory/OWNERS new file mode 100644 index 0000000000..1895955b20 --- /dev/null +++ b/tools/rust-crates-advisory/OWNERS @@ -0,0 +1,4 @@ +inherited: true +owners: + - Profpatsch + - sterni diff --git a/tools/rust-crates-advisory/check-security-advisory.rs b/tools/rust-crates-advisory/check-security-advisory.rs new file mode 100644 index 0000000000..e76b090abc --- /dev/null +++ b/tools/rust-crates-advisory/check-security-advisory.rs @@ -0,0 +1,119 @@ +extern crate semver; +extern crate toml; + +use std::io::Write; + +/// reads a security advisory of the form +/// https://github.com/RustSec/advisory-db/blob/a24932e220dfa9be8b0b501210fef8a0bc7ef43e/EXAMPLE_ADVISORY.md +/// and a crate version number, +/// and returns 0 if the crate version is patched +/// and returns 1 if the crate version is *not* patched +/// +/// If PRINT_ADVISORY is set, the advisory is printed if it matches. + +fn main() { + let mut args = std::env::args_os(); + let file = args.nth(1).expect("security advisory md file is $1"); + let crate_version = args + .nth(0) + .expect("crate version is $2") + .into_string() + .expect("crate version string not utf8"); + let crate_version = semver::Version::parse(&crate_version) + .expect(&format!("this is not a semver version: {}", &crate_version)); + let filename = file.to_string_lossy(); + + let content = std::fs::read(&file).expect(&format!("could not read {}", filename)); + let content = std::str::from_utf8(&content) + .expect(&format!("file {} was not encoded as utf-8", filename)); + let content = content.trim_start(); + + let toml_start = content + .strip_prefix("```toml") + .expect(&format!("file did not start with ```toml: {}", filename)); + let toml_end_index = toml_start.find("```").expect(&format!( + "the toml section did not end, no `` found: {}", + filename + )); + let toml = &toml_start[..toml_end_index]; + let toml: toml::Value = toml::de::from_slice(toml.as_bytes()) + .expect(&format!("could not parse toml: {}", filename)); + + let versions = toml + .as_table() + .expect(&format!("the toml is not a table: {}", filename)) + .get("versions") + .expect(&format!( + "the toml does not contain the versions field: {}", + filename + )) + .as_table() + .expect(&format!( + "the toml versions field must be a table: {}", + filename + )); + + let unaffected = match versions.get("unaffected") { + Some(u) => u + .as_array() + .expect(&format!( + "the toml versions.unaffected field must be a list of semvers: {}", + filename + )) + .iter() + .map(|v| { + semver::VersionReq::parse( + v.as_str() + .expect(&format!("the version field {} is not a string", v)), + ) + .expect(&format!( + "the version field {} is not a valid semver VersionReq", + v + )) + }) + .collect(), + None => vec![], + }; + + let mut patched: Vec<semver::VersionReq> = versions + .get("patched") + .expect(&format!( + "the toml versions.patched field must exist: {}", + filename + )) + .as_array() + .expect(&format!( + "the toml versions.patched field must be a list of semvers: {}", + filename + )) + .iter() + .map(|v| { + semver::VersionReq::parse( + v.as_str() + .expect(&format!("the version field {} is not a string", v)), + ) + .expect(&format!( + "the version field {} is not a valid semver VersionReq", + v + )) + }) + .collect(); + + patched.extend_from_slice(&unaffected[..]); + let is_patched_or_unaffected = patched.iter().any(|req| req.matches(&crate_version)); + + if is_patched_or_unaffected { + std::process::exit(0); + } else { + if std::env::var_os("PRINT_ADVISORY").is_some() { + write!( + std::io::stderr(), + "Advisory {} matched!\n{}\n", + filename, + content + ) + .unwrap(); + } + std::process::exit(1); + } +} diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix new file mode 100644 index 0000000000..b3e8c850eb --- /dev/null +++ b/tools/rust-crates-advisory/default.nix @@ -0,0 +1,200 @@ +{ depot, pkgs, lib, ... }: + +let + + bins = + depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ] + // depot.nix.getBins pkgs.coreutils [ "printf" ] + // depot.nix.getBins pkgs.lr [ "lr" ] + // depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ] + // depot.nix.getBins pkgs.jq [ "jq" ] + // depot.nix.getBins pkgs.findutils [ "find" ] + // depot.nix.getBins pkgs.gnused [ "sed" ] + ; + + crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates"; + + our-crates = lib.filter (v: v ? outPath) + (builtins.attrValues depot.third_party.rust-crates); + + our-crates-lock-file = pkgs.writeText "our-crates-Cargo.lock" + (lib.concatMapStrings + (crate: '' + [[package]] + name = "${crate.crateName}" + version = "${crate.version}" + source = "registry+https://github.com/rust-lang/crates.io-index" + + '') + our-crates); + + check-security-advisory = depot.nix.writers.rustSimple + { + name = "parse-security-advisory"; + dependencies = [ + depot.third_party.rust-crates.toml + depot.third_party.rust-crates.semver + ]; + } + (builtins.readFile ./check-security-advisory.rs); + + # $1 is the directory with advisories for crate $2 with version $3 + check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [ + "pipeline" + [ bins.lr "-0" "-t" "depth == 1" "$1" ] + "forstdin" + "-0" + "-Eo" + "0" + "advisory" + "if" + [ depot.tools.eprintf "advisory %s\n" "$advisory" ] + check-security-advisory + "$advisory" + "$3" + ]; + + # Run through everything in the `crate-advisories` repository + # and check whether we can parse all the advisories without crashing. + test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" { } [ + "pipeline" + [ bins.lr "-0" "-t" "depth == 1" crate-advisories ] + "if" + [ + # this will succeed as long as check-crate-advisory doesn’t `panic!()` (status 101) + "forstdin" + "-0" + "-E" + "-x" + "101" + "crate_advisories" + check-crate-advisory + "$crate_advisories" + "foo" + "0.0.0" + ] + "importas" + "out" + "out" + bins.s6-touch + "$out" + ]; + + + lock-file-report = pkgs.writers.writeBash "lock-file-report" '' + set -u + + if test "$#" -lt 2; then + echo "Usage: $0 IDENTIFIER LOCKFILE [CHECKLIST [MAINTAINERS]]" >&2 + echo 2>&1 + echo " IDENTIFIER Unique string describing the lock file" >&2 + echo " LOCKFILE Path to Cargo.lock file" >&2 + echo " CHECKLIST Whether to use GHFM checklists in the output (true or false)" >&2 + echo " MAINTAINERS List of @names to cc in case of advisories" >&2 + exit 100 + fi + + "${bins.cargo-audit}" audit --json --no-fetch \ + --db "${depot.third_party.rustsec-advisory-db}" \ + --file "$2" \ + | "${bins.jq}" --raw-output --join-output \ + --from-file "${./format-audit-result.jq}" \ + --arg maintainers "''${4:-}" \ + --argjson checklist "''${3:-false}" \ + --arg attr "$1" + + exit "''${PIPESTATUS[0]}" # inherit exit code from cargo-audit + ''; + + tree-lock-file-report = depot.nix.writeExecline "tree-lock-file-report" + { + readNArgs = 1; + } [ + "backtick" + "-E" + "report" + [ + "pipeline" + [ bins.find "$1" "-name" "Cargo.lock" "-and" "-type" "f" "-print0" ] + "forstdin" + "-E" + "-0" + "lockFile" + "backtick" + "-E" + "depotPath" + [ + "pipeline" + [ bins.s6-dirname "$lockFile" ] + bins.sed + "s|^\\.|/|" + ] + lock-file-report + "$depotPath" + "$lockFile" + "false" + ] + "if" + [ bins.printf "%s\n" "$report" ] + # empty report implies success (no advisories) + bins.s6-test + "-z" + "$report" + ]; + + check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [ + "backtick" + "-EI" + "report" + [ + "foreground" + [ + lock-file-report + "//third_party/rust-crates" + our-crates-lock-file + "false" + ] + tree-lock-file-report + "." + ] + "ifelse" + [ + bins.s6-test + "-z" + "$report" + ] + [ + "exit" + "0" + ] + "pipeline" + [ + "printf" + "%s" + "$report" + ] + "buildkite-agent" + "annotate" + "--style" + "warning" + "--context" + "check-all-our-lock-files" + ]; + +in +depot.nix.readTree.drvTargets { + inherit + test-parsing-all-security-advisories + check-crate-advisory + lock-file-report + ; + + + tree-lock-file-report = tree-lock-file-report // { + meta.ci.extraSteps.run = { + label = "Check all crates used in depot for advisories"; + alwaysRun = true; + command = check-all-our-lock-files; + }; + }; +} diff --git a/tools/rust-crates-advisory/format-audit-result.jq b/tools/rust-crates-advisory/format-audit-result.jq new file mode 100644 index 0000000000..d42ff6e55c --- /dev/null +++ b/tools/rust-crates-advisory/format-audit-result.jq @@ -0,0 +1,75 @@ +# This is a jq script to format the JSON output of cargo-audit into a short +# markdown report for humans. It is used by //users/sterni/nixpkgs-crate-holes +# and //tools/rust-crates-advisory:check-all-our-lock-files which will provide +# you with example invocations. +# +# It needs the following arguments passed to it: +# +# - maintainers: Either the empty string or a list of maintainers to @mention +# for the current lock file. +# - attr: An attribute name (or otherwise unique identifier) to associate the +# report for the current lock file with. +# - checklist: If true, the markdown report will use GHFM checklists for the +# report, allowing to tick of attributes as taken care of. + +# Link to human-readable advisory info for a given vulnerability +def link: + [ "https://rustsec.org/advisories/", .advisory.id, ".html" ] | add; + +# Format a list of version constraints +def version_list: + [ .[] | "`" + . + "`" ] | join("; "); + +# show paths to fixing this vulnerability: +# +# - if there are patched releases, show them (the version we are using presumably +# predates the vulnerability discovery, so we likely want to upgrade to a +# patched release). +# - if there are no patched releases, show the unaffected versions (in case we +# want to downgrade). +# - otherwise we state that no unaffected versions are available at this time. +# +# This logic should be useful, but is slightly dumber than cargo-audit's +# suggestion when using the non-JSON output. +def patched: + if .versions.patched == [] then + if .versions.unaffected != [] then + "unaffected: " + (.versions.unaffected | version_list) + else + "no unaffected version available" + end + else + "patched: " + (.versions.patched | version_list) + end; + +# if the vulnerability has aliases (like CVE-*) emit them in parens +def aliases: + if .advisory.aliases == [] then + "" + else + [ " (", (.advisory.aliases | join(", ")), ")" ] | add + end; + +# each vulnerability is rendered as a (normal) sublist item +def format_vulnerability: + [ " - " + , .package.name, " ", .package.version, ": " + , "[", .advisory.id, "](", link, ")" + , aliases + , ", ", patched + , "\n" + ] | add; + +# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item +if .vulnerabilities.found | not then + "" +else + ([ "-", if $checklist then " [ ] " else " " end + , "`", $attr, "`: " + , (.vulnerabilities.count | tostring) + , " advisories for Cargo.lock" + , if $maintainers != "" then " (cc " + $maintainers + ")" else "" end + , "\n" + ] + (.vulnerabilities.list | map(format_vulnerability)) + ) | add +end |