about summary refs log tree commit diff
path: root/tools/rust-crates-advisory
diff options
context:
space:
mode:
Diffstat (limited to 'tools/rust-crates-advisory')
-rw-r--r--tools/rust-crates-advisory/OWNERS4
-rw-r--r--tools/rust-crates-advisory/check-security-advisory.rs119
-rw-r--r--tools/rust-crates-advisory/default.nix200
-rw-r--r--tools/rust-crates-advisory/format-audit-result.jq75
4 files changed, 398 insertions, 0 deletions
diff --git a/tools/rust-crates-advisory/OWNERS b/tools/rust-crates-advisory/OWNERS
new file mode 100644
index 000000000000..1895955b2018
--- /dev/null
+++ b/tools/rust-crates-advisory/OWNERS
@@ -0,0 +1,4 @@
+inherited: true
+owners:
+  - Profpatsch
+  - sterni
diff --git a/tools/rust-crates-advisory/check-security-advisory.rs b/tools/rust-crates-advisory/check-security-advisory.rs
new file mode 100644
index 000000000000..e76b090abccb
--- /dev/null
+++ b/tools/rust-crates-advisory/check-security-advisory.rs
@@ -0,0 +1,119 @@
+extern crate semver;
+extern crate toml;
+
+use std::io::Write;
+
+/// reads a security advisory of the form
+/// https://github.com/RustSec/advisory-db/blob/a24932e220dfa9be8b0b501210fef8a0bc7ef43e/EXAMPLE_ADVISORY.md
+/// and a crate version number,
+/// and returns 0 if the crate version is patched
+/// and returns 1 if the crate version is *not* patched
+///
+/// If PRINT_ADVISORY is set, the advisory is printed if it matches.
+
+fn main() {
+    let mut args = std::env::args_os();
+    let file = args.nth(1).expect("security advisory md file is $1");
+    let crate_version = args
+        .nth(0)
+        .expect("crate version is $2")
+        .into_string()
+        .expect("crate version string not utf8");
+    let crate_version = semver::Version::parse(&crate_version)
+        .expect(&format!("this is not a semver version: {}", &crate_version));
+    let filename = file.to_string_lossy();
+
+    let content = std::fs::read(&file).expect(&format!("could not read {}", filename));
+    let content = std::str::from_utf8(&content)
+        .expect(&format!("file {} was not encoded as utf-8", filename));
+    let content = content.trim_start();
+
+    let toml_start = content
+        .strip_prefix("```toml")
+        .expect(&format!("file did not start with ```toml: {}", filename));
+    let toml_end_index = toml_start.find("```").expect(&format!(
+        "the toml section did not end, no `` found: {}",
+        filename
+    ));
+    let toml = &toml_start[..toml_end_index];
+    let toml: toml::Value = toml::de::from_slice(toml.as_bytes())
+        .expect(&format!("could not parse toml: {}", filename));
+
+    let versions = toml
+        .as_table()
+        .expect(&format!("the toml is not a table: {}", filename))
+        .get("versions")
+        .expect(&format!(
+            "the toml does not contain the versions field: {}",
+            filename
+        ))
+        .as_table()
+        .expect(&format!(
+            "the toml versions field must be a table: {}",
+            filename
+        ));
+
+    let unaffected = match versions.get("unaffected") {
+        Some(u) => u
+            .as_array()
+            .expect(&format!(
+                "the toml versions.unaffected field must be a list of semvers: {}",
+                filename
+            ))
+            .iter()
+            .map(|v| {
+                semver::VersionReq::parse(
+                    v.as_str()
+                        .expect(&format!("the version field {} is not a string", v)),
+                )
+                .expect(&format!(
+                    "the version field {} is not a valid semver VersionReq",
+                    v
+                ))
+            })
+            .collect(),
+        None => vec![],
+    };
+
+    let mut patched: Vec<semver::VersionReq> = versions
+        .get("patched")
+        .expect(&format!(
+            "the toml versions.patched field must exist: {}",
+            filename
+        ))
+        .as_array()
+        .expect(&format!(
+            "the toml versions.patched field must be a list of semvers: {}",
+            filename
+        ))
+        .iter()
+        .map(|v| {
+            semver::VersionReq::parse(
+                v.as_str()
+                    .expect(&format!("the version field {} is not a string", v)),
+            )
+            .expect(&format!(
+                "the version field {} is not a valid semver VersionReq",
+                v
+            ))
+        })
+        .collect();
+
+    patched.extend_from_slice(&unaffected[..]);
+    let is_patched_or_unaffected = patched.iter().any(|req| req.matches(&crate_version));
+
+    if is_patched_or_unaffected {
+        std::process::exit(0);
+    } else {
+        if std::env::var_os("PRINT_ADVISORY").is_some() {
+            write!(
+                std::io::stderr(),
+                "Advisory {} matched!\n{}\n",
+                filename,
+                content
+            )
+            .unwrap();
+        }
+        std::process::exit(1);
+    }
+}
diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
new file mode 100644
index 000000000000..b3e8c850eb4b
--- /dev/null
+++ b/tools/rust-crates-advisory/default.nix
@@ -0,0 +1,200 @@
+{ depot, pkgs, lib, ... }:
+
+let
+
+  bins =
+    depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" "s6-dirname" ]
+    // depot.nix.getBins pkgs.coreutils [ "printf" ]
+    // depot.nix.getBins pkgs.lr [ "lr" ]
+    // depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ]
+    // depot.nix.getBins pkgs.jq [ "jq" ]
+    // depot.nix.getBins pkgs.findutils [ "find" ]
+    // depot.nix.getBins pkgs.gnused [ "sed" ]
+  ;
+
+  crate-advisories = "${depot.third_party.rustsec-advisory-db}/crates";
+
+  our-crates = lib.filter (v: v ? outPath)
+    (builtins.attrValues depot.third_party.rust-crates);
+
+  our-crates-lock-file = pkgs.writeText "our-crates-Cargo.lock"
+    (lib.concatMapStrings
+      (crate: ''
+        [[package]]
+        name = "${crate.crateName}"
+        version = "${crate.version}"
+        source = "registry+https://github.com/rust-lang/crates.io-index"
+
+      '')
+      our-crates);
+
+  check-security-advisory = depot.nix.writers.rustSimple
+    {
+      name = "parse-security-advisory";
+      dependencies = [
+        depot.third_party.rust-crates.toml
+        depot.third_party.rust-crates.semver
+      ];
+    }
+    (builtins.readFile ./check-security-advisory.rs);
+
+  # $1 is the directory with advisories for crate $2 with version $3
+  check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [
+    "pipeline"
+    [ bins.lr "-0" "-t" "depth == 1" "$1" ]
+    "forstdin"
+    "-0"
+    "-Eo"
+    "0"
+    "advisory"
+    "if"
+    [ depot.tools.eprintf "advisory %s\n" "$advisory" ]
+    check-security-advisory
+    "$advisory"
+    "$3"
+  ];
+
+  # Run through everything in the `crate-advisories` repository
+  # and check whether we can parse all the advisories without crashing.
+  test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" { } [
+    "pipeline"
+    [ bins.lr "-0" "-t" "depth == 1" crate-advisories ]
+    "if"
+    [
+      # this will succeed as long as check-crate-advisory doesn’t `panic!()` (status 101)
+      "forstdin"
+      "-0"
+      "-E"
+      "-x"
+      "101"
+      "crate_advisories"
+      check-crate-advisory
+      "$crate_advisories"
+      "foo"
+      "0.0.0"
+    ]
+    "importas"
+    "out"
+    "out"
+    bins.s6-touch
+    "$out"
+  ];
+
+
+  lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
+    set -u
+
+    if test "$#" -lt 2; then
+      echo "Usage: $0 IDENTIFIER LOCKFILE [CHECKLIST [MAINTAINERS]]" >&2
+      echo 2>&1
+      echo "  IDENTIFIER  Unique string describing the lock file" >&2
+      echo "  LOCKFILE    Path to Cargo.lock file" >&2
+      echo "  CHECKLIST   Whether to use GHFM checklists in the output (true or false)" >&2
+      echo "  MAINTAINERS List of @names to cc in case of advisories" >&2
+      exit 100
+    fi
+
+    "${bins.cargo-audit}" audit --json --no-fetch \
+      --db "${depot.third_party.rustsec-advisory-db}" \
+      --file "$2" \
+    | "${bins.jq}" --raw-output --join-output \
+      --from-file "${./format-audit-result.jq}" \
+      --arg maintainers "''${4:-}" \
+      --argjson checklist "''${3:-false}" \
+      --arg attr "$1"
+
+    exit "''${PIPESTATUS[0]}" # inherit exit code from cargo-audit
+  '';
+
+  tree-lock-file-report = depot.nix.writeExecline "tree-lock-file-report"
+    {
+      readNArgs = 1;
+    } [
+    "backtick"
+    "-E"
+    "report"
+    [
+      "pipeline"
+      [ bins.find "$1" "-name" "Cargo.lock" "-and" "-type" "f" "-print0" ]
+      "forstdin"
+      "-E"
+      "-0"
+      "lockFile"
+      "backtick"
+      "-E"
+      "depotPath"
+      [
+        "pipeline"
+        [ bins.s6-dirname "$lockFile" ]
+        bins.sed
+        "s|^\\.|/|"
+      ]
+      lock-file-report
+      "$depotPath"
+      "$lockFile"
+      "false"
+    ]
+    "if"
+    [ bins.printf "%s\n" "$report" ]
+    # empty report implies success (no advisories)
+    bins.s6-test
+    "-z"
+    "$report"
+  ];
+
+  check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
+    "backtick"
+    "-EI"
+    "report"
+    [
+      "foreground"
+      [
+        lock-file-report
+        "//third_party/rust-crates"
+        our-crates-lock-file
+        "false"
+      ]
+      tree-lock-file-report
+      "."
+    ]
+    "ifelse"
+    [
+      bins.s6-test
+      "-z"
+      "$report"
+    ]
+    [
+      "exit"
+      "0"
+    ]
+    "pipeline"
+    [
+      "printf"
+      "%s"
+      "$report"
+    ]
+    "buildkite-agent"
+    "annotate"
+    "--style"
+    "warning"
+    "--context"
+    "check-all-our-lock-files"
+  ];
+
+in
+depot.nix.readTree.drvTargets {
+  inherit
+    test-parsing-all-security-advisories
+    check-crate-advisory
+    lock-file-report
+    ;
+
+
+  tree-lock-file-report = tree-lock-file-report // {
+    meta.ci.extraSteps.run = {
+      label = "Check all crates used in depot for advisories";
+      alwaysRun = true;
+      command = check-all-our-lock-files;
+    };
+  };
+}
diff --git a/tools/rust-crates-advisory/format-audit-result.jq b/tools/rust-crates-advisory/format-audit-result.jq
new file mode 100644
index 000000000000..d42ff6e55c79
--- /dev/null
+++ b/tools/rust-crates-advisory/format-audit-result.jq
@@ -0,0 +1,75 @@
+# This is a jq script to format the JSON output of cargo-audit into a short
+# markdown report for humans. It is used by //users/sterni/nixpkgs-crate-holes
+# and //tools/rust-crates-advisory:check-all-our-lock-files which will provide
+# you with example invocations.
+#
+# It needs the following arguments passed to it:
+#
+# - maintainers: Either the empty string or a list of maintainers to @mention
+#   for the current lock file.
+# - attr: An attribute name (or otherwise unique identifier) to associate the
+#   report for the current lock file with.
+# - checklist: If true, the markdown report will use GHFM checklists for the
+#   report, allowing to tick of attributes as taken care of.
+
+# Link to human-readable advisory info for a given vulnerability
+def link:
+  [ "https://rustsec.org/advisories/", .advisory.id, ".html" ] | add;
+
+# Format a list of version constraints
+def version_list:
+  [ .[] | "`" + . + "`" ] | join("; ");
+
+# show paths to fixing this vulnerability:
+#
+# - if there are patched releases, show them (the version we are using presumably
+#   predates the vulnerability discovery, so we likely want to upgrade to a
+#   patched release).
+# - if there are no patched releases, show the unaffected versions (in case we
+#   want to downgrade).
+# - otherwise we state that no unaffected versions are available at this time.
+#
+# This logic should be useful, but is slightly dumber than cargo-audit's
+# suggestion when using the non-JSON output.
+def patched:
+  if .versions.patched == [] then
+    if .versions.unaffected != [] then
+       "unaffected: " + (.versions.unaffected | version_list)
+    else
+      "no unaffected version available"
+    end
+  else
+    "patched: " + (.versions.patched | version_list)
+  end;
+
+# if the vulnerability has aliases (like CVE-*) emit them in parens
+def aliases:
+  if .advisory.aliases == [] then
+    ""
+  else
+    [ " (", (.advisory.aliases | join(", ")), ")" ] | add
+  end;
+
+# each vulnerability is rendered as a (normal) sublist item
+def format_vulnerability:
+  [ "  - "
+  , .package.name, " ", .package.version, ": "
+  , "[", .advisory.id, "](", link, ")"
+  , aliases
+  , ", ", patched
+  , "\n"
+  ] | add;
+
+# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item
+if .vulnerabilities.found | not then
+  ""
+else
+  ([ "-", if $checklist then " [ ] " else " " end
+   , "`", $attr, "`: "
+   , (.vulnerabilities.count | tostring)
+   , " advisories for Cargo.lock"
+   , if $maintainers != "" then " (cc " + $maintainers + ")" else "" end
+   , "\n"
+   ] + (.vulnerabilities.list | map(format_vulnerability))
+  ) | add
+end