about summary refs log tree commit diff
path: root/users/sterni/nixpkgs-crate-holes/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'users/sterni/nixpkgs-crate-holes/default.nix')
-rw-r--r--users/sterni/nixpkgs-crate-holes/default.nix236
1 files changed, 155 insertions, 81 deletions
diff --git a/users/sterni/nixpkgs-crate-holes/default.nix b/users/sterni/nixpkgs-crate-holes/default.nix
index a022568dc941..b659c9c89eb2 100644
--- a/users/sterni/nixpkgs-crate-holes/default.nix
+++ b/users/sterni/nixpkgs-crate-holes/default.nix
@@ -33,7 +33,7 @@ let
       symphorien
       erictapen
       expipiplus1
-    ;
+      ;
   };
 
   # buildRustPackage handling
@@ -55,24 +55,25 @@ let
   extractCargoLock = drv:
     if !(drv ? cargoDeps.outPath)
     then null
-    else pkgs.runCommandNoCC "${drv.name}-Cargo.lock" {} ''
-      if test -d "${drv.cargoDeps}"; then
-        cp "${drv.cargoDeps}/Cargo.lock" "$out"
-      fi
-
-      if test -f "${drv.cargoDeps}"; then
-        tar -xO \
-          --no-wildcards-match-slash --wildcards \
-          -f "${drv.cargoDeps}" \
-          '*/Cargo.lock' \
-          > "$out"
-      fi
-    '';
+    else
+      pkgs.runCommandNoCC "${drv.name}-Cargo.lock" { } ''
+        if test -d "${drv.cargoDeps}"; then
+          cp "${drv.cargoDeps}/Cargo.lock" "$out"
+        fi
+
+        if test -f "${drv.cargoDeps}"; then
+          tar -xO \
+            --no-wildcards-match-slash --wildcards \
+            -f "${drv.cargoDeps}" \
+            '*/Cargo.lock' \
+            > "$out"
+        fi
+      '';
 
   # nixpkgs traversal
 
   # Condition for us to recurse: Either at top-level or recurseForDerivation.
-  recurseInto = path: x: path == [] ||
+  recurseInto = path: x: path == [ ] ||
     (lib.isAttrs x && (x.recurseForDerivations or false));
 
   # Returns the value or false if an eval error occurs.
@@ -97,46 +98,69 @@ let
           doRec = tryEvalOrFalse (recurseInto path x);
           isRust = tryEvalOrFalse (isRustPackage x);
         in
-          if doRec then lib.concatLists (
-            lib.mapAttrsToList (n: go (path ++ [ n ])) x
-          ) else if isDrv && isRust then [
-            {
-              attr = path;
-              lock = extractCargoLock x;
-              maintainers = x.meta.maintainers or [];
-            }
-          ] else [];
-    in go [];
+        if doRec then
+          lib.concatLists
+            (
+              lib.mapAttrsToList (n: go (path ++ [ n ])) x
+            ) else if isDrv && isRust then [
+          {
+            attr = path;
+            lock = extractCargoLock x;
+            maintainers = x.meta.maintainers or [ ];
+          }
+        ] else [ ];
+    in
+    go [ ];
 
   # Report generation and formatting
 
-  reportFor = { attr, lock, maintainers ? [] }: let
-    # naïve attribute path to Nix syntax conversion
-    strAttr = lib.concatStringsSep "." attr;
-    strMaintainers = lib.concatMapStringsSep " " (m: "@${m.github}") (
-      builtins.filter (x: builtins.elem x maintainerWhitelist) maintainers
-    );
-  in
+  reportFor = { attr, lock, maintainers ? [ ] }:
+    let
+      # naïve attribute path to Nix syntax conversion
+      strAttr = lib.concatStringsSep "." attr;
+      strMaintainers = lib.concatMapStringsSep " " (m: "@${m.github}") (
+        builtins.filter (x: builtins.elem x maintainerWhitelist) maintainers
+      );
+    in
     if lock == null
     then pkgs.emptyFile
-    else depot.nix.runExecline "${strAttr}-vulnerability-report" {} [
-      "pipeline" [
-        bins.cargo-audit
-        "audit" "--json"
-        "-n" "--db" rustsec-advisory-db
-        "-f" lock
-      ]
-      "importas" "out" "out"
-      "redirfd" "-w" "1" "$out"
-      bins.jq "-rj" "-f" ./format-audit-result.jq
-      "--arg" "attr" strAttr
-      "--arg" "maintainers" strMaintainers
-    ];
+    else
+      depot.nix.runExecline "${strAttr}-vulnerability-report" { } [
+        "pipeline"
+        [
+          bins.cargo-audit
+          "audit"
+          "--json"
+          "-n"
+          "--db"
+          rustsec-advisory-db
+          "-f"
+          lock
+        ]
+        "importas"
+        "out"
+        "out"
+        "redirfd"
+        "-w"
+        "1"
+        "$out"
+        bins.jq
+        "-rj"
+        "-f"
+        ./format-audit-result.jq
+        "--arg"
+        "attr"
+        strAttr
+        "--arg"
+        "maintainers"
+        strMaintainers
+      ];
 
   # GHMF in issues splits paragraphs on newlines
-  description = lib.concatMapStringsSep "\n\n" (
-    builtins.replaceStrings [ "\n" ] [ " " ]
-  ) [
+  description = lib.concatMapStringsSep "\n\n"
+    (
+      builtins.replaceStrings [ "\n" ] [ " " ]
+    ) [
     ''
       The vulnerability report below was generated by
       [nixpkgs-crate-holes](https://code.tvl.fyi/tree/users/sterni/nixpkgs-crate-holes)
@@ -194,39 +218,63 @@ let
       );
     in
 
-    depot.nix.runExecline "nixpkgs-rust-pkgs-vulnerability-report.md" {
-      stdin = lib.concatMapStrings (report: "${report}\n") reports;
-    } [
-      "importas" "out" "out"
-      "redirfd" "-w" "1" "$out"
+    depot.nix.runExecline "nixpkgs-rust-pkgs-vulnerability-report.md"
+      {
+        stdin = lib.concatMapStrings (report: "${report}\n") reports;
+      } [
+      "importas"
+      "out"
+      "out"
+      "redirfd"
+      "-w"
+      "1"
+      "$out"
       # Print introduction paragraph for the issue
-      "if" [ bins.printf "%s\n\n" description ]
+      "if"
+      [ bins.printf "%s\n\n" description ]
       # Print all reports
-      "foreground" [
-        "forstdin" "-E" "report" bins.cat "$report"
+      "foreground"
+      [
+        "forstdin"
+        "-E"
+        "report"
+        bins.cat
+        "$report"
       ]
       # Print stats at the end (mostly as a gimmick), we already know how many
       # attributes there are and count the attributes with vulnerability by
       # finding the number of checkable list entries in the output.
-      "backtick" "-E" "vulnerableCount" [
-        "pipeline" [
-          bins.grep "^- \\[ \\]" "$out"
+      "backtick"
+      "-E"
+      "vulnerableCount"
+      [
+        "pipeline"
+        [
+          bins.grep
+          "^- \\[ \\]"
+          "$out"
         ]
-        bins.wc "-l"
+        bins.wc
+        "-l"
       ]
-      "if" [
+      "if"
+      [
         bins.printf
         "\n%s of %s checked attributes have vulnerable dependencies.\n\n"
         "$vulnerableCount"
         (toString (builtins.length reports))
       ]
-      "if" [
-        bins.printf "%s\n\n" runInstructions
+      "if"
+      [
+        bins.printf
+        "%s\n\n"
+        runInstructions
       ]
     ];
 
   singleReport =
-    { # Attribute to check: string or list of strings (attr path)
+    {
+      # Attribute to check: string or list of strings (attr path)
       attr
       # Path to importable nixpkgs checkout
     , nixpkgsPath
@@ -241,37 +289,63 @@ let
       strAttr = lib.concatStringsSep "." attr';
     in
 
-    depot.nix.runExecline "${strAttr}-report.html" {} [
-      "importas" "out" "out"
-      "backtick" "-I" "-E" "-N" "report" [
-        bins.cargo-audit "audit"
+    depot.nix.runExecline "${strAttr}-report.html" { } [
+      "importas"
+      "out"
+      "out"
+      "backtick"
+      "-I"
+      "-E"
+      "-N"
+      "report"
+      [
+        bins.cargo-audit
+        "audit"
         "--quiet"
-        "-n" "--db" rustsec-advisory-db
-        "-f" lockFile
+        "-n"
+        "--db"
+        rustsec-advisory-db
+        "-f"
+        lockFile
       ]
-      "pipeline" [
-        "ifte" [
-          bins.printf "%s" "$report"
-        ] [
-          bins.printf "%s\n" "No vulnerabilities found"
+      "pipeline"
+      [
+        "ifte"
+        [
+          bins.printf
+          "%s"
+          "$report"
+        ]
+        [
+          bins.printf
+          "%s\n"
+          "No vulnerabilities found"
         ]
-        bins.test "-n" "$report"
+        bins.test
+        "-n"
+        "$report"
       ]
-      "pipeline" [
-        bins.tee "/dev/stderr"
+      "pipeline"
+      [
+        bins.tee
+        "/dev/stderr"
       ]
-      "redirfd" "-w" "1" "$out"
+      "redirfd"
+      "-w"
+      "1"
+      "$out"
       bins.ansi2html
     ];
 
-in {
+in
+{
   full = reportForNixpkgs;
   single = singleReport;
 
   inherit
     extractCargoLock
     allLockFiles
-  ;
+    ;
 
   # simple sanity check, doesn't cover everything, but testing the full report
   # is quite expensive in terms of evaluation.