Diffstat (limited to 'users/sterni/nixpkgs-crate-holes/default.nix')
-rw-r--r--users/sterni/nixpkgs-crate-holes/default.nix228
1 files changed, 146 insertions, 82 deletions
diff --git a/users/sterni/nixpkgs-crate-holes/default.nix b/users/sterni/nixpkgs-crate-holes/default.nix
index a022568dc9..1630ecb8f1 100644
--- a/users/sterni/nixpkgs-crate-holes/default.nix
+++ b/users/sterni/nixpkgs-crate-holes/default.nix
@@ -33,7 +33,7 @@ let
       symphorien
       erictapen
       expipiplus1
-    ;
+      ;
   };
 
   # buildRustPackage handling
@@ -55,24 +55,25 @@ let
   extractCargoLock = drv:
     if !(drv ? cargoDeps.outPath)
     then null
-    else pkgs.runCommandNoCC "${drv.name}-Cargo.lock" {} ''
-      if test -d "${drv.cargoDeps}"; then
-        cp "${drv.cargoDeps}/Cargo.lock" "$out"
-      fi
-
-      if test -f "${drv.cargoDeps}"; then
-        tar -xO \
-          --no-wildcards-match-slash --wildcards \
-          -f "${drv.cargoDeps}" \
-          '*/Cargo.lock' \
-          > "$out"
-      fi
-    '';
+    else
+      pkgs.runCommand "${drv.name}-Cargo.lock" { } ''
+        if test -d "${drv.cargoDeps}"; then
+          cp "${drv.cargoDeps}/Cargo.lock" "$out"
+        fi
+
+        if test -f "${drv.cargoDeps}"; then
+          tar -xO \
+            --no-wildcards-match-slash --wildcards \
+            -f "${drv.cargoDeps}" \
+            '*/Cargo.lock' \
+            > "$out"
+        fi
+      '';
 
   # nixpkgs traversal
 
   # Condition for us to recurse: Either at top-level or recurseForDerivation.
-  recurseInto = path: x: path == [] ||
+  recurseInto = path: x: path == [ ] ||
     (lib.isAttrs x && (x.recurseForDerivations or false));
 
   # Returns the value or false if an eval error occurs.
@@ -97,46 +98,59 @@ let
           doRec = tryEvalOrFalse (recurseInto path x);
           isRust = tryEvalOrFalse (isRustPackage x);
         in
-          if doRec then lib.concatLists (
-            lib.mapAttrsToList (n: go (path ++ [ n ])) x
-          ) else if isDrv && isRust then [
-            {
-              attr = path;
-              lock = extractCargoLock x;
-              maintainers = x.meta.maintainers or [];
-            }
-          ] else [];
-    in go [];
+        if doRec then
+          lib.concatLists
+            (
+              lib.mapAttrsToList (n: go (path ++ [ n ])) x
+            ) else if isDrv && isRust then [
+          {
+            attr = path;
+            lock = extractCargoLock x;
+            maintainers = x.meta.maintainers or [ ];
+          }
+        ] else [ ];
+    in
+    go [ ];
 
   # Report generation and formatting
 
-  reportFor = { attr, lock, maintainers ? [] }: let
-    # naïve attribute path to Nix syntax conversion
-    strAttr = lib.concatStringsSep "." attr;
-    strMaintainers = lib.concatMapStringsSep " " (m: "@${m.github}") (
-      builtins.filter (x: builtins.elem x maintainerWhitelist) maintainers
-    );
-  in
+  reportFor = { attr, lock, maintainers ? [ ] }:
+    let
+      # naïve attribute path to Nix syntax conversion
+      strAttr = lib.concatStringsSep "." attr;
+      strMaintainers = lib.concatMapStringsSep " " (m: "@${m.github}") (
+        builtins.filter (x: builtins.elem x maintainerWhitelist) maintainers
+      );
+    in
     if lock == null
     then pkgs.emptyFile
-    else depot.nix.runExecline "${strAttr}-vulnerability-report" {} [
-      "pipeline" [
-        bins.cargo-audit
-        "audit" "--json"
-        "-n" "--db" rustsec-advisory-db
-        "-f" lock
-      ]
-      "importas" "out" "out"
-      "redirfd" "-w" "1" "$out"
-      bins.jq "-rj" "-f" ./format-audit-result.jq
-      "--arg" "attr" strAttr
-      "--arg" "maintainers" strMaintainers
-    ];
+    else
+      depot.nix.runExecline "${strAttr}-vulnerability-report" { } [
+        "foreground"
+        [
+          "importas"
+          "out"
+          "out"
+          "redirfd"
+          "-w"
+          "1"
+          "$out"
+          depot.tools.rust-crates-advisory.lock-file-report
+          strAttr
+          lock
+          "true"
+          strMaintainers
+        ]
+        # ignore exit status of report
+        "exit"
+        "0"
+      ];
 
   # GHMF in issues splits paragraphs on newlines
-  description = lib.concatMapStringsSep "\n\n" (
-    builtins.replaceStrings [ "\n" ] [ " " ]
-  ) [
+  description = lib.concatMapStringsSep "\n\n"
+    (
+      builtins.replaceStrings [ "\n" ] [ " " ]
+    ) [
     ''
       The vulnerability report below was generated by
       [nixpkgs-crate-holes](https://code.tvl.fyi/tree/users/sterni/nixpkgs-crate-holes)
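Review bot: The `foreground … exit 0` wrapper in the new `reportFor` discards the exit status of `lock-file-report` entirely, so a tool failure (advisory DB unavailable, unparsable lock file) leaves an empty or truncated `$out` that the aggregate issue then counts as a clean attribute — a silent false negative in a vulnerability report. If the tool's non-zero exit is only meant to signal "advisories matched", distinguish that code from genuine errors instead of blanket-ignoring, or at least make the intent explicit in the comment: `# lock-file-report exits non-zero when advisories match; we want its output, not its status`. The bare `"true"` positional passed before `strMaintainers` has no visible meaning here and deserves a comment naming the option it selects. `description` is only partly in view; its definition continues past the end of the hunk.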
@@ -194,39 +208,63 @@ let
       );
     in
 
-    depot.nix.runExecline "nixpkgs-rust-pkgs-vulnerability-report.md" {
-      stdin = lib.concatMapStrings (report: "${report}\n") reports;
-    } [
-      "importas" "out" "out"
-      "redirfd" "-w" "1" "$out"
+    depot.nix.runExecline "nixpkgs-rust-pkgs-vulnerability-report.md"
+      {
+        stdin = lib.concatMapStrings (report: "${report}\n") reports;
+      } [
+      "importas"
+      "out"
+      "out"
+      "redirfd"
+      "-w"
+      "1"
+      "$out"
       # Print introduction paragraph for the issue
-      "if" [ bins.printf "%s\n\n" description ]
+      "if"
+      [ bins.printf "%s\n\n" description ]
       # Print all reports
-      "foreground" [
-        "forstdin" "-E" "report" bins.cat "$report"
+      "foreground"
+      [
+        "forstdin"
+        "-E"
+        "report"
+        bins.cat
+        "$report"
       ]
       # Print stats at the end (mostly as a gimmick), we already know how many
       # attributes there are and count the attributes with vulnerability by
       # finding the number of checkable list entries in the output.
-      "backtick" "-E" "vulnerableCount" [
-        "pipeline" [
-          bins.grep "^- \\[ \\]" "$out"
+      "backtick"
+      "-E"
+      "vulnerableCount"
+      [
+        "pipeline"
+        [
+          bins.grep
+          "^- \\[ \\]"
+          "$out"
         ]
-        bins.wc "-l"
+        bins.wc
+        "-l"
       ]
-      "if" [
+      "if"
+      [
         bins.printf
         "\n%s of %s checked attributes have vulnerable dependencies.\n\n"
         "$vulnerableCount"
         (toString (builtins.length reports))
       ]
-      "if" [
-        bins.printf "%s\n\n" runInstructions
+      "if"
+      [
+        bins.printf
+        "%s\n\n"
+        runInstructions
       ]
     ];
 
   singleReport =
-    { # Attribute to check: string or list of strings (attr path)
+    {
+      # Attribute to check: string or list of strings (attr path)
       attr
       # Path to importable nixpkgs checkout
     , nixpkgsPath
@@ -241,37 +279,63 @@ let
       strAttr = lib.concatStringsSep "." attr';
     in
 
-    depot.nix.runExecline "${strAttr}-report.html" {} [
-      "importas" "out" "out"
-      "backtick" "-I" "-E" "-N" "report" [
-        bins.cargo-audit "audit"
+    depot.nix.runExecline "${strAttr}-report.html" { } [
+      "importas"
+      "out"
+      "out"
+      "backtick"
+      "-I"
+      "-E"
+      "-N"
+      "report"
+      [
+        bins.cargo-audit
+        "audit"
         "--quiet"
-        "-n" "--db" rustsec-advisory-db
-        "-f" lockFile
+        "-n"
+        "--db"
+        rustsec-advisory-db
+        "-f"
+        lockFile
       ]
-      "pipeline" [
-        "ifte" [
-          bins.printf "%s" "$report"
-        ] [
-          bins.printf "%s\n" "No vulnerabilities found"
+      "pipeline"
+      [
+        "ifte"
+        [
+          bins.printf
+          "%s"
+          "$report"
+        ]
+        [
+          bins.printf
+          "%s\n"
+          "No vulnerabilities found"
         ]
-        bins.test "-n" "$report"
+        bins.test
+        "-n"
+        "$report"
       ]
-      "pipeline" [
-        bins.tee "/dev/stderr"
+      "pipeline"
+      [
+        bins.tee
+        "/dev/stderr"
       ]
-      "redirfd" "-w" "1" "$out"
+      "redirfd"
+      "-w"
+      "1"
+      "$out"
       bins.ansi2html
     ];
 
-in {
+in
+{
   full = reportForNixpkgs;
   single = singleReport;
 
   inherit
     extractCargoLock
     allLockFiles
-  ;
+    ;
 
   # simple sanity check, doesn't cover everything, but testing the full report
   # is quite expensive in terms of evaluation.
@@ -280,5 +344,5 @@ in {
     attr = [ "ripgrep" ];
   };
 
-  meta.targets = [ "testSingle" ];
+  meta.ci.targets = [ "testSingle" ];
 }