about summary refs log tree commit diff
path: root/tools/rust-crates-advisory/default.nix
AgeCommit message (Collapse)AuthorFilesLines
2022-02-04 r/3763 feat(tools/rust-crates-advisory): omit GHFM checklist in buildkitesterni1-0/+3
Buildkite doesn't understand GitHub Flavored Markdown and having a read only checklist in there is probably not much use. Change-Id: I41538487087e8c817b1a5e653f077bb0fbe6eb47 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5201 Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-02-04 r/3762 chore: move format-audit-result.jq out of //users/sternisterni1-1/+1
In the spirit of the readTree filter we should also not include files in user directories from the outside. Change-Id: I1abe36a721048900d2758b5986063b68b8d1af93 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5200 Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-02-04 r/3761 feat(tools/rust-crates-advisory): also check all our Cargo.lockssterni1-1/+92
check-all-our-lock-files works very similarly to //users/sterni/nixpkgs-crate-holes, even reusing some parts of it, but is much simpler since we don't need to extract the lock files — they are already in tree. It is implemented as a very simple script which just traverses the subtree of the current directory, collecting all warnings. When executing this script in buildkite via extraSteps, it never fails, instead annotating the pipeline run with a warning. Change-Id: I0a0bc26deffe7b20b99f5aa7238fb3c3bb9deb92 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3721 Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: sterni <sternenseemann@systemli.org> Tested-by: BuildkiteCI
2022-01-31 r/3723 style: format entire depot with nixpkgs-fmtVincent Ambo1-52/+108
This CL can be used to compare the style of nixpkgs-fmt against other formatters (nixpkgs, alejandra). Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: Profpatsch <mail@profpatsch.de> Reviewed-by: kanepyork <rikingcoding@gmail.com> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: cynthia <cynthia@tvl.fyi> Reviewed-by: edef <edef@edef.eu> Reviewed-by: eta <tvl@eta.st> Reviewed-by: grfn <grfn@gws.fyi>
2021-11-23 r/3088 refactor(readTree): Move 'drvTargets' into readTreeVincent Ambo1-1/+1
This function is also generally useful for readTree consumers that have the concept of subtargets. Change-Id: Ic7fc03380dec6953fb288763a28e50ab3624d233
2021-10-12 r/2967 refactor(tools/rust-crates-advisory): move advisory-db to 3psterni1-7/+1
Change-Id: Iaaed35de078292c0c99a7c83de9ca5fdf27b8135 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3711 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in>
2021-09-15 r/2868 refactor(rust-crates-advisory): check type instead of blacklistingsterni1-3/+2
`our-crates` can just check if the attributes in question are derivation (i. e. have an `outPath`) instead of blacklisting the `__readTree` attribute specifically. Change-Id: I472692e89c0e9eff551372c72a73ab765b0b6599
2021-05-17 r/2595 feat(tools): add rust-crates-advisoryProfpatsch1-0/+97
We have a bunch of crates in `third_party/rust-crates`; it would be great if we could check them for existing CVEs. This tool does that, it takes the rust security advisory database, parses the applicable CVEs, and cross-checks them against the actual crate versions we list in our package database. The dumb parser we wrote is tested against all entries in the database, so we will notice when upstream breaks their shit. Checking the semver stuff is easy enough with the semver crate. If an advisory matches, it prints the whole thing and fails the build. Change-Id: I9e912c43d37a685d9d7a4424defc467a171ea3c4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2818 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: sterni <sternenseemann@systemli.org>