From 5d064256556a6af2e90a7c902c166ab67c65ea3a Mon Sep 17 00:00:00 2001
From: sterni <sternenseemann@systemli.org>
Date: Thu, 3 Feb 2022 14:44:03 +0100
Subject: chore: move format-audit-result.jq out of //users/sterni

In the spirit of the readTree filter we should also not include files in
user directories from the outside.

Change-Id: I1abe36a721048900d2758b5986063b68b8d1af93
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5200
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: sterni <sternenseemann@systemli.org>
Tested-by: BuildkiteCI
---
 tools/rust-crates-advisory/OWNERS                  |  1 +
 tools/rust-crates-advisory/default.nix             |  2 +-
 tools/rust-crates-advisory/format-audit-result.jq  | 73 ++++++++++++++++++++++
 users/sterni/nixpkgs-crate-holes/default.nix       |  2 +-
 .../nixpkgs-crate-holes/format-audit-result.jq     | 61 ------------------
 5 files changed, 76 insertions(+), 63 deletions(-)
 create mode 100644 tools/rust-crates-advisory/format-audit-result.jq
 delete mode 100644 users/sterni/nixpkgs-crate-holes/format-audit-result.jq

diff --git a/tools/rust-crates-advisory/OWNERS b/tools/rust-crates-advisory/OWNERS
index a742d0d22b..1895955b20 100644
--- a/tools/rust-crates-advisory/OWNERS
+++ b/tools/rust-crates-advisory/OWNERS
@@ -1,3 +1,4 @@
 inherited: true
 owners:
   - Profpatsch
+  - sterni
diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index b8a25ef783..ac19017362 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -176,7 +176,7 @@ let
       "maintainers"
       ""
       "-f"
-      ../../users/sterni/nixpkgs-crate-holes/format-audit-result.jq
+      ./format-audit-result.jq
     ]
     "if"
     [ depot.tools.eprintf "%s\n" "$report" ]
diff --git a/tools/rust-crates-advisory/format-audit-result.jq b/tools/rust-crates-advisory/format-audit-result.jq
new file mode 100644
index 0000000000..6f230df3f9
--- /dev/null
+++ b/tools/rust-crates-advisory/format-audit-result.jq
@@ -0,0 +1,73 @@
+# This is a jq script to format the JSON output of cargo-audit into a short
+# markdown report for humans. It is used by //users/sterni/nixpkgs-crate-holes
+# and //tools/rust-crates-advisory:check-all-our-lock-files which will provide
+# you with example invocations.
+#
+# It needs the following arguments passed to it:
+#
+# - maintainers: Either the empty string or a list of maintainers to @mention
+#   for the current lock file.
+# - attr: An attribute name (or otherwise unique identifier) to associate the
+#   report for the current lock file with.
+
+# Link to human-readable advisory info for a given vulnerability
+def link:
+  [ "https://rustsec.org/advisories/", .advisory.id, ".html" ] | add;
+
+# Format a list of version constraints
+def version_list:
+  [ .[] | "`" + . + "`" ] | join("; ");
+
+# show paths to fixing this vulnerability:
+#
+# - if there are patched releases, show them (the version we are using presumably
+#   predates the vulnerability discovery, so we likely want to upgrade to a
+#   patched release).
+# - if there are no patched releases, show the unaffected versions (in case we
+#   want to downgrade).
+# - otherwise we state that no unaffected versions are available at this time.
+#
+# This logic should be useful, but is slightly dumber than cargo-audit's
+# suggestion when using the non-JSON output.
+def patched:
+  if .versions.patched == [] then
+    if .versions.unaffected != [] then
+       "unaffected: " + (.versions.unaffected | version_list)
+    else
+      "no unaffected version available"
+    end
+  else
+    "patched: " + (.versions.patched | version_list)
+  end;
+
+# if the vulnerability has aliases (like CVE-*) emit them in parens
+def aliases:
+  if .advisory.aliases == [] then
+    ""
+  else
+    [ " (", (.advisory.aliases | join(", ")), ")" ] | add
+  end;
+
+# each vulnerability is rendered as a (normal) sublist item
+def format_vulnerability:
+  [ "  - "
+  , .package.name, " ", .package.version, ": "
+  , "[", .advisory.id, "](", link, ")"
+  , aliases
+  , ", ", patched
+  , "\n"
+  ] | add;
+
+# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item
+if .vulnerabilities.found | not then
+  ""
+else
+  ([ "- [ ] "
+   , "`", $attr, "`: "
+   , (.vulnerabilities.count | tostring)
+   , " vulnerabilities in Cargo.lock"
+   , if $maintainers != "" then " (cc " + $maintainers + ")" else "" end
+   , "\n"
+   ] + (.vulnerabilities.list | map(format_vulnerability))
+  ) | add
+end
diff --git a/users/sterni/nixpkgs-crate-holes/default.nix b/users/sterni/nixpkgs-crate-holes/default.nix
index b659c9c89e..63eaa16070 100644
--- a/users/sterni/nixpkgs-crate-holes/default.nix
+++ b/users/sterni/nixpkgs-crate-holes/default.nix
@@ -147,7 +147,7 @@ let
         bins.jq
         "-rj"
         "-f"
-        ./format-audit-result.jq
+        ../../../tools/rust-crates-advisory/format-audit-result.jq
         "--arg"
         "attr"
         strAttr
diff --git a/users/sterni/nixpkgs-crate-holes/format-audit-result.jq b/users/sterni/nixpkgs-crate-holes/format-audit-result.jq
deleted file mode 100644
index e3147b8016..0000000000
--- a/users/sterni/nixpkgs-crate-holes/format-audit-result.jq
+++ /dev/null
@@ -1,61 +0,0 @@
-# Link to human-readable advisory info for a given vulnerability
-def link:
-  [ "https://rustsec.org/advisories/", .advisory.id, ".html" ] | add;
-
-# Format a list of version constraints
-def version_list:
-  [ .[] | "`" + . + "`" ] | join("; ");
-
-# show paths to fixing this vulnerability:
-#
-# - if there are patched releases, show them (the version we are using presumably
-#   predates the vulnerability discovery, so we likely want to upgrade to a
-#   patched release).
-# - if there are no patched releases, show the unaffected versions (in case we
-#   want to downgrade).
-# - otherwise we state that no unaffected versions are available at this time.
-#
-# This logic should be useful, but is slightly dumber than cargo-audit's
-# suggestion when using the non-JSON output.
-def patched:
-  if .versions.patched == [] then
-    if .versions.unaffected != [] then
-       "unaffected: " + (.versions.unaffected | version_list)
-    else
-      "no unaffected version available"
-    end
-  else
-    "patched: " + (.versions.patched | version_list)
-  end;
-
-# if the vulnerability has aliases (like CVE-*) emit them in parens
-def aliases:
-  if .advisory.aliases == [] then
-    ""
-  else
-    [ " (", (.advisory.aliases | join(", ")), ")" ] | add
-  end;
-
-# each vulnerability is rendered as a (normal) sublist item
-def format_vulnerability:
-  [ "  - "
-  , .package.name, " ", .package.version, ": "
-  , "[", .advisory.id, "](", link, ")"
-  , aliases
-  , ", ", patched
-  , "\n"
-  ] | add;
-
-# be quiet if no found vulnerabilities, otherwise render a GHFM checklist item
-if .vulnerabilities.found | not then
-  ""
-else
-  ([ "- [ ] "
-   , "`", $attr, "`: "
-   , (.vulnerabilities.count | tostring)
-   , " vulnerabilities in Cargo.lock"
-   , if $maintainers != "" then " (cc " + $maintainers + ")" else "" end
-   , "\n"
-   ] + (.vulnerabilities.list | map(format_vulnerability))
-  ) | add
-end
-- 
cgit 1.4.1