From de62043a7445efeae9e0159e1225480be7954cfa Mon Sep 17 00:00:00 2001
From: sterni
Date: Fri, 4 Feb 2022 17:28:09 +0100
Subject: refactor(rust-crates-advisory): move report generation into script

This script is somewhat usable by humans (it even has a help screen!) and can be reused in //users/sterni/nixpkgs-crate-holes. We are using bash since that allows us to exit with the actual exit code of cargo-audit - something that's not possible in execline.

Change-Id: I3331ae8222a20e23b8e30dc920ab48af78f0247c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5228
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch
---
 tools/rust-crates-advisory/default.nix | 50 ++++++++++++++++------------
 users/sterni/nixpkgs-crate-holes/default.nix | 43 +++++++++---------------
 2 files changed, 43 insertions(+), 50 deletions(-)

diff --git a/tools/rust-crates-advisory/default.nix b/tools/rust-crates-advisory/default.nix
index 8382ec25435b..3b38aa9b9123 100644
--- a/tools/rust-crates-advisory/default.nix
+++ b/tools/rust-crates-advisory/default.nix
@@ -136,6 +136,31 @@ let
 "$out"
 ];
 
+ lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
+ set -u
+
+ if test "$#" -lt 2; then
+ echo "Usage: $0 IDENTIFIER LOCKFILE [CHECKLIST [MAINTAINERS]]" >&2
+ echo 2>&1
+ echo " IDENTIFIER Unique string describing the lock file" >&2
+ echo " LOCKFILE Path to Cargo.lock file" >&2
+ echo " CHECKLIST Whether to use GHFM checklists in the output (true or false)" >&2
+ echo " MAINTAINERS List of @names to cc in case of advisories" >&2
+ exit 100
+ fi
+
+ "${bins.cargo-audit}" audit --json --no-fetch \
+ --db "${depot.third_party.rustsec-advisory-db}" \
+ --file "$2" \
+ | "${bins.jq}" --raw-output --join-output \
+ --from-file "${./format-audit-result.jq}" \
+ --arg maintainers "''${4:-}" \
+ --argjson checklist "''${3:-false}" \
+ --arg attr "$1"
+
+ exit "''${PIPESTATUS[0]}" # inherit exit code from cargo-audit
+ '';
+
 check-all-our-lock-files = depot.nix.writeExecline "check-all-our-lock-files" { } [
 "backtick"
 "-E"
@@ -156,30 +181,10 @@ let
 bins.sed "s|^\\.|/|"
 ]
- "pipeline"
- [
- bins.cargo-audit
- "audit"
- "--json"
- "-n"
- "--db"
- depot.third_party.rustsec-advisory-db
- "-f"
- "$lockFile"
- ]
- bins.jq
- "-rj"
- "--arg"
- "attr"
+ lock-file-report
 "$depotPath"
- "--arg"
- "maintainers"
- ""
- "--argjson"
- "checklist"
+ "$lockFile"
 "false"
- "-f"
- ./format-audit-result.jq
 ]
 "if" [ depot.tools.eprintf "%s\n" "$report" ]
@@ -227,6 +232,7 @@ depot.nix.readTree.drvTargets {
 inherit
 check-crate-advisory
+ lock-file-report
 ;
diff --git a/users/sterni/nixpkgs-crate-holes/default.nix b/users/sterni/nixpkgs-crate-holes/default.nix
index 4dff82d6aa78..c24200ff10f9 100644
--- a/users/sterni/nixpkgs-crate-holes/default.nix
+++ b/users/sterni/nixpkgs-crate-holes/default.nix
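Review bot: `echo 2>&1` in the usage branch of lock-file-report prints the blank separator line to stdout (and redirects stderr into it), unlike the surrounding `>&2` lines; it should read `echo >&2` so the whole help text goes to stderr and nothing leaks into a caller that captures stdout, as check-all-our-lock-files does through `backtick`. A second point on the same hunk: `exit "''${PIPESTATUS[0]}"` forwards cargo-audit's status but discards jq's, so a jq failure (for example a CHECKLIST value that is not valid JSON for `--argjson`) produces an empty or truncated report while the script still exits with cargo-audit's code, which downstream consumers will presumably read as a clean result. Since PIPESTATUS is reset by the next command, copy it first: `status=("''${PIPESTATUS[@]}")`, `test "''${status[1]}" -eq 0 || exit 101`, `exit "''${status[0]}"` (101 is a constructed example distinct from the usage code 100). Checking `$3` against `true|false` up front would also make the script enforce what its help screen promises.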
@@ -126,37 +126,24 @@ let
 then pkgs.emptyFile
 else depot.nix.runExecline "${strAttr}-vulnerability-report" { } [
- "pipeline"
+ "foreground"
 [
- bins.cargo-audit
- "audit"
- "--json"
- "-n"
- "--db"
- rustsec-advisory-db
- "-f"
+ "importas"
+ "out"
+ "out"
+ "redirfd"
+ "-w"
+ "1"
+ "$out"
+ depot.tools.rust-crates-advisory.lock-file-report
+ strAttr
 lock
+ "true"
+ strMaintainers
 ]
- "importas"
- "out"
- "out"
- "redirfd"
- "-w"
- "1"
- "$out"
- bins.jq
- "-rj"
- "-f"
- ../../../tools/rust-crates-advisory/format-audit-result.jq
- "--arg"
- "attr"
- strAttr
- "--arg"
- "maintainers"
- strMaintainers
- "--argjson"
- "checklist"
- "true"
+ # ignore exit status of report
+ "exit"
+ "0"
 ];
 # GHMF in issues splits paragraphs on newlines
-- 
cgit 1.4.1
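Review bot: The trailing `"exit" "0"` after `foreground` discards every exit status of lock-file-report, not only the one meaning "advisories found": a failure to load the advisory database, a missing lock file or a jq error now leaves `$out` empty or partial while the derivation succeeds, so the generated issue silently reports the attribute as clean. The replaced pipeline presumably failed the build whenever jq failed, so this is a regression in how loudly tooling errors surface. Because lock-file-report deliberately forwards cargo-audit's exit code, that code is available in `?` after `foreground`; consider importing it (`"importas" "-ui" "?" "?"`) and treating only the advisories-found status (1, as far as I recall cargo-audit's convention — please confirm) as success, and propagating anything else. Alternatively, fail when `$out` is empty, if the jq filter always writes something for a clean lock file. The enclosing `if`/`then`/`else` expression starts outside the hunk.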