{ depot, pkgs, lib, ... }:

let

  bins =
    # Every external program the scripts below call is resolved to an absolute
    # store path here, so none of them depends on whatever happens to be on
    # $PATH when the report runs.
    builtins.foldl' (acc: b: acc // b) { } [
      (depot.nix.getBins pkgs.cargo-audit [ "cargo-audit" ])
      (depot.nix.getBins pkgs.jq [ "jq" ])
      (depot.nix.getBins pkgs.findutils [ "find" ])
      (depot.nix.getBins pkgs.gnused [ "sed" ])
    ];

  # Derivations (anything carrying an `outPath`) among depot's vendored Rust
  # crates; non-derivation helper attributes in that set are dropped.
  our-crates = builtins.filter (crate: crate ? outPath)
    (builtins.attrValues depot.third_party.rust-crates);

  # A synthetic Cargo.lock listing only name/version/source for each vendored
  # crate, which is all cargo-audit needs to match advisories. No `checksum`
  # or `dependencies` entries are written, and every crate is declared as
  # coming from the crates.io index regardless of where depot actually fetched
  # it, so a non-registry crate is matched against advisories for the
  # crates.io package of the same name (reviewer note: confirm that is the
  # intended behaviour for any git-sourced crate in the set).
  our-crates-lock-file =
    let
      entry = crate: ''
        [[package]]
        name = "${crate.crateName}"
        version = "${crate.version}"
        source = "registry+https://github.com/rust-lang/crates.io-index"

      '';
    in
    pkgs.writeText "our-crates-Cargo.lock" (lib.concatStrings (map entry our-crates));

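  # Run cargo-audit over one Cargo.lock and print a formatted report.
  #
  #   $1  IDENTIFIER  label for the lock file, handed to the jq formatter as $attr
  #   $2  LOCKFILE    path to the Cargo.lock to audit
  #   $3  CHECKLIST   "true" or "false": emit GHFM checklists (default false)
  #   $4  MAINTAINERS @names to cc when advisories are found (default empty)
  #
  # Exits 100 on usage errors, otherwise with cargo-audit's own exit status
  # (callers treat non-zero as "advisories found"), unless the jq formatter
  # itself failed, in which case jq's status is returned so a broken or empty
  # report is never mistaken for a clean one.
  lock-file-report = pkgs.writers.writeBash "lock-file-report" ''
    set -u

    usage() {
      echo "Usage: $0 IDENTIFIER LOCKFILE [CHECKLIST [MAINTAINERS]]" >&2
      echo >&2
      echo "  IDENTIFIER  Unique string describing the lock file" >&2
      echo "  LOCKFILE    Path to Cargo.lock file" >&2
      echo "  CHECKLIST   Whether to use GHFM checklists in the output (true or false)" >&2
      echo "  MAINTAINERS List of @names to cc in case of advisories" >&2
      exit 100
    }

    if test "$#" -lt 2; then
      usage
    fi

    checklist="''${3:-false}"
    # $3 is spliced into jq as JSON (--argjson); accept only the two
    # documented values rather than arbitrary JSON.
    case "$checklist" in
      true|false) ;;
      *)
        echo "$0: CHECKLIST must be 'true' or 'false', got '$checklist'" >&2
        usage
        ;;
    esac

    # --no-fetch plus a pinned --db keep this offline and reproducible: the
    # advisories checked are exactly those in depot's vendored rustsec
    # database, so the report is only as current as that pin.
    "${bins.cargo-audit}" audit --json --no-fetch \
      --db "${depot.third_party.rustsec-advisory-db}" \
      --file "$2" \
    | "${bins.jq}" --raw-output --join-output \
      --from-file "${./format-audit-result.jq}" \
      --arg maintainers "''${4:-}" \
      --argjson checklist "$checklist" \
      --arg attr "$1"

    # Copy PIPESTATUS right away; any later command (even an assignment) resets it.
    statuses=("''${PIPESTATUS[@]}")
    if test "''${statuses[1]}" -ne 0; then
      echo "$0: formatting the audit result failed (jq exit ''${statuses[1]})" >&2
      exit "''${statuses[1]}"
    fi
    exit "''${statuses[0]}" # inherit exit code from cargo-audit
  '';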

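  # Audit every Cargo.lock found under a directory (default: the current
  # directory) by running lock-file-report on each, labelled by the lock
  # file's directory relative to the search root written as a depot path
  # (`//dir`).
  #
  #   $1  root  directory to search (default ".")
  #
  # Exits 1 if any lock file produced a non-zero lock-file-report status,
  # 0 otherwise. Note that a failing `find` only ends the loop early; its
  # own exit status is not propagated.
  tree-lock-file-report = pkgs.writers.writeBash "tree-lock-file-report" ''
    set -euo pipefail
    status=0

    root="''${1:-.}"

    # find prints each lock file as <SEARCH ROOT>\t<LOCKFILE DIR>\t<LOCKFILE PATH>\0.
    # NUL-terminated records survive spaces and newlines in paths; a path
    # containing a tab would still be split incorrectly.
    while IFS=$'\t' read -r -d $'\0' entryPoint dir lockFile; do
      # Strip the search-root prefix with a literal (not regex) match and
      # prefix the remainder with "/": "./foo/bar" under "." becomes "//foo/bar".
      # Interpolating the root into a sed pattern would treat it as a regex and
      # break on roots containing `|`, `*`, `[` or similar metacharacters.
      label="/''${dir#"$entryPoint"}"
      "${lock-file-report}" "$label" "$lockFile" || status=1
    done < <("${bins.find}" "$root" -type f -name Cargo.lock -printf '%H\t%h\t%p\0' )

    exit $status
  '';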

  # Top-level report: first the synthetic lock file for depot's vendored
  # crates, then every Cargo.lock under the current directory. Both always
  # run; the exit status is 1 if either reported a problem, else 0.
  depot-rust-crates-advisory-report = pkgs.writers.writeBash "depot-advisory-report" ''
    set -eu
    failed=0

    if ! "${lock-file-report}" "//third_party/rust-crates" "${our-crates-lock-file}"; then
      failed=1
    fi
    if ! "${tree-lock-file-report}"; then
      failed=1
    fi

    exit "$failed"
  '';

  # Wrap a report command in a Buildkite step: run it and, only if it exits
  # non-zero, post its stdout as a build annotation (default style "warning",
  # optionally under `context`). The step's own exit status is that of the
  # annotate pipeline, or 0 when nothing was annotated, so a failing report
  # command does not by itself fail the build.
  buildkiteReportStep =
    { command
    , context ? null
    , style ? "warning"
    }:
    let
      commandName = depot.nix.utils.storePathName (builtins.head command);
      annotateArgs = lib.escapeShellArgs (
        [ "--style" style ]
        ++ lib.optionals (context != null) [ "--context" context ]
      );
    in
    pkgs.writers.writeBash "buildkite-report-${commandName}" ''
      set -uo pipefail

      # The assignment's exit status is that of the command substitution.
      if ! report="$(${lib.escapeShellArgs command})"; then
        # buildkite-agent is resolved from the CI agent's PATH, not pinned here.
        printf "%s" "$report" | buildkite-agent annotate ${annotateArgs}
      fi
    '';

in
depot.nix.readTree.drvTargets {
  # Exposed so other depot targets can audit a single lock file themselves.
  lock-file-report = lock-file-report;

  # The tree report additionally carries CI metadata: an extra step that
  # always runs and audits everything in depot. Findings are posted as a
  # "warning" annotation, so advisories surface in the build UI but do not
  # gate the build.
  tree-lock-file-report =
    let
      ciStep = {
        label = "Check all crates used in depot for advisories";
        alwaysRun = true;
        command = buildkiteReportStep {
          command = [ depot-rust-crates-advisory-report ];
          style = "warning";
          context = "depot-crate-advisories";
        };
      };
    in
    tree-lock-file-report // { meta.ci.extraSteps.run = ciStep; };
}