feat(tools): add rust-crates-advisory
We have a bunch of crates in `third_party/rust-crates`; it would be great if we could check them for existing CVEs. This tool does that, it takes the rust security advisory database, parses the applicable CVEs, and cross-checks them against the actual crate versions we list in our package database. The dumb parser we wrote is tested against all entries in the database, so we will notice when upstream breaks their shit. Checking the semver stuff is easy enough with the semver crate. If an advisory matches, it prints the whole thing and fails the build. Change-Id: I9e912c43d37a685d9d7a4424defc467a171ea3c4 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2818 Tested-by: BuildkiteCI Reviewed-by: tazjin <mail@tazj.in> Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
		
							parent
							
								
									72924facae
								
							
						
					
					
						commit
						952afb7da9
					
				
					 8 changed files with 208 additions and 11 deletions
				
			
		
							
								
								
									
										27
									
								
								third_party/rust-crates/default.nix
									
										
									
									
										vendored
									
									
								
							
							
						
						
									
										27
									
								
								third_party/rust-crates/default.nix
									
										
									
									
										vendored
									
									
								
							|  | @ -283,4 +283,31 @@ with depot.third_party.rust-crates; | ||||||
|     sha256 = "1zgl8l15i19lzp90icgwyi6zqdd31b9vm8w129f41d1zd0hs7ayq"; |     sha256 = "1zgl8l15i19lzp90icgwyi6zqdd31b9vm8w129f41d1zd0hs7ayq"; | ||||||
|     dependencies = [ log serde ]; |     dependencies = [ log serde ]; | ||||||
|   }; |   }; | ||||||
|  | 
 | ||||||
|  |   semver-parser = buildRustCrate { | ||||||
|  |     pname = "semver-parser"; | ||||||
|  |     version = "0.7.0"; | ||||||
|  |     crateName = "semver-parser"; | ||||||
|  |     edition = "2015"; | ||||||
|  |     sha256 = "1da66c8413yakx0y15k8c055yna5lyb6fr0fw9318kdwkrk5k12h"; | ||||||
|  |     dependencies = [ ]; | ||||||
|  |   }; | ||||||
|  | 
 | ||||||
|  |   semver = buildRustCrate { | ||||||
|  |     pname = "semver"; | ||||||
|  |     version = "0.10.0"; | ||||||
|  |     crateName = "semver"; | ||||||
|  |     edition = "2015"; | ||||||
|  |     sha256 = "0pbkdwlpq4d0hgdrymm2rcw31plni2siwd882gbcbscjvyvrrrqa"; | ||||||
|  |     dependencies = [ semver-parser ]; | ||||||
|  |   }; | ||||||
|  | 
 | ||||||
|  |   toml = buildRustCrate { | ||||||
|  |     pname = "toml"; | ||||||
|  |     version = "0.5.8"; | ||||||
|  |     crateName = "toml"; | ||||||
|  |     sha256 = "1vwjwmwsy83pbgvvm11a6grbhb09zkcrv9v95wfwv48wjm01wdj4"; | ||||||
|  |     edition = "2018"; | ||||||
|  |     dependencies = [ serde ]; | ||||||
|  |   }; | ||||||
| } | } | ||||||
|  |  | ||||||
							
								
								
									
										9
									
								
								tools/eprintf.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										9
									
								
								tools/eprintf.nix
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,9 @@ | ||||||
|  | { depot, pkgs, ... }: | ||||||
|  | 
 | ||||||
|  | let | ||||||
|  |   bins = depot.nix.getBins pkgs.coreutils [ "printf" ]; | ||||||
|  | 
 | ||||||
|  | # printf(1), but redirect to stderr | ||||||
|  | in depot.nix.writeExecline "eprintf" {} [ | ||||||
|  |   "fdmove" "-c" "1" "2" bins.printf "$@" | ||||||
|  | ] | ||||||
							
								
								
									
										3
									
								
								tools/rust-crates-advisory/OWNERS
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										3
									
								
								tools/rust-crates-advisory/OWNERS
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,3 @@ | ||||||
|  | inherited: true | ||||||
|  | owners: | ||||||
|  |   - Profpatsch | ||||||
							
								
								
									
										67
									
								
								tools/rust-crates-advisory/check-security-advisory.rs
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										67
									
								
								tools/rust-crates-advisory/check-security-advisory.rs
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,67 @@ | ||||||
|  | extern crate semver; | ||||||
|  | extern crate toml; | ||||||
|  | 
 | ||||||
|  | use std::io::Write; | ||||||
|  | 
 | ||||||
|  | /// reads a security advisory of the form
 | ||||||
|  | /// https://github.com/RustSec/advisory-db/blob/a24932e220dfa9be8b0b501210fef8a0bc7ef43e/EXAMPLE_ADVISORY.md
 | ||||||
|  | /// and a crate version number,
 | ||||||
|  | /// and returns 0 if the crate version is patched
 | ||||||
|  | /// and returns 1 if the crate version is *not* patched
 | ||||||
|  | ///
 | ||||||
|  | /// If PRINT_ADVISORY is set, the advisory is printed if it matches.
 | ||||||
|  | 
 | ||||||
|  | fn main() { | ||||||
|  |     let mut args = std::env::args_os(); | ||||||
|  |     let file = args.nth(1).expect("security advisory md file is $1"); | ||||||
|  |     let crate_version = | ||||||
|  |         args.nth(0).expect("crate version is $2") | ||||||
|  |         .into_string().expect("crate version string not utf8") | ||||||
|  |         ; | ||||||
|  |     let crate_version = semver::Version::parse(&crate_version).expect(&format!("this is not a semver version: {}", &crate_version)); | ||||||
|  |     let filename = file.to_string_lossy(); | ||||||
|  | 
 | ||||||
|  |     let content = std::fs::read(&file).expect(&format!("could not read {}", filename)); | ||||||
|  |     let content = | ||||||
|  |         std::str::from_utf8(&content).expect(&format!("file {} was not encoded as utf-8", filename)); | ||||||
|  |     let content = content.trim_start(); | ||||||
|  | 
 | ||||||
|  |     let toml_start = content | ||||||
|  |         .strip_prefix("```toml").expect(&format!("file did not start with ```toml: {}", filename)); | ||||||
|  |     let toml_end_index = toml_start.find("```").expect(&format!("the toml section did not end, no `` found: {}", filename)); | ||||||
|  |     let toml = &toml_start[..toml_end_index]; | ||||||
|  |     let toml : toml::Value = toml::de::from_slice(toml.as_bytes()).expect(&format!("could not parse toml: {}", filename)); | ||||||
|  | 
 | ||||||
|  |     let versions = toml | ||||||
|  |         .as_table().expect(&format!("the toml is not a table: {}", filename)) | ||||||
|  |         .get("versions").expect(&format!("the toml does not contain the versions field: {}", filename)) | ||||||
|  |         .as_table().expect(&format!("the toml versions field must be a table: {}", filename)); | ||||||
|  | 
 | ||||||
|  |     let unaffected = match versions.get("unaffected") { | ||||||
|  |         Some(u) => u | ||||||
|  |             .as_array().expect(&format!("the toml versions.unaffected field must be a list of semvers: {}", filename)) | ||||||
|  |             .iter() | ||||||
|  |             .map(|v| semver::VersionReq::parse(v.as_str().expect(&format!("the version field {} is not a string", v))).expect(&format!("the version field {} is not a valid semver VersionReq", v))) | ||||||
|  |             .collect(), | ||||||
|  |         None => vec![] | ||||||
|  |     }; | ||||||
|  | 
 | ||||||
|  |     let mut patched : Vec<semver::VersionReq> = versions.get("patched").expect(&format!("the toml versions.patched field must exist: {}", filename)) | ||||||
|  |         .as_array().expect(&format!("the toml versions.patched field must be a list of semvers: {}", filename)) | ||||||
|  |         .iter() | ||||||
|  |         .map(|v| semver::VersionReq::parse(v.as_str().expect(&format!("the version field {} is not a string", v))).expect(&format!("the version field {} is not a valid semver VersionReq", v))) | ||||||
|  |         .collect(); | ||||||
|  | 
 | ||||||
|  |     patched.extend_from_slice(&unaffected[..]); | ||||||
|  |     let is_patched_or_unaffected = patched.iter().any(|req| req.matches(&crate_version)); | ||||||
|  | 
 | ||||||
|  |     if is_patched_or_unaffected { | ||||||
|  |         std::process::exit(0); | ||||||
|  |     } else { | ||||||
|  |         if std::env::var_os("PRINT_ADVISORY").is_some() { | ||||||
|  |             write!(std::io::stderr(), "Advisory {} matched!\n{}\n", filename, content).unwrap(); | ||||||
|  |         } | ||||||
|  |         std::process::exit(1); | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  | } | ||||||
							
								
								
									
										97
									
								
								tools/rust-crates-advisory/default.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										97
									
								
								tools/rust-crates-advisory/default.nix
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,97 @@ | ||||||
|  | { depot, pkgs, lib, ... }: | ||||||
|  | 
 | ||||||
|  | let | ||||||
|  | 
 | ||||||
|  |   bins = | ||||||
|  |        depot.nix.getBins pkgs.s6-portable-utils [ "s6-ln" "s6-cat" "s6-echo" "s6-mkdir" "s6-test" "s6-touch" ] | ||||||
|  |     // depot.nix.getBins pkgs.lr [ "lr" ] | ||||||
|  |     ; | ||||||
|  | 
 | ||||||
|  |   crate-advisories = "${pkgs.fetchFromGitHub { | ||||||
|  |     owner = "RustSec"; | ||||||
|  |     repo = "advisory-db"; | ||||||
|  |     # TODO(Profpatsch): this will have to be updated regularly, how? | ||||||
|  |     rev = "113188c62380753f01ff0df5edb7d67a300b143a"; | ||||||
|  |     sha256 = "0v086ybwr71zgs5nv8yr4w2w2d4daxx6in2s1sjb4m41q1r9p0wj"; | ||||||
|  |   }}/crates"; | ||||||
|  | 
 | ||||||
|  |   our-crates = lib.mapAttrsToList (_: lib.id) | ||||||
|  |     # this is a bit eh, but no idea how to avoid the readTree thing otherwise | ||||||
|  |     (builtins.removeAttrs depot.third_party.rust-crates [ "__readTree" ]); | ||||||
|  | 
 | ||||||
|  |   check-security-advisory = depot.nix.writers.rustSimple { | ||||||
|  |     name = "parse-security-advisory"; | ||||||
|  |     dependencies = [ | ||||||
|  |       depot.third_party.rust-crates.toml | ||||||
|  |       depot.third_party.rust-crates.semver | ||||||
|  |     ]; | ||||||
|  |   } (builtins.readFile ./check-security-advisory.rs); | ||||||
|  | 
 | ||||||
|  |   # $1 is the directory with advisories for crate $2 with version $3 | ||||||
|  |   check-crate-advisory = depot.nix.writeExecline "check-crate-advisory" { readNArgs = 3; } [ | ||||||
|  |     "pipeline" [ bins.lr "-0" "-t" "depth == 1" "$1" ] | ||||||
|  |     "forstdin" "-0" "-Eo" "0" "advisory" | ||||||
|  |     "if" [ depot.tools.eprintf "advisory %s\n" "$advisory" ] | ||||||
|  |     check-security-advisory "$advisory" "$3" | ||||||
|  |   ]; | ||||||
|  | 
 | ||||||
|  |   # Run through everything in the `crate-advisories` repository | ||||||
|  |   # and check whether we can parse all the advisories without crashing. | ||||||
|  |   test-parsing-all-security-advisories = depot.nix.runExecline "check-all-our-crates" {} [ | ||||||
|  |     "pipeline" [ bins.lr "-0" "-t" "depth == 1" crate-advisories ] | ||||||
|  |     "if" [ | ||||||
|  |       # this will succeed as long as check-crate-advisory doesn’t `panic!()` (status 101) | ||||||
|  |       "forstdin" "-0" "-E" "-x" "101" "crate_advisories" | ||||||
|  |       check-crate-advisory "$crate_advisories" "foo" "0.0.0" | ||||||
|  |     ] | ||||||
|  |     "importas" "out" "out" | ||||||
|  |     bins.s6-touch "$out" | ||||||
|  |   ]; | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  |   check-all-our-crates = depot.nix.runExecline "check-all-our-crates" { | ||||||
|  |     stdin = lib.concatStrings | ||||||
|  |       (map | ||||||
|  |         (crate: | ||||||
|  |           depot.nix.netstring.fromString | ||||||
|  |             ( depot.nix.netstring.fromString crate.crateName | ||||||
|  |             + depot.nix.netstring.fromString crate.version )) | ||||||
|  |         our-crates); | ||||||
|  |   } [ | ||||||
|  |     "if" [ | ||||||
|  |       "forstdin" "-o" "0" "-Ed" "" "crateNetstring" | ||||||
|  |       "multidefine" "-d" "" "$crateNetstring" [ "crate" "crate_version" ] | ||||||
|  |       "if" [ depot.tools.eprintf "checking %s, version %s\n" "$crate" "$crate_version" ] | ||||||
|  | 
 | ||||||
|  |       "ifthenelse" [ bins.s6-test "-d" "${crate-advisories}/\${crate}" ] | ||||||
|  |           [ # also print the full advisory text if it matches | ||||||
|  |             "export" "PRINT_ADVISORY" "1" | ||||||
|  |             check-crate-advisory "${crate-advisories}/\${crate}" "$crate" "$crate_version" | ||||||
|  |           ] | ||||||
|  |         [ depot.tools.eprintf "No advisories found for crate %s\n" "$crate" ] | ||||||
|  |         "importas" "-ui" "ret" "?" | ||||||
|  |         # put a marker in ./failed to read at the end | ||||||
|  |         "ifelse" [ bins.s6-test "$ret" "-eq" "1" ] | ||||||
|  |           [ bins.s6-touch "./failed" ] | ||||||
|  |         "if" [ depot.tools.eprintf "\n" ] | ||||||
|  |         "exit" "$ret" | ||||||
|  |     ] | ||||||
|  |     "ifelse" [ bins.s6-test "-f" "./failed" ] | ||||||
|  |       [ "if" [ depot.tools.eprintf "Error: Found active advisories!" ] | ||||||
|  |         "exit" "1" | ||||||
|  |       ] | ||||||
|  |     "importas" "out" "out" | ||||||
|  |     bins.s6-touch "$out" | ||||||
|  |   ]; | ||||||
|  | 
 | ||||||
|  | in depot.nix.utils.drvTargets { | ||||||
|  | 
 | ||||||
|  |   check-all-our-crates = | ||||||
|  |     depot.nix.drvSeqL | ||||||
|  |       [ test-parsing-all-security-advisories ] | ||||||
|  |       check-all-our-crates; | ||||||
|  | 
 | ||||||
|  |   inherit | ||||||
|  |     check-crate-advisory | ||||||
|  |     ; | ||||||
|  | } | ||||||
|  | @ -81,7 +81,7 @@ let | ||||||
|     me.netencode.record-splice-env |     me.netencode.record-splice-env | ||||||
|     runOr return500 |     runOr return500 | ||||||
|     "importas" "-i" "path" "path" |     "importas" "-i" "path" "path" | ||||||
|     "if" [ me.lib.eprintf "GET \${path}\n" ] |     "if" [ depot.tools.eprintf "GET \${path}\n" ] | ||||||
|     runOr return404 |     runOr return404 | ||||||
|     "backtick" "-ni" "TEMPLATE_DATA" [ |     "backtick" "-ni" "TEMPLATE_DATA" [ | ||||||
|       "ifelse" [ bins.test "$path" "=" "/notes" ] |       "ifelse" [ bins.test "$path" "=" "/notes" ] | ||||||
|  | @ -118,7 +118,7 @@ let | ||||||
|     "importas" "?" "?" |     "importas" "?" "?" | ||||||
|     "ifelse" [ bins.test "$?" "-eq" "0" ] |     "ifelse" [ bins.test "$?" "-eq" "0" ] | ||||||
|     [] |     [] | ||||||
|     "if" [ me.lib.eprintf "runOr: exited \${?}, running \${1}\n" ] |     "if" [ depot.tools.eprintf "runOr: exited \${?}, running \${1}\n" ] | ||||||
|     "$1" |     "$1" | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -13,10 +13,6 @@ let | ||||||
|     "$@" |     "$@" | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|   eprintf = depot.nix.writeExecline "eprintf" {} [ |  | ||||||
|     "fdmove" "-c" "1" "2" bins.printf "$@" |  | ||||||
|   ]; |  | ||||||
| 
 |  | ||||||
|   eprint-stdin = depot.nix.writeExecline "eprint-stdin" {} [ |   eprint-stdin = depot.nix.writeExecline "eprint-stdin" {} [ | ||||||
|     "pipeline" [ bins.multitee "0-1,2" ] "$@" |     "pipeline" [ bins.multitee "0-1,2" ] "$@" | ||||||
|   ]; |   ]; | ||||||
|  | @ -37,7 +33,7 @@ let | ||||||
|   eprintenv = depot.nix.writeExecline "eprintenv" { readNArgs = 1; } [ |   eprintenv = depot.nix.writeExecline "eprintenv" { readNArgs = 1; } [ | ||||||
|     "ifelse" [ "fdmove" "-c" "1" "2" bins.printenv "$1" ] |     "ifelse" [ "fdmove" "-c" "1" "2" bins.printenv "$1" ] | ||||||
|     [ "$@" ] |     [ "$@" ] | ||||||
|     "if" [ eprintf "eprintenv: could not find \"\${1}\" in the environment\n" ] |     "if" [ depot.tools.eprintf "eprintenv: could not find \"\${1}\" in the environment\n" ] | ||||||
|     "$@" |     "$@" | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|  | @ -54,7 +50,6 @@ let | ||||||
| in { | in { | ||||||
|   inherit |   inherit | ||||||
|     debugExec |     debugExec | ||||||
|     eprintf |  | ||||||
|     eprint-stdin |     eprint-stdin | ||||||
|     eprint-stdin-netencode |     eprint-stdin-netencode | ||||||
|     eprintenv |     eprintenv | ||||||
|  |  | ||||||
|  | @ -5,7 +5,6 @@ let | ||||||
|     ; |     ; | ||||||
|   inherit (depot.users.Profpatsch.lib) |   inherit (depot.users.Profpatsch.lib) | ||||||
|     debugExec |     debugExec | ||||||
|     eprintf |  | ||||||
|     ; |     ; | ||||||
| 
 | 
 | ||||||
|   bins = depot.nix.getBins pkgs.coreutils [ "head" "shuf" ] |   bins = depot.nix.getBins pkgs.coreutils [ "head" "shuf" ] | ||||||
|  | @ -41,7 +40,7 @@ let | ||||||
|     "importas" "-ui" "file" "fileName" |     "importas" "-ui" "file" "fileName" | ||||||
|     "importas" "-ui" "from" "fromLine" |     "importas" "-ui" "from" "fromLine" | ||||||
|     "importas" "-ui" "to" "toLine" |     "importas" "-ui" "to" "toLine" | ||||||
|     "if" [ eprintf "%s-%s\n" "$from" "$to" ] |     "if" [ depot.tools.eprintf "%s-%s\n" "$from" "$to" ] | ||||||
|     (debugExec "adding lib") |     (debugExec "adding lib") | ||||||
|     bins.sed |     bins.sed | ||||||
|       "-e" "\${from},\${to} \${1}" |       "-e" "\${from},\${to} \${1}" | ||||||
|  | @ -98,7 +97,7 @@ let | ||||||
|     "pipeline" [ bins.shuf ] |     "pipeline" [ bins.shuf ] | ||||||
|     "pipeline" [ bins.head "-n" "1000" ] |     "pipeline" [ bins.head "-n" "1000" ] | ||||||
|     bins.xargs "-I" "{}" "-n1" |     bins.xargs "-I" "{}" "-n1" | ||||||
|     "if" [ eprintf "instantiating %s\n" "{}" ] |     "if" [ depot.tools.eprintf "instantiating %s\n" "{}" ] | ||||||
|     "nix-instantiate" "$1" "-A" "{}" |     "nix-instantiate" "$1" "-A" "{}" | ||||||
|   ]; |   ]; | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue