ci: add the dfinity-sdk.packages.cargo-security-audit job#265

Merged
mergify[bot] merged 1 commit into master from basvandijk/add-cargo-audit-job on Dec 20, 2019

Conversation


@basvandijk basvandijk commented Dec 19, 2019

The dfinity-sdk.packages.cargo-security-audit job only exists in the sdk jobset (i.e. the jobset which corresponds to the master branch).

The job will run cargo audit which scans Cargo.lock for security vulnerabilities in crates reported in the RustSec advisory-db. The DB is an input to the jobset. This means that whenever a new vulnerability is reported or when Cargo.lock changes cargo audit will run.

This depends on https://github.com/dfinity-lab/dfinity/pull/2161, the corresponding PR in the dfinity repo.
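As an added illustration (not the PR's own code), this is how such a job can be expressed in Nix: the advisory DB is a package-set input that is null by default, the job is only defined when the DB is set, and both `Cargo.lock` (via `src`) and the DB are derivation inputs, so Nix re-runs the audit exactly when either of them changes. The attribute names `stdenvNoCC`, `cargo-audit` and `src` and the mkDerivation structure are assumptions; the `-n`, `-d` and `-f` flags are cargo-audit's own.

```nix
# Added example, not code from the PR. Arguments: `RustSec-advisory-db` is a
# checkout of https://github.com/RustSec/advisory-db passed in as a jobset
# input (null when not provided); `src` is the source tree holding Cargo.lock.
{ stdenvNoCC, cargo-audit, src, RustSec-advisory-db ? null }:

# Only define the job when the DB is provided. Evaluating to null lets the
# jobset leave the job out instead of failing to evaluate on branches that
# do not pass the input.
if RustSec-advisory-db == null then null else
stdenvNoCC.mkDerivation {
  name = "cargo-security-audit";
  inherit src;
  nativeBuildInputs = [ cargo-audit ];

  # The build sandbox has no network, so never let cargo-audit fetch the DB:
  #   -n  use the local DB without fetching
  #   -d  path to the advisory-db checkout (a store path, so a new DB
  #       revision changes the derivation hash and triggers a re-audit)
  #   -f  the lock file to scan
  # cargo audit exits non-zero when a vulnerable crate is found, which
  # fails the build and therefore the CI job.
  buildPhase = ''
    cargo audit -n -d ${RustSec-advisory-db} -f Cargo.lock
  '';

  # The audit produces no artifact; an empty output marks success so the
  # result stays cached until Cargo.lock or the DB changes.
  installPhase = ''
    touch "$out"
  '';

  # Nothing is compiled here, so skip the configure, check and fixup phases.
  dontConfigure = true;
  doCheck = false;
  dontFixup = true;
}
```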

@basvandijk basvandijk requested a review from nmattia December 19, 2019 16:40
@basvandijk basvandijk requested a review from a team as a code owner December 19, 2019 16:40
@basvandijk basvandijk changed the title ci: add the dfinity.rs.cargo-security-audit job ci: add the dfinity-sdk.rs.cargo-security-audit job Dec 19, 2019
@basvandijk basvandijk force-pushed the basvandijk/add-cargo-audit-job branch from 73ea2aa to 419afc9 Compare December 19, 2019 16:43
@basvandijk basvandijk changed the title ci: add the dfinity-sdk.rs.cargo-security-audit job ci: add the dfinity-sdk.packages.cargo-security-audit job Dec 19, 2019
@nmattia nmattia left a comment


@nmattia nmattia left a comment


Actually I take it back, why the extra overlay for the db?

@nmattia nmattia left a comment


Clarified offline!

@basvandijk basvandijk force-pushed the basvandijk/add-cargo-audit-job branch from 419afc9 to d62d1fe Compare December 19, 2019 18:03
# fail because of an updated RustSec advisory-db. Also we only add the
# job if the RustSec advisory-db is defined. Note that by default
# RustSec-advisory-db is undefined (null). However, on Hydra the
# `sdk` master jobset has RustSec-advisory-db defined as an
Contributor


can we also add that for the release job (stable branch)?

Contributor Author


Sure. But let's do this in a separate PR. I would first like to test this in practice.

Contributor


yup!

nix/default.nix Outdated
inherit system crossSystem config;
overlays = import ./overlays ++ [ (_self: _super: { inherit releaseVersion; }) ] ++ overlays;
overlays = import ./overlays ++ [
(_self: _super: { inherit releaseVersion RustSec-advisory-db; })
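Review bot: the new overlay makes `RustSec-advisory-db` part of the package set, but the comment at the other review site says it is null by default and only the Hydra `sdk` master jobset defines it, so every consumer of the package-set attribute must handle the null case (define the audit job only when the DB is non-null), and a comment at this line should state why a CI input is injected into the package set rather than passed to the job directly.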
Contributor


can we clarify this change?

Contributor Author


I added some documentation on why RustSec-advisory-db is added to the package set.

@eftychis

@nmattia @basvandijk Can we clarify online also 😛 ?

@basvandijk basvandijk force-pushed the basvandijk/add-cargo-audit-job branch from d62d1fe to 936e585 Compare December 20, 2019 09:24
@basvandijk
Contributor Author

Regarding packageSetArgs: we need to be able to pass arguments to ci/ci.nix (like RustSec-advisory-db) down to jobset.nix. We can now use packageSetArgs to pass these arguments.

After discussing with @nmattia I also have some other ideas how to do this but I would like to do that in another PR because it also requires changes to common.

The `dfinity-sdk.packages.cargo-security-audit` job only exists in the
`sdk` jobset (i.e. the jobset which corresponds to the `master`
branch).

The job will run `cargo audit` which scans `Cargo.lock` for security
vulnerabilities in crates reported in the RustSec advisory-db. The DB
is an input to the jobset. This means that whenever a new
vulnerability is reported or when `Cargo.lock` changes `cargo audit`
will run.
@basvandijk basvandijk force-pushed the basvandijk/add-cargo-audit-job branch from 936e585 to 48a9cd2 Compare December 20, 2019 11:25
@mergify mergify bot merged commit 82d9e4b into master Dec 20, 2019
@mergify mergify bot deleted the basvandijk/add-cargo-audit-job branch December 20, 2019 11:26
dfinity-bot added a commit that referenced this pull request Oct 2, 2020
## Changelog for common:
Branch: master
Commits: [dfinity-lab/common@4b93b09b...4a65b834](https://github.com/dfinity-lab/common/compare/4b93b09b796fbb62f3c4789e7527a0765eae0cdb...4a65b8341dd4cff0059947b7f2254d09219a90db)

* [`3d1f1d49`](https://github.com/dfinity-lab/common/commit/3d1f1d49108941e5008d0c423cab2793b2ea3862) Upgrade to rustc 1.45 using the standardized upgrade workflow ([dfinity-lab/common#265](https://github.com/dfinity-lab/common/issues/265))
* [`ea141762`](https://github.com/dfinity-lab/common/commit/ea14176247375af2f762d92d5413c05ab9b40152) Add nasm's office laptop key
* [`4cc01d21`](https://github.com/dfinity-lab/common/commit/4cc01d21c5ea4835da56753c8414930c33bd6ce3) niv niv: update fad2a6cb -> b50a0107
* [`71fc95ea`](https://github.com/dfinity-lab/common/commit/71fc95ea0e67ee6fb6b5225482e164de9f9edc52) niv niv: update b50a0107 -> dd13098d
* [`87c2ae9a`](https://github.com/dfinity-lab/common/commit/87c2ae9a01b6cc1ec4ad67596181ed42ed6f4d61) Add Islam to accounts.nix
* [`62ec3d1a`](https://github.com/dfinity-lab/common/commit/62ec3d1ae61891e525e12ef34534db4a7e8f28d6) nix-fmt
* [`7c53b963`](https://github.com/dfinity-lab/common/commit/7c53b963ad327f03626ab59cb1a2c92c7b27bab8) add account for ssh
* [`6abecb30`](https://github.com/dfinity-lab/common/commit/6abecb3075ea8f3bbb449a7faf411ffd16211de1) pkgs/overlays/accounts.nix: fixed account for chenyan
* [`181196c0`](https://github.com/dfinity-lab/common/commit/181196c0561bffa598070705e65ebb466434573f) niv cargo2nix: update c5200932 -> 688f9272
* [`abffb600`](https://github.com/dfinity-lab/common/commit/abffb60072633f0c7fd4c4880196c819bb01c159) add ssh pk ([dfinity-lab/common#273](https://github.com/dfinity-lab/common/issues/273))
* [`f550021d`](https://github.com/dfinity-lab/common/commit/f550021df8697aa29c9ad71dc1220f4a3bfa09b9) adding ssh key for Hassen
* [`f1f7f69a`](https://github.com/dfinity-lab/common/commit/f1f7f69a65aa03aabc334663b066ca723dec1c28) formatting
* [`cd7f0b51`](https://github.com/dfinity-lab/common/commit/cd7f0b51f893344ed974f1b3bbd47fd3bc24d16d) fix email address
* [`25b1d9f4`](https://github.com/dfinity-lab/common/commit/25b1d9f4ce2040d7bebd0a7a6fd172720b6b1559) run nix-fmt
* [`c5fe2afa`](https://github.com/dfinity-lab/common/commit/c5fe2afacad8a09d1318f1b87a6aa057d2eadeee) Update ssh key for Khushboo
* [`00a59776`](https://github.com/dfinity-lab/common/commit/00a59776062f35e64d1527bcc8165a6c16039090) Add Stavros to authorized keys
* [`aff78c26`](https://github.com/dfinity-lab/common/commit/aff78c262d7415d9d07f41a6b3be0d6d315e881e) niv niv: update dd13098d -> 29ddaaf4
* [`5a552545`](https://github.com/dfinity-lab/common/commit/5a552545638885aaf1333d22b94199be97309a84) add some more metadata debugging information for macos
* [`a3fc9b6c`](https://github.com/dfinity-lab/common/commit/a3fc9b6c737bc4bd17e7fef0cba1eed0c67be274) Give dsd access to IC-OS instances
* [`d86c8b6c`](https://github.com/dfinity-lab/common/commit/d86c8b6cac5f2f1387d3459d615f2da0fba72097) Clarify Xfmt commands
* [`d0ceee12`](https://github.com/dfinity-lab/common/commit/d0ceee12a8991c7a623d20d708e7a5e56b76b8b6) mk-jobset.nix: support excluding jobs for certain systems from all-systems-go
* [`129dcc07`](https://github.com/dfinity-lab/common/commit/129dcc07ccf90440e0ececf5e8cf1a5a0318f8fe) Add Alin's SSH key ([dfinity-lab/common#283](https://github.com/dfinity-lab/common/issues/283))
* [`7ac40580`](https://github.com/dfinity-lab/common/commit/7ac4058099d16318690cdfc02b1dce09be733fc7) pkgs/overlays/accounts.nix: update bas' SSH key from rsa to ed25519
* [`3fb04d11`](https://github.com/dfinity-lab/common/commit/3fb04d11ea3a760b759998dc50b1c9b42af88e4a) cargo2nix.nix: export cratesRelease and cratesDebug from mkDfinityWorkspace
* [`458c29b4`](https://github.com/dfinity-lab/common/commit/458c29b48b3256b23daed9fcaf61c2d35565f3d3) niv cargo2nix: update 688f9272 -> 20083037 ([dfinity-lab/common#285](https://github.com/dfinity-lab/common/issues/285))
* [`cf39e301`](https://github.com/dfinity-lab/common/commit/cf39e301bc4d5e0ac60e65b7f09c8e9da85593f6) nix/sources.json: cargo-audit: v0.11.2 -> v0.12.1