From 48a9cd2ffcd5f94ca4e96db3c1610cc5a58f9fe7 Mon Sep 17 00:00:00 2001
From: Bas van Dijk
Date: Thu, 19 Dec 2019 17:37:29 +0100
Subject: [PATCH] ci: add the dfinity-sdk.packages.cargo-security-audit job

The `dfinity-sdk.packages.cargo-security-audit` job only exists in the `sdk` jobset (i.e. the jobset which corresponds to the `master` branch). The job will run `cargo audit` which scans `Cargo.lock` for security vulnerabilities in crates reported in the RustSec advisory-db. The DB is an input to the jobset. This means that whenever a new vulnerability is reported or when `Cargo.lock` changes `cargo audit` will run.
---
 ci/ci-pr.nix | 2 +-
 ci/ci.nix | 7 ++++++-
 jobset.nix | 5 ++++-
 nix/default.nix | 14 ++++++++++++--
 nix/overlays/dfinity-sdk.nix | 16 ++++++++++++++++
 5 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/ci/ci-pr.nix b/ci/ci-pr.nix
index 25a0f90238..b35ff1f11b 100644
--- a/ci/ci-pr.nix
+++ b/ci/ci-pr.nix
@@ -1,4 +1,4 @@
 # This file is used to govern CI jobs for GitHub PRs
 args@{supportedSystems ? [ "x86_64-linux" ], ...}:
-import ./ci.nix (args // { inherit supportedSystems; })
+import ./ci.nix (args // { inherit supportedSystems; isMaster = false; })
diff --git a/ci/ci.nix b/ci/ci.nix
index a8badde167..c010904a0b 100644
--- a/ci/ci.nix
+++ b/ci/ci.nix
@@ -1,9 +1,14 @@
 { supportedSystems ? [ "x86_64-linux" "x86_64-darwin" ]
 , scrubJobs ? true
+, RustSec-advisory-db ? null
+, isMaster ? true
 }:
 let pkgs = import ../nix {}; in
 pkgs.ci ../jobset.nix
-  { inherit supportedSystems scrubJobs; isMaster = true;
+  { inherit supportedSystems scrubJobs isMaster;
     rev = pkgs.lib.commitIdFromGitRepo (pkgs.lib.gitDir ../.);
+    packageSetArgs = {
+      inherit RustSec-advisory-db;
+    };
   }
diff --git a/jobset.nix b/jobset.nix
index 7c1224c7fd..4a21766db4 100644
--- a/jobset.nix
+++ b/jobset.nix
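Review bot: In ci/ci.nix the new `, isMaster ? true` default means every importer that does not pass the flag is treated as master, and ci/ci-pr.nix is the only caller in this patch that sets it to false. Because `isMaster` decides which jobs exist (the cargo-security-audit job in nix/overlays/dfinity-sdk.nix is only added when it is true), an opt-in default, `, isMaster ? false`, with the master jobset passing `isMaster = true` explicitly, would give any new entry point PR behaviour unless it asks for master. That presumably requires the Hydra jobset definition, which is outside this patch, to pass the flag; if that is not possible, a comment on the argument, `# true on Hydra's master jobset; ci-pr.nix overrides this for PRs`, would at least make the default explicit.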
@@ -3,6 +3,9 @@
 , config ? {}
 , overlays ? []
 , src ? null
+, RustSec-advisory-db ? null
 }: {
-  inherit (import ./nix { inherit system crossSystem config overlays; }) dfinity-sdk;
+  inherit (import ./nix {
+    inherit system crossSystem config overlays RustSec-advisory-db;
+  }) dfinity-sdk;
 }
diff --git a/nix/default.nix b/nix/default.nix
index f959cb8cf9..ec2c86abb7 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -5,6 +5,7 @@
 , config ? {}
 , overlays ? []
 , releaseVersion ? "latest"
+, RustSec-advisory-db ? null
 }:
 let
   # The `common` repo provides code (mostly Nix) that is used in the
@@ -21,9 +22,18 @@ let
       else builtins.fetchGit {
         name = "common-sources";
         url = "ssh://git@github.com/dfinity-lab/common";
-        rev = "8872018a48260010599e945526fe0dcf28022444";
+        rev = "a066833f9ce8fac453f736639d46021a714682b2";
       };
 in import commonSrc {
   inherit system crossSystem config;
-  overlays = import ./overlays ++ [ (_self: _super: { inherit releaseVersion; }) ] ++ overlays;
+  overlays = import ./overlays ++ [
+    (_self: _super: {
+      inherit
+        releaseVersion
+        # The dfinity-sdk.packages.cargo-security-audit job has this RustSec
+        # advisory-db as a dependency so we add it here to the package set so
+        # that job has access to it.
+        RustSec-advisory-db;
+    })
+  ] ++ overlays;
 }
diff --git a/nix/overlays/dfinity-sdk.nix b/nix/overlays/dfinity-sdk.nix
index cadb92c051..d37831c0c7 100644
--- a/nix/overlays/dfinity-sdk.nix
+++ b/nix/overlays/dfinity-sdk.nix
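Review bot: In nix/default.nix the bump of the pinned `common` rev from `8872018a48260010599e945526fe0dcf28022444` to `a066833f9ce8fac453f736639d46021a714682b2` is explained neither in the commit message nor in a comment; presumably it brings in `lib.cargo-security-audit`, which nix/overlays/dfinity-sdk.nix now calls, but a reader bisecting later cannot tell that from the diff. A short comment beside the pin, `# a066833f… adds lib.cargo-security-audit, needed by the cargo-security-audit job`, would record the reason. Pinning by full commit hash keeps the fetch reproducible, which is the right choice for a dependency that decides how the audit is run. The `commonSrc` binding this hunk edits starts before the hunk.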
@@ -27,6 +27,22 @@ in {
     e2e-tests = super.callPackage ../e2e-tests.nix {};
     public-folder = super.callPackage ../public.nix {};
+  } //
+  # We only run `cargo audit` on the `master` branch so to not let PRs
+  # fail because of an updated RustSec advisory-db. Also we only add the
+  # job if the RustSec advisory-db is defined. Note that by default
+  # RustSec-advisory-db is undefined (null). However, on Hydra the
+  # `sdk` master jobset has RustSec-advisory-db defined as an
+  # input. This means that whenever a new security vulnerability is
+  # published or when Cargo.lock has been changed `cargo audit` will
+  # run.
+  self.lib.optionalAttrs (self.isMaster && self.RustSec-advisory-db != null) {
+    cargo-security-audit = self.lib.cargo-security-audit {
+      name = "dfinity-sdk";
+      cargoLock = ../../Cargo.lock;
+      db = self.RustSec-advisory-db;
+      ignores = [];
+    };
   };
   dfx-release = mkRelease "dfx" self.releaseVersion packages.rust-workspace-standalone "dfx";
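Review bot: `self.lib.optionalAttrs (self.isMaster && self.RustSec-advisory-db != null)` silently drops the `cargo-security-audit` job when the advisory-db input is missing on master, so a renamed or unset Hydra input disables the audit with no failing job to notice it; on master the null case would better fail loudly, e.g. `db = if self.RustSec-advisory-db != null then self.RustSec-advisory-db else throw "cargo-security-audit: RustSec-advisory-db input is not set";` under `self.lib.optionalAttrs self.isMaster { ... }`. That would break a plain `nix-build ci/ci.nix` run, where `isMaster` defaults to true and the db to null, so it may have to go together with an explicit flag from the jobset; if the silent skip is intended, the comment above the job should say so. `ignores = []` is the right starting point, and a comment stating the policy for adding entries, `# each entry needs the RUSTSEC id, why it does not apply here, and when it can be removed`, would keep the list from becoming an unexplained allowlist. Since the job is master-only, a PR that adds a vulnerable crate is first reported after merge, which is worth stating in the comment as well. The attribute set this hunk closes with `} //` starts before the hunk.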