
Mk/Uses/cargo.mk: Add support for security/cargo-audit
Abandoned · Public

Authored by tobik on Oct 6 2018, 10:41 AM.

Details

Reviewers
dumbbell
riggs
mat
Group Reviewers
O5: Ports Framework (Owns No Changed Paths)
portmgr
Summary

security/cargo-audit [1] can be used to check Cargo.lock files for vulnerable crates. I thought it might be nice to add support for it to cargo.mk.

It adds a new cargo-audit target that just checks the crates from CARGO_CRATES. Since this is incomplete (e.g., due to local crates from GH_TUPLE or similar that will never be in CARGO_CRATES) it also runs cargo-audit after the build when there is a complete Cargo.lock.

[1] https://rustsec.org/

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

tobik created this revision. Oct 6 2018, 10:41 AM
mat added inline comments. Oct 6 2018, 1:53 PM
Mk/Uses/cargo.mk
285–296

I think this should be in Mk/Scripts/qa.sh.

Also, maybe whatever provides ${LOCALBASE}/bin/cargo-audit should be added to BUILD_DEPENDS when DEVELOPER is set.

286–287

Should this be called something else? its being named "post-build" is confusing when it is in the install/stage phase.

tobik updated this revision to Diff 48830. Oct 6 2018, 2:37 PM
tobik marked 3 inline comments as done.
  • Use qa.sh
  • Add cargo-audit to BUILD_DEPENDS
  • Also add --force to cargo install to allow cargo to overwrite already staged binaries for painless restaging
tobik added inline comments. Oct 6 2018, 2:37 PM
Mk/Uses/cargo.mk
286–287

Probably. I was flip-flopping between hooking this up to just after building (which would actually be far enough) and after staging.

tobik added inline comments. Oct 6 2018, 2:41 PM
Mk/bsd.port.mk
1644–1661

Why does this happen in bsd.port.mk instead of the individual USES?

tobik planned changes to this revision. Oct 6 2018, 5:47 PM

This requires way more thought.

cargo-audit opens a network connection to fetch a database of vulnerable crates which obviously isn't allowed in Poudriere, so qa.sh integration is probably not possible in a good way.

mat added a comment. Oct 6 2018, 7:01 PM

This requires way more thought.

cargo-audit opens a network connection to fetch a database of vulnerable crates which obviously isn't allowed in Poudriere, so qa.sh integration is probably not possible in a good way.

Mmmm, maybe the db could be fetched during fetch and used later?

Mk/Uses/cargo.mk
81

Could you make that .cargo-home so that it stays hidden?

tobik updated this revision to Diff 48848. Oct 7 2018, 9:22 AM
  • Hide CARGO_HOME
  • As a PoC apply some messy hacks to cargo-audit to add an offline, fetch-only mode, and to allow it to load the advisory database from a regular directory
  • Add CARGO_DISABLE_AUDIT knob to turn the qa check off. This is nice to have but also necessary for security/cargo-audit as it cannot depend on itself.
  • Add security/rustsec-advisory-db port that serves as a way to fetch the database in a Poudriere compatible way

Poudriere does not seem to set DEVELOPER{,_MODE} (or another knob that identifies that we are in port testing mode) when calculating which dependencies it needs, so unfortunately POUDRIERE_CARGO_AUDIT_WORKAROUND currently has to be set in make.conf for this to even work.

tobik updated this revision to Diff 48849. Oct 7 2018, 9:54 AM
  • Cleanup cargo-audit target a bit
mat added a comment. Oct 8 2018, 3:39 PM

If the only consumer of CARGO_DISABLE_AUDIT is security/cargo-audit, then it should probably be better to test something like .if ${PKGORIGIN} != security/cargo-audit instead of adding a new variable only used once in the whole ports tree.

Mk/Scripts/qa.sh
947

I do not think you need a second variable, you could add a -x "${LOCALBASE...".

951–953

I think I remember you saying this can exit with a non-0 status, I think it should be trapped with, for example, || :.

Mk/Uses/cargo.mk
50–53

The only variable is DEVELOPER, there is no DEVELOPER_MODE.

tobik planned changes to this revision. Oct 9 2018, 7:25 AM
tobik marked 5 inline comments as done.
tobik added inline comments.
Mk/Uses/cargo.mk
50–53

Poudriere sets DEVELOPER_MODE=yes in port testing mode consistently, but AFAICT it only sets DEVELOPER=1 during check-sanity, stage-qa, check-plist.

This was useful in a previous iteration when I was still adding cargo-audit to FETCH_DEPENDS with a custom fetch target to grab the advisory db with cargo-audit --fetch_only.

It can definitely go away now though.
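Putting together what the summary and the review thread converge on (a qa.sh-style check gated on DEVELOPER, an -x test on ${LOCALBASE}/bin/cargo-audit, a non-fatal exit status, a CARGO_DISABLE_AUDIT opt-out and an advisory database fetched ahead of time so the check works without network access), here is an added shell example that is not the revision's own code and not what landed in the ports tree; the CARGO_AUDIT_DB variable, the --db option, invoking the binary as cargo-audit audit, and the .cargo-audit.log filename are assumptions.

```shell
#!/bin/sh
# Added example of a qa.sh-style cargo-audit check (not the revision's code).
# Assumed environment: LOCALBASE, WRKSRC, DEVELOPER and CARGO_DISABLE_AUDIT as
# in the ports framework; CARGO_AUDIT_DB (directory holding a pre-fetched
# advisory database) and the --db option are assumptions for an offline mode.

warn() { echo "Warning: $*" >&2; }

# Always returns 0: a vulnerable crate or a missing database must not break
# staging (the "|| :" trapping suggested in review); findings go to stderr
# and to a log file under WRKSRC.
cargo_audit() {
	[ -z "${DEVELOPER}" ] && return 0            # only in port testing mode
	[ -n "${CARGO_DISABLE_AUDIT}" ] && return 0  # e.g. cargo-audit itself
	[ -x "${LOCALBASE}/bin/cargo-audit" ] || return 0
	[ -f "${WRKSRC}/Cargo.lock" ] || return 0    # no complete lock file yet

	set -- audit --file "${WRKSRC}/Cargo.lock"
	# Prefer the pre-fetched database so no network connection is needed
	# (as in a poudriere jail); otherwise let cargo-audit use its default.
	if [ -n "${CARGO_AUDIT_DB}" ] && [ -d "${CARGO_AUDIT_DB}" ]; then
		set -- "$@" --db "${CARGO_AUDIT_DB}"
	fi

	log="${WRKSRC}/.cargo-audit.log"
	if ! "${LOCALBASE}/bin/cargo-audit" "$@" >"${log}" 2>&1; then
		warn "cargo-audit reported vulnerable crates; see ${log}"
	fi
	return 0
}
```

The function is silent and does nothing outside DEVELOPER mode, when cargo-audit is not installed, or when no Cargo.lock exists, so it can be wired into the stage-qa checks without adding a hard dependency.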

tobik marked an inline comment as done. Oct 9 2018, 7:26 AM
tobik abandoned this revision. Oct 26 2018, 10:16 PM

It's not going to happen in a good way, so burying this idea.