
Mk/Uses/cargo.mk: Add support for security/cargo-audit
Abandoned, Public

Authored by tobik on Oct 6 2018, 10:41 AM.

Details

Reviewers: dumbbell, riggs, mat
Group Reviewers: O5: Ports Framework (Owns No Changed Paths), portmgr
Summary

security/cargo-audit [1] can be used to check Cargo.lock files for vulnerable crates. I thought it might be nice to add support for it to cargo.mk.

It adds a new cargo-audit target that just checks the crates from CARGO_CRATES. Since this is incomplete (e.g., due to local crates from GH_TUPLE or similar that will never be in CARGO_CRATES) it also runs cargo-audit after the build when there is a complete Cargo.lock.

[1] https://rustsec.org/
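The check the summary describes, matching the crates pinned in a Cargo.lock against an advisory list, can be demonstrated offline. The script below is an added example and is not the revision's own code nor part of cargo-audit; it reproduces only the core comparison (exact name/version lookup against a local list), and both the advisory entries (placeholder RUSTSEC ids) and the Cargo.lock it writes are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the review): offline check of the crates pinned in
# a Cargo.lock against a local advisory list, the kind of comparison that
# cargo-audit performs against its RUSTSEC database. The advisory list and
# the Cargo.lock below are constructed; the advisory ids are placeholders.

# Constructed advisory list: space-separated "crate:affected-version:id".
ADVISORIES='smallvec:0.6.9:RUSTSEC-XXXX-0001 tar:0.4.20:RUSTSEC-XXXX-0002'

# Print "name version" for every [[package]] table in the Cargo.lock given
# as $1. Only top-level name/version keys are read, so the quoted entries
# inside a dependencies = [...] list are not mistaken for packages.
lock_packages() {
    awk '
        /^\[\[package\]\]/ { name = ""; ver = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); ver = $3; print name, ver }
    ' "$1"
}

# Join the lock's packages against the advisory list. Prints one
# "name version advisory-id" line per match; returns 1 when any crate
# matched and 0 when the lock is clean, so a caller (e.g. a QA hook) can
# branch on the exit status.
audit_lock() {
    lock_packages "$1" | awk -v adv="$ADVISORIES" '
        BEGIN {
            n = split(adv, entries, " ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                vuln[f[1] " " f[2]] = f[3]
            }
        }
        ($1 " " $2) in vuln { print $1, $2, vuln[$1 " " $2]; hits++ }
        END { exit hits ? 1 : 0 }'
}

# Write a constructed Cargo.lock (old-style format with a dependencies
# list) to the path given as $1.
write_sample_lock() {
    cat > "$1" <<'EOF'
[[package]]
name = "myport"
version = "1.0.0"
dependencies = [
 "smallvec 0.6.9 (registry+https://github.com/rust-lang/crates.io-index)",
 "tar 0.4.26 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "smallvec"
version = "0.6.9"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tar"
version = "0.4.26"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
}

# Stand-alone run: audit the constructed lock and report the result.
lock="${TMPDIR:-/tmp}/Cargo.lock.$$"
write_sample_lock "$lock"
if audit_lock "$lock"; then
    echo "$lock: no crates match the advisory list"
else
    echo "$lock: vulnerable crates listed above"
fi
rm -f "$lock"
```

Run as-is it reports `smallvec 0.6.9` and exits non-zero, while `tar 0.4.26` passes because the constructed entry only covers 0.4.20; a real advisory database expresses affected versions as ranges, which is exactly the part this exact-match toy leaves out and which cargo-audit needs its fetched database for.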

Diff Detail

Repository: rP FreeBSD ports repository
Build 19531 (Buildable 20027): arc lint + arc unit (no lint or test coverage)

Event Timeline

Mk/Uses/cargo.mk, lines 264–275

I think this should be in Mk/Scripts/qa.sh.

Also, maybe whatever provides ${LOCALBASE}/bin/cargo-audit should be added to BUILD_DEPENDS when DEVELOPER is set.

Lines 265–266

Should this be called something else? Its being named "post-build" is confusing when it is in the install/stage phase.

tobik marked 3 inline comments as done.
  • Use qa.sh
  • Add cargo-audit to BUILD_DEPENDS
  • Also add --force to cargo install to allow cargo to overwrite already staged binaries for painless restaging
Mk/Uses/cargo.mk, lines 265–266

Probably. I was flip-flopping between hooking this up to just after building (which would actually be far enough) and after staging.

Mk/bsd.port.mk, lines 1644–1661 (on Diff #48830)

Why does this happen in bsd.port.mk instead of the individual USES?

tobik planned changes to this revision. Oct 6 2018, 5:47 PM

This requires way more thought.

cargo-audit opens a network connection to fetch a database of vulnerable crates which obviously isn't allowed in Poudriere, so qa.sh integration is probably not possible in a good way.

> This requires way more thought.
>
> cargo-audit opens a network connection to fetch a database of vulnerable crates which obviously isn't allowed in Poudriere, so qa.sh integration is probably not possible in a good way.

Mmmm, maybe the db could be fetched during fetch and used later?

Mk/Uses/cargo.mk, line 67

Could you make that .cargo-home so that it stays hidden?

  • Hide CARGO_HOME
  • As a PoC apply some messy hacks to cargo-audit to add an offline, fetch-only mode, and to allow it to load the advisory database from a regular directory
  • Add CARGO_DISABLE_AUDIT knob to turn the qa check off. This is nice to have but also necessary for security/cargo-audit as it cannot depend on itself.
  • Add security/rustsec-advisory-db port that serves as a way to fetch the database in a Poudriere compatible way

Poudriere does not seem to set DEVELOPER{,_MODE} (or another knob that identifies that we are in port testing mode) when calculating which dependencies it needs, so unfortunately POUDRIERE_CARGO_AUDIT_WORKAROUND currently has to be set in make.conf for this to even work.

  • Cleanup cargo-audit target a bit

If the only consumer of CARGO_DISABLE_AUDIT is security/cargo-audit, then it would probably be better to test something like .if ${PKGORIGIN} != security/cargo-audit instead of adding a new variable only used once in the whole ports tree.

Mk/Scripts/qa.sh, line 947 (on Diff #48849)

I do not think you need a second variable; you could add a -x "${LOCALBASE...".

Lines 951–953 (on Diff #48849)

I think I remember you saying this can exit with a non-zero status; I think it should be trapped with, for example, || :.

Mk/Uses/cargo.mk, lines 47–50

The only variable is DEVELOPER, there is no DEVELOPER_MODE.

tobik planned changes to this revision. Oct 9 2018, 7:25 AM
tobik marked 5 inline comments as done.
tobik added inline comments.
Mk/Uses/cargo.mk, lines 47–50

Poudriere sets DEVELOPER_MODE=yes in port testing mode consistently, but AFAICT it only sets DEVELOPER=1 during check-sanity, stage-qa, check-plist.

This was useful in a previous iteration when I was still adding cargo-audit to FETCH_DEPENDS with a custom fetch target to grab the advisory db with cargo-audit --fetch_only.

It can definitely go away now though.

tobik marked an inline comment as done. Oct 9 2018, 7:26 AM

It's not going to happen in a good way, so burying this idea.