Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package obs-service-cargo_audit for
openSUSE:Factory checked in at 2022-03-11 21:41:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/obs-service-cargo_audit (Old)
and /work/SRC/openSUSE:Factory/.obs-service-cargo_audit.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "obs-service-cargo_audit"
Fri Mar 11 21:41:16 2022 rev:8 rq:960958 version:0.1.8~0
Changes:
--------
---
/work/SRC/openSUSE:Factory/obs-service-cargo_audit/obs-service-cargo_audit.changes
2022-02-15 23:57:39.880276200 +0100
+++
/work/SRC/openSUSE:Factory/.obs-service-cargo_audit.new.25692/obs-service-cargo_audit.changes
2022-03-11 21:41:27.090079137 +0100
@@ -1,0 +2,15 @@
+Fri Mar 11 03:21:58 UTC 2022 - [email protected]
+
+- Update to version 0.1.8~0:
+ * Fix workspace scanning
+ * Improve output to show fast/slow path updates
+ * Resolve issue with multibuild tests
+ * Improve handling when a lock is requested but not existing
+ * Improve do_scan for querying specific rustsec ids
+ * Improve tool to allow scanning of an individual advisory
+ * Fix do_scan to use nsjail
+ * Improve audit to generate lockfiles and keep working dir clean
+ * Allow running services before scan
+ * Add more docs
+
+-------------------------------------------------------------------
Old:
----
obs-service-cargo_audit-0.1.7~0.tar.xz
New:
----
obs-service-cargo_audit-0.1.8~0.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ obs-service-cargo_audit.spec ++++++
--- /var/tmp/diff_new_pack.9wZI2h/_old 2022-03-11 21:41:27.734079632 +0100
+++ /var/tmp/diff_new_pack.9wZI2h/_new 2022-03-11 21:41:27.738079635 +0100
@@ -22,7 +22,7 @@
License: MPL-2.0
Group: Development/Tools/Building
URL: https://github.com/openSUSE/obs-service-%{service}
-Version: 0.1.7~0
+Version: 0.1.8~0
Release: 0
Source: %{name}-%{version}.tar.xz
BuildRequires: python3
++++++ _service ++++++
--- /var/tmp/diff_new_pack.9wZI2h/_old 2022-03-11 21:41:27.774079662 +0100
+++ /var/tmp/diff_new_pack.9wZI2h/_new 2022-03-11 21:41:27.778079666 +0100
@@ -3,7 +3,7 @@
<param
name="url">https://github.com/openSUSE/obs-service-cargo_audit.git</param>
<param name="versionformat">@PARENT_TAG@~@TAG_OFFSET@</param>
<param name="scm">git</param>
- <param name="revision">v0.1.7</param>
+ <param name="revision">v0.1.8</param>
<param name="match-tag">v*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
++++++ obs-service-cargo_audit-0.1.7~0.tar.xz ->
obs-service-cargo_audit-0.1.8~0.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/obs-service-cargo_audit-0.1.7~0/cargo_audit
new/obs-service-cargo_audit-0.1.8~0/cargo_audit
--- old/obs-service-cargo_audit-0.1.7~0/cargo_audit 2022-02-15
04:51:21.000000000 +0100
+++ new/obs-service-cargo_audit-0.1.8~0/cargo_audit 2022-03-11
04:19:55.000000000 +0100
@@ -64,7 +64,7 @@
def generate_lock(path):
log.debug(f" Running cargo generate-lockfile against: {path}/Cargo.toml")
cmd = [
- "cargo", "generate-lockfile", "-q",
+ "cargo", "generate-lockfile",
"--manifest-path", f"{path}/Cargo.toml",
]
dcmd = " ".join(cmd)
@@ -74,6 +74,8 @@
log.debug(f" return: {proc.returncode}")
if proc.returncode != 0:
log.error(f" Could not generate Cargo.lock under {path}")
+ log.error(f"{output}")
+ log.error(f"{os.listdir(path)}")
exit(1)
def cargo_audit(lock_file):
@@ -95,6 +97,7 @@
proc = run(cmd, check=False, stdout=PIPE, stderr=STDOUT)
output = proc.stdout.decode("utf-8").strip()
log.debug(f"return: {proc.returncode}")
+ log.debug(f"{output}")
details = json.loads(output)
# log.debug(json.dumps(details, sort_keys=True, indent=4))
if proc.returncode != 0:
@@ -125,32 +128,41 @@
log.debug(f"Unpacking assumed source tar {src} to {tgt_dir}")
with tarfile.open(f"{from_dir}/{src}", "r:*") as tar:
tar.extractall(path=tgt_dir)
+ return [os.path.join(tgt_dir, x) for x in os.listdir(tgt_dir)]
def do_cargo_audit(workdir, lsrcdir, lockfile):
scan = []
# Setup our temp dir, in case we need it.
with tempfile.TemporaryDirectory() as tmpdirname:
+ srcdirs = [lsrcdir]
if lsrcdir is None:
# We likely need to unpack sources.
log.debug(f" setting up sources into {tmpdirname}")
lsrcdir = tmpdirname
- do_extract(workdir, tmpdirname)
+ srcdirs = do_extract(workdir, tmpdirname)
else:
(_, dirname) = os.path.split(lsrcdir)
dirpath = os.path.join(tmpdirname, dirname)
log.debug(f" copying sources into {dirpath}")
lsrcdir = shutil.copytree(lsrcdir, dirpath, dirs_exist_ok=True)
+ log.debug(f"srcdirs {srcdirs}")
+
+ if not srcdirs:
+ log.error(" No source directories are available - perhaps this
requires services?")
+ raise ValueError("No source directories are available")
+
cargo_lock_paths = []
- if lockfile:
- cargo_lock_f = os.path.join(lsrcdir, lockfile)
+ if lockfile and len(srcdirs) == 1:
+ tsrcdir = srcdirs[0]
+ cargo_lock_f = os.path.join(tsrcdir, lockfile)
log.info(f" _service configured lock file: {lockfile} ->
{cargo_lock_f}")
if not os.path.exists(cargo_lock_f):
(tgtsrc, _) = os.path.split(cargo_lock_f)
generate_lock(tgtsrc)
cargo_lock_paths = [cargo_lock_f]
- log.debug(f" {cargo_lock_paths}")
+ log.debug(f"using {cargo_lock_paths}")
else:
log.debug(f" Searching for Cargo.lock in: {lsrcdir}")
cargo_lock_paths = find_file(lsrcdir, "Cargo.lock")
@@ -158,12 +170,24 @@
if not cargo_lock_paths:
log.info(f" No Rust Cargo.lock found under {lsrcdir}")
log.info(f" Searching for Cargo.toml in: {lsrcdir}")
- if find_file(lsrcdir, "Cargo.toml"):
- generate_lock(lsrcdir)
- cargo_lock_paths = [os.path.join(lsrcdir, 'Cargo.lock')]
+ cargo_tomls = find_file(lsrcdir, "Cargo.toml")
+ if len(cargo_tomls) > 0:
+ for toml in cargo_tomls:
+ gsrcdir = os.path.dirname(toml)
+ generate_lock(gsrcdir)
+ # cargo_lock_paths = [os.path.join(gsrcdir,
'Cargo.lock')]
else:
log.error(f" No Rust Cargo.toml found under {lsrcdir}")
exit(1)
+ # depending on the layout this could be a workspace, or a bunch
+ # of projects. This changes where the cargo locks MAY end up
so we
+ # have to rescan here.
+ log.debug(f" Searching for Cargo.lock in: {lsrcdir}")
+ cargo_lock_paths = find_file(lsrcdir, "Cargo.lock")
+
+ if not cargo_lock_paths:
+ log.error(f" No Rust Cargo.lock found under {lsrcdir}
after generation")
+ exit(1)
else:
log.debug(f" Detected Rust lock files: {cargo_lock_paths}")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/obs-service-cargo_audit-0.1.7~0/do_scan.py
new/obs-service-cargo_audit-0.1.8~0/do_scan.py
--- old/obs-service-cargo_audit-0.1.7~0/do_scan.py 2022-02-15
04:51:21.000000000 +0100
+++ new/obs-service-cargo_audit-0.1.8~0/do_scan.py 2022-03-11
04:19:55.000000000 +0100
@@ -46,12 +46,16 @@
# Remove any empty strings.
raw_depends = [x for x in raw_depends if x != '']
+ # remove anything that ends with :term, since this is a multi-build and
generally used in tests
+ raw_depends = [x for x in raw_depends if len(x.split(':')) == 1]
+
# Do we have anything that we should exclude?
raw_depends = [x for x in raw_depends if x not in EXCLUDE]
return raw_depends
def get_develproject(pkgname):
+ print(f"intent to scan - openSUSE:Factory/{pkgname}")
try:
out = subprocess.check_output(["osc", "dp",
f"openSUSE:Factory/{pkgname}"])
except subprocess.CalledProcessError as e:
@@ -60,17 +64,22 @@
raise e
return out.decode('UTF-8').strip()
-def checkout_or_update(pkgname):
+def checkout_or_update(pkgname, should_setup):
try:
if os.path.exists('openSUSE:Factory') and
os.path.exists(f'openSUSE:Factory/{pkgname}'):
- print(f"osc up openSUSE:Factory/{pkgname}")
+ print(f"osc revert openSUSE:Factory/{pkgname}")
# Revert/cleanup if required.
out = subprocess.check_output(["osc", "revert", "."],
cwd=f"openSUSE:Factory/{pkgname}")
+ print(f"osc clean openSUSE:Factory/{pkgname}")
out = subprocess.check_output(["osc", "clean", "."],
cwd=f"openSUSE:Factory/{pkgname}")
- out = subprocess.check_output(["osc", "up",
f"openSUSE:Factory/{pkgname}"])
- else:
+ if should_setup:
+ print(f"osc up openSUSE:Factory/{pkgname}")
+ out = subprocess.check_output(["osc", "up",
f"openSUSE:Factory/{pkgname}"])
+ elif should_setup:
print(f"osc co openSUSE:Factory/{pkgname}")
out = subprocess.check_output(["osc", "co",
f"openSUSE:Factory/{pkgname}"])
+ else:
+ print(f"Nothing to do")
except subprocess.CalledProcessError as e:
print(f"Failed to checkout or update openSUSE:Factory/{pkgname}")
print(e.stdout)
@@ -169,6 +178,7 @@
# For testing, we hardcode the list for dev.
# depends = ["kanidm", "389-ds", "bottom", "helvum"]
+ # depends = ["greetd"]
devel_projects = {}
for pkgname in depends:
@@ -181,30 +191,30 @@
need_services = set()
maybe_vuln = set()
- if args.should_setup:
- for pkgname in depends:
- print("---")
- checkout_or_update(pkgname)
- # do they have cargo_audit as a service? Could we consider adding
it?
- (has_services, has_audit, has_vendor_update, lockfile) =
does_have_cargo_audit(pkgname)
- lockfiles[pkgname] = lockfile
-
- if not has_vendor_update:
- print(f"???? openSUSE:Factory/{pkgname} missing cargo_vendor
service + update - the maintainer should be contacted to add this")
- need_services.add(f"{devel_projects[pkgname]}/{pkgname}")
- if not has_audit:
- print(f"?????? openSUSE:Factory/{pkgname} missing
cargo_audit service - the maintainer should be contacted to add this")
- # print(f"??????
https://build.opensuse.org/package/users/openSUSE:Factory/{pkgname}";)
- # If not, we should contact the developers to add this. We can
attempt to unpack
- # and run a scan still though.
- unpack_depends.append((pkgname, has_services))
- need_services.add(f"{devel_projects[pkgname]}/{pkgname}")
- else:
- # If they do, run services. We may not know what they need for
this to work, so we
- # have to run the full stack, but at the least, the developer
probably has this
- # working.
- auditable_depends.append(pkgname)
+ for pkgname in depends:
+ print("---")
+ checkout_or_update(pkgname, args.should_setup)
+ # do they have cargo_audit as a service? Could we consider adding it?
+ (has_services, has_audit, has_vendor_update, lockfile) =
does_have_cargo_audit(pkgname)
+ lockfiles[pkgname] = lockfile
+
+ if not has_vendor_update:
+ print(f"???? openSUSE:Factory/{pkgname} missing cargo_vendor
service + update - the maintainer should be contacted to add this")
+ need_services.add(f"{devel_projects[pkgname]}/{pkgname}")
+ if not has_audit:
+ print(f"?????? openSUSE:Factory/{pkgname} missing cargo_audit
service - the maintainer should be contacted to add this")
+ # print(f"??????
https://build.opensuse.org/package/users/openSUSE:Factory/{pkgname}";)
+ # If not, we should contact the developers to add this. We can
attempt to unpack
+ # and run a scan still though.
+ unpack_depends.append((pkgname, has_services))
+ need_services.add(f"{devel_projects[pkgname]}/{pkgname}")
+ else:
+ # If they do, run services. We may not know what they need for
this to work, so we
+ # have to run the full stack, but at the least, the developer
probably has this
+ # working.
+ auditable_depends.append(pkgname)
+ if args.should_setup:
for pkgname in auditable_depends:
print("---")
print(f"???? running services for
{devel_projects[pkgname]}/{pkgname} ...")
@@ -224,19 +234,33 @@
if not do_unpack_scan(pkgname, lockfile, args.rustsec_id):
maybe_vuln.add(f"{devel_projects[pkgname]}/{pkgname}")
+ slow_update = maybe_vuln & need_services
+ fast_update = maybe_vuln - slow_update
+ # We will warn about these anyway since they are in the vuln set.
need_services -= maybe_vuln
+ # Remove items which items can rapid-update from the slow set
+ maybe_vuln -= fast_update
+
print("--- complete")
- if len(maybe_vuln) > 0:
+ if len(fast_update) > 0:
+ if args.rustsec_id:
+ print(f"- the following pkgs need SECURITY updates to address
{args.rustsec_id} - svc setup")
+ else:
+ print("- the following pkgs need SECURITY updates - svc setup")
+ for item in fast_update:
+ print(f"osc bco {item}")
+
+ if len(slow_update) > 0:
if args.rustsec_id:
- print(f"- the following pkgs need SECURITY updates to address
{args.rustsec_id}")
+ print(f"- the following pkgs need SECURITY updates to address
{args.rustsec_id} - manual")
else:
- print("- the following pkgs need SECURITY updates")
- for item in maybe_vuln:
+ print("- the following pkgs need SECURITY updates - manual")
+ for item in slow_update:
print(f"osc bco {item}")
if len(need_services) > 0:
- print("- the following SHOULD have services updated")
+ print("- the following are NOT vulnerable but SHOULD have services
updated")
for item in need_services:
print(f"osc bco {item}")
