Commit 59a1aeda authored by Yorick Peterse's avatar Yorick Peterse

Fix dependency scanning using cargo audit

Using the output produced by "cargo audit" directly no longer works.
This changes the dependency scanning setup so that we produce a report
file understood by GitLab.
parent 48e4213e
Pipeline #70360352 passed with stages
in 17 minutes and 1 second
......@@ -18,9 +18,14 @@ dependency_scanning:
before_script:
- cargo --version
- rustc --version
- ruby --version
script:
- ./scripts/audit.sh
- ./scripts/audit.rb
artifacts:
when: always
expire_in: 1 month
reports:
dependency_scanning: gl-dependency-scanning-report.json
paths:
- gl-dependency-scanning-report.json
allow_failure: true
......
#!/usr/bin/env ruby
# frozen_string_literal: true
# rubocop: disable all
require 'json'
require 'open3'
stdout, _, _ = Open3.capture3('cargo audit -f vm/Cargo.lock --json')
json = stdout.strip
status = 0
report = {
version: '2.1',
vulnerabilities: [],
remediations: []
}
unless json.empty?
raw_report = JSON.parse(json)
status = 1
raw_report['vulnerabilities']['list'].each do |vuln|
advisory = vuln['advisory']
report[:vulnerabilities] << {
category: 'dependency_scanning',
name: advisory['title'],
message: advisory['title'],
description: advisory['description'],
cve: "Cargo.lock:#{advisory['package']}:#{advisory['id']}",
severity: 'High',
confidence: 'Confirmed',
solution: "Upgrade to #{advisory['patched_versions'].join(', ')}",
scanner: {
id: 'rustsec',
name: 'RustSec'
},
location: {
file: raw_report['lockfile']['path'],
dependency: {
package: {
name: advisory['package']
},
version: vuln['package']['version']
}
},
identifiers: [
{
type: 'rustsec',
name: advisory['id'],
value: advisory['id'],
url: "https://github.com/RustSec/advisory-db/blob/master/crates/#{advisory['package']}/#{advisory['id']}.toml"
}
],
links: [
{
name: 'RustSec advisory',
url: "https://github.com/RustSec/advisory-db/blob/master/crates/#{advisory['package']}/#{advisory['id']}.toml"
},
{
name: 'Issue',
url: advisory['url']
}
]
}
end
end
File.open('gl-dependency-scanning-report.json', 'w') do |handle|
handle.write(JSON.pretty_generate(report))
end
exit(status)
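Review bot: The exit status and stderr of `cargo audit` are thrown away on the `Open3.capture3` line (`stdout, _, _ = ...`), so a scan that fails outright — advisory-DB fetch error, missing `vm/Cargo.lock`, tool not installed — produces empty stdout, an empty report file and `exit 0`, which is indistinguishable from a genuinely clean scan. Capture both and fail loudly: `stdout, stderr, status = Open3.capture3('cargo audit -f vm/Cargo.lock --json')` followed by `abort("cargo audit failed: #{stderr}") if stdout.strip.empty? && !status.success?`. The check has to combine empty output with a failed status rather than status alone, because cargo audit itself exits non-zero when it does find advisories. Separately, `severity: 'High'` and `confidence: 'Confirmed'` are hard-coded for every finding; a short comment such as `# RustSec advisories carry no severity field, so every finding is reported as High` would stop the next reader assuming these values came from the advisory data.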
#!/usr/bin/env bash
set -e
function audit() {
local report="gl-dependency-scanning-report.json"
cargo audit -f vm/Cargo.lock --json > $report
if [[ ! -s $report ]]
then
echo '[]' > $report
fi
}
audit