build: add audit buck build steps #3561

Merged
merged 4 commits into from
Nov 16, 2023
Merged
22 changes: 0 additions & 22 deletions .github/workflows/audit.yml

This file was deleted.

9 changes: 8 additions & 1 deletion apps/consent/BUCK
Expand Up @@ -4,7 +4,8 @@ load("@toolchains//workspace-pnpm:macros.bzl",
"build_node_modules",
"next_build",
"next_build_bin",
"eslint"
"eslint",
"audit",
)

dev_pnpm_task_binary(
Expand Down Expand Up @@ -65,6 +66,11 @@ dev_deps_srcs = {
"lib/eslint-config": "//lib/eslint-config:src",
}

audit(
name = "audit",
level = "critical",
)

eslint(
name = "lint",
srcs = [":src"] + glob([".eslint*"]),
Expand All @@ -76,6 +82,7 @@ eslint(
test_suite(
name = "test-unit",
tests = [
":audit",
":lint",
],
)
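Review bot: `level = "critical"` on the new `audit(` target means advisories rated `high` never fail `test-unit`; the threshold counts the given level and everything above it (see `sum_severities` in run_audit.py), so only critical findings are reported. If that is deliberate, a comment on that line such as `# only critical advisories fail the suite; high is triaged manually` would stop the next reader from assuming high is covered; otherwise `level = "high"` is the more conservative setting. The same value is set in apps/dashboard/BUCK and core/api/BUCK. Since the rule's default is already `"critical"`, the explicit argument is redundant as written.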
9 changes: 8 additions & 1 deletion apps/dashboard/BUCK
Expand Up @@ -4,7 +4,8 @@ load(
"build_node_modules",
"next_build",
"next_build_bin",
"eslint"
"eslint",
"audit",
)

dev_pnpm_task_binary(
Expand Down Expand Up @@ -55,6 +56,11 @@ dev_deps_srcs = {
"lib/eslint-config": "//lib/eslint-config:src",
}

audit(
name = "audit",
level = "critical",
)

eslint(
name = "lint",
srcs = [":src"] + glob([".eslint*"]),
Expand All @@ -66,6 +72,7 @@ eslint(
test_suite(
name = "test-unit",
tests = [
":audit",
":lint",
],
)
7 changes: 7 additions & 0 deletions core/api/BUCK
Expand Up @@ -5,6 +5,7 @@ load(
"tsc_build",
"prod_tsc_build",
"prod_tsc_build_bin",
"audit",
"eslint",
"typescript_check",
"yaml_check",
Expand Down Expand Up @@ -122,6 +123,11 @@ dev_update_file(
out = "src/graphql/admin/schema.graphql"
)

audit(
name = "audit",
level = "critical",
)

eslint(
name = "check-lint",
srcs = [":src"] + [":test_src"] + glob([".eslint*"]),
Expand Down Expand Up @@ -152,6 +158,7 @@ madge_check(
test_suite(
name = "test-unit",
tests = [
":audit",
":check-lint",
":check-type",
":check-yaml",
5 changes: 5 additions & 0 deletions toolchains/workspace-pnpm/BUCK
Expand Up @@ -42,3 +42,8 @@ export_file(
name = "run_in_dir.py",
visibility = ["PUBLIC"],
)

export_file(
name = "run_audit.py",
visibility = ["PUBLIC"],
)
66 changes: 66 additions & 0 deletions toolchains/workspace-pnpm/macros.bzl
Expand Up @@ -608,6 +608,72 @@ def _npm_test_impl(
DefaultInfo(default_output = args_file),
]

def _audit_impl(ctx: AnalysisContext) -> list[[
DefaultInfo,
RunInfo,
ExternalRunnerTestInfo,
]]:
pnpm_toolchain = ctx.attrs._workspace_pnpm_toolchain[WorkspacePnpmToolchainInfo]

audit_args = cmd_args()
audit_args.add("--ignore-registry-errors")

run_cmd_args = cmd_args([
ctx.attrs._python_toolchain[PythonToolchainInfo].interpreter,
pnpm_toolchain.run_audit[DefaultInfo].default_outputs,
"--audit-level",
ctx.attrs.level,
"--",
audit_args,
])

args_file = ctx.actions.write("args.txt", run_cmd_args)

return inject_test_run_info(
ctx,
ExternalRunnerTestInfo(
type = "audit",
command = [run_cmd_args],
),
) + [
DefaultInfo(default_output = args_file),
]

_audit = rule(
impl = _audit_impl,
attrs = {
"level": attrs.enum(
["low", "moderate", "high", "critical"],
default = "critical"
),
"node_modules": attrs.source(
doc = """Target which builds `node_modules`.""",
),
"_inject_test_env": attrs.default_only(
attrs.dep(default = "prelude//test/tools:inject_test_env"),
),
"_python_toolchain": attrs.toolchain_dep(
default = "toolchains//:python",
providers = [PythonToolchainInfo],
),
"_workspace_pnpm_toolchain": attrs.toolchain_dep(
default = "toolchains//:workspace_pnpm",
providers = [WorkspacePnpmToolchainInfo],
),
},
)

def audit(
node_modules = ":node_modules",
visibility = ["PUBLIC"],
**kwargs):

_audit(
node_modules = node_modules,
visibility = visibility,
**kwargs,
)

def eslint_impl(ctx: AnalysisContext) -> list[[
DefaultInfo,
RunInfo,
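Review bot: `_audit_impl` never reads `ctx.attrs.node_modules`, even though `_audit` declares it as a required `attrs.source` and the `audit` macro wires `":node_modules"` into it, so the audit action neither depends on the built `node_modules` nor runs in a known directory; `pnpm audit` is invoked with whatever cwd the test runner happens to provide, which I cannot confirm from the hunk. Either drop the attribute or thread it into `run_cmd_args` so the check runs against the intended lockfile (the toolchain already exposes a `run_in_dir` script that may be the right vehicle, outside this hunk). Separately, `audit_args.add("--ignore-registry-errors")` makes a registry outage produce a passing audit; if that fail-open is intentional, a comment on that line such as `# registry errors exit 0 (fail-open) so a flaky mirror cannot break unrelated suites` records the trade-off. `_npm_test_impl` at the top of the hunk continues above it.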
55 changes: 55 additions & 0 deletions toolchains/workspace-pnpm/run_audit.py
@@ -0,0 +1,55 @@
#!/usr/bin/env python3
"""
Runs audit for npm dependencies.
"""
import argparse
import json
import subprocess
import sys

def sum_severities(severity_dict, start_level):
severity_order = [
"low",
"moderate",
"high",
"critical"
]

start_index = severity_order.index(start_level)
return sum(
severity_dict[level]
for level in severity_order[start_index:]
)

if __name__ == "__main__":
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument(
"--audit-level",
help="Audit severity to print advisories against.",
)
parser.add_argument(
"args",
help="Audit arguments",
nargs=argparse.REMAINDER,
)

args = parser.parse_args()
audit_args = args.args[1:] # ignore '--' separator

pnpm_cmd = ["pnpm", "audit"]
audit_cmd = [*pnpm_cmd, *audit_args]
audit_cmd_json_out = [*audit_cmd, "--json"]

result = subprocess.run(audit_cmd_json_out, stdout=subprocess.PIPE)
result_dict = json.loads(result.stdout)

num_vulns = sum_severities(
result_dict["metadata"]["vulnerabilities"],
args.audit_level
)
if num_vulns > 0:
printable_result = subprocess.run(audit_cmd, stdout=subprocess.PIPE, text=True)
print(printable_result.stdout)
sys.exit(1)

sys.exit(0)
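Review bot: The result of `result = subprocess.run(audit_cmd_json_out, stdout=subprocess.PIPE)` is never checked, so when pnpm cannot produce a report (no lockfile in cwd, a registry failure, or a non-JSON error on stdout) the script dies inside `json.loads` or on the `["metadata"]` lookup with a traceback instead of a message naming the failed command and its exit code. `--audit-level` also accepts any string and has no default, so an unknown or missing value surfaces as a `ValueError` from `severity_order.index` in `sum_severities` rather than an argparse error; `choices=` and `default="critical"` matching the Buck rule's enum would make the script usable on its own. `severity_dict[level]` would be safer as `severity_dict.get(level, 0)` in case a level key is absent from pnpm's metadata, which I cannot confirm from here.
```python
def sum_severities(severity_dict, start_level):
    """Return the count of advisories rated *start_level* or more severe."""
    severity_order = ["low", "moderate", "high", "critical"]
    start_index = severity_order.index(start_level)
    return sum(
        severity_dict.get(level, 0)
        for level in severity_order[start_index:]
    )

# … unchanged: __main__ guard, parser construction …
    parser.add_argument(
        "--audit-level",
        choices=["low", "moderate", "high", "critical"],
        default="critical",
        help="Audit severity to print advisories against.",
    )
# … unchanged: "args" argument, parse_args, command construction …
    result = subprocess.run(audit_cmd_json_out, stdout=subprocess.PIPE)
    try:
        result_dict = json.loads(result.stdout)
    except json.JSONDecodeError:
        sys.stderr.write(
            f"{' '.join(audit_cmd_json_out)} produced no JSON report "
            f"(exit status {result.returncode})\n"
        )
        sys.exit(1)
# … unchanged: severity sum, printable re-run, exit codes …
```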
5 changes: 5 additions & 0 deletions toolchains/workspace-pnpm/toolchain.bzl
Expand Up @@ -8,6 +8,7 @@ WorkspacePnpmToolchainInfo = provider(fields = [
"build_next_build",
"package_next_bin",
"run_in_dir",
"run_audit",
])

def workspace_pnpm_toolchain_impl(ctx) -> list[[DefaultInfo, WorkspacePnpmToolchainInfo]]:
Expand All @@ -26,6 +27,7 @@ def workspace_pnpm_toolchain_impl(ctx) -> list[[DefaultInfo, WorkspacePnpmToolch
build_next_build = ctx.attrs._build_next_build,
package_next_bin = ctx.attrs._package_next_bin,
run_in_dir = ctx.attrs._run_in_dir,
run_audit = ctx.attrs._run_audit,
)
]

Expand Down Expand Up @@ -59,6 +61,9 @@ workspace_pnpm_toolchain = rule(
"_run_in_dir": attrs.dep(
default = "toolchains//workspace-pnpm:run_in_dir.py",
),
"_run_audit": attrs.dep(
default = "toolchains//workspace-pnpm:run_audit.py",
),
},
is_toolchain_rule = True,
)