This repository has been archived by the owner on Dec 2, 2024. It is now read-only.

github-actions: Add cargo-deny
Adds cargo-deny to scan for vulnerabilities and license issues regarding
rust crates.

Some modifications were required for the repo to pass the tests:

 Updates ttrpc to avoid using nix 0.16.0
   https://rustsec.org/advisories/RUSTSEC-2021-0119

 Updates slog-json to avoid MLP license (copyleft)

 Updates crossbeam-channel because 0.52.0 was a yanked package

 Ignores https://rustsec.org/advisories/RUSTSEC-2020-0071
   because chrono is dependent on that version of time.
   chronotope/chrono#578

 Allow multiple versions of the same package
  (package dependencies require this)

 Adds "oci" to src/libs workplace

 Adds Apache-2.0 license to workplace modules that did not have them
 because cargo-deny complains about them not having licenses.

Notes
GitHub Actions does not have an obvious way to loop over each of the
Cargo.toml files. To avoid hardcoding it, I worked around the problem
using a composite action that first generates the cargo-deny action by
finding all Cargo.toml files before calling this new generated action in
the master workflow.

Fixes kata-containers#3359

Signed-off-by: Derek Lee <derlee@redhat.com>
Derek Lee committed Jul 21, 2022
1 parent 575b5eb commit 28eee7a
Showing 18 changed files with 244 additions and 140 deletions.
83 changes: 83 additions & 0 deletions .github/cargo-deny-composite-action/action.yaml
@@ -0,0 +1,83 @@
name: 'Cargo Crates Check'
description: 'Checks every Cargo.toml file using cargo-deny'
inputs:
command:
description: Either 'advisories' or 'bans licenses sources'
required: true

runs:
using: "composite"
steps:
- uses: actions/checkout@v3

- name: src/agent/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/agent/Cargo.toml
command: check ${{ inputs.command }}

- name: src/agent/rustjail/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/agent/rustjail/Cargo.toml
command: check ${{ inputs.command }}

- name: src/agent/vsock-exporter/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/agent/vsock-exporter/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/logging/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/logging/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/oci/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/oci/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/protocols/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/protocols/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/safe-path/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/safe-path/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/Cargo.toml
command: check ${{ inputs.command }}

- name: src/tools/agent-ctl/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/tools/agent-ctl/Cargo.toml
command: check ${{ inputs.command }}

- name: src/tools/runk/libcontainer/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/tools/runk/libcontainer/Cargo.toml
command: check ${{ inputs.command }}

- name: src/tools/runk/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/tools/runk/Cargo.toml
command: check ${{ inputs.command }}

- name: src/tools/trace-forwarder/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/tools/trace-forwarder/Cargo.toml
command: check ${{ inputs.command }}
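Review bot: this generated action.yaml is committed, yet cargo-deny-runner.yaml regenerates it on every run, so the checked-in copy will drift from the real set of Cargo.toml files and every future PR that adds a crate will carry noise in this file; either stop committing it (ignore it in .gitignore and keep only the skeleton) or commit it and drop the generation step. The first step `- uses: actions/checkout@v3` also re-checks out the repository inside the composite action although the calling workflow has already done so; it can be removed from the skeleton.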
24 changes: 24 additions & 0 deletions .github/cargo-deny-composite-action/cargo-deny-generator.sh
@@ -0,0 +1,24 @@
#!/bin/bash
script_dir=$(dirname "$(readlink -f "$0")")
parent_dir=$(realpath "${script_dir}/../..")
cargo_tomls=$(find "${parent_dir}" -name Cargo.toml)

temp_checkout_dir="./cargo-deny-action-copy"

cargo_deny_file="${script_dir}/action.yaml"

cat cargo-deny-skeleton.yaml.in > "${cargo_deny_file}"

for path in $cargo_tomls
do
path=$(realpath --relative-to="${parent_dir}" "${path}")

cat >> "${cargo_deny_file}" << EOF
- name: ${path}
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ${path}
command: check \${{ inputs.command }}
EOF
done
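Review bot: `cat cargo-deny-skeleton.yaml.in` is the only path not anchored on `${script_dir}`, so the script only works when invoked from its own directory (which is why the workflow needs `working-directory`); use `"${script_dir}/cargo-deny-skeleton.yaml.in"` to match the rest of the script. `temp_checkout_dir` is assigned and never used. `for path in $cargo_tomls` depends on word splitting and breaks on paths containing whitespace; `find ... -print0 | while IFS= read -r -d '' path` is the safe form. The `find` is unrestricted, so a leftover `target/` or vendored directory on the runner would add spurious manifests; consider `-not -path '*/target/*'`. Finally, add `set -euo pipefail` so a failing `cat` or `realpath` does not silently leave a truncated action.yaml that the following step then happily runs.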
11 changes: 11 additions & 0 deletions .github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
@@ -0,0 +1,11 @@
name: 'Cargo Crates Check'
description: 'Checks every Cargo.toml file using cargo-deny'
inputs:
command:
description: Either 'advisories' or 'bans licenses sources'
required: true

runs:
using: "composite"
steps:
- uses: actions/checkout@v3
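Review bot: add a leading comment to this skeleton stating that action.yaml is generated from it by cargo-deny-generator.sh; otherwise the next contributor edits the generated action.yaml and loses the change on the next workflow run.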
20 changes: 20 additions & 0 deletions .github/workflows/cargo-deny-runner.yaml
@@ -0,0 +1,20 @@
name: Cargo Crates Check Runner
on: [pull_request]
jobs:
cargo-deny-master:
runs-on: ubuntu-latest
strategy:
matrix:
checks:
- advisories
- bans licenses sources

continue-on-error: ${{ matrix.checks == 'advisories' }}

steps:
- uses: actions/checkout@v3
- run: bash cargo-deny-generator.sh
working-directory: ./.github/cargo-deny-composite-action/
- uses: ./.github/cargo-deny-composite-action
with:
command: ${{ matrix.checks }}
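Review bot: `continue-on-error: ${{ matrix.checks == 'advisories' }}` makes the advisories run, which is the actual vulnerability scan, non-blocking, so a new RUSTSEC advisory against a crate in the tree still shows green on the PR; only the `bans licenses sources` entry can fail the build. If this is a deliberate soft launch, say so in a comment and track flipping it, since the commit message presents this as vulnerability scanning. Also, with `on: [pull_request]` as the only trigger, an advisory published after a change merges is not caught until some unrelated PR happens to run; a `schedule` trigger would close that gap.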
30 changes: 30 additions & 0 deletions deny.toml
@@ -0,0 +1,30 @@
targets = [
{ triple = "x86_64-unknown-linux-gnu" },
{ triple = "x86_64-unknown-linux-musl" },
{ triple = "x86_64-apple-darwin" },
{ triple = "x86_64-pc-windows-msvc" },
]

[advisories]
vulnerability = "deny"
unsound = "deny"
unmaintained = "deny"
ignore = ["RUSTSEC-2020-0071"]

[bans]
multiple-versions = "allow"
deny = [
{ name = "openssl-sys" },
{ name = "cmake" },
]

[licenses]
unlicensed = "deny"
allow-osi-fsf-free = "neither"
copyleft = "deny"
# We want really high confidence when inferring licenses from text
confidence-threshold = 0.93
allow = ["Apache-2.0", "MIT", "BSD-3-Clause", "ISC"]
private = { ignore = true}

exceptions = []
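Review bot: `ignore = ["RUSTSEC-2020-0071"]` carries no justification in the file; put the reason from the commit message next to it (`# chrono pins the affected time version, chronotope/chrono#578`) so the entry gets revisited once chrono moves on. `targets` lists x86_64-apple-darwin and x86_64-pc-windows-msvc; unless these crates are meant to build on macOS and Windows, those entries widen the audit to platform-only dependencies and produce findings nobody can act on. `multiple-versions = "allow"` switches the duplicate-version check off entirely; `"warn"` keeps the signal in the log while still passing, which matters because a fixed advisory in one copy of a crate says nothing about the other copy. Minor: `private = { ignore = true}` is missing the space before the closing brace.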
1 change: 1 addition & 0 deletions src/agent/Cargo.toml
Expand Up @@ -3,6 +3,7 @@ name = "kata-agent"
version = "0.1.0"
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"

[dependencies]
oci = { path = "../libs/oci" }
1 change: 1 addition & 0 deletions src/agent/rustjail/Cargo.toml
Expand Up @@ -3,6 +3,7 @@ name = "rustjail"
version = "0.1.0"
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"

[dependencies]
serde = "1.0.91"
1 change: 1 addition & 0 deletions src/agent/vsock-exporter/Cargo.toml
Expand Up @@ -3,6 +3,7 @@ name = "vsock-exporter"
version = "0.1.0"
authors = ["James O. D. Hunt <james.o.hunt@intel.com>"]
edition = "2018"
license = "Apache-2.0"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

63 changes: 22 additions & 41 deletions src/libs/Cargo.lock
1 change: 1 addition & 0 deletions src/libs/Cargo.toml
@@ -1,6 +1,7 @@
[workspace]
members = [
"logging",
"oci",
"safe-path",
"protocols",
]
1 change: 1 addition & 0 deletions src/libs/logging/Cargo.toml
Expand Up @@ -3,6 +3,7 @@ name = "logging"
version = "0.1.0"
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

1 change: 1 addition & 0 deletions src/libs/oci/Cargo.toml
Expand Up @@ -3,6 +3,7 @@ name = "oci"
version = "0.1.0"
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"

[dependencies]
serde = "1.0.131"
1 change: 1 addition & 0 deletions src/libs/protocols/Cargo.toml
Expand Up @@ -3,6 +3,7 @@ name = "protocols"
version = "0.1.0"
authors = ["The Kata Containers community <kata-dev@lists.katacontainers.io>"]
edition = "2018"
license = "Apache-2.0"

[features]
default = []