diff --git a/app/Main.hs b/app/Main.hs
index d3e09d8..7fbe4e1 100644
--- a/app/Main.hs
+++ b/app/Main.hs
@@ -24,6 +24,7 @@ default (T.Text)
 data UpdateOptions = UpdateOptions
 { pr :: Bool,
+ cve :: Bool,
 cachix :: Bool,
 outpaths :: Bool
 }
@@ -43,6 +44,7 @@ updateOptionsParser :: O.Parser UpdateOptions
 updateOptionsParser = UpdateOptions
 <$> O.flag False True (O.long "pr" <> O.help "Make a pull request using Hub.")
+ <*> O.flag False True (O.long "cve" <> O.help "Make a CVE vulnerability report.")
 <*> O.flag False True (O.long "cachix" <> O.help "Push changes to Cachix")
 <*> O.flag False True (O.long "outpaths" <> O.help "Calculate outpaths to determine the branch to target")
@@ -124,19 +126,19 @@ main = do
 setupNixpkgs token
 P.setEnv "GITHUB_TOKEN" (T.unpack token) True
 deleteDone token
- UpdateList UpdateOptions {pr, cachix, outpaths} -> do
+ UpdateList UpdateOptions {pr, cachix, cve, outpaths} -> do
 token <- getGithubToken
 updates <- T.readFile "packages-to-update.txt"
 setupNixpkgs token
 P.setEnv "PAGER" "" True
 P.setEnv "GITHUB_TOKEN" (T.unpack token) True
- updateAll (Options pr True token cachix outpaths) updates
- Update UpdateOptions {pr, cachix} update -> do
+ updateAll (Options pr True token cve cachix outpaths) updates
+ Update UpdateOptions {pr, cve, cachix} update -> do
 token <- getGithubToken
 setupNixpkgs token
 P.setEnv "PAGER" "" True
 P.setEnv "GITHUB_TOKEN" (T.unpack token) True
- result <- updatePackage (Options pr False token cachix False) update
+ result <- updatePackage (Options pr False token cve cachix False) update
 case result of
 Left e -> T.putStrLn e
 Right () -> T.putStrLn "Done."
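Review bot: In the `@@ -124` hunk the `cve` value threaded into `updateAll` and `updatePackage` comes from a flag declared with `O.flag False True`, so every `update`/`update-list` run without `--cve` now executes with `makeCVEReport = False`, and with the matching gate added to `cveReport` in src/Update.hs that means the security report the tool previously produced unconditionally is silently dropped by default. The help string does not say so; it should read something like `O.help "Make a CVE vulnerability report (off by default; without this flag no security report is produced)."`. For a tool whose output is a nixpkgs pull request, keeping the report on and offering an opt-out flag instead seems the safer default, though whether the report text reaches the PR body is not visible in this diff. `main` continues outside the hunk.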
@@ -149,17 +151,17 @@ main = do
 CheckAllVulnerable -> do
 setupNixpkgs undefined
 updates <- T.readFile "packages-to-update.txt"
- cveAll (Options undefined undefined undefined undefined undefined) updates
+ cveAll undefined updates
 CheckVulnerable productID oldVersion newVersion -> do
 setupNixpkgs undefined
 report <- cveReport
- (UpdateEnv productID oldVersion newVersion Nothing (Options False False undefined False False))
+ (UpdateEnv productID oldVersion newVersion Nothing (Options False False undefined False False False))
 T.putStrLn report
 SourceGithub -> do
 token <- getGithubToken
 updates <- T.readFile "packages-to-update.txt"
 setupNixpkgs token
 P.setEnv "GITHUB_TOKEN" (T.unpack token) True
- sourceGithubAll (Options False False token False False) updates
+ sourceGithubAll (Options False False token False False False) updates
 FetchRepology -> Repology.fetch
diff --git a/src/Update.hs b/src/Update.hs
index 9d461cd..8698a6b 100644
--- a/src/Update.hs
+++ b/src/Update.hs
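Review bot: The `CheckVulnerable` branch passes `False` as the new fourth `Options` field, which by the field order added in src/Utils.hs is `makeCVEReport`, so once `cveReport` short-circuits on that field (src/Update.hs hunk) this subcommand prints an empty report instead of the CVE comparison it exists to print; the line should be `(UpdateEnv productID oldVersion newVersion Nothing (Options False False undefined True False False))`. `CheckAllVulnerable` now hands `cveAll` a bare `undefined` where it previously got an `Options` record with undefined fields; if `cveAll` (not visible here) builds an `UpdateEnv` from it and calls `cveReport`, the new `makeCVEReport . options` check forces that value and the command crashes, so it likely needs a real record with `makeCVEReport = True` too. Six positional `Bool`/`undefined` arguments are easy to misorder, which is exactly what happened here; record syntax for these literal `Options` values would make the intent checkable. `main` continues outside the hunk.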
@@ -456,34 +456,36 @@ addPatched attrPath set = do
 cveReport :: UpdateEnv -> IO Text
 cveReport updateEnv =
- withVulnDB $ \conn -> do
- let pname1 = packageName updateEnv
- let pname2 = T.replace "-" "_" pname1
- oldCVEs1 <- getCVEs conn pname1 (oldVersion updateEnv)
- oldCVEs2 <- getCVEs conn pname2 (oldVersion updateEnv)
- let oldCVEs = S.fromList (oldCVEs1 ++ oldCVEs2)
- newCVEs1 <- getCVEs conn pname1 (newVersion updateEnv)
- newCVEs2 <- getCVEs conn pname2 (newVersion updateEnv)
- let newCVEs = S.fromList (newCVEs1 ++ newCVEs2)
- let inOldButNotNew = S.difference oldCVEs newCVEs
- inNewButNotOld = S.difference newCVEs oldCVEs
- inBoth = S.intersection oldCVEs newCVEs
- ifEmptyNone t =
- if t == T.empty
- then "none"
- else t
- inOldButNotNew' <- addPatched (packageName updateEnv) inOldButNotNew
- inNewButNotOld' <- addPatched (packageName updateEnv) inNewButNotOld
- inBoth' <- addPatched (packageName updateEnv) inBoth
- let toMkdownList = fmap (uncurry cveLI) >>> T.unlines >>> ifEmptyNone
- fixedList = toMkdownList inOldButNotNew'
- newList = toMkdownList inNewButNotOld'
- unresolvedList = toMkdownList inBoth'
- if fixedList == "none" && unresolvedList == "none" && newList == "none"
- then return ""
- else
- return
- [interpolate|
+ if not (makeCVEReport . options $ updateEnv)
+ then return ""
+ else withVulnDB $ \conn -> do
+ let pname1 = packageName updateEnv
+ let pname2 = T.replace "-" "_" pname1
+ oldCVEs1 <- getCVEs conn pname1 (oldVersion updateEnv)
+ oldCVEs2 <- getCVEs conn pname2 (oldVersion updateEnv)
+ let oldCVEs = S.fromList (oldCVEs1 ++ oldCVEs2)
+ newCVEs1 <- getCVEs conn pname1 (newVersion updateEnv)
+ newCVEs2 <- getCVEs conn pname2 (newVersion updateEnv)
+ let newCVEs = S.fromList (newCVEs1 ++ newCVEs2)
+ let inOldButNotNew = S.difference oldCVEs newCVEs
+ inNewButNotOld = S.difference newCVEs oldCVEs
+ inBoth = S.intersection oldCVEs newCVEs
+ ifEmptyNone t =
+ if t == T.empty
+ then "none"
+ else t
+ inOldButNotNew' <- addPatched (packageName updateEnv) inOldButNotNew
+ inNewButNotOld' <- addPatched (packageName updateEnv) inNewButNotOld
+ inBoth' <- addPatched (packageName updateEnv) inBoth
+ let toMkdownList = fmap (uncurry cveLI) >>> T.unlines >>> ifEmptyNone
+ fixedList = toMkdownList inOldButNotNew'
+ newList = toMkdownList inNewButNotOld'
+ unresolvedList = toMkdownList inBoth'
+ if fixedList == "none" && unresolvedList == "none" && newList == "none"
+ then return ""
+ else
+ return
+ [interpolate|
Security report (click to expand)
diff --git a/src/Utils.hs b/src/Utils.hs
index d97bfdb..5ed34a7 100644
--- a/src/Utils.hs
+++ b/src/Utils.hs
@@ -107,6 +107,7 @@ data Options
 { doPR :: Bool,
 batchUpdate :: Bool,
 githubToken :: Text,
+ makeCVEReport :: Bool,
 pushToCachix :: Bool,
 calculateOutpaths :: Bool
 }
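Review bot: After this change `cveReport` returns `""` in two unrelated situations — the report was switched off through `makeCVEReport`, or the vulnerability database had no CVEs for either version — and a caller cannot tell them apart, which matters because `CheckVulnerable` in app/Main.hs prints that result as the answer to a vulnerability query. The function has no Haddock; it should at least state this contract, e.g. `-- | Markdown CVE comparison between 'oldVersion' and 'newVersion'; returns "" when reporting is disabled via 'makeCVEReport' or when neither version has known CVEs.` Checking the flag at the update call site instead of inside `cveReport` would leave the library function meaning "compare these two versions" regardless of CLI options, and keeps it usable from the check subcommands without a fully populated `Options`. The `[interpolate|` template body continues outside the hunk.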