github-actions: Add cargo-deny

Adds cargo-deny to scan for vulnerabilities and license issues regarding rust crates. Some modifications were required for the repo to pass the tests: Updates ttrpc to avoid using nix 0.16.0 https://rustsec.org/advisories/RUSTSEC-2021-0119 Updates slog-json to avoid MLP license (copyleft) Updates crossbeam-channel due to yanked package Ignores https://rustsec.org/advisories/RUSTSEC-2020-0071 because chrono is dependent on that version of time. chronotope/chrono#578 Allow multiple versions of the same package (package dependencies require this) Adds "oci" to src/libs workplace Adds Apache-2.0 license to workplace modules that did not have them because cargo-deny complains about them not having licenses. Notes GitHub Actions does not have an obvious way to loop over each of the Cargo.toml files, so they have been hardcoded as separate steps. An alternative that works is to use a matrix variable to run each directory in a separate job. I opted not to do that because it uses a bunch of runners and generates a lot of jobs, but open to feedback. Signed-off-by: Derek Lee <[email protected]>
bookinabox · Jul 21, 2022 · a56830d · a56830d
1 parent 0a9c8ca
commit a56830d
Show file tree

Hide file tree

Showing 21 changed files with 400 additions and 212 deletions.
diff --git a/.github/cargo-deny-composite-action/action.yaml b/.github/cargo-deny-composite-action/action.yaml
@@ -0,0 +1,85 @@
+name: 'Cargo Crates Check'
+description: 'Checks every Cargo.toml file using cargo-deny'
+inputs:
+  command:
+    description: Either 'advisories' or 'bans licenses sources'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v3
+      path: ./cargo-deny-action-copy/
+      # https://github.com/actions/runner/issues/1300
+
+    - name: src/agent/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/agent/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/agent/rustjail/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/agent/rustjail/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/agent/vsock-exporter/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/agent/vsock-exporter/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/logging/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/logging/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/oci/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/oci/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/protocols/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/protocols/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/safe-path/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/safe-path/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/agent-ctl/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/tools/agent-ctl/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/runk/libcontainer/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/tools/runk/libcontainer/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/runk/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/tools/runk/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/trace-forwarder/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/tools/trace-forwarder/Cargo.toml
+        command: check ${{ inputs.command }}
diff --git a/.github/cargo-deny-composite-action/cargo-deny-action.yaml b/.github/cargo-deny-composite-action/cargo-deny-action.yaml
@@ -0,0 +1,87 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: src/agent/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/rustjail/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/rustjail/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/vsock-exporter/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/vsock-exporter/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/logging/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/logging/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/oci/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/oci/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/protocols/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/protocols/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/safe-path/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/safe-path/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/agent-ctl/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/agent-ctl/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/libcontainer/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/libcontainer/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/trace-forwarder/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/trace-forwarder/Cargo.toml
+          command: check ${{ matrix.checks }}
diff --git a/.github/cargo-deny-composite-action/cargo-deny-generator.sh b/.github/cargo-deny-composite-action/cargo-deny-generator.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+script_dir=$(dirname "$(readlink -f "$0")")
+parent_dir=$(realpath "${script_dir}/../..")
+cargo_tomls=$(find "${parent_dir}" -name Cargo.toml)
+
+temp_checkout_dir="./cargo-deny-action-copy"
+
+cargo_deny_file="${script_dir}/action.yaml"
+
+cat cargo-deny-skeleton.yaml.in > "${cargo_deny_file}"
+
+for path in $cargo_tomls
+do
+    path=$(realpath --relative-to="${parent_dir}" "${path}")
+
+    cat >> "${cargo_deny_file}" << EOF
+
+    - name: ${path}
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path ${path}
+        command: check \${{ inputs.command }}
+EOF
+done
diff --git a/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in b/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
@@ -0,0 +1,14 @@
+name: 'Cargo Crates Check'
+description: 'Checks every Cargo.toml file using cargo-deny'
+inputs:
+  command:
+    description: Either 'advisories' or 'bans licenses sources'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v3
+      path: ./cargo-deny-action-copy/
+      # https://github.com/actions/runner/issues/1300
+
diff --git a/.github/workflows/.old-cargo-deny.yaml b/.github/workflows/.old-cargo-deny.yaml
@@ -0,0 +1,90 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    continue-on-error: true
+
+    # Github Actions does not have a clean way of looping
+    # Could use matrix, but leads to 12+ jobs being run separately
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: src/agent/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/rustjail/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/rustjail/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/vsock-exporter/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/vsock-exporter/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/logging/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/logging/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/oci/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/oci/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/protocols/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/protocols/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/safe-path/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/safe-path/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/agent-ctl/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/agent-ctl/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/libcontainer/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/libcontainer/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/trace-forwarder/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/trace-forwarder/Cargo.toml
+          command: check ${{ matrix.checks }}
diff --git a/.github/workflows/cargo-deny-master.yaml b/.github/workflows/cargo-deny-master.yaml
@@ -0,0 +1,20 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny-master:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    continue-on-error: ${{ matrix.checks = 'advisories' }}
+
+    steps:
+      - uses: actions/checkout@v3
+      - run: bash cargo-deny-generator.sh
+        working-directory: ./.github/cargo-deny-composite-action/
+      - uses: ./.github/cargo-deny-composite-action
+        with:
+          command: ${{ matrix.checks }}
diff --git a/.github/workflows/cargo-deny.yaml b/.github/workflows/cargo-deny.yaml