Commit b7a0498

SQL-2272: sanitize deps (mongodb#237)
* SQL-2272: sanitize deps * join arrays in case there are multiple * send output to stderr
1 parent 06ebe75 commit b7a0498

9 files changed

+67
-580
lines changed


Cargo.lock

+17-543

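--- a/core/Cargo.toml
+++ b/core/Cargo.toml
@@ -18,10 +18,7 @@ regex = "1.6.0"
 serde = { version = "1", features = ["derive"] }
 itertools = "0.10.4"
 lazy_static = "1.4.0"
-likely_stable = "0.1.2"
 num-traits = "0.2.14"
-num-derive = "0.3.3"
-chrono = "0.4.24"
 cstr = { path = "../cstr" }
 fancy-regex = "0.11.0"
 shared_sql_utils = { path = "../shared_sql_utils" }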

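--- a/cstr/Cargo.toml
+++ b/cstr/Cargo.toml
@@ -19,3 +19,6 @@ utf32 = []
 
 [lints]
 workspace = true
+
+[package.metadata.cargo-machete]
+ignored = ["num-traits"]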
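Review bot: The `ignored = ["num-traits"]` entry exempts num-traits from the very unused-dependency check this commit introduces, yet nothing in the file says why cargo-machete reports it as unused while the dependency is still needed, so a later reader cannot tell a genuine false positive from a stale exemption. Add a comment above the table such as `# num-traits is used indirectly (e.g. via a derive/macro expansion); cargo-machete cannot see it` with the real reason filled in. If the crate does not actually use it — I cannot see cstr's `[dependencies]` or sources in this hunk — the right fix is to drop the dependency rather than suppress the finding, since that is what the rest of this commit does for the other crates.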

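--- a/definitions/Cargo.toml
+++ b/definitions/Cargo.toml
@@ -17,3 +17,6 @@ iodbc = []
 odbc_version_3_50 = []
 odbc_version_3_80 = ["odbc_version_3_50"]
 odbc_version_4 = ["odbc_version_3_80"]
+
+[package.metadata.cargo-machete]
+ignored = ["num-traits"]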
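Review bot: This is the second crate in the commit that suppresses cargo-machete for `num-traits` without a recorded justification; an uncommented `ignored` list is exactly the kind of exemption that outlives its reason and hides a dependency that could be removed. Add a one-line comment above `[package.metadata.cargo-machete]` stating where num-traits is actually consumed in definitions (I cannot see its sources or dependency list in this hunk). If the same false positive applies to every crate, consider whether a single workspace-level exemption with one comment would be easier to keep honest than per-crate copies — hedged, since that depends on the cargo-machete version the CI job installs.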

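--- a/evergreen.yml
+++ b/evergreen.yml
@@ -177,6 +177,24 @@ functions:
 ${prepare_shell}
 cargo fmt --all -- --check
 
+"check unused dependencies":
+- command: shell.exec
+type: test
+params:
+shell: bash
+working_dir: mongosql-odbc-driver
+script: |
+${prepare_shell}
+cargo install cargo-machete
+set +e
+cargo machete
+RETURN=$?
+set -e
+if [ $RETURN -ne 0 ]; then
+>&2 echo "Unused dependencies found"
+>&2 cargo machete
+fi
+
 "generate SBOM":
 - command: shell.exec
 type: test
@@ -253,7 +271,7 @@ functions:
 chmod +x ./$SBOM_DIR/jq
 echo "------------------------------------"
 echo "<<<< Done installing SBOM tools"
-
+
 echo ">>>> Generate SBOM..."
 echo "-- Generating SBOMs with the licenses information --"
 cargo cyclonedx --target all -v -f json
@@ -270,18 +288,18 @@ functions:
 echo "------------------------------------"
 
 echo "-- Merging the SBOMs with the licenses information and the SBOM with the vulnerabilities information in $SBOM_FINAL --"
-
+
 temp_output="temp_output.json"
 if [[ -f "$temp_output" ]] ; then
 rm "$temp_output"
 fi
 touch $temp_output
-
+
 while IFS= read -r line
 do
 if [[ "$line" == *"purl"* ]]; then
 bash_purl=$(echo $line | cut -d '"' -f4)
-command=$(echo "./$SBOM_DIR/jq '.components[] | select(.purl == \"$bash_purl\").licenses' $SBOM_LICENSES")
+command=$(echo "./$SBOM_DIR/jq '.components[] | select(.purl == \"$bash_purl\").licenses' $SBOM_LICENSES | ./$SBOM_DIR/jq -s 'flatten(1)'")
 # Add the license information back in the augmented SBOM.
 licenseInfo=$(eval " $command")
 if [[ -z "$licenseInfo" ]]; then
@@ -294,12 +312,12 @@ functions:
 
 done < $SBOM_VULN
 echo "------------------------------------"
-
+
 echo "-- Adding the name of the team responsible for each dependency as required by Silk and format the json file --"
 echo "./$SBOM_DIR/jq '.components[].properties += [{\"name\": \"internal:team_responsible\", \"value\": \"Atlas SQL\"}]' $temp_output > $SBOM_FINAL"
 ./$SBOM_DIR/jq '.components[].properties += [{"name": "internal:team_responsible", "value": "Atlas SQL"}]' $temp_output > $SBOM_FINAL
 echo "------------------------------------"
-
+
 echo "-- Adding VEX info for vulnerabilities still present in SBOM--"
 IFS=','; for vuln_id in $ALLOW_VULNS; do
 echo "-- Updating SBOM with VEX info for vulnerability with id $vuln_id--"
@@ -329,7 +347,7 @@ functions:
 working_dir: mongosql-odbc-driver
 script: |
 ${prepare_shell}
-
+
 echo ">>>> Scan SBOM for vulnerabilities..."
 if [[ "$ALLOW_VULNS" != "" ]]; then
 echo "Vulnerability ids to ignore : $ALLOW_VULNS"
@@ -345,12 +363,12 @@ functions:
 done
 echo "------------------------------------"
 fi
-
+
 echo "-- Scanning dependency for vulnerabilities --"
 ./$SBOM_DIR/grype sbom:$SBOM_LICENSES --fail-on low
 echo "---------------------------------------------"
 echo "<<<< Done scanning SBOM"
-
+
 "generate compliance report":
 - command: shell.exec
 params:
@@ -424,9 +442,9 @@ functions:
 SILK_CLIENT_ID=${SILK_CLIENT_ID}
 SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
 EOF
-
+
 echo "SBOM_FINAL = $SBOM_FINAL"
-
+
 echo "-- Uploading initial SBOM Lite to Silk --"
 docker run -i --platform="linux/amd64" --rm -v "$PWD":/pwd \
 --env-file silkbomb.env \
@@ -447,7 +465,7 @@ functions:
 SILK_CLIENT_ID=${SILK_CLIENT_ID}
 SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
 EOF
-
+
 echo "-- Downloading augmented SBOM --"
 docker run -i --platform="linux/amd64" --rm -v "$PWD":/pwd \
 --env-file silkbomb.env \
@@ -463,7 +481,6 @@ functions:
 content_type: application/json
 bucket: mciuploads
 permissions: public-read
-
 
 "publish augmented SBOM":
 - command: s3.get
@@ -534,7 +551,7 @@ functions:
 -v $(pwd):$(pwd) -w $(pwd) \
 ${garasign_jsign_image} \
 /bin/bash -c "jsign -a mongo-authenticode-2021 --replace --tsaurl http://timestamp.digicert.com -d SHA-256 ${MSI_FILENAME}"
-
+
 # Generating checksums
 if [ -e $msi_filename ]; then
 shasum -a 1 ${MSI_FILENAME} | tee ${MSI_FILENAME}.sha1
@@ -1877,14 +1894,14 @@ functions:
 content_type: text/plain
 bucket: mciuploads
 permissions: public-read
-
+
 "publish static code analysis":
 - command: s3.get
 params:
 aws_key: ${aws_key}
 aws_secret: ${aws_secret}
 local_file: mongosql-odbc-driver/${STATIC_CODE_ANALYSIS_NAME}
-remote_file: mongosql-odbc-driver/artifacts/${version_id}/ssdlc/${STATIC_CODE_ANALYSIS_NAME}
+remote_file: mongosql-odbc-driver/artifacts/${version_id}/ssdlc/${STATIC_CODE_ANALYSIS_NAME}
 content_type: application/json
 bucket: mciuploads
 - command: s3.put
@@ -1915,6 +1932,11 @@ tasks:
 - func: "install rust toolchain"
 - func: "check rustfmt"
 
+- name: unused-deps
+commands:
+- func: "install rust toolchain"
+- func: "check unused dependencies"
+
 - name: sbom
 commands:
 - func: "install rust toolchain"
@@ -2158,7 +2180,6 @@ tasks:
 - func: "generate compliance report"
 - func: "publish compliance report"
 
-
 task_groups:
 - name: windows-windows-test-unit-group
 setup_group_can_fail_task: false
@@ -2205,6 +2226,7 @@ buildvariants:
 tasks:
 - name: clippy
 - name: rustfmt
+- name: unused-deps
 - name: asan-compile
 
 - name: code-quality-security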
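Review bot: The new "check unused dependencies" function never fails the task: when `cargo machete` exits non-zero, the `if [ $RETURN -ne 0 ]` block only echoes a message and re-runs the tool to stderr, then the script falls off the end with status 0, so the `unused-deps` task wired into the build variant stays green even when unused dependencies are found. Unless a purely advisory check is intended, add `exit "$RETURN"` after the `>&2 cargo machete` line (or replace the `set +e`/`set -e` dance with `if ! cargo machete; then >&2 echo "Unused dependencies found"; exit 1; fi`), which relies on cargo-machete signalling findings via its exit status as the script already assumes. Running `cargo machete` a second time just to redirect its output is also redundant; capture the first run's output once and print that. Separately, `cargo install cargo-machete` resolves whatever the latest crates.io release is at CI time, so pin it (`cargo install --locked cargo-machete --version X.Y.Z`) to keep the check reproducible and avoid pulling an unreviewed tool version into the pipeline. The enclosing `functions:` map begins outside this hunk.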

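--- a/integration_test/Cargo.toml
+++ b/integration_test/Cargo.toml
@@ -17,7 +17,6 @@ logger = { path = "../logger" }
 log = "0.4"
 regex = "1"
 num-traits = "0.2.14"
-num-derive = "0.3.3"
 mongodb = { version = "3", features = ["aws-auth", "dns-resolver"] }
 tailcall = "1.0"
 # Do NOT change these features without consulting with other team members.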

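--- a/logger/Cargo.toml
+++ b/logger/Cargo.toml
@@ -8,7 +8,6 @@ edition = "2021"
 [dependencies]
 log = "0.4.17"
 log4rs = { version = "1.2.0", features = ["background_rotation"] }
-cstr = { path = "../cstr" }
 shared_sql_utils = { path = "../shared_sql_utils" }
 constants = { path = "../constants" }
 directories = "5.0"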

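--- a/macos_postinstall/Cargo.toml
+++ b/macos_postinstall/Cargo.toml
@@ -1,12 +1,13 @@
 [package]
 name = "macos_postinstall"
 version = "0.0.0"
-authors = [
-"Patrick Meredith <pmeredit@protonmail.com>",
-]
+authors = ["Patrick Meredith <pmeredit@protonmail.com>"]
 edition = "2021"
 
 [dependencies]
 rust-ini = "0.20.0"
 itertools = "0.10.5"
 lazy_static = "1"
+
+[package.metadata.cargo-machete]
+ignored = ["rust-ini"]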
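Review bot: `ignored = ["rust-ini"]` is added with no explanation, and unlike the other crates in this commit the dependency it shields is declared three lines above in the same file, so a reader sees a dependency that the project's own tooling says is unused and a rule telling the tooling to be quiet. Either remove `rust-ini = "0.20.0"` if macos_postinstall no longer parses INI files, or add a comment above the table such as `# rust-ini is referenced only through <macro/path>; cargo-machete does not detect it` with the real reason, so the exemption can be re-examined when the dependency changes. I cannot see the crate's sources here, so which of the two applies is for the author to confirm.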

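--- a/odbc/Cargo.toml
+++ b/odbc/Cargo.toml
@@ -11,11 +11,9 @@ authors = [
 edition = "2021"
 
 [dependencies]
-async-std = { version = "1.12.0", features = ["attributes"] }
 thiserror = "1"
 lazy_static = "1.4.0"
 num-traits = "0.2.14"
-num-derive = "0.3.3"
 regex = "1.6.0"
 chrono = "0.4.24"
 constants = { path = "../constants" }
@@ -31,21 +29,12 @@ log = "0.4.17"
 # The features are used to control the behavior of tokio. Tokio is unsafe to use
 # across ABI boundaries in any other runtime but current_thread
 tokio = { version = "1", features = ["rt", "sync", "io-util", "macros", "net"] }
-mongodb = { version="3", features = ["aws-auth", "dns-resolver"] }
+mongodb = { version = "3", features = ["aws-auth", "dns-resolver"] }
 
 [dependencies.bson]
 version = "2"
 features = ["chrono-0_4"]
 
-[dependencies.windows]
-version = "0.*"
-features = [
-"Win32_Foundation",
-"Win32_System_SystemServices",
-"Win32_UI_WindowsAndMessaging",
-"Win32_System_LibraryLoader",
-]
-
 
 [dev-dependencies]
 serde = { version = "1", features = ["derive"] }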
