vulnerability-scan

#!/usr/bin/env sh

set -xeo pipefail

#
# `morph build ...` output is like
#
#   Selected 2/2 hosts (name filter:-0, limits:-0):
#             0: xx.xx.xx.xx (secrets: 1, health checks: 0)
#             1: yy.yy.yy.yy (secrets: 2, health checks: 0)
#
#   /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
#   nix result path:
#   /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
#
# Get the last line so we can scan it.
#

OUTPUT=$1

[ -e scan-target ] && rm -v scan-target
nix-shell --run '
set -x
if morph_result=$(morph build morph/grid/testing/grid.nix 2>&1); then
  object=$(echo "$morph_result" | tail -n 1)
  ln -s "$object" scan-target
else
  echo "$morph_result"

  # exit status 0-3 reserved for vulnix result.
  exit 4
fi
'

# The version (1.9.6) of vulnix in nixos-21.05 incorrectly collapses
# derivations with the same name+version, but different sets of patches
# applied. Therefore, we use a recent nixos-unstable version that has a newer
# version of vulnix included.
export NIX_PATH=nixpkgs=https://api.github.com/repos/NixOS/nixpkgs/tarball/ee084c02040e864eeeb4cf4f8538d92f7c675671

# vulnix exits with an error status if there are vulnerabilities.  We told
# GitLab to allow this by setting `allow_failure` to true in the GitLab CI
# config.  vulnix exit status indicates what vulnix thinks happened.  If we
# upgrade to a newer GitLab then we can make GitLab pipeline behavior vary
# based on this.
#
# For now, allow 0 (no errors), 1 (only whitelisted errors), and 2
# (non-whitelisted errors).  3 indicates unexpected error so we let that
# propagate.
set +e
nix-shell -p vulnix --run 'vulnix --json ./scan-target/' | tee "$OUTPUT"
vulnix_status=$?
set -e

echo "vulnix status: $vulnix_status"
if [ $vulnix_status -eq 3 ]; then
    exit $vulnix_status
else
    exit 0
fi