From 5875d9f0cba23d1953214e42d35d3edf5559f7fe Mon Sep 17 00:00:00 2001
From: Robin Stumm
Date: Tue, 21 Sep 2021 18:41:30 +0200
Subject: [PATCH] vulnix module: add `scanClosure` option to scan only runtime dependencies

use forked vulnix until https://github.com/flyingcircusio/vulnix/pull/80 is merged
---
 flake.lock         | 11 ++++----
 flake.nix          |  2 +-
 modules/vulnix.nix | 65 +++++++++++++++++++++++++++++++++++-----------
 3 files changed, 57 insertions(+), 21 deletions(-)

diff --git a/flake.lock b/flake.lock
index 59d84b62..c29eefbe 100644
--- a/flake.lock
+++ b/flake.lock
@@ -465,15 +465,16 @@
     "vulnix": {
       "flake": false,
       "locked": {
-        "lastModified": 1627294547,
-        "narHash": "sha256-C3PM19Y4YxLBJ3V6LBJzpwSJwDjJH7vkWOe4hBppQvQ=",
-        "owner": "flyingcircusio",
+        "lastModified": 1632235864,
+        "narHash": "sha256-C9YGheEZydpqeTFCMmXZzUmyYAb8Z6eSx7h7xuev3m8=",
+        "owner": "dermetfan",
         "repo": "vulnix",
-        "rev": "06daccda0e51098fbdbc65f61b6663c5c6df9358",
+        "rev": "5228f2b8d89b816125d20907febc1d02393acc1b",
         "type": "github"
       },
       "original": {
-        "owner": "flyingcircusio",
+        "owner": "dermetfan",
+        "ref": "runtime-deps",
         "repo": "vulnix",
         "type": "github"
       }
diff --git a/flake.nix b/flake.nix
index d1ee5cbb..d8b376f5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -23,7 +23,7 @@
       flake = false;
     };
 
     vulnix = {
-      url = "github:flyingcircusio/vulnix";
+      url = "github:dermetfan/vulnix/runtime-deps";
       flake = false;
     };
diff --git a/modules/vulnix.nix b/modules/vulnix.nix
index 33bb2f4e..49fb650a 100644
--- a/modules/vulnix.nix
+++ b/modules/vulnix.nix
@@ -15,9 +15,11 @@ in {
     };
 
     scanRequisites = mkEnableOption "scan of transitive closures" // {
-      default = true;
+      default = !cfg.scanClosure;
     };
 
+    scanClosure = mkEnableOption "scan of the store path closure";
+
     scanSystem = mkEnableOption "scan of the current system" // {
       default = true;
     };
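Review bot: The vulnix input now follows a mutable branch (`runtime-deps`) on a personal fork rather than a tag or commit, so although flake.lock pins rev and narHash today, the next `nix flake update` will take whatever that branch holds at the time, and the tool that decides which CVEs this deployment is told about is then sourced from a single personal account. I would pin the commit in the URL itself, `url = "github:dermetfan/vulnix/5228f2b8d89b816125d20907febc1d02393acc1b";`, and leave a marker above it, `# TODO: return to github:flyingcircusio/vulnix once flyingcircusio/vulnix#80 is merged`, so the fork does not silently outlive its reason. The `inputs` attribute set enclosing this hunk starts and ends outside it.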
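Review bot: The `scanClosure` option text does not tell the reader that it narrows the scan to the runtime closure (per the commit title, build-time-only dependencies are no longer reported) nor that it cannot be combined with `scanRequisites`; the only enforcement is an evaluation-time `assert` inside the command-line generation in a later hunk, which fails with a generic assertion error and no explanation. I would state both in the option, `scanClosure = mkEnableOption "scan of the runtime closure only (build-time dependencies are skipped; cannot be combined with scanRequisites)";`, and move the check into a module `assertions` entry whose message names both options, so a user who sets both explicitly gets an actionable error. Since `scanRequisites` now defaults to `!cfg.scanClosure`, the conflict can only arise from an explicit setting, which is exactly the case a clear message should cover. The `options` attribute set this hunk edits starts and ends outside it.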
@@ -114,17 +116,50 @@ in { script = '' set -o pipefail + # make Nix commands work + export XDG_CACHE_HOME=$CACHE_DIRECTORY + export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh" + export NIX_CONFIG="netrc-file = $CREDENTIALS_DIRECTORY/netrc" + + # simply echoes everything after `--` + function positionals { + local no_more_flags + for arg in "$@"; do + if [[ "$arg" = -- ]]; then + no_more_flags=1 + continue + fi + if [[ -n "$no_more_flags" ]]; then + echo "$arg" + fi + done + } + function scan { - vulnix ${lib.cli.toGNUCommandLineShell {} (with cfg; { - json = true; - requisites = scanRequisites; - no-requisites = !scanRequisites; - whitelist = map (lib.flip lib.pipe [ - (whitelistFormat.generate "vulnix-whitelist.toml") - (drv: "${drv}") - ]) whitelists; - })} \ - --cache-dir $CACHE_DIRECTORY \ + posis=$(positionals "$@") + >&2 echo scanning $posis + + ${lib.optionalString cfg.scanClosure '' + if [[ -n "$posis" ]]; then + >&2 nix build --no-link $posis + fi + ''} + + vulnix ${lib.cli.toGNUCommandLineShell {} ( + with cfg; + assert scanClosure -> !scanRequisites; + { + json = true; + requisites = scanRequisites; + no-requisites = !scanRequisites; + closure = scanClosure; + whitelist = map (lib.flip lib.pipe [ + (whitelistFormat.generate "vulnix-whitelist.toml") + (drv: "${drv}") + ]) whitelists; + } + )} \ + --cache-dir $CACHE_DIRECTORY/vulnix \ ${lib.concatStringsSep " " cfg.extraOpts} "$@" \ || case $? in # XXX adapt this after action on https://github.com/flyingcircusio/vulnix/issues/79 @@ -133,6 +168,8 @@ in { 2 ) ;; # vulnerabilities found * ) exit $? ;; # unexpected esac + + >&2 echo done scanning $posis } scan ${lib.cli.toGNUCommandLineShell {} (with cfg; { 
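Review bot: `positionals` emits its results with `echo "$arg"`, so an argument such as `-n`, `-e` or `-E` after `--` is swallowed as an echo option, and `scan` then assigns `posis` without `local` and expands it unquoted into `nix build --no-link $posis` and the log line, relying on word-splitting but also exposing each path to pathname expansion. Collecting the positionals into a bash array inside `scan` fixes all three, with the `''${` escape needed because the script lives inside a Nix indented string; the `positionals` helper and its comment can then go. Separately, when `scanClosure` is on this step realises the derivation on the scanner host, which the log line should say explicitly, since with the Nomad-driven loop in a later hunk that presumably means building whatever derivation a job submitter supplies. The body of `scan` continues past the end of this hunk.

```nix
        function scan {
          # everything after `--` is a store path or derivation to scan
          local -a posis=()
          local no_more_flags=
          for arg in "$@"; do
            if [[ "$arg" = -- ]]; then
              no_more_flags=1
              continue
            fi
            [[ -n "$no_more_flags" ]] && posis+=("$arg")
          done
          >&2 printf 'scanning %s\n' "''${posis[@]}"

          ${lib.optionalString cfg.scanClosure ''
            # NOTE: this realises the derivation(s) on this host before scanning
            if (( ''${#posis[@]} )); then
              >&2 nix build --no-link "''${posis[@]}"
            fi
          ''}
          # … unchanged: vulnix invocation and exit-code handling …
```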
@@ -164,10 +201,8 @@ in {
             | jq --unbuffered -rc 'select(length > 0) | {"index": .Index} as $out | .Events[] | select(.Type == "EvaluationUpdated").Payload.Job | $out * {"namespace": .Namespace, "job": .ID} as $out | .TaskGroups[] | $out * {"taskgroup": .Name} as $out | .Tasks[] | $out * {"task": .Name, "flake": .Config.flake}' \
             | while read -r job; do
               <<< "$job" jq -rc .flake \
-                | XDG_CACHE_HOME=$CACHE_DIRECTORY \
-                  GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh" \
-                  xargs -L 1 \
-                  nix --netrc-file $CREDENTIALS_DIRECTORY/netrc show-derivation \
+                | xargs -L 1 \
+                  nix show-derivation \
                 | jq --unbuffered -r keys[] \
                 | while read -r drv; do
                   scan -- "$drv" \
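Review bot: `xargs -L 1` still parses its input with shell-like quoting, so a `.Config.flake` value containing a quote, a backslash or leading blanks is mis-split or aborts xargs with an unmatched-quote error, and these values come from Nomad job specifications rather than from this module. With GNU xargs, `xargs -d '\n' -n 1 nix show-derivation` passes each line through literally, and `jq -rc '.flake // empty'` on the line above keeps a missing or null flake from reaching nix as the string `null`. Since the ssh key and netrc are now exported for every Nix call in this script, each submitter-supplied flake reference is resolved with the scanner's credentials; if job submitters are not fully trusted, it may be worth restricting references to an expected scheme or forge before they reach `nix`. The pipeline this hunk sits in begins before it and the inner `while` loop ends after it.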