diff --git a/scripts/checks/verify_supply_chain.py b/scripts/checks/verify_supply_chain.py index ca4864c6..1c7a82f3 100644 --- a/scripts/checks/verify_supply_chain.py +++ b/scripts/checks/verify_supply_chain.py @@ -4,6 +4,7 @@ import re import shlex from itertools import pairwise +from dataclasses import dataclass from pathlib import Path try: @@ -1644,6 +1645,16 @@ def verify_release_asset_allowlist_policy() -> list[str]: return violations + +@dataclass(frozen=True) +class GlibLegacyContext: + """Context for validating legacy glib dependencies against allowed owners.""" + package_dependencies: dict[str, list[str]] + glib_exception_owned_packages: set[str] + legacy_glib_ancestors: set[str] + legacy_glib_direct_owners: set[str] + + def rust_dependency_advisory_violations( lockfile: Path = Path("apps/desktop/src-tauri/Cargo.lock"), ) -> list[str]: @@ -1661,6 +1672,12 @@ def rust_dependency_advisory_violations( legacy_glib_direct_owners = cargo_lock_dependency_owners( package_dependencies, RUST_GLIB_LEGACY_EXCEPTION_PACKAGE ) + glib_context = GlibLegacyContext( + package_dependencies=package_dependencies, + glib_exception_owned_packages=glib_exception_owned_packages, + legacy_glib_ancestors=legacy_glib_ancestors, + legacy_glib_direct_owners=legacy_glib_direct_owners, + ) for package in cargo_lock_packages(lockfile): current_name = str(package.get("name", "")) version = str(package.get("version", "")) @@ -1675,10 +1692,7 @@ def rust_dependency_advisory_violations( rust_glib_advisory_violations( lockfile, version, - package_dependencies, - legacy_glib_ancestors, - legacy_glib_direct_owners, - glib_exception_owned_packages, + glib_context, ) ) continue 
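Review bot: GlibLegacyContext in the second hunk is `frozen=True`, but its four fields are a dict and three sets, so the instance only freezes attribute rebinding: the containers are held by reference from the caller and stay mutable, and the `__hash__` that `frozen=True` generates raises TypeError if a context is ever hashed. The class docstring should say what each field holds and state that assumption rather than letting "frozen" imply value immutability; the only visible hint of the entry format is the later `rsplit(" ", maxsplit=1)[0]` calls, which presume that ancestor and owner entries are `name version` strings, so that format belongs in the field documentation too. One-line field comments such as `# "name version" entries of every package that reaches the legacy glib (not copied; do not mutate after construction)` would be enough.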
@@ -1809,19 +1823,11 @@ def rust_osv_exception_violations( def rust_glib_advisory_violations( lockfile: Path, version: str, - package_dependencies: dict[str, list[str]], - legacy_glib_ancestors: set[str], - legacy_glib_direct_owners: set[str], - glib_exception_owned_packages: set[str], + context: GlibLegacyContext, ) -> list[str]: """Return violations for vulnerable glib versions outside the Tauri GTK stack.""" if version == RUST_GLIB_LEGACY_EXCEPTION_VERSION: - if glib_legacy_exception_owners_are_allowed( - package_dependencies, - legacy_glib_ancestors, - glib_exception_owned_packages, - legacy_glib_direct_owners, - ): + if glib_legacy_exception_owners_are_allowed(context): return [] return [ f"{lockfile}: glib {version} matches the legacy exception version but " @@ -1849,24 +1855,19 @@ def rust_glib_advisory_violations( return [] -def glib_legacy_exception_owners_are_allowed( - package_dependencies: dict[str, list[str]], - legacy_glib_ancestors: set[str], - glib_exception_owned_packages: set[str], - legacy_glib_direct_owners: set[str], -) -> bool: +def glib_legacy_exception_owners_are_allowed(context: GlibLegacyContext) -> bool: """Return whether every glib ancestor matches the documented GTK/WebKit stack.""" - if not legacy_glib_ancestors: + if not context.legacy_glib_ancestors: return False ancestor_names = { - ancestor.rsplit(" ", maxsplit=1)[0] for ancestor in legacy_glib_ancestors + ancestor.rsplit(" ", maxsplit=1)[0] for ancestor in context.legacy_glib_ancestors } direct_owner_names = { - owner.rsplit(" ", maxsplit=1)[0] for owner in legacy_glib_direct_owners + owner.rsplit(" ", maxsplit=1)[0] for owner in context.legacy_glib_direct_owners } if not direct_owner_names <= RUST_GLIB_LEGACY_DIRECT_OWNER_NAMES: return False - off_chain_ancestors = legacy_glib_ancestors - glib_exception_owned_packages + off_chain_ancestors = context.legacy_glib_ancestors - context.glib_exception_owned_packages allowed_app_roots = { ancestor for ancestor in off_chain_ancestors 
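Review bot: The docstring of rust_glib_advisory_violations still documents only the return value, while the signature now takes `context: GlibLegacyContext`, whose contents decide whether the legacy version is accepted. Add a parameter line such as `context: ownership data for the legacy glib exception, built once per lockfile by rust_dependency_advisory_violations before the package loop.` The function body continues below the end of this hunk.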
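Review bot: In glib_legacy_exception_owners_are_allowed, `direct_owner_names <= RUST_GLIB_LEGACY_DIRECT_OWNER_NAMES` is vacuously true when `context.legacy_glib_direct_owners` is empty, so the allowlist only fails closed for a missing ancestor set (the `if not context.legacy_glib_ancestors` guard) and not for a missing direct-owner set. Unless cargo_lock_dependency_owners is guaranteed to return a non-empty set whenever the ancestor set is non-empty (not visible here), prefer `if not direct_owner_names or not direct_owner_names <= RUST_GLIB_LEGACY_DIRECT_OWNER_NAMES:` so an unexpectedly empty input rejects the exception instead of passing it. The two `rsplit(" ", maxsplit=1)[0]` expressions also encode the `name version` entry format twice; a small `_package_name(entry: str) -> str` helper would keep that assumption in one place. The function continues past the end of this hunk.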
@@ -1876,7 +1877,7 @@ def glib_legacy_exception_owners_are_allowed(
 if off_chain_ancestors != allowed_app_roots:
 return False
 if not glib_allowed_app_roots_reach_glib_through_tauri(
- package_dependencies, allowed_app_roots
+ context.package_dependencies, allowed_app_roots
 ):
 return False
 return ancestor_names <= (
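Review bot: glib_allowed_app_roots_reach_glib_through_tauri is still handed the raw `context.package_dependencies` while every other step of the check now reads from the context object; if that helper has no callers outside this check (not visible here), passing `context` through keeps the new interface consistent and avoids a second positional dict argument. This is a style point only; the call's behaviour is unchanged. The enclosing function ends outside the hunk.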