From 5ef7aa57855732201c9a0d9f0265233775a2b1e1 Mon Sep 17 00:00:00 2001
From: seonghobae <8172694+seonghobae@users.noreply.github.com>
Date: Sun, 21 Jun 2026 16:01:13 +0000
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=A7=B9=20Refactor=20rust=5Fglib=5Fadv?=
 =?UTF-8?q?isory=5Fviolations=20to=20use=20GlibLegacyContext=20dataclass?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/checks/verify_supply_chain.py | 50 +++++++++++++--------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/scripts/checks/verify_supply_chain.py b/scripts/checks/verify_supply_chain.py
index ca4864c6..a4c4c8f3 100644
--- a/scripts/checks/verify_supply_chain.py
+++ b/scripts/checks/verify_supply_chain.py
@@ -4,6 +4,7 @@
 import re
 import shlex
 from itertools import pairwise
+from dataclasses import dataclass
 from pathlib import Path
 
 try:
@@ -1644,6 +1645,15 @@ def verify_release_asset_allowlist_policy() -> list[str]:
 return violations
 
+
+@dataclass(frozen=True)
+class GlibLegacyContext:
+    package_dependencies: dict[str, list[str]]
+    glib_exception_owned_packages: set[str]
+    legacy_glib_ancestors: set[str]
+    legacy_glib_direct_owners: set[str]
+
+
 
 def rust_dependency_advisory_violations(
 lockfile: Path = Path("apps/desktop/src-tauri/Cargo.lock"),
 ) -> list[str]:
@@ -1661,6 +1671,12 @@ def rust_dependency_advisory_violations(
 legacy_glib_direct_owners = cargo_lock_dependency_owners(
 package_dependencies, RUST_GLIB_LEGACY_EXCEPTION_PACKAGE
 )
+ glib_context = GlibLegacyContext(
+ package_dependencies=package_dependencies,
+ glib_exception_owned_packages=glib_exception_owned_packages,
+ legacy_glib_ancestors=legacy_glib_ancestors,
+ legacy_glib_direct_owners=legacy_glib_direct_owners,
+ )
 for package in cargo_lock_packages(lockfile):
 current_name = str(package.get("name", ""))
 version = str(package.get("version", ""))
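Review bot: In the @@ -4,6 +4,7 @@ hunk `from dataclasses import dataclass` is inserted after `from itertools import pairwise`, which breaks the alphabetical order the `from` imports otherwise keep (`itertools`, `pathlib`); an isort-style check (ruff I001) would move it. Placing it as the first `from` line, ahead of `from itertools import pairwise`, keeps the block sorted.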
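Review bot: In the @@ -1644,6 +1645,15 @@ hunk, `frozen=True` on GlibLegacyContext only blocks rebinding its attributes; the `dict` and `set` fields stay mutable, and because `frozen=True` together with the default `eq=True` synthesizes `__hash__` over those fields, `hash(context)` raises TypeError on the dict field. If the intent is an immutable snapshot for the policy check, annotate the three set fields as `frozenset[str]` and wrap the values in `frozenset(...)` where `glib_context` is built in the @@ -1661,6 +1671,12 @@ hunk; otherwise a one-line comment stating that the context is treated as read-only is enough. The fields are also undocumented, and the class docstring patch 2 adds in its @@ -1648,6 +1648,7 @@ hunk does not cover them; judging from the `rsplit(" ", maxsplit=1)[0]` in glib_legacy_exception_owners_are_allowed, the ancestor and owner entries look like `"name version"` strings, so a comment such as `# "name version" entries; the name is recovered by rsplit in glib_legacy_exception_owners_are_allowed` on legacy_glib_ancestors and legacy_glib_direct_owners would help. The new-side numbering (+1645,15 with the class at 1648) also suggests three blank lines end up between the class and `def rust_dependency_advisory_violations`, one more than the two PEP 8 expects.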
@@ -1675,10 +1691,7 @@ def rust_dependency_advisory_violations(
 rust_glib_advisory_violations(
 lockfile,
 version,
- package_dependencies,
- legacy_glib_ancestors,
- legacy_glib_direct_owners,
- glib_exception_owned_packages,
+ glib_context,
 )
 )
 continue
@@ -1809,19 +1822,11 @@ def rust_osv_exception_violations(
 def rust_glib_advisory_violations(
 lockfile: Path,
 version: str,
- package_dependencies: dict[str, list[str]],
- legacy_glib_ancestors: set[str],
- legacy_glib_direct_owners: set[str],
- glib_exception_owned_packages: set[str],
+ context: GlibLegacyContext,
 ) -> list[str]:
 """Return violations for vulnerable glib versions outside the Tauri GTK stack."""
 if version == RUST_GLIB_LEGACY_EXCEPTION_VERSION:
- if glib_legacy_exception_owners_are_allowed(
- package_dependencies,
- legacy_glib_ancestors,
- glib_exception_owned_packages,
- legacy_glib_direct_owners,
- ):
+ if glib_legacy_exception_owners_are_allowed(context):
 return []
 return [
 f"{lockfile}: glib {version} matches the legacy exception version but "
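Review bot: The docstring of rust_glib_advisory_violations in the @@ -1809,19 +1822,11 @@ hunk is unchanged while the signature now takes `context: GlibLegacyContext` in place of four explicit arguments, so a reader no longer sees which inputs the legacy-exception branch depends on. Extending it with a second paragraph such as `context carries the lockfile dependency map and the legacy-glib owner/ancestor sets that glib_legacy_exception_owners_are_allowed consults when version equals RUST_GLIB_LEGACY_EXCEPTION_VERSION.` documents the contract without touching the logic. The body of rust_glib_advisory_violations continues past this hunk.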
@@ -1849,24 +1854,19 @@ def rust_glib_advisory_violations(
 return []
 
 
-def glib_legacy_exception_owners_are_allowed(
- package_dependencies: dict[str, list[str]],
- legacy_glib_ancestors: set[str],
- glib_exception_owned_packages: set[str],
- legacy_glib_direct_owners: set[str],
-) -> bool:
+def glib_legacy_exception_owners_are_allowed(context: GlibLegacyContext) -> bool:
 """Return whether every glib ancestor matches the documented GTK/WebKit stack."""
- if not legacy_glib_ancestors:
+ if not context.legacy_glib_ancestors:
 return False
 ancestor_names = {
- ancestor.rsplit(" ", maxsplit=1)[0] for ancestor in legacy_glib_ancestors
+ ancestor.rsplit(" ", maxsplit=1)[0] for ancestor in context.legacy_glib_ancestors
 }
 direct_owner_names = {
- owner.rsplit(" ", maxsplit=1)[0] for owner in legacy_glib_direct_owners
+ owner.rsplit(" ", maxsplit=1)[0] for owner in context.legacy_glib_direct_owners
 }
 if not direct_owner_names <= RUST_GLIB_LEGACY_DIRECT_OWNER_NAMES:
 return False
- off_chain_ancestors = legacy_glib_ancestors - glib_exception_owned_packages
+ off_chain_ancestors = context.legacy_glib_ancestors - context.glib_exception_owned_packages
 allowed_app_roots = {
 ancestor
 for ancestor in off_chain_ancestors
@@ -1876,7 +1876,7 @@ def glib_legacy_exception_owners_are_allowed(
 if off_chain_ancestors != allowed_app_roots:
 return False
 if not glib_allowed_app_roots_reach_glib_through_tauri(
- package_dependencies, allowed_app_roots
+ context.package_dependencies, allowed_app_roots
 ):
 return False
 return ancestor_names <= (

From 3c7bd609f46a35e37ffc01beccc390592ceb94ee Mon Sep 17 00:00:00 2001
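Review bot: In the @@ -1849,24 +1854,19 @@ hunk the body now spells out `context.<field>` in five places, and the `off_chain_ancestors` assignment and the two comprehension lines grow to roughly 92–95 columns; if the file is kept at black's default 88 columns, as its wrapped calls and trailing commas suggest, a formatter will rewrap them. Binding the sets once at the top, `ancestors = context.legacy_glib_ancestors` and `exception_owned = context.glib_exception_owned_packages`, keeps each expression on one line with identical behaviour. The early `return False` on an empty ancestor set is the fail-closed branch of this policy check and is worth a comment, e.g. `# No recorded ancestors: fail closed rather than grant the legacy exception.`. glib_legacy_exception_owners_are_allowed runs past this hunk; the @@ -1876,7 +1876,7 @@ hunk shows its tail and needs no separate change.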
From: seonghobae <8172694+seonghobae@users.noreply.github.com>
Date: Sun, 21 Jun 2026 17:05:27 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=A7=B9=20Refactor=20rust=5Fglib=5Fadv?=
 =?UTF-8?q?isory=5Fviolations=20to=20use=20GlibLegacyContext=20dataclass?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/checks/verify_supply_chain.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/checks/verify_supply_chain.py b/scripts/checks/verify_supply_chain.py
index a4c4c8f3..1c7a82f3 100644
--- a/scripts/checks/verify_supply_chain.py
+++ b/scripts/checks/verify_supply_chain.py
@@ -1648,6 +1648,7 @@ def verify_release_asset_allowlist_policy() -> list[str]:
 @dataclass(frozen=True)
 class GlibLegacyContext:
+    """Context for validating legacy glib dependencies against allowed owners."""
 package_dependencies: dict[str, list[str]]
 glib_exception_owned_packages: set[str]
 legacy_glib_ancestors: set[str]