bottlerocket-os · ginglis13 · Feb 24, 2025 · Feb 26, 2025 · Feb 28, 2025 · cbgbt
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -20,9 +20,10 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version: "^1.18"
-      # Install `patch`, needed to build `krane-bundle`
-      - run: sudo apt-get install -y patch
-      - run: make build
+      # Install `patch`, needed to build `krane-bundle`, and tools for linking against musl
+      - run: sudo apt-get install -y patch musl-tools musl-dev
+      - run: rustup target add x86_64-unknown-linux-musl
+      - run: CARGO_BUILD_TARGET=x86_64-unknown-linux-musl make build
 
   cross-build:
     runs-on:

diff --git a/clarify.toml b/clarify.toml
@@ -5,7 +5,7 @@ license-files = [
     { path = "COPYING", hash = 0x278afbcf },
     { path = "LICENSE-APACHE", hash = 0x24b54f4b },
     { path = "LICENSE-MIT", hash = 0x462dee44 },
-    { path = "src/unicode/data/LICENSE-UNICODE", hash = 0x70f7339 },
+    { path = "src/unicode/data/LICENSE-UNICODE", hash = 0x70f7339  },
 ]
 
 [clarify.petgraph]
@@ -27,6 +27,23 @@ license-files = [
     { path = "src/unicode_tables/LICENSE-UNICODE", hash = 0xa7f28b93 },
 ]
 
+[clarify.rust-fuzzy-search]
+expression = "MIT OR Apache-2.0"
+license-files = [
+    { path = "LICENSE-APACHE", hash = 0xbde481e5 },
+    { path = "LICENSE-MIT", hash = 0xb5a90d39 },
+]
+skip-files = [
+    # these licenses apply to documentation
+    "target/doc/FiraSans-LICENSE.txt",
+    "target/doc/COPYRIGHT.txt",
+    "target/doc/LICENSE-APACHE.txt",
+    "target/doc/LICENSE-MIT.txt",
+    "target/doc/SourceCodePro-LICENSE.txt",
+    "target/doc/SourceSerif4-LICENSE.md",
+]
+
+
 [clarify.typenum]
 expression = "MIT OR Apache-2.0"
 license-files = [

diff --git a/deny.toml b/deny.toml
@@ -78,8 +78,6 @@ skip = [
     { name = "tabled", version = "0.15.0" },
     # multiple deps are using an older version of tabled_derive
     { name = "tabled_derive", version = "0.7.0" },
-    # multiple deps are using an older version of zerocopy
-    { name = "zerocopy", version = "0.7.35" },
 ]
 
 skip-tree = [
@@ -90,9 +88,9 @@ skip-tree = [
     { name = "windows-sys" },
 ]
 
-[bans.workspace-dependencies]    
-duplicates = "deny"                                                                                                                                                                                                                                   
-include-path-dependencies = true    
+[bans.workspace-dependencies]
+duplicates = "deny"
+include-path-dependencies = true
 unused = "deny"
 
 [sources]

diff --git a/rust-toolchain.toml b/rust-toolchain.toml
@@ -2,5 +2,5 @@
 # particular date of the nightly compiler, but we want builds to be reproducable, so we lock to a
 # specific, recent instance of nightly.
 [toolchain]
-channel = "nightly-2024-07-11"
+channel = "nightly-2025-02-28"
 profile = "default"
diff --git a/tools/buildsys/src/cache.rs b/tools/buildsys/src/cache.rs
@@ -159,7 +159,7 @@ impl LookasideCache {
         let name = parsed
             .path_segments()
             .context(error::ExternalFileNameSnafu { path: url })?
-            .last()
+            .next_back()
             .context(error::ExternalFileNameSnafu { path: url })?;
         Ok(name.into())
     }

diff --git a/tools/buildsys/src/gomod.rs b/tools/buildsys/src/gomod.rs
@@ -162,7 +162,7 @@ fn extract_file_name(url: &str) -> Result<PathBuf> {
     let name = parsed
         .path_segments()
         .context(error::InputFileBadSnafu { path: url })?
-        .last()
+        .next_back()
         .context(error::InputFileBadSnafu { path: url })?;
     Ok(name.into())
 }

diff --git a/tools/oci-cli-wrapper/src/lib.rs b/tools/oci-cli-wrapper/src/lib.rs
@@ -3,14 +3,14 @@
 //!
 //! Current two tools are supported:
 //! * crane, gcrane, krane
-//!     Crane provides a more direct interaction with the container registry,
-//!     allowing us to query image information in the registry without having to pull the full image to
-//!     disk. It also does not require a daemon to operate and has optimizations for pulling large images to disk
+//!   Crane provides a more direct interaction with the container registry,
+//!   allowing us to query image information in the registry without having to pull the full image to
+//!   disk. It also does not require a daemon to operate and has optimizations for pulling large images to disk
 //! * docker
-//!     Docker can perform all interactions we need with several caveats that make it less efficient than
-//!     crane. The image needs to be pulled locally in order for docker to inspect the manifest and extract
-//!     metadata. In addition, in order to operate with OCI image format, the containerd-snapshotter
-//!     feature has to be enabled in the docker daemon
+//!   Docker can perform all interactions we need with several caveats that make it less efficient than
+//!   crane. The image needs to be pulled locally in order for docker to inspect the manifest and extract
+//!   metadata. In addition, in order to operate with OCI image format, the containerd-snapshotter
+//!   feature has to be enabled in the docker daemon
 use std::fmt::{Display, Formatter};
 use std::{collections::HashMap, path::Path};
 

diff --git a/tools/testsys/src/aws_resources.rs b/tools/testsys/src/aws_resources.rs
@@ -114,8 +114,8 @@ pub(crate) struct AmiImage {
 }
 
 /// Create a CRD to launch Bottlerocket instances on an EKS or ECS cluster.
-pub(crate) async fn ec2_crd<'a>(
-    bottlerocket_input: BottlerocketInput<'a>,
+pub(crate) async fn ec2_crd(
+    bottlerocket_input: BottlerocketInput<'_>,
     cluster_type: ClusterType,
     region: &str,
 ) -> Result<Resource> {
@@ -231,8 +231,8 @@ pub(crate) async fn ec2_crd<'a>(
 }
 
 /// Create a CRD to launch Bottlerocket instances on an EKS or ECS cluster.
-pub(crate) async fn ec2_karpenter_crd<'a>(
-    bottlerocket_input: BottlerocketInput<'a>,
+pub(crate) async fn ec2_karpenter_crd(
+    bottlerocket_input: BottlerocketInput<'_>,
     region: &str,
 ) -> Result<Resource> {
     let cluster_name = bottlerocket_input

diff --git a/tools/testsys/src/crds.rs b/tools/testsys/src/crds.rs
@@ -36,7 +36,7 @@ pub struct CrdInput<'a> {
     pub images: TestsysImages,
 }
 
-impl<'a> CrdInput<'a> {
+impl CrdInput<'_> {
     /// Retrieve the TUF repo information from `Infra.toml`
     pub fn tuf_repo_config(&self) -> Option<TufRepoConfig> {
         if let (Some(metadata_base_url), Some(targets_url)) = (

diff --git a/tools/update-metadata/src/lib.rs b/tools/update-metadata/src/lib.rs
@@ -311,7 +311,7 @@ impl Update {
             .waves
             .range((Included(0), Excluded(seed)))
             .map(|(k, v)| (*k, *v))
-            .last();
+            .next_back();
         let end_wave = self
             .waves
             .range((Included(seed), Included(MAX_SEED)))

diff --git a/twoliter/embedded/Makefile.toml b/twoliter/embedded/Makefile.toml
@@ -416,6 +416,7 @@ done
 [tasks.check]
 dependencies = [
    "check-cargo-version",
+   "check-advisories",
    "unit-tests",
    "check-fmt",
    "check-lints",
@@ -540,6 +541,61 @@ fi
 '''
 ]
 
+# Task to lint Bottlerocket Security Advisories by checking for valid CVE or GHSA IDs
+# and verifying that each versioned directory under "advisories" has a corresponding
+# tag on the Twoliter project this task runs against.
+[tasks.check-advisories]
+script_runner = "bash"
+script = [
+'''
+if find advisories -name '*.toml' -type f >/dev/null 2>&1 ; then
-if find advisories -name '*.toml' -type f >/dev/null 2>&1 ; then
+if find ${BUILDSYS_ROOT_DIR}/advisories -name '*.toml' -type f >/dev/null 2>&1 ; then
-if find advisories -name '*.toml' -type f >/dev/null 2>&1 ; then
+if find ${BUILDSYS_ROOT_DIR}/advisories -name '*.toml' -type f >/dev/null 2>&1 ; then
+
+  # Ensure each versioned advisories directory has a corresponding release tag.
+  for version in $(find advisories/* -type d -not -path advisories/staging); do
+    set +e; grep -q v$(basename ${version})$ <(PAGER= git tag); rc="$?"; set -e;
+    if [ "${rc}" -ne 0  ]; then
+      echo "error: no corresponding tag found for ${version} advisories directory" >&2
+      exit 1
+    fi
+  done
+
+
+  # Not all BRSAs might have a CVE; there can be cases where an advisory
+  # is for a GHSA, for example, but no corresponding CVE, and vice versa.
+  # Check separately for GHSA ID regex when a 'ghsa' is included and for
+  # CVE ID regex when a 'cve' is included.
+
+  # 1. If ghsa line exists and GHSA ID does not match regex, error
+
+  # Regex to strictly match a GHSA identifier in an advisory
+  # https://github.com/github/advisory-database?tab=readme-ov-file#ghsa-ids
+  ghsa_regex="^ghsa\s+=\s+\"GHSA(-[23456789cfghjmpqrvwx]{4}){3}\""
+
+  # Find all non-matching GHSA lines and report
+  ghsa_found="$(grep -L --include '*.toml' -R -P ${ghsa_regex} advisories | xargs awk '/ghsa/')"
+  if [ ! -z "${ghsa_found}"  ] ; then
+    echo "error: advisory GHSA ID did not match expression '${ghsa_regex}' and may contain non-ASCII characters" >&2
+    echo "${ghsa_found}" >&2
+    exit 1
+  fi
+
+  # 2. If cve line exists and CVE ID does not match regex, error
+
+  # Regex to strictly match CVE identifier in an advisory
+  # https://cve.mitre.org/cve/identifiers/tech-guidance.html#input_format
+  cve_regex="^cve\s+=\s+\"CVE-\d{4}-(0\d{3}|[1-9]\d{3,})\""
+
+  # Find all non-matching CVE lines and report
+  cve_found="$(grep -L --include '*.toml' -R -P ${cve_regex} advisories | xargs awk '/cve/')"
+  if [ ! -z "${cve_found}"  ] ; then
+    echo "error: advisory CVE ID did not match expression '${cve_regex}' and may contain non-ASCII characters" >&2
+    echo "${cve_found}" >&2
+    exit 1
+  fi
+fi
+'''
+]
+
 [tasks.check-golangci-lint]
 script = [
 '''

diff --git a/twoliter/src/project/lock/mod.rs b/twoliter/src/project/lock/mod.rs
@@ -1,7 +1,7 @@
-/// Covers the functionality and implementation of Twoliter.lock which is generated using
-/// `twoliter update`. It acts similarly to Cargo.lock as a flattened out representation of all kit
-/// and sdk image dependencies with associated digests so twoliter can validate that contents of a kit
-/// do not mutate unexpectedly.
+//! Covers the functionality and implementation of Twoliter.lock which is generated using
+//! `twoliter update`. It acts similarly to Cargo.lock as a flattened out representation of all kit
+//! and sdk image dependencies with associated digests so twoliter can validate that contents of a kit
+//! do not mutate unexpectedly.
 
 /// Contains operations for working with an OCI Archive
 mod archive;

diff --git a/twoliter/src/project/lock/verification.rs b/twoliter/src/project/lock/verification.rs
@@ -101,9 +101,6 @@ impl LockfileVerifier for Lock {
     }
 }
 
-/// A `LockfileVerifier` can return a set of `VerifyTag` structs, claiming that those artifacts
-/// have been resolved and verified against the lockfile.
-
 /// Writes marker files indicating which artifacts have been resolved and verified against the lock
 #[derive(Debug)]
 pub(crate) struct VerificationTagger {

diff --git a/twoliter/src/project/vendor.rs b/twoliter/src/project/vendor.rs
@@ -98,7 +98,7 @@ impl OverriddenVendor {
             .unwrap_or(&self.original_vendor.registry)
     }
 
-    pub(crate) fn repo_for<'a, V: VendedArtifact>(&'a self, image: &'a V) -> &str {
+    pub(crate) fn repo_for<'a, V: VendedArtifact>(&'a self, image: &'a V) -> &'a str {
         self.override_
             .name
             .as_deref()