Merge pull request #600 from DataDog/amaan.qureshi/K9VULN-2634

[K9VULN-2634] Check in Cargo.lock, and pass in `--locked` to cargo commands

.github/workflows/check-regressions.yml

@@ -48,23 +48,25 @@ jobs:
           repository: ${{ matrix.repo.org }}/${{ matrix.repo.name }}
           path: ${{ matrix.repo.org }}/${{ matrix.repo.name }}
 
+      - name: Fetch dependencies (before)
+        run: cargo fetch
+
       - name: Obtain results before changes
         run: |
-          rm -f Cargo.lock
-          cargo clean
-          cargo run --release --bin datadog-static-analyzer -- -i ${{ matrix.repo.org }}/${{ matrix.repo.name }} -o result-pre.json -b -f sarif
+          cargo run --locked --release --bin datadog-static-analyzer -- -i ${{ matrix.repo.org }}/${{ matrix.repo.name }} -o result-pre.json -b -f sarif
 
       - name: Fetch all branches and checkout PR
         run: |
           git fetch --all
           git checkout ${{ github.sha }}
           echo 'checked out ${{ github.sha }}'
 
+      - name: Fetch dependencies (after)
+        run: cargo fetch
+
       - name: Obtain results after changes
         run: |
-          rm -f Cargo.lock
-          cargo clean
-          cargo run --release --bin datadog-static-analyzer -- -i ${{ matrix.repo.org }}/${{ matrix.repo.name }} -o result-post.json -b -f sarif
+          cargo run --locked --release --bin datadog-static-analyzer -- -i ${{ matrix.repo.org }}/${{ matrix.repo.name }} -o result-post.json -b -f sarif
 
       - name: Install Node.js dependencies
         run: npm install

.github/workflows/release.yml

@@ -66,11 +66,14 @@ jobs:
         shell: bash
         run: sed "s/development/$GITHUB_SHA/g" crates/static-analysis-kernel/src/constants.rs > bla && rm crates/static-analysis-kernel/src/constants.rs && mv bla crates/static-analysis-kernel/src/constants.rs
 
+      - name: Fetch dependencies
+        run: cargo fetch
+
       - name: Build Rust binaries
         run: |
-          cargo build --release --target ${{ matrix.target }} --bin datadog-static-analyzer
-          cargo build --release --target ${{ matrix.target }} --bin datadog-static-analyzer-git-hook
-          cargo build --release --target ${{ matrix.target }} --bin datadog-static-analyzer-server
+          cargo build --locked --release --target ${{ matrix.target }} --bin datadog-static-analyzer
+          cargo build --locked --release --target ${{ matrix.target }} --bin datadog-static-analyzer-git-hook
+          cargo build --locked --release --target ${{ matrix.target }} --bin datadog-static-analyzer-server
 
       - name: Zip Rust binaries (Unix)
         if: ${{ !startsWith(matrix.os, 'windows') }}

.github/workflows/rust.yaml

@@ -16,8 +16,8 @@ jobs:
           - { os: macos-latest, target: aarch64-apple-darwin, gha_alias: 'macOS aarch64 - ' }
           - { os: windows-latest, target: x86_64-pc-windows-msvc, gha_alias: 'Windows x64 - ' }
         cargo_cmd:
-          - { cmd_name: build, gha_alias: "Build - Profile 'debug'" }
-          - { cmd_name: test, args: '--workspace', gha_alias: "Test" }
+          - { cmd_name: build, args: '--locked'            , gha_alias: "Build - Profile 'debug'" }
+          - { cmd_name: test,  args: '--workspace --locked', gha_alias: "Test" }
         include:
           - config: { os: ubuntu-latest, target: aarch64-unknown-linux-gnu, gha_alias: '' }
             cargo_cmd: { cmd_name: clippy, args: '', gha_alias: "Clippy" }
@@ -30,19 +30,32 @@ jobs:
       DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
       DD_SITE: ${{ vars.DD_SITE }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Set up Rust
         uses: actions-rust-lang/[email protected]
+
+      - name: Fetch dependencies
+        run: cargo fetch
+
       - name: Run cargo ${{ matrix.cargo_cmd.cmd_name }} ${{ matrix.cargo_cmd.args }}
         uses: actions-rs/cargo@v1
         with:
           command: ${{ matrix.cargo_cmd.cmd_name }}
           args: ${{ matrix.cargo_cmd.args }}
+
+      - name: Check the lockfile is up to date
+        if: ${{ matrix.config.target == 'aarch64-unknown-linux-gnu' }}
+        run: |
+          cargo check
+          git diff --exit-code Cargo.lock || (echo "::error::Lockfile is out of date. Please run 'cargo check' and commit the updated Cargo.lock file." && exit 1)
+
       - name: Check python rulesets - part1
-        run: cargo run --bin datadog-static-analyzer-test-ruleset -- -r python-best-practices -r python-security -r python-code-style -r python-inclusive
+        run: cargo run --locked --bin datadog-static-analyzer-test-ruleset -- -r python-best-practices -r python-security -r python-code-style -r python-inclusive
       - name: Check python rulesets - part2
-        run: cargo run --bin datadog-static-analyzer-test-ruleset -- -r python-django -r python-flask -r python-design
+        run: cargo run --locked --bin datadog-static-analyzer-test-ruleset -- -r python-django -r python-flask -r python-design
       - name: Check Java rulesets
-        run: cargo run --bin datadog-static-analyzer-test-ruleset -- -r java-security -r java-best-practices -r java-code-style
+        run: cargo run --locked --bin datadog-static-analyzer-test-ruleset -- -r java-security -r java-best-practices -r java-code-style
       - name: Check Docker rulesets
-        run: cargo run --bin datadog-static-analyzer-test-ruleset -- -r docker-best-practices
+        run: cargo run --locked --bin datadog-static-analyzer-test-ruleset -- -r docker-best-practices

.github/workflows/test-rules.yaml

@@ -54,34 +54,47 @@ jobs:
     env:
       DD_SITE: datadoghq.com
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Set up Rust
         uses: actions-rust-lang/[email protected]
         with:
           components: clippy
+
+      - name: Fetch dependencies
+        run: cargo fetch
+
       - name: Test all production rules
         run: |
-          cargo build --profile release-dev --bin datadog-static-analyzer && \
-          cargo build --profile release-dev --bin datadog-static-analyzer-server && \
+          cargo build --locked --profile release-dev --bin datadog-static-analyzer && \
+          cargo build --locked --profile release-dev --bin datadog-static-analyzer-server && \
           sudo apt-get install python3-requests && \
           for language in ${{ needs.extract-languages.outputs.languages }}; do \
             python misc/test-rules.py -c $PWD/target/release-dev/datadog-static-analyzer -s $PWD/target/release-dev/datadog-static-analyzer-server -l $language ; \
           done
+
   staging_rules:
     needs: extract-languages
     runs-on: ubuntu-latest
     env:
       DD_SITE: datad0g.com
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Set up Rust
         uses: actions-rust-lang/[email protected]
         with:
           components: clippy
+
+      - name: Fetch dependencies
+        run: cargo fetch
+
       - name: Test all staging rules
         run: |
-          cargo build --profile release-dev --bin datadog-static-analyzer && \
-          cargo build --profile release-dev --bin datadog-static-analyzer-server && \
+          cargo build --locked --profile release-dev --bin datadog-static-analyzer && \
+          cargo build --locked --profile release-dev --bin datadog-static-analyzer-server && \
           sudo apt-get install python3-requests && \
           for language in ${{ needs.extract-languages.outputs.languages }}; do \
             python misc/test-rules.py -c $PWD/target/release-dev/datadog-static-analyzer -s $PWD/target/release-dev/datadog-static-analyzer-server -l $language ; \

.gitignore

@@ -3,10 +3,6 @@
 debug/
 target/
 
-# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
-# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
-Cargo.lock
-
 # These are backup files generated by rustfmt
 **/*.rs.bk