author | Alyssa Ross <hi@alyssa.is> | 2021-09-27 16:00:58 +0000 |
committer | Alyssa Ross <hi@alyssa.is> | 2021-09-27 16:00:58 +0000 |
commit | c504e5d19d940926b3ddcf62c983d66f49f3cbb2 (patch) | |
tree | ec955e58bcac2cb93b9f8c10786b23f61d40cd7e /nixpkgs/pkgs/development/tools/analysis | |
parent | 72789cefce7b17419815f600fbd18238d89afcc9 (diff) | |
parent | 1737f98af6667560e3e4f930312f9b5002649d04 (diff) | |
Merge commit '1737f98af6667560e3e4f930312f9b5002649d04'
Conflicts: nixpkgs/nixos/modules/services/networking/ssh/sshd.nix nixpkgs/pkgs/applications/networking/irc/weechat/scripts/default.nix nixpkgs/pkgs/development/node-packages/default.nix nixpkgs/pkgs/development/python-modules/priority/deadline.patch
Diffstat (limited to 'nixpkgs/pkgs/development/tools/analysis')
10 files changed, 241 insertions, 21 deletions
diff --git a/nixpkgs/pkgs/development/tools/analysis/binlore/default.nix b/nixpkgs/pkgs/development/tools/analysis/binlore/default.nix
new file mode 100644
index 000000000000..aba1c59b979d
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/binlore/default.nix
@@ -0,0 +1,112 @@
+{ lib
+, fetchFromGitHub
+, runCommand
+, yallback
+, yara
+}:
+
+/* TODO/CAUTION:
+
+I don't want to discourage use, but I'm not sure how stable
+the API is. Have fun, but be prepared to track changes! :)
+
+For _now_, binlore is basically a thin wrapper around
+`<invoke yara> | <postprocess with yallback>` with support
+for running it on a derivation, saving the result in the
+store, and aggregating results from a set of packages.
+
+In the longer term, I suspect there are more uses for this
+general pattern (i.e., run some analysis tool that produces
+a deterministic output and cache the result per package...).
+
+I'm not sure how that'll look and if it'll be the case that
+binlore automatically collects all of them, or if you'll be
+configuring which "kind(s)" of lore it generates. Nailing
+that down will almost certainly mean reworking the API.
+
+*/
+
+let
+ src = fetchFromGitHub {
+ owner = "abathur";
+ repo = "binlore";
+ rev = "v0.1.3";
+ hash = "sha256-+rgv8gAQ3ptOpL/EhbKr/jq+k/4Lpn06/2qON+Ps2wE=";
+ };
+ /*
+ binlore has one one more yallbacks responsible for
+ routing the appropriate lore to a named file in the
+ appropriate format. At some point I might try to do
+ something fancy with this, but for now the answer to
+ *all* questions about the lore are: the bare minimum
+ to get resholve over the next feature hump in time to
+ hopefully slip this feature in before the branch-off.
+ */
+ # TODO: feeling really uninspired on the API
+ loreDef = {
+ # YARA rule file
+ rules = (src + /execers.yar);
+ # output filenames; "types" of lore
+ types = [ "execers" "wrappers" ];
+ # shell rule callbacks; see github.com/abathur/yallback
+ yallback = (src + /execers.yall);
+ # TODO:
+ # - echo for debug, can be removed at some point
+ # - I really just wanted to put the bit after the pipe
+ in here, but I'm erring on the side of flexibility
+ since this form will make it easier to pilot other
+ uses of binlore.
+ callback = lore: drv: overrides: ''
+ if [[ -d "${drv}/bin" ]]; then
+ echo generating binlore for $drv by running:
+ echo "${yara}/bin/yara ${lore.rules} ${drv}/bin | ${yallback}/bin/yallback ${lore.yallback}"
+ else
+ echo "failed to generate binlore for $drv (${drv}/bin doesn't exist)"
+ fi
+ '' +
+ /*
+ Override lore for some packages. Unsure, but for now:
+ 1. start with the ~name (pname-version)
+ 2. remove characters from the end until we find a match
+ in overrides/
+ 3. execute the override script with the list of expected
+ lore types
+ */
+ ''
+ i=''${#identifier}
+ filter=
+ while [[ $i > 0 ]] && [[ -z "$filter" ]]; do
+ if [[ -f "${overrides}/''${identifier:0:$i}" ]]; then
+ filter="${overrides}/''${identifier:0:$i}"
+ echo using "${overrides}/''${identifier:0:$i}" to generate overriden binlore for $drv
+ break
+ fi
+ ((i--)) || true # don't break build
+ done # || true # don't break build
+ if [[ -d "${drv}/bin" ]]; then
+ ${yara}/bin/yara ${lore.rules} ${drv}/bin | ${yallback}/bin/yallback ${lore.yallback} "$filter"
+ fi
+ '';
+ };
+ overrides = (src + /overrides);
+
+in rec {
+ collect = { lore ? loreDef, drvs }: (runCommand "more-binlore" { } ''
+ mkdir $out
+ for lorefile in ${toString lore.types}; do
+ cat ${lib.concatMapStrings (x: x + "/$lorefile ") (map (make lore) (map lib.getBin drvs))} > $out/$lorefile
+ done
+ '');
+ # TODO: echo for debug, can be removed at some point
+ make = lore: drv: runCommand "${drv.name}-binlore" {
+ identifier = drv.name;
+ drv = drv;
+ } (''
+ mkdir $out
+ touch $out/{${builtins.concatStringsSep "," lore.types}}
+
+ ${lore.callback lore drv overrides}
+
+ echo binlore for $drv written to $out
+ '');
+}
diff --git a/nixpkgs/pkgs/development/tools/analysis/cvehound/default.nix b/nixpkgs/pkgs/development/tools/analysis/cvehound/default.nix
new file mode 100644
index 000000000000..05073bba750d
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/cvehound/default.nix
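Review bot: The override-search loop in `callback` tests `[[ $i > 0 ]]`, which inside `[[ ]]` is a lexicographic string comparison rather than a numeric one; it happens to terminate here because `i` starts at the decimal length of `identifier` and counts down, but the intent is numeric, so `while (( i > 0 )) && [[ -z "$filter" ]]; do` (or `-gt`) removes the trap. The first `if [[ -d "${drv}/bin" ]]` block only echoes the pipeline and the second one actually runs it, so the directory check and the yara invocation appear twice; a comment such as `# debug echo only; the real run is below` on the first block would save the next reader from hunting for a behavioural difference. The message `to generate overriden binlore` should read `overridden`. Because only `${drv}/bin` is scanned, binaries under `sbin` or `libexec` yield no lore at all, so downstream consumers (resholve, presumably) should treat a missing entry as "unknown" rather than "not an execer" — worth a sentence in the header comment.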
@@ -0,0 +1,41 @@
+{ lib, fetchFromGitHub, coccinelle, gnugrep, python3Packages }:
+
+with python3Packages;
+
+buildPythonApplication rec {
+ pname = "cvehound";
+ version = "1.0.4";
+
+ src = fetchFromGitHub {
+ owner = "evdenis";
+ repo = "cvehound";
+ rev = version;
+ sha256 = "sha256-m8vpea02flQ8elSvGWv9FqBhsEcBzRYjcUk+dc4kb2M=";
+ };
+
+ makeWrapperArgs = [
+ "--prefix PATH : ${lib.makeBinPath [ coccinelle gnugrep ]}"
+ ];
+
+ propagatedBuildInputs = [
+ psutil
+ setuptools
+ sympy
+ ];
+
+ checkInputs = [
+ GitPython
+ pytestCheckHook
+ ];
+
+ # Tries to clone the kernel sources
+ doCheck = false;
+
+ meta = with lib; {
+ description = "tool to check linux kernel source dump for known CVEs";
+ homepage = "https://github.com/evdenis/cvehound";
+ # See https://github.com/evdenis/cvehound/issues/22
+ license = with licenses; [ gpl2Only gpl3Only ];
+ maintainers = with maintainers; [ ambroisie ];
+ };
+}
diff --git a/nixpkgs/pkgs/development/tools/analysis/flow/default.nix b/nixpkgs/pkgs/development/tools/analysis/flow/default.nix
index e87a6be9cc55..ee4e6d733fc5 100644
--- a/nixpkgs/pkgs/development/tools/analysis/flow/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/flow/default.nix
@@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "flow"; - version = "0.159.0"; + version = "0.160.0"; src = fetchFromGitHub { owner = "facebook"; repo = "flow"; rev = "v${version}"; - sha256 = "sha256-NGYaevL6Jpv5rkYlSzIFMIn36ds7ecOJtEToQIzbOsU="; + sha256 = "sha256-pgNxiNzL7Mb/ueBhWBtUi4BGnLnemk3o05K/fqXWE6Q="; }; installPhase = ''
diff --git a/nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix b/nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix
index c1d8ab99063c..3082d9d4f829 100644
--- a/nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix
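Review bot: `checkInputs` lists `GitPython` and `pytestCheckHook` while `doCheck = false;` disables the check phase, so those two inputs are dead configuration; either drop them or say why they stay, e.g. `# kept for re-enabling the suite once a network-free subset exists` above the list. The `description` should begin with a capital letter per nixpkgs convention: `description = "Tool to check Linux kernel source dump for known CVEs";`. `with python3Packages;` at file scope brings every Python attribute into scope, which nixpkgs style discourages; destructuring the five names used here from `python3Packages` in the argument set keeps their provenance visible and avoids accidental captures.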
@@ -11,13 +11,13 @@ mkDerivation rec { pname = "cutter"; - version = "2.0.2"; + version = "2.0.3"; src = fetchFromGitHub { owner = "rizinorg"; repo = "cutter"; rev = "v${version}"; - sha256 = "sha256-CVVUXx6wt9vH3B7NrrlRGnOIrhXQPjV7GmX3O+KtMSM="; + sha256 = "sha256-OC04d3j8Dfsob1dUjNBc1pSQFxJlexzWJ4v0V3QNkno="; fetchSubmodules = true; };
diff --git a/nixpkgs/pkgs/development/tools/analysis/rizin/default.nix b/nixpkgs/pkgs/development/tools/analysis/rizin/default.nix
index ff7717312f87..d76c63044ccd 100644
--- a/nixpkgs/pkgs/development/tools/analysis/rizin/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/rizin/default.nix
@@ -23,11 +23,11 @@ stdenv.mkDerivation rec { pname = "rizin"; - version = "0.2.1"; + version = "0.3.0"; src = fetchurl { url = "https://github.com/rizinorg/rizin/releases/download/v${version}/rizin-src-v${version}.tar.xz"; - sha256 = "sha256-lxVsPI+qLenZ0pelvxtHlQ6fhWdQeqoEEHrUGZ5Rdmg="; + sha256 = "sha256-+XW12VIaRfRkLc3Li6ItF4VQfWLNRvxZW2VGtxVYJxY="; }; mesonFlags = [
diff --git a/nixpkgs/pkgs/development/tools/analysis/sparse/default.nix b/nixpkgs/pkgs/development/tools/analysis/sparse/default.nix
index efbc46448259..75541dc112a8 100644
--- a/nixpkgs/pkgs/development/tools/analysis/sparse/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/sparse/default.nix
@@ -1,27 +1,36 @@ -{ fetchurl, lib, stdenv, pkg-config, libxml2, llvm, perl }: +{ callPackage, fetchurl, lib, stdenv, gtk3, pkg-config, libxml2, llvm, perl, sqlite }: -stdenv.mkDerivation rec { +let + GCC_BASE = "${stdenv.cc.cc}/lib/gcc/${stdenv.hostPlatform.uname.processor}-unknown-linux-gnu/${stdenv.cc.cc.version}"; +in stdenv.mkDerivation rec { pname = "sparse"; - version = "0.5.0"; + version = "0.6.3"; src = fetchurl { url = "mirror://kernel/software/devel/sparse/dist/${pname}-${version}.tar.xz"; - sha256 = "1mc86jc5xdrdmv17nqj2cam2yqygnj6ar1iqkwsx2y37ij8wy7wj"; + sha256 = "16d8c4dhipjzjf8z4z7pix1pdpqydz0v4r7i345f5s09hjnxpxnl"; }; preConfigure = '' - sed -i Makefile -e "s|^PREFIX=.*$|PREFIX=$out|g" + sed -i 's|"/usr/include"|"${stdenv.cc.libc.dev}/include"|' pre-process.c + sed -i 's|qx(\$ccom -print-file-name=)|"${GCC_BASE}"|' cgcc + makeFlags+=" PREFIX=$out" ''; nativeBuildInputs = [ pkg-config ]; - buildInputs = [ libxml2 llvm perl ]; + buildInputs = [ gtk3 libxml2 llvm perl sqlite ]; doCheck = true; + buildFlags = "GCC_BASE:=${GCC_BASE}"; - meta = { + passthru.tests = { + simple-execution = callPackage ./tests.nix { }; + }; + + meta = with lib; { description = "Semantic parser for C"; homepage = "https://git.kernel.org/cgit/devel/sparse/sparse.git/"; - license = lib.licenses.mit; - platforms = lib.platforms.linux; - maintainers = [ lib.maintainers.thoughtpolice ]; + license = licenses.mit; + platforms = platforms.linux; + maintainers = with maintainers; [ thoughtpolice jkarlson ]; }; }
diff --git a/nixpkgs/pkgs/development/tools/analysis/sparse/tests.nix b/nixpkgs/pkgs/development/tools/analysis/sparse/tests.nix
new file mode 100644
index 000000000000..5eba254e537a
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/sparse/tests.nix
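Review bot: `GCC_BASE` hard-codes the `${stdenv.hostPlatform.uname.processor}-unknown-linux-gnu` triple, so on a musl or any other non-`unknown-linux-gnu` stdenv the directory substituted into `cgcc` for `-print-file-name=` will not exist and sparse would presumably look for gcc's internal headers in the wrong place; `stdenv.hostPlatform.config` is the triple nixpkgs configures gcc with, so `GCC_BASE = "${stdenv.cc.cc}/lib/gcc/${stdenv.hostPlatform.config}/${stdenv.cc.cc.version}";` should be the right value for gcc stdenvs (a clang stdenv would still need a guard). The two `sed -i` edits in `preConfigure` are never checked for a match, so an upstream rename of `"/usr/include"` or the `qx(...)` call would leave the old lookup in place without failing the build; a `grep -q` before each `sed` would surface that. `buildFlags` as a bare string and `makeFlags+=` inside `preConfigure` both work, but the nixpkgs idiom is a list, e.g. `makeFlags = [ "PREFIX=${placeholder "out"}" "GCC_BASE:=${GCC_BASE}" ];`. The hunk covers the whole file, so these apply to the new derivation as a unit.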
@@ -0,0 +1,24 @@
+{ runCommand, gcc, sparse, writeText }:
+let
+ src = writeText "CODE.c" ''
+ #include <stdio.h>
+ #include <stddef.h>
+ #include <stdlib.h>
+
+ int main(int argc, char *argv[]) {
+ return EXIT_SUCCESS;
+ }
+ '';
+in
+ runCommand "${sparse.pname}-tests" { buildInputs = [ gcc sparse ]; meta.timeout = 3; }
+''
+ set -eu
+ ${sparse}/bin/cgcc ${src} > output 2>&1 || ret=$?
+ if [[ -z $(<output) ]]; then
+ mv output $out
+ else
+ echo "Test build returned $ret"
+ cat output
+ exit 1
+ fi
+''
diff --git a/nixpkgs/pkgs/development/tools/analysis/tflint/default.nix b/nixpkgs/pkgs/development/tools/analysis/tflint/default.nix
index 443d9b4b1e69..c645cd359032 100644
--- a/nixpkgs/pkgs/development/tools/analysis/tflint/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/tflint/default.nix
@@ -2,16 +2,16 @@ buildGoModule rec { pname = "tflint"; - version = "0.32.0"; + version = "0.32.1"; src = fetchFromGitHub { owner = "terraform-linters"; repo = pname; rev = "v${version}"; - sha256 = "1yf725lfwhvkc1mvzqpl9wchwq2z4pz3z7bp0qlbgdym8z66x8wm"; + sha256 = "sha256-0DK6uTbuIVqrfsrTF0tAbx1WnVpc97nE0zuwTcFoBf8="; }; - vendorSha256 = "0jg8a6vx2n71awr2zdkiisx76qcnj3qj6vj1w9m1c9kczz3mc7m3"; + vendorSha256 = "sha256-ox5Wx/9sJhZq4kFuI/GQlmFzuo5xti8yV+FY0bdR6Ek="; doCheck = false;
diff --git a/nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix b/nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix
index 5ded1e5cab25..66e876ec81a8 100644
--- a/nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix
@@ -5,13 +5,13 @@ buildGoPackage rec { pname = "tfsec"; - version = "0.58.6"; + version = "0.58.10"; src = fetchFromGitHub { owner = "aquasecurity"; repo = pname; rev = "v${version}"; - sha256 = "sha256-FTrzEVTmMxXshDOvlSmQEwekde621KIclpFm1oEduEo="; + sha256 = "sha256-VMnc4frDBAkVc9hqUdXAiJ2vNsK9NzkLOUaQWhQQUBU="; }; goPackagePath = "github.com/aquasecurity/tfsec";
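Review bot: `ret` is assigned only on the failure branch of `|| ret=$?`, so when `cgcc` exits 0 but still writes something to `output` the `else` branch reaches `echo "Test build returned $ret"` with `ret` unset, and under `set -eu` that aborts with an unbound-variable error instead of printing the diagnostic; add `ret=0` before the `cgcc` line. `gcc` and `sparse` are executed at build time, so they belong in `nativeBuildInputs` rather than `buildInputs`; with the current placement a cross build would select host-platform binaries that cannot run on the builder. `meta.timeout = 3` is presumably a hang guard, but a gcc invocation on a loaded builder can take longer than three seconds, so the test may fail spuriously; a value in the tens of seconds keeps the guard without the flakiness.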
diff --git a/nixpkgs/pkgs/development/tools/analysis/yallback/default.nix b/nixpkgs/pkgs/development/tools/analysis/yallback/default.nix
new file mode 100644
index 000000000000..17263d1766a8
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/yallback/default.nix
@@ -0,0 +1,34 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, makeWrapper
+, coreutils
+, bashInteractive
+}:
+
+stdenv.mkDerivation rec {
+ version = "0.1.0";
+ pname = "yallback";
+ src = fetchFromGitHub {
+ owner = "abathur";
+ repo = "yallback";
+ rev = "v${version}";
+ hash = "sha256-FaPqpxstKMhqLPFLIdenHgwzDE3gspBbJUSY95tblgI=";
+ };
+
+ buildInputs = [ coreutils bashInteractive ];
+ nativeBuildInputs = [ makeWrapper ];
+
+ installPhase = ''
+ install -Dv yallback $out/bin/yallback
+ wrapProgram $out/bin/yallback --prefix PATH : ${lib.makeBinPath [ coreutils ]}
+ '';
+
+ meta = with lib; {
+ description = "Callbacks for YARA rule matches";
+ homepage = "https://github.com/abathur/yallback";
+ license = licenses.mit;
+ maintainers = with maintainers; [ abathur ];
+ platforms = platforms.all;
+ };
+}
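Review bot: `bashInteractive` appears in `buildInputs` but nothing in the hunk uses it: `wrapProgram` only prefixes `coreutils` onto PATH, and the installed script's shebang is, as far as I can tell, rewritten by the stdenv fixup to the build-time bash rather than to this one, so the dependency is carried without effect. If a specific bash is required it should be referenced explicitly (in the shebang patch or the wrapper); otherwise drop it. For a single shell script there is nothing to compile or link, so `buildInputs` is the wrong set altogether — `coreutils` is already reached via `makeBinPath`, leaving `nativeBuildInputs = [ makeWrapper ];` as the only input list needed. Minor: nixpkgs convention orders `pname` before `version`.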