authorAlyssa Ross <hi@alyssa.is>2021-09-27 16:00:58 +0000
committerAlyssa Ross <hi@alyssa.is>2021-09-27 16:00:58 +0000
commitc504e5d19d940926b3ddcf62c983d66f49f3cbb2 (patch)
treeec955e58bcac2cb93b9f8c10786b23f61d40cd7e /nixpkgs/pkgs/development/tools/analysis
parent72789cefce7b17419815f600fbd18238d89afcc9 (diff)
parent1737f98af6667560e3e4f930312f9b5002649d04 (diff)
Merge commit '1737f98af6667560e3e4f930312f9b5002649d04'
Conflicts:
	nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
	nixpkgs/pkgs/applications/networking/irc/weechat/scripts/default.nix
	nixpkgs/pkgs/development/node-packages/default.nix
	nixpkgs/pkgs/development/python-modules/priority/deadline.patch
Diffstat (limited to 'nixpkgs/pkgs/development/tools/analysis')
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/binlore/default.nix112
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/cvehound/default.nix41
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/flow/default.nix4
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix4
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/rizin/default.nix4
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/sparse/default.nix29
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/sparse/tests.nix24
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/tflint/default.nix6
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix4
-rw-r--r--nixpkgs/pkgs/development/tools/analysis/yallback/default.nix34
10 files changed, 241 insertions, 21 deletions
diff --git a/nixpkgs/pkgs/development/tools/analysis/binlore/default.nix b/nixpkgs/pkgs/development/tools/analysis/binlore/default.nix
new file mode 100644
index 000000000000..aba1c59b979d
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/binlore/default.nix
@@ -0,0 +1,112 @@
+{ lib
+, fetchFromGitHub
+, runCommand
+, yallback
+, yara
+}:
+
+/* TODO/CAUTION:
+
+I don't want to discourage use, but I'm not sure how stable
+the API is. Have fun, but be prepared to track changes! :)
+
+For _now_, binlore is basically a thin wrapper around
+`<invoke yara> | <postprocess with yallback>` with support
+for running it on a derivation, saving the result in the
+store, and aggregating results from a set of packages.
+
+In the longer term, I suspect there are more uses for this
+general pattern (i.e., run some analysis tool that produces
+a deterministic output and cache the result per package...).
+
+I'm not sure how that'll look and if it'll be the case that
+binlore automatically collects all of them, or if you'll be
+configuring which "kind(s)" of lore it generates. Nailing
+that down will almost certainly mean reworking the API.
+
+*/
+
+let
+  src = fetchFromGitHub {
+    owner = "abathur";
+    repo = "binlore";
+    rev = "v0.1.3";
+    hash = "sha256-+rgv8gAQ3ptOpL/EhbKr/jq+k/4Lpn06/2qON+Ps2wE=";
+  };
+  /*
+  binlore has one one more yallbacks responsible for
+  routing the appropriate lore to a named file in the
+  appropriate format. At some point I might try to do
+  something fancy with this, but for now the answer to
+  *all* questions about the lore are: the bare minimum
+  to get resholve over the next feature hump in time to
+  hopefully slip this feature in before the branch-off.
+  */
+  # TODO: feeling really uninspired on the API
+  loreDef = {
+    # YARA rule file
+    rules = (src + /execers.yar);
+    # output filenames; "types" of lore
+    types = [ "execers" "wrappers" ];
+    # shell rule callbacks; see github.com/abathur/yallback
+    yallback = (src + /execers.yall);
+    # TODO:
+    # - echo for debug, can be removed at some point
+    # - I really just wanted to put the bit after the pipe
+    #   in here, but I'm erring on the side of flexibility
+    #   since this form will make it easier to pilot other
+    #   uses of binlore.
+    callback = lore: drv: overrides: ''
+      if [[ -d "${drv}/bin" ]]; then
+        echo generating binlore for $drv by running:
+        echo "${yara}/bin/yara ${lore.rules} ${drv}/bin | ${yallback}/bin/yallback ${lore.yallback}"
+      else
+        echo "failed to generate binlore for $drv (${drv}/bin doesn't exist)"
+      fi
+    '' +
+    /*
+    Override lore for some packages. Unsure, but for now:
+    1. start with the ~name (pname-version)
+    2. remove characters from the end until we find a match
+       in overrides/
+    3. execute the override script with the list of expected
+       lore types
+    */
+    ''
+      i=''${#identifier}
+      filter=
+      while [[ $i > 0 ]] && [[ -z "$filter" ]]; do
+        if [[ -f "${overrides}/''${identifier:0:$i}" ]]; then
+          filter="${overrides}/''${identifier:0:$i}"
+          echo using "${overrides}/''${identifier:0:$i}" to generate overriden binlore for $drv
+          break
+        fi
+        ((i--)) || true # don't break build
+      done # || true # don't break build
+      if [[ -d "${drv}/bin" ]]; then
+        ${yara}/bin/yara ${lore.rules} ${drv}/bin | ${yallback}/bin/yallback ${lore.yallback} "$filter"
+      fi
+    '';
+  };
+  overrides = (src + /overrides);
+
+in rec {
+  collect = { lore ? loreDef, drvs }: (runCommand "more-binlore" { } ''
+    mkdir $out
+    for lorefile in ${toString lore.types}; do
+      cat ${lib.concatMapStrings (x: x + "/$lorefile ") (map (make lore) (map lib.getBin drvs))} > $out/$lorefile
+    done
+  '');
+  # TODO: echo for debug, can be removed at some point
+  make = lore: drv: runCommand "${drv.name}-binlore" {
+      identifier = drv.name;
+      drv = drv;
+    } (''
+    mkdir $out
+    touch $out/{${builtins.concatStringsSep "," lore.types}}
+
+    ${lore.callback lore drv overrides}
+
+    echo binlore for $drv written to $out
+  '');
+}
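Review bot: The override lookup in the loop around `''${identifier:0:$i}` truncates the name one character at a time, so an override file named e.g. `git` would also be selected for any derivation whose name merely starts with `git` (`gitea-1.x`, `gitlab-…`), not only `git-2.x`; since this lore decides which binaries are treated as execers, a misapplied override silently changes that verdict for an unrelated package. Consider only accepting a prefix at a name boundary, e.g. when `$i` equals the full length or `''${identifier:$i:1}` is `-`, and add a comment stating the matching rule. Separately, `[[ $i > 0 ]]` is a lexicographic string comparison inside `[[ ]]`; it happens to work for non-negative integers but `(( i > 0 ))` states the intent. The empty `"$filter"` argument passed to yallback when no override matches relies on yallback tolerating an empty path, which is not visible here and is worth a comment.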
diff --git a/nixpkgs/pkgs/development/tools/analysis/cvehound/default.nix b/nixpkgs/pkgs/development/tools/analysis/cvehound/default.nix
new file mode 100644
index 000000000000..05073bba750d
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/cvehound/default.nix
@@ -0,0 +1,41 @@
+{ lib, fetchFromGitHub, coccinelle, gnugrep, python3Packages }:
+
+with python3Packages;
+
+buildPythonApplication rec {
+  pname = "cvehound";
+  version = "1.0.4";
+
+  src = fetchFromGitHub {
+    owner = "evdenis";
+    repo = "cvehound";
+    rev = version;
+    sha256 = "sha256-m8vpea02flQ8elSvGWv9FqBhsEcBzRYjcUk+dc4kb2M=";
+  };
+
+  makeWrapperArgs = [
+    "--prefix PATH : ${lib.makeBinPath [ coccinelle gnugrep ]}"
+  ];
+
+  propagatedBuildInputs = [
+    psutil
+    setuptools
+    sympy
+  ];
+
+  checkInputs = [
+    GitPython
+    pytestCheckHook
+  ];
+
+  # Tries to clone the kernel sources
+  doCheck = false;
+
+  meta = with lib; {
+    description = "tool to check linux kernel source dump for known CVEs";
+    homepage = "https://github.com/evdenis/cvehound";
+    # See https://github.com/evdenis/cvehound/issues/22
+    license = with licenses; [ gpl2Only gpl3Only ];
+    maintainers = with maintainers; [ ambroisie ];
+  };
+}
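Review bot: With `doCheck = false` nothing in this derivation verifies that the installed module imports, so a missing or broken runtime dependency (psutil, sympy) or a bad wrapper would only surface for users; add `pythonImportsCheck = [ "cvehound" ];` so the build still fails on import errors while the network-dependent test suite stays disabled. The `checkInputs` list is dead while `doCheck` is false; either drop it or keep it with a comment that it is retained for a future `disabledTests`-based run. The `with python3Packages;` at file scope also pulls every attribute into scope and can shadow the explicit arguments; scoping it to `propagatedBuildInputs`/`checkInputs` is the usual nixpkgs style.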
diff --git a/nixpkgs/pkgs/development/tools/analysis/flow/default.nix b/nixpkgs/pkgs/development/tools/analysis/flow/default.nix
index e87a6be9cc55..ee4e6d733fc5 100644
--- a/nixpkgs/pkgs/development/tools/analysis/flow/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/flow/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "flow";
-  version = "0.159.0";
+  version = "0.160.0";
 
   src = fetchFromGitHub {
     owner = "facebook";
     repo = "flow";
     rev = "v${version}";
-    sha256 = "sha256-NGYaevL6Jpv5rkYlSzIFMIn36ds7ecOJtEToQIzbOsU=";
+    sha256 = "sha256-pgNxiNzL7Mb/ueBhWBtUi4BGnLnemk3o05K/fqXWE6Q=";
   };
 
   installPhase = ''
diff --git a/nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix b/nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix
index c1d8ab99063c..3082d9d4f829 100644
--- a/nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/rizin/cutter.nix
@@ -11,13 +11,13 @@
 
 mkDerivation rec {
   pname = "cutter";
-  version = "2.0.2";
+  version = "2.0.3";
 
   src = fetchFromGitHub {
     owner = "rizinorg";
     repo = "cutter";
     rev = "v${version}";
-    sha256 = "sha256-CVVUXx6wt9vH3B7NrrlRGnOIrhXQPjV7GmX3O+KtMSM=";
+    sha256 = "sha256-OC04d3j8Dfsob1dUjNBc1pSQFxJlexzWJ4v0V3QNkno=";
     fetchSubmodules = true;
   };
 
diff --git a/nixpkgs/pkgs/development/tools/analysis/rizin/default.nix b/nixpkgs/pkgs/development/tools/analysis/rizin/default.nix
index ff7717312f87..d76c63044ccd 100644
--- a/nixpkgs/pkgs/development/tools/analysis/rizin/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/rizin/default.nix
@@ -23,11 +23,11 @@
 
 stdenv.mkDerivation rec {
   pname = "rizin";
-  version = "0.2.1";
+  version = "0.3.0";
 
   src = fetchurl {
     url = "https://github.com/rizinorg/rizin/releases/download/v${version}/rizin-src-v${version}.tar.xz";
-    sha256 = "sha256-lxVsPI+qLenZ0pelvxtHlQ6fhWdQeqoEEHrUGZ5Rdmg=";
+    sha256 = "sha256-+XW12VIaRfRkLc3Li6ItF4VQfWLNRvxZW2VGtxVYJxY=";
   };
 
   mesonFlags = [
diff --git a/nixpkgs/pkgs/development/tools/analysis/sparse/default.nix b/nixpkgs/pkgs/development/tools/analysis/sparse/default.nix
index efbc46448259..75541dc112a8 100644
--- a/nixpkgs/pkgs/development/tools/analysis/sparse/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/sparse/default.nix
@@ -1,27 +1,36 @@
-{ fetchurl, lib, stdenv, pkg-config, libxml2, llvm, perl }:
+{ callPackage, fetchurl, lib, stdenv, gtk3, pkg-config, libxml2, llvm, perl, sqlite }:
 
-stdenv.mkDerivation rec {
+let
+  GCC_BASE = "${stdenv.cc.cc}/lib/gcc/${stdenv.hostPlatform.uname.processor}-unknown-linux-gnu/${stdenv.cc.cc.version}";
+in stdenv.mkDerivation rec {
   pname = "sparse";
-  version = "0.5.0";
+  version = "0.6.3";
 
   src = fetchurl {
     url = "mirror://kernel/software/devel/sparse/dist/${pname}-${version}.tar.xz";
-    sha256 = "1mc86jc5xdrdmv17nqj2cam2yqygnj6ar1iqkwsx2y37ij8wy7wj";
+    sha256 = "16d8c4dhipjzjf8z4z7pix1pdpqydz0v4r7i345f5s09hjnxpxnl";
   };
 
   preConfigure = ''
-    sed -i Makefile -e "s|^PREFIX=.*$|PREFIX=$out|g"
+    sed -i 's|"/usr/include"|"${stdenv.cc.libc.dev}/include"|' pre-process.c
+    sed -i 's|qx(\$ccom -print-file-name=)|"${GCC_BASE}"|' cgcc
+    makeFlags+=" PREFIX=$out"
   '';
 
   nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ libxml2 llvm perl ];
+  buildInputs = [ gtk3 libxml2 llvm perl sqlite ];
   doCheck = true;
+  buildFlags = "GCC_BASE:=${GCC_BASE}";
 
-  meta = {
+  passthru.tests = {
+    simple-execution = callPackage ./tests.nix { };
+  };
+
+  meta = with lib; {
     description = "Semantic parser for C";
     homepage    = "https://git.kernel.org/cgit/devel/sparse/sparse.git/";
-    license     = lib.licenses.mit;
-    platforms   = lib.platforms.linux;
-    maintainers = [ lib.maintainers.thoughtpolice ];
+    license     = licenses.mit;
+    platforms   = platforms.linux;
+    maintainers = with maintainers; [ thoughtpolice jkarlson ];
   };
 }
diff --git a/nixpkgs/pkgs/development/tools/analysis/sparse/tests.nix b/nixpkgs/pkgs/development/tools/analysis/sparse/tests.nix
new file mode 100644
index 000000000000..5eba254e537a
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/sparse/tests.nix
@@ -0,0 +1,24 @@
+{ runCommand, gcc, sparse, writeText }:
+let
+  src = writeText "CODE.c" ''
+    #include <stdio.h>
+    #include <stddef.h>
+    #include <stdlib.h>
+
+    int main(int argc, char *argv[]) {
+      return EXIT_SUCCESS;
+    }
+  '';
+in
+  runCommand "${sparse.pname}-tests" { buildInputs = [ gcc sparse ]; meta.timeout = 3; }
+''
+  set -eu
+  ${sparse}/bin/cgcc ${src} > output 2>&1 || ret=$?
+  if [[ -z $(<output) ]]; then
+    mv output $out
+  else
+    echo "Test build returned $ret"
+    cat output
+    exit 1
+  fi
+''
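Review bot: `ret` is only assigned on the failure branch of `cgcc … || ret=$?`, so under `set -u` a run where cgcc exits 0 but still prints warnings reaches `echo "Test build returned $ret"` with `ret` unbound and bash aborts there, before `cat output`, losing the diagnostics that explain the failure; initialise it with `ret=0` on the line before the cgcc call. `meta.timeout = 3` is a tight budget for a gcc invocation on a loaded builder and may produce spurious failures; if it was chosen deliberately, a comment saying why would prevent it being raised blindly.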
diff --git a/nixpkgs/pkgs/development/tools/analysis/tflint/default.nix b/nixpkgs/pkgs/development/tools/analysis/tflint/default.nix
index 443d9b4b1e69..c645cd359032 100644
--- a/nixpkgs/pkgs/development/tools/analysis/tflint/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/tflint/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "tflint";
-  version = "0.32.0";
+  version = "0.32.1";
 
   src = fetchFromGitHub {
     owner = "terraform-linters";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1yf725lfwhvkc1mvzqpl9wchwq2z4pz3z7bp0qlbgdym8z66x8wm";
+    sha256 = "sha256-0DK6uTbuIVqrfsrTF0tAbx1WnVpc97nE0zuwTcFoBf8=";
   };
 
-  vendorSha256 = "0jg8a6vx2n71awr2zdkiisx76qcnj3qj6vj1w9m1c9kczz3mc7m3";
+  vendorSha256 = "sha256-ox5Wx/9sJhZq4kFuI/GQlmFzuo5xti8yV+FY0bdR6Ek=";
 
   doCheck = false;
 
diff --git a/nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix b/nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix
index 5ded1e5cab25..66e876ec81a8 100644
--- a/nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix
+++ b/nixpkgs/pkgs/development/tools/analysis/tfsec/default.nix
@@ -5,13 +5,13 @@
 
 buildGoPackage rec {
   pname = "tfsec";
-  version = "0.58.6";
+  version = "0.58.10";
 
   src = fetchFromGitHub {
     owner = "aquasecurity";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-FTrzEVTmMxXshDOvlSmQEwekde621KIclpFm1oEduEo=";
+    sha256 = "sha256-VMnc4frDBAkVc9hqUdXAiJ2vNsK9NzkLOUaQWhQQUBU=";
   };
 
   goPackagePath = "github.com/aquasecurity/tfsec";
diff --git a/nixpkgs/pkgs/development/tools/analysis/yallback/default.nix b/nixpkgs/pkgs/development/tools/analysis/yallback/default.nix
new file mode 100644
index 000000000000..17263d1766a8
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/yallback/default.nix
@@ -0,0 +1,34 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, makeWrapper
+, coreutils
+, bashInteractive
+}:
+
+stdenv.mkDerivation rec {
+  version = "0.1.0";
+  pname = "yallback";
+  src = fetchFromGitHub {
+    owner = "abathur";
+    repo = "yallback";
+    rev = "v${version}";
+    hash = "sha256-FaPqpxstKMhqLPFLIdenHgwzDE3gspBbJUSY95tblgI=";
+  };
+
+  buildInputs = [ coreutils bashInteractive ];
+  nativeBuildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    install -Dv yallback $out/bin/yallback
+    wrapProgram $out/bin/yallback --prefix PATH : ${lib.makeBinPath [ coreutils ]}
+  '';
+
+  meta = with lib; {
+    description = "Callbacks for YARA rule matches";
+    homepage = "https://github.com/abathur/yallback";
+    license = licenses.mit;
+    maintainers = with maintainers; [ abathur ];
+    platforms = platforms.all;
+  };
+}
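Review bot: `buildInputs = [ coreutils bashInteractive ]` has no visible effect on the installed script: the install phase only copies `yallback` and `wrapProgram` already hard-codes coreutils via `makeBinPath`, and nothing references bashInteractive. If the intent is for the fixup phase's `patchShebangs` to rewrite the script's `#!` line to bashInteractive, that depends on the shebang form in the upstream script, which is not visible here, and deserves a comment such as `# bashInteractive is picked up by patchShebangs for the script's interpreter line`; otherwise the entry can be dropped. The description says the tool fires callbacks on YARA matches, but yara itself is not a dependency here, so a comment noting that the caller supplies yara (as binlore does) would make the runtime contract clear.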