Merge commit '93883402a445ad467320925a0a5dbe43a949f25b'

Conflicts:
	nixpkgs/nixos/modules/programs/ssh.nix
	nixpkgs/pkgs/applications/networking/browsers/firefox/packages.nix
	nixpkgs/pkgs/data/fonts/noto-fonts/default.nix
	nixpkgs/pkgs/development/go-modules/generic/default.nix
	nixpkgs/pkgs/development/interpreters/ruby/default.nix
	nixpkgs/pkgs/development/libraries/mesa/default.nix

1 files changed, 42 insertions, 10 deletions

diff --git a/nixpkgs/pkgs/tools/security/grype/default.nix b/nixpkgs/pkgs/tools/security/grype/default.nix
index 9d327f37af6a..30206fab0eb9 100644
--- a/nixpkgs/pkgs/tools/security/grype/default.nix
+++ b/nixpkgs/pkgs/tools/security/grype/default.nix
@@ -1,39 +1,71 @@
 { lib
 , buildGoModule
-, docker
 , fetchFromGitHub
+, installShellFiles
 }:
 
 buildGoModule rec {
   pname = "grype";
-  version = "0.28.0";
+  version = "0.33.0";
 
   src = fetchFromGitHub {
     owner = "anchore";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-Mc0bO9BDcIXEoHwhQDbX9g84kagcT3gVz8PPxXpG7dw=";
+    sha256 = "sha256-RXEeJZeC6hA6DetZnUNWFtNZEy4HJpxviL8pySBLfts=";
+    # populate values that require us to use git. By doing this in postFetch we
+    # can delete .git afterwards and maintain better reproducibility of the src.
+    leaveDotGit = true;
+    postFetch = ''
+      cd "$out"
+      commit="$(git rev-parse HEAD)"
+      source_date_epoch=$(git log --date=format:'%Y-%m-%dT%H:%M:%SZ' -1 --pretty=%ad)
+      substituteInPlace "$out/internal/version/build.go" \
+        --replace 'gitCommit = valueNotProvided' "gitCommit = \"$commit\"" \
+        --replace 'buildDate = valueNotProvided' "buildDate = \"$source_date_epoch\""
+      find "$out" -name .git -print0 | xargs -0 rm -rf
+    '';
   };
 
-  vendorSha256 = "sha256-su0dg9Gidd8tQKM5IzX6/GC5jk8SCIO+qsI3UGlvpwg=";
+  vendorSha256 = "sha256-2T2fw1nOycP1LxUuMSmz1ke2bg4yox/tIAveXCNJG9Y=";
 
-  propagatedBuildInputs = [ docker ];
+  nativeBuildInputs = [
+    installShellFiles
+  ];
 
   ldflags = [
-    "-s" "-w" "-X github.com/anchore/grype/internal/version.version=${version}"
+    "-s"
+    "-w"
+    "-X github.com/anchore/grype/internal/version.version=${version}"
+    "-X github.com/anchore/grype/internal/version.gitTreeState=clean"
   ];
 
+  preBuild = ''
+    # grype version also displays the version of the syft library used
+    # we need to grab it from the go.sum and add an ldflag for it
+    SYFTVERSION="$(grep "github.com/anchore/syft" go.sum -m 1 | awk '{print $2}')"
+    ldflags+=" -X github.com/anchore/grype/internal/version.syftVersion=$SYFTVERSION"
+  '';
+
   # Tests require a running Docker instance
   doCheck = false;
 
+  postInstall = ''
+    installShellCompletion --cmd grype \
+      --bash <($out/bin/grype completion bash) \
+      --fish <($out/bin/grype completion fish) \
+      --zsh <($out/bin/grype completion zsh)
+  '';
+
   meta = with lib; {
+    homepage = "https://github.com/anchore/grype";
+    changelog = "https://github.com/anchore/grype/releases/tag/v${version}";
     description = "Vulnerability scanner for container images and filesystems";
     longDescription = ''
-      As a vulnerability scanner is grype abale to scan the contents of a container
-      image or filesystem to find known vulnerabilities.
+      As a vulnerability scanner grype is able to scan the contents of a
+      container image or filesystem to find known vulnerabilities.
     '';
-    homepage = "https://github.com/anchore/grype";
     license = with licenses; [ asl20 ];
-    maintainers = with maintainers; [ fab ];
+    maintainers = with maintainers; [ fab jk ];
   };
 }