diff options
Diffstat (limited to 'nixpkgs/pkgs/tools/security/grype/default.nix')
-rw-r--r-- | nixpkgs/pkgs/tools/security/grype/default.nix | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/grype/default.nix b/nixpkgs/pkgs/tools/security/grype/default.nix new file mode 100644 index 000000000000..30206fab0eb9 --- /dev/null +++ b/nixpkgs/pkgs/tools/security/grype/default.nix @@ -0,0 +1,71 @@ +{ lib +, buildGoModule +, fetchFromGitHub +, installShellFiles +}: + +buildGoModule rec { + pname = "grype"; + version = "0.33.0"; + + src = fetchFromGitHub { + owner = "anchore"; + repo = pname; + rev = "v${version}"; + sha256 = "sha256-RXEeJZeC6hA6DetZnUNWFtNZEy4HJpxviL8pySBLfts="; + # populate values that require us to use git. By doing this in postFetch we + # can delete .git afterwards and maintain better reproducibility of the src. + leaveDotGit = true; + postFetch = '' + cd "$out" + commit="$(git rev-parse HEAD)" + source_date_epoch=$(git log --date=format:'%Y-%m-%dT%H:%M:%SZ' -1 --pretty=%ad) + substituteInPlace "$out/internal/version/build.go" \ + --replace 'gitCommit = valueNotProvided' "gitCommit = \"$commit\"" \ + --replace 'buildDate = valueNotProvided' "buildDate = \"$source_date_epoch\"" + find "$out" -name .git -print0 | xargs -0 rm -rf + ''; + }; + + vendorSha256 = "sha256-2T2fw1nOycP1LxUuMSmz1ke2bg4yox/tIAveXCNJG9Y="; + + nativeBuildInputs = [ + installShellFiles + ]; + + ldflags = [ + "-s" + "-w" + "-X github.com/anchore/grype/internal/version.version=${version}" + "-X github.com/anchore/grype/internal/version.gitTreeState=clean" + ]; + + preBuild = '' + # grype version also displays the version of the syft library used + # we need to grab it from the go.sum and add an ldflag for it + SYFTVERSION="$(grep "github.com/anchore/syft" go.sum -m 1 | awk '{print $2}')" + ldflags+=" -X github.com/anchore/grype/internal/version.syftVersion=$SYFTVERSION" + ''; + + # Tests require a running Docker instance + doCheck = false; + + postInstall = '' + installShellCompletion --cmd grype \ + --bash <($out/bin/grype completion bash) \ + --fish <($out/bin/grype completion fish) \ + --zsh <($out/bin/grype completion zsh) + ''; + + meta = with lib; { + homepage = "https://github.com/anchore/grype"; + changelog = "https://github.com/anchore/grype/releases/tag/v${version}"; + description = "Vulnerability scanner for container images and filesystems"; + longDescription = '' + As a vulnerability scanner grype is able to scan the contents of a + container image or filesystem to find known vulnerabilities. + ''; + license = with licenses; [ asl20 ]; + maintainers = with maintainers; [ fab jk ]; + }; +} |