Diffstat (limited to 'nixpkgs/pkgs/tools/security/semgrep/common.nix')
-rw-r--r-- | nixpkgs/pkgs/tools/security/semgrep/common.nix | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/semgrep/common.nix b/nixpkgs/pkgs/tools/security/semgrep/common.nix
new file mode 100644
index 000000000000..3436d4267964
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/semgrep/common.nix
@@ -0,0 +1,55 @@
+{ lib }:
+
+rec {
+ version = "1.66.2";
+
+ srcHash = "sha256-xonZzZsAkAPMVINGEA10CvQ1diYgHBowNsR2pk4tYr8=";
+
+ # submodule dependencies
+ # these are fetched so we:
+ # 1. don't fetch the many submodules we don't need
+ # 2. avoid fetchSubmodules since it's prone to impurities
+ submodules = {
+ "cli/src/semgrep/semgrep_interfaces" = {
+ owner = "semgrep";
+ repo = "semgrep-interfaces";
+ rev = "215a54782174de84f97188632b4a37e35ba0f827";
+ hash = "sha256-Q8E5LkC/NV0wvt9ZwhkoPGjPlDavVHHMnX0sVNK3dAM=";
+ };
+ };
+
+ # fetch pre-built semgrep-core since the ocaml build is complex and relies on
+ # the opam package manager at some point
+ # pulling it out of the python wheel as r2c no longer release a built binary
+ # on github releases
+ core = {
+ x86_64-linux = {
+ platform = "any";
+ hash = "sha256-f/RcuJyd8y2bMclMxZ1BdNTVixhjLz0UxSKGZm+H8yI=";
+ };
+ x86_64-darwin = {
+ platform = "macosx_10_14_x86_64";
+ hash = "sha256-4H9PT41lPydMFl51O2CgeMQiTE66fZ8RP26CVT7Y7Ok=";
+ };
+ aarch64-darwin = {
+ platform = "macosx_11_0_arm64";
+ hash = "sha256-WxQ0ohojzhWmPo208xN98F5GwbNzQuxCjSwP7h3rBGA=";
+ };
+ };
+
+ meta = with lib; {
+ homepage = "https://semgrep.dev/";
+ downloadPage = "https://github.com/semgrep/semgrep/";
+ changelog = "https://github.com/semgrep/semgrep/blob/v${version}/CHANGELOG.md";
+ description = "Lightweight static analysis for many languages";
+ longDescription = ''
+ Semgrep is a fast, open-source, static analysis tool for finding bugs and
+ enforcing code standards at editor, commit, and CI time. Semgrep analyzes
+ code locally on your computer or in your build environment: code is never
+ uploaded. Its rules look like the code you already write; no abstract
+ syntax trees, regex wrestling, or painful DSLs.
+ '';
+ license = licenses.lgpl21Plus;
+ maintainers = with maintainers; [ jk ambroisie ];
+ };
+}
 |
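Review bot: The `core` set pins pre-built semgrep-core binaries by hash, but nothing in the file says that `version`, `srcHash`, the submodule `rev`/`hash` and all three `core` hashes have to be refreshed together, and `platform = "any"` for x86_64-linux is unexplained next to the two `macosx_*` values. I would add a comment above `core` along the lines of `# platform appears to be the wheel's platform tag; every hash below must be re-fetched whenever version changes`, so a partial bump is caught in review rather than at build time. Since `meta` is defined here for reuse and the binary is not built from source, it is also worth confirming that the derivation consuming `core` (not visible in this hunk) sets `sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];` so users who filter on provenance can see that.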