about summary refs log tree commit diff
path: root/nixpkgs/pkgs/tools/security/semgrep/common.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixpkgs/pkgs/tools/security/semgrep/common.nix')
-rw-r--r--nixpkgs/pkgs/tools/security/semgrep/common.nix55
1 files changed, 55 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/semgrep/common.nix b/nixpkgs/pkgs/tools/security/semgrep/common.nix
new file mode 100644
index 000000000000..3436d4267964
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/semgrep/common.nix
@@ -0,0 +1,55 @@
+{ lib }:
+
+rec {
+  version = "1.66.2";
+
+  srcHash = "sha256-xonZzZsAkAPMVINGEA10CvQ1diYgHBowNsR2pk4tYr8=";
+
+  # submodule dependencies
+  # these are fetched so we:
+  #   1. don't fetch the many submodules we don't need
+  #   2. avoid fetchSubmodules since it's prone to impurities
+  submodules = {
+    "cli/src/semgrep/semgrep_interfaces" = {
+      owner = "semgrep";
+      repo = "semgrep-interfaces";
+      rev = "215a54782174de84f97188632b4a37e35ba0f827";
+      hash = "sha256-Q8E5LkC/NV0wvt9ZwhkoPGjPlDavVHHMnX0sVNK3dAM=";
+    };
+  };
+
+  # fetch pre-built semgrep-core since the ocaml build is complex and relies on
+  # the opam package manager at some point
+  # pulling it out of the python wheel as r2c no longer release a built binary
+  # on github releases
+  core = {
+    x86_64-linux = {
+      platform = "any";
+      hash = "sha256-f/RcuJyd8y2bMclMxZ1BdNTVixhjLz0UxSKGZm+H8yI=";
+    };
+    x86_64-darwin = {
+      platform = "macosx_10_14_x86_64";
+      hash = "sha256-4H9PT41lPydMFl51O2CgeMQiTE66fZ8RP26CVT7Y7Ok=";
+    };
+    aarch64-darwin = {
+      platform = "macosx_11_0_arm64";
+      hash = "sha256-WxQ0ohojzhWmPo208xN98F5GwbNzQuxCjSwP7h3rBGA=";
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://semgrep.dev/";
+    downloadPage = "https://github.com/semgrep/semgrep/";
+    changelog = "https://github.com/semgrep/semgrep/blob/v${version}/CHANGELOG.md";
+    description = "Lightweight static analysis for many languages";
+    longDescription = ''
+      Semgrep is a fast, open-source, static analysis tool for finding bugs and
+      enforcing code standards at editor, commit, and CI time. Semgrep analyzes
+      code locally on your computer or in your build environment: code is never
+      uploaded. Its rules look like the code you already write; no abstract
+      syntax trees, regex wrestling, or painful DSLs.
+    '';
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ jk ambroisie ];
+  };
+}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-05 19:20:23 +0000