diff options
Diffstat (limited to 'nixpkgs/pkgs/tools/security/semgrep/update.sh')
-rwxr-xr-x | nixpkgs/pkgs/tools/security/semgrep/update.sh | 146 |
1 files changed, 146 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/semgrep/update.sh b/nixpkgs/pkgs/tools/security/semgrep/update.sh new file mode 100755 index 000000000000..67b720154b0b --- /dev/null +++ b/nixpkgs/pkgs/tools/security/semgrep/update.sh @@ -0,0 +1,146 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p curl gnused jq nix-prefetch + +set -euxo pipefail + +# provide a github token so you don't get rate limited +# if you use gh cli you can use: +# `export GITHUB_TOKEN="$(cat ~/.config/gh/config.yml | yq '.hosts."github.com".oauth_token' -r)"` +# or just set your token by hand: +# `read -s -p "Enter your token: " GITHUB_TOKEN; export GITHUB_TOKEN` +# (we use read so it doesn't show in our shell history and in secret mode so the token you paste isn't visible) +if [ -z "${GITHUB_TOKEN:-}" ]; then + echo "no GITHUB_TOKEN provided - you could meet API request limiting" >&2 +fi + +ROOT="$(dirname "$(readlink -f "$0")")" +NIXPKGS_ROOT="$ROOT/../../../.." + +COMMON_FILE="$ROOT/common.nix" + +instantiateClean() { + nix-instantiate -A "$1" --eval --strict | cut -d\" -f2 +} + +# get latest version +NEW_VERSION=$( + curl -s -L -H \ + "Accept: application/vnd.github.v3+json" \ + ${GITHUB_TOKEN:+ -H "Authorization: bearer $GITHUB_TOKEN"} \ + https://api.github.com/repos/semgrep/semgrep/releases/latest \ + | jq -r '.tag_name' +) +# trim v prefix +NEW_VERSION="${NEW_VERSION:1}" +OLD_VERSION="$(instantiateClean semgrep.passthru.common.version)" + +if [[ "$OLD_VERSION" == "$NEW_VERSION" ]]; then + echo "Already up to date" + exit +fi + +replace() { + sed -i "s@$1@$2@g" "$3" +} + +fetchgithub() { + set +eo pipefail + nix-build -A "$1" 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g' + set -eo pipefail +} + +fetch_arch() { + VERSION=$1 + PLATFORM=$2 + nix-prefetch "{ fetchPypi }: +fetchPypi rec { + pname = \"semgrep\"; + version = \"$VERSION\"; + format = \"wheel\"; + dist = python; + python = \"cp38.cp39.cp310.cp311.py37.py38.py39.py310.py311\"; + platform = \"$PLATFORM\"; +} +" +} + +replace "$OLD_VERSION" "$NEW_VERSION" "$COMMON_FILE" + +echo "Updating src" + +OLD_HASH="$(instantiateClean semgrep.passthru.common.srcHash)" +echo "Old hash $OLD_HASH" +TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" +replace "$OLD_HASH" "$TMP_HASH" "$COMMON_FILE" +NEW_HASH="$(fetchgithub semgrep.src)" +echo "New hash $NEW_HASH" +replace "$TMP_HASH" "$NEW_HASH" "$COMMON_FILE" + +echo "Updated src" + + +update_core_platform() { + SYSTEM=$1 + echo "Updating core src $SYSTEM" + + PLATFORM="$(instantiateClean "semgrep.passthru.common.core.$SYSTEM.platform")" + + OLD_HASH="$(instantiateClean "semgrep.passthru.common.core.$SYSTEM.hash")" + echo "Old core hash $OLD_HASH" + NEW_HASH="$(fetch_arch "$NEW_VERSION" "$PLATFORM")" + echo "New core hash $NEW_HASH" + replace "$OLD_HASH" "$NEW_HASH" "$COMMON_FILE" + + echo "Updated core src $SYSTEM" +} + +update_core_platform "x86_64-linux" +update_core_platform "x86_64-darwin" +update_core_platform "aarch64-darwin" + +OLD_PWD=$PWD +TMPDIR="$(mktemp -d)" +# shallow clone to check submodule commits, don't actually need the submodules +git clone https://github.com/semgrep/semgrep "$TMPDIR/semgrep" --depth 1 --branch "v$NEW_VERSION" + +get_submodule_commit() { + OLD_PWD=$PWD + ( + cd "$TMPDIR/semgrep" + git ls-tree --object-only HEAD "$1" + cd "$OLD_PWD" + ) +} + +# loop through submodules +nix-instantiate -E "with import $NIXPKGS_ROOT {}; builtins.attrNames semgrep.passthru.common.submodules" --eval --strict --json \ +| jq '.[]' -r \ +| while read -r SUBMODULE; do + echo "Updating $SUBMODULE" + OLD_REV=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".rev) + echo "Old commit $OLD_REV" + OLD_HASH=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".hash) + echo "Old hash $OLD_HASH" + + NEW_REV=$(get_submodule_commit "$SUBMODULE") + echo "New commit $NEW_REV" + + if [[ "$OLD_REV" == "$NEW_REV" ]]; then + echo "$SUBMODULE already up to date" + continue + fi + + TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" + replace "$OLD_REV" "$NEW_REV" "$COMMON_FILE" + replace "$OLD_HASH" "$TMP_HASH" "$COMMON_FILE" + NEW_HASH="$(fetchgithub semgrep.passthru.submodulesSubset."$SUBMODULE")" + echo "New hash $NEW_HASH" + replace "$TMP_HASH" "$NEW_HASH" "$COMMON_FILE" + + echo "Updated $SUBMODULE" +done + +rm -rf "$TMPDIR" + +echo "Finished" + |