Diffstat (limited to 'pkgs/tools/security')
20 files changed, 290 insertions, 118 deletions
diff --git a/pkgs/tools/security/bitwarden/default.nix b/pkgs/tools/security/bitwarden/default.nix index 9440f9fef552..db618f4ec4c3 100644 --- a/pkgs/tools/security/bitwarden/default.nix +++ b/pkgs/tools/security/bitwarden/default.nix @@ -26,13 +26,13 @@ let buildNpmPackage' = buildNpmPackage.override { nodejs = nodejs_18; }; electron = electron_24; - version = "2023.5.0"; + version = "2023.5.1"; src = applyPatches { src = fetchFromGitHub { owner = "bitwarden"; repo = "clients"; rev = "desktop-v${version}"; - sha256 = "sha256-ELKpGSY4ZbgSk4vJnTiB+IOa8RQU8Ahy3A1mYsKtthU="; + sha256 = "sha256-dD9C6+GRjCMcfBse2Qq0ot8bVGyhjnd8VvpdNlrjRs4="; }; patches = [ ]; @@ -42,7 +42,7 @@ let pname = "bitwarden-desktop-native"; inherit src version; sourceRoot = "source-patched/apps/desktop/desktop_native"; - cargoSha256 = "sha256-SeK8Nbgenof9vXI2v7tJ5oHiX60kBoR+UNOSJTRHdzk="; + cargoSha256 = "sha256-8U4E5q2OSZGXy2ZRn0y4Skm5Y+FiOJVU1mtzObO9UqY="; nativeBuildInputs = [ pkg-config @@ -95,7 +95,7 @@ buildNpmPackage' { npmBuildFlags = [ "--workspace apps/desktop" ]; - npmDepsHash = "sha256-G8DEYPjEP3L4s0pr5n2ZTj8kkT0E7Po1BKhZ2hUdJuY="; + npmDepsHash = "sha256-USXWA/7wuu3i9/+/pMXREgcB+4yOpQGG5RGuUyJvuQw="; ELECTRON_SKIP_BINARY_DOWNLOAD = "1"; diff --git a/pkgs/tools/security/cloudfox/default.nix b/pkgs/tools/security/cloudfox/default.nix index b34d152f5c8d..f82705cdd3e1 100644 --- a/pkgs/tools/security/cloudfox/default.nix +++ b/pkgs/tools/security/cloudfox/default.nix @@ -5,13 +5,13 @@ buildGoModule rec { pname = "cloudfox"; - version = "1.11.1"; + version = "1.11.2"; src = fetchFromGitHub { owner = "BishopFox"; repo = pname; rev = "refs/tags/v${version}"; - hash = "sha256-46w0/Da5sJkw2jLEGiFICEaX9bvCs0sbad1RyDCxINw="; + hash = "sha256-EqL5/PVQm/lfviojKoYKDnzilx7KQZ7T3EEx/or6y7E="; }; vendorHash = "sha256-lgccNq1cSg8rrHW0aMLcC5HrZXf8TvdFSmk6pbGXNqQ="; 
diff --git a/pkgs/tools/security/das/default.nix b/pkgs/tools/security/das/default.nix new file mode 100644 index 000000000000..f8ccf8cb4ac7 --- /dev/null +++ b/pkgs/tools/security/das/default.nix @@ -0,0 +1,50 @@ +{ lib +, python3 +, fetchFromGitHub +}: + +python3.pkgs.buildPythonApplication rec { + pname = "das"; + version = "0.3.6"; + format = "pyproject"; + + src = fetchFromGitHub { + owner = "snovvcrash"; + repo = "DivideAndScan"; + rev = "refs/tags/v${version}"; + hash = "sha256-UFuIy19OUiS8VmmfGm0F4hI4s4BU5b4ZVh40bFGiLfk="; + }; + + postPatch = '' + substituteInPlace pyproject.toml \ + --replace 'networkx = "^2.8.4"' 'networkx = "*"' + ''; + + nativeBuildInputs = with python3.pkgs; [ + poetry-core + ]; + + propagatedBuildInputs = with python3.pkgs; [ + dash + defusedxml + dnspython + netaddr + networkx + pandas + plotly + python-nmap + scipy + tinydb + ]; + + pythonImportsCheck = [ + "das" + ]; + + meta = with lib; { + description = "Divide full port scan results and use it for targeted Nmap runs"; + homepage = "https://github.com/snovvcrash/DivideAndScan"; + license = licenses.bsd2; + maintainers = with maintainers; [ fab ]; + }; +} diff --git a/pkgs/tools/security/eid-mw/default.nix b/pkgs/tools/security/eid-mw/default.nix index a4b6f6c164f3..102313ddbdfc 100644 --- a/pkgs/tools/security/eid-mw/default.nix +++ b/pkgs/tools/security/eid-mw/default.nix @@ -21,13 +21,13 @@ stdenv.mkDerivation rec { pname = "eid-mw"; # NOTE: Don't just blindly update to the latest version/tag. Releases are always for a specific OS. - version = "5.1.10"; + version = "5.1.11"; src = fetchFromGitHub { owner = "Fedict"; repo = "eid-mw"; rev = "v${version}"; - hash = "sha256-2Xru/s7KawZlIxON5nO679P+L3okofE054WDfRsE3ZI="; + hash = "sha256-70UjfkH+rx1Q+2XEuAByoDsP5ZelyuGXaHdkjTe/sCY="; }; nativeBuildInputs = [ autoreconfHook autoconf-archive pkg-config makeWrapper ]; 
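Review bot: The `postPatch` in this new file loosens the networkx pin with `substituteInPlace --replace`, which exits successfully even when the pattern is absent, so a later bump that rewords the pin in pyproject.toml will silently reinstate the constraint and surface only as a confusing build failure. Nixpkgs already offers `pythonRelaxDeps = [ "networkx" ];` together with `pythonRelaxDepsHook` in `nativeBuildInputs` for exactly this case; it states the intent and does not depend on the literal text of the pin. A `changelog` entry in `meta` pointing at the upstream releases page would also bring the file in line with its siblings in this directory (see nuclei).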
diff --git a/pkgs/tools/security/exploitdb/default.nix b/pkgs/tools/security/exploitdb/default.nix index 212277577069..63fe55331111 100644 --- a/pkgs/tools/security/exploitdb/default.nix +++ b/pkgs/tools/security/exploitdb/default.nix @@ -6,13 +6,13 @@ stdenv.mkDerivation rec { pname = "exploitdb"; - version = "2023-06-23"; + version = "2023-06-24"; src = fetchFromGitLab { owner = "exploit-database"; repo = pname; rev = "refs/tags/${version}"; - hash = "sha256-bTTf4p8FVYnXZxTS8FOtCasMXZVlQl+PQb0RS10WvN0="; + hash = "sha256-uQQ/TPE+64VeUSbnzNlRBdG1Nv4QcsQvfLyoRH68OhA="; }; nativeBuildInputs = [ diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix index 6c2ffe123548..78f4af894a30 100644 --- a/pkgs/tools/security/gnupg/22.nix +++ b/pkgs/tools/security/gnupg/22.nix @@ -80,7 +80,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - passthru.tests.connman = lib.nixosTests.gnupg; + passthru.tests = lib.nixosTests.gnupg; meta = with lib; { homepage = "https://gnupg.org"; diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index c8e313cd9cf5..de8fd8ce1508 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -6,6 +6,7 @@ , withPcsc ? !enableMinimal, pcsclite , guiSupport ? stdenv.isDarwin, pinentry , withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss +, nixosTests }: assert guiSupport -> enableMinimal == false; @@ -85,7 +86,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - passthru.tests.connman = lib.nixosTests.gnupg; + passthru.tests = nixosTests.gnupg; meta = with lib; { homepage = "https://gnupg.org"; diff --git a/pkgs/tools/security/jwx/default.nix b/pkgs/tools/security/jwx/default.nix index a290bd9e17eb..da39777074c6 100644 --- a/pkgs/tools/security/jwx/default.nix +++ b/pkgs/tools/security/jwx/default.nix 
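Review bot: The two gnupg hunks in this section fix the same copy-pasted `passthru.tests.connman` attribute differently: 22.nix keeps reaching for `lib.nixosTests.gnupg`, while 24.nix threads a new `nixosTests` function argument through. `nixosTests` is a package-set attribute rather than part of `lib`, so if `lib` does not actually expose it the 22.nix `passthru.tests` will fail on evaluation, which is easy to miss because it is only evaluated on demand; this should be confirmed. Aligning 22.nix with 24.nix is two lines: `, nixosTests` in the argument set and `passthru.tests = nixosTests.gnupg;`.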
@@ -5,13 +5,13 @@ buildGoModule rec { pname = "jwx"; - version = "2.0.9"; + version = "2.0.11"; src = fetchFromGitHub { owner = "lestrrat-go"; repo = pname; rev = "v${version}"; - hash = "sha256-0Ha16moHpPt7IwSmSLSf3ExKlp2TDkssPppNIPHrsJw="; + hash = "sha256-8ZzDVCJERf9T9Tlth+9imVJPZIAwffR03S/8UflKjZc="; }; vendorHash = "sha256-RyAQh1uXw3bEZ6vuh8+mEf8T4l3ZIFAaFJ6dGMoANys="; diff --git a/pkgs/tools/security/notation/default.nix b/pkgs/tools/security/notation/default.nix new file mode 100644 index 000000000000..4c579f3f016d --- /dev/null +++ b/pkgs/tools/security/notation/default.nix @@ -0,0 +1,27 @@ +{ lib, buildGoModule, fetchFromGitHub }: + +buildGoModule rec { + pname = "notation"; + version = "1.0.0-rc.7"; + + src = fetchFromGitHub { + owner = "notaryproject"; + repo = pname; + rev = "v${version}"; + hash = "sha256-EM2QunSL88Am3zgKwgI94jET3xaVfvsa4MCtMZ3ejjU="; + }; + + vendorHash = "sha256-88PCnIm7nQB8jLzrfVOyDLXWX7RZeT31n1cwvb4Qza0="; + + # This is a Go sub-module and cannot be built directly (e2e tests). + excludedPackages = [ "./test" ]; + + ldflags = [ "-s" "-w" ]; + + meta = with lib; { + description = "CLI tool to sign and verify OCI artifacts and container images"; + homepage = "https://notaryproject.dev/"; + license = licenses.asl20; + maintainers = with maintainers; [ aaronjheng ]; + }; +} diff --git a/pkgs/tools/security/nuclei/default.nix b/pkgs/tools/security/nuclei/default.nix index 778f5e6ca008..2f6323bb3f79 100644 --- a/pkgs/tools/security/nuclei/default.nix +++ b/pkgs/tools/security/nuclei/default.nix 
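Review bot: The notation build strips symbols with `-s -w` but injects no version string, so `notation version` will most likely report a development/empty version instead of 1.0.0-rc.7; Go CLIs usually expose this as a `-X` ldflag, so the upstream Makefile should be checked for the exact variable and `"-X <VERSION_VARIABLE_FROM_UPSTREAM_MAKEFILE>=${version}"` added to `ldflags`. A `changelog = "https://github.com/notaryproject/notation/releases/tag/v${version}";` line in `meta` would match the convention used by nuclei in the same diff. The comment on `excludedPackages` is good; a similar one-liner on why tests are not run (`doCheck` is left at its default) would complete the picture for a tool whose job is signature verification.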
@@ -5,16 +5,16 @@ buildGoModule rec { pname = "nuclei"; - version = "2.9.6"; + version = "2.9.7"; src = fetchFromGitHub { owner = "projectdiscovery"; repo = pname; rev = "v${version}"; - hash = "sha256-hltXm+NXExmO9IuwdfuET9+PaRby9pLAE/4ac7xQqvE="; + hash = "sha256-w9XiXZzkDM1ZETzs/c3uMEoaRXUXKzpzn3k3RbgTXbE="; }; - vendorHash = "sha256-geQBa0caKjDQD3AlVNhU8cmM9mFSR+Ix0HjxKKadSqE="; + vendorHash = "sha256-T09uSUBRZGsI732723UTd2jOT9/pYjUp+nshWthGA1k="; modRoot = "./v2"; subPackages = [ @@ -36,6 +36,6 @@ buildGoModule rec { homepage = "https://github.com/projectdiscovery/nuclei"; changelog = "https://github.com/projectdiscovery/nuclei/releases/tag/v${version}"; license = licenses.mit; - maintainers = with maintainers; [ fab ]; + maintainers = with maintainers; [ fab Misaka13514 ]; }; } diff --git a/pkgs/tools/security/proxmark3/darwin-always-gui.patch b/pkgs/tools/security/proxmark3/darwin-always-gui.patch new file mode 100644 index 000000000000..99c4495e9661 --- /dev/null +++ b/pkgs/tools/security/proxmark3/darwin-always-gui.patch @@ -0,0 +1,13 @@ +diff --git a/client/src/proxmark3.c b/client/src/proxmark3.c +index 6c77bfad3..0d41a2d6b 100644 +--- a/client/src/proxmark3.c ++++ b/client/src/proxmark3.c +@@ -1098,7 +1098,7 @@ int main(int argc, char *argv[]) { + + #ifdef HAVE_GUI + +-# if defined(_WIN32) ++# if defined(_WIN32) || (defined(__MACH__) && defined(__APPLE__)) + InitGraphics(argc, argv, script_cmds_file, script_cmd, stayInCommandLoop); + MainGraphics(); + # else diff --git a/pkgs/tools/security/proxmark3/proxmark3-rrg.nix b/pkgs/tools/security/proxmark3/proxmark3-rrg.nix index 6b021e970277..59b2ee8f253a 100644 --- a/pkgs/tools/security/proxmark3/proxmark3-rrg.nix +++ b/pkgs/tools/security/proxmark3/proxmark3-rrg.nix 
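Review bot: The new darwin-always-gui.patch carries no header stating its purpose or upstream status, so a future updater cannot tell whether it is still needed or has been merged; nixpkgs convention is a short preamble before the first `diff --git` line, e.g. `Start the Qt GUI on Darwin without gating on DISPLAY (that check only detects XQuartz, which is not required); upstream status: <UPSTREAM_ISSUE_OR_PR_URL>`. The rationale currently lives only in the `patches` comment of proxmark3-rrg.nix, a different file from the patch itself.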
@@ -1,11 +1,28 @@ -{ lib, mkDerivation, fetchFromGitHub, pkg-config, gcc-arm-embedded, bluez5 +{ lib +, stdenv +, fetchFromGitHub +, pkg-config +, gcc-arm-embedded , readline - -, hardwarePlatform ? "PM3RDV4" - -, hardwarePlatformExtras ? "" }: - -mkDerivation rec { +, bzip2 +, openssl +, jansson +, whereami +, lua +, Foundation +, AppKit +, withGui ? true, wrapQtAppsHook, qtbase +, withPython ? true, python3 +, withBlueshark ? false, bluez5 +, withGeneric ? false +, withSmall ? false +, withoutFunctions ? [] +, hardwarePlatform ? if withGeneric then "PM3GENERIC" else "PM3RDV4" +, hardwarePlatformExtras ? lib.optionalString withBlueshark "BTADDON" +, standalone ? "LF_SAMYRUN" +}: +assert withBlueshark -> stdenv.hostPlatform.isLinux; +stdenv.mkDerivation rec { pname = "proxmark3-rrg"; version = "4.16191"; 
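Review bot: The new build knobs are undocumented in the argument list: `withoutFunctions ? []` is expanded to `SKIP_<x>=1` make flags in the next hunk, `withSmall` selects `PLATFORM_SIZE=256` and `standalone` picks the standalone firmware mode, yet nothing tells a caller which values are valid. A trailing comment on each, e.g. `, withoutFunctions ? [] # upstream SKIP_<NAME> build knobs, given without the SKIP_ prefix`, would save readers a trip to the upstream Makefile. The assert only covers `withBlueshark`; `Foundation` and `AppKit` remain mandatory arguments on every platform although they are used only under `isDarwin`, so it is worth confirming the call site supplies them on Linux as well.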
@@ -16,23 +33,54 @@ mkDerivation rec { sha256 = "sha256-l0aDp0s9ekUUHqkzGfVoSIf/4/GN2uiVGL/+QtKRCOs="; }; - nativeBuildInputs = [ pkg-config gcc-arm-embedded ]; - buildInputs = [ bluez5 readline ]; + patches = [ + # Don't check for DISPLAY env variable on Darwin. pm3 uses this to test if + # XQuartz is installed, however it is not actually required for GUI features + ./darwin-always-gui.patch + ]; + + postPatch = '' + # Remove hardcoded paths on Darwin + substituteInPlace Makefile.defs \ + --replace "/usr/bin/ar" "ar" \ + --replace "/usr/bin/ranlib" "ranlib" + # Replace hardcoded path to libwhereami + substituteInPlace client/Makefile \ + --replace "/usr/include/whereami.h" "${whereami}/include/whereami.h" + ''; + + nativeBuildInputs = [ + pkg-config + gcc-arm-embedded + ] ++ lib.optional withGui wrapQtAppsHook; + buildInputs = [ + readline + bzip2 + openssl + jansson + whereami + lua + ] ++ lib.optional withGui qtbase + ++ lib.optional withPython python3 + ++ lib.optional withBlueshark bluez5 + ++ lib.optionals stdenv.hostPlatform.isDarwin [ Foundation AppKit ]; makeFlags = [ + "PREFIX=${placeholder "out"}" + "UDEV_PREFIX=${placeholder "out"}/etc/udev/rules.d" "PLATFORM=${hardwarePlatform}" "PLATFORM_EXTRAS=${hardwarePlatformExtras}" - ]; - - installPhase = '' - install -Dt $out/bin client/proxmark3 - install -Dt $out/firmware bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf - ''; + "STANDALONE=${standalone}" + "USE_BREW=0" + ] ++ lib.optional withSmall "PLATFORM_SIZE=256" + ++ map (x: "SKIP_${x}=1") withoutFunctions; + enableParallelBuilding = true; meta = with lib; { description = "Client for proxmark3, powerful general purpose RFID tool"; homepage = "https://rfidresearchgroup.com/"; license = licenses.gpl2Plus; - maintainers = with maintainers; [ nyanotech ]; + maintainers = with maintainers; [ nyanotech emilytrau ]; + platforms = platforms.unix; }; } 
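Review bot: The removed `installPhase` explicitly copied `bootrom/obj/bootrom.elf` and `armsrc/obj/fullimage.elf` into `$out/firmware`; the replacement relies on upstream `make install` via `PREFIX`, and nothing in the hunk shows whether that target installs the firmware images at all or under which path, so users who flash devices from `$out/firmware` may silently lose them. This should be confirmed against the upstream install target and, if the images are not shipped, restored with a `postInstall` (or the new location named in the commit message). The `substituteInPlace --replace` calls in `postPatch` also succeed silently if upstream drops the hardcoded paths, so a comment such as `# no-op if upstream removes these paths; re-check on update` would help the next bumper.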
diff --git a/pkgs/tools/security/saml2aws/default.nix b/pkgs/tools/security/saml2aws/default.nix index cddb284e80c3..c461c83e12b2 100644 --- a/pkgs/tools/security/saml2aws/default.nix +++ b/pkgs/tools/security/saml2aws/default.nix @@ -2,16 +2,16 @@ buildGoModule rec { pname = "saml2aws"; - version = "2.36.8"; + version = "2.36.9"; src = fetchFromGitHub { owner = "Versent"; repo = "saml2aws"; rev = "v${version}"; - sha256 = "sha256-eBgyjiospcBzUCMSMRgL3V5YyybD6aqt7gQZ7VfrmZY="; + sha256 = "sha256-eV922fUtNAHGFxuDwTKoakSzf1lMzVg+vOeaBbOP4V0="; }; - vendorHash = "sha256-wepAJ92IZbUZHO0HiX+JOtQ/WKydCImzHytXRUhjhAU="; + vendorHash = "sha256-20IggKOPS+Pu4tQIdYU5SXQhu2FrW0MdCdB9dvmqs7E="; buildInputs = lib.optionals stdenv.isDarwin [ AppKit ]; diff --git a/pkgs/tools/security/semgrep/common.nix b/pkgs/tools/security/semgrep/common.nix index 48381e9eb0e6..0ad680b0ddee 100644 --- a/pkgs/tools/security/semgrep/common.nix +++ b/pkgs/tools/security/semgrep/common.nix 
@@ -1,54 +1,39 @@ -{ lib, fetchFromGitHub, fetchzip, stdenv }: +{ lib }: rec { - version = "1.15.0"; + version = "1.27.0"; - src = fetchFromGitHub { - owner = "returntocorp"; - repo = "semgrep"; - rev = "v${version}"; - sha256 = "sha256-x+AOt6nn2hN4MODFZCvlq0kZ3VLoS7rVcFGGCEssIu0="; - }; + srcHash = "sha256-F6n3LQY4a5sO6c8SMQF9YjjgOS+v2SH+UQPwhg2EX7Q="; # submodule dependencies # these are fetched so we: # 1. don't fetch the many submodules we don't need # 2. avoid fetchSubmodules since it's prone to impurities submodules = { - "cli/src/semgrep/lang" = fetchFromGitHub { - owner = "returntocorp"; - repo = "semgrep-langs"; - rev = "08656cdefc9e6818c64e168cf51ee1e76ea8829e"; - sha256 = "sha256-vYf33JhfvEDmt/VW0hBOmqailIERS0GdUgrPuCxWt9I="; - }; - "cli/src/semgrep/semgrep_interfaces" = fetchFromGitHub { + "cli/src/semgrep/semgrep_interfaces" = { owner = "returntocorp"; repo = "semgrep-interfaces"; - rev = "ba9241ca8f13dea72a4ca5c5eae99f45c071c8b4"; - sha256 = "sha256-2rcMmN42445AivcyYLPeE+HBYOyxJijQME1UUr9HISA="; + rev = "213f67abea73546ca6111e1bbf0ef96aa917c940"; + hash = "sha256-HeNHJkTje9j16+dwsfyMhoqQn/J18q/7XvQPRwgTw/Y="; }; }; # fetch pre-built semgrep-core since the ocaml build is complex and relies on # the opam package manager at some point - core = rec { - data = { - x86_64-linux = { - suffix = "-ubuntu-16.04.tgz"; - sha256 = "sha256-vLtV1WAnOD6HhgrWYIP0NfXHKfvXORksdNp5UTG1QWc="; - }; - x86_64-darwin = { - suffix = "-osx.zip"; - sha256 = "sha256-6+ENjOOIJ5TSjpnJ5pDudblrWj/FLUe66UGr6V9c0HQ="; - }; + # pulling it out of the python wheel as r2c no longer release a built binary + # on github releases + core = { + x86_64-linux = { + platform = "any"; + hash = "sha256-cRj81dXpAE6S0EXajsRikOIAPzlUf42FhiDCWjv+wZQ="; + }; + x86_64-darwin = { + platform = "macosx_10_14_x86_64"; + hash = "sha256-jqfGVZGF/DFgXkr7kQg6QyqEELSr8AKE3Ga8kTftnIY="; }; - src = let - inherit (stdenv.hostPlatform) system; - selectSystemData = data: data.${system} or (throw "Unsupported system: 
${system}"); - inherit (selectSystemData data) suffix sha256; - in fetchzip { - url = "https://github.com/returntocorp/semgrep/releases/download/v${version}/semgrep-v${version}${suffix}"; - inherit sha256; + aarch64-darwin = { + platform = "macosx_11_0_arm64"; + hash = "sha256-e/uCSRMdbVD0lvc0hukbiUzheqRNIIh1LgMq6Ae7JYI="; }; }; @@ -66,7 +51,5 @@ rec { ''; license = licenses.lgpl21Plus; maintainers = with maintainers; [ jk ambroisie ]; - # limited by semgrep-core - platforms = [ "x86_64-linux" "x86_64-darwin" ]; }; } diff --git a/pkgs/tools/security/semgrep/default.nix b/pkgs/tools/security/semgrep/default.nix index 0e9c3ddc391c..23749643a443 100644 --- a/pkgs/tools/security/semgrep/default.nix +++ b/pkgs/tools/security/semgrep/default.nix @@ -1,6 +1,5 @@ { lib , fetchFromGitHub -, callPackage , semgrep-core , buildPythonApplication , pythonPackages @@ -11,12 +10,20 @@ }: let - common = callPackage ./common.nix { }; + common = import ./common.nix { inherit lib; }; in buildPythonApplication rec { pname = "semgrep"; - inherit (common) src version; + inherit (common) version; + src = fetchFromGitHub { + owner = "returntocorp"; + repo = "semgrep"; + rev = "v${version}"; + hash = common.srcHash; + }; + # prepare a subset of the submodules as we only need a handful + # and there are many many submodules total postPatch = (lib.concatStringsSep "\n" (lib.mapAttrsToList ( path: submodule: '' @@ -27,7 +34,7 @@ buildPythonApplication rec { ln -s ${submodule}/ ${path} '' ) - common.submodules)) + '' + passthru.submodulesSubset)) + '' cd cli ''; @@ -97,10 +104,12 @@ buildPythonApplication rec { passthru = { inherit common; + submodulesSubset = lib.mapAttrs (k: args: fetchFromGitHub args) common.submodules; updateScript = ./update.sh; }; meta = common.meta // { description = common.meta.description + " - cli"; + inherit (semgrep-core.meta) platforms; }; } 
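Review bot: The comment above `submodules` still says "these are fetched so we ...", but after this hunk common.nix fetches nothing — the entries are bare `fetchFromGitHub` argument sets that default.nix turns into derivations through `passthru.submodulesSubset` — so the comment describes code that is no longer here. Rewording it to `# fetchFromGitHub arguments for the few submodules we need; fetched by default.nix (passthru.submodulesSubset)` while keeping the two numbered reasons would keep the file self-explanatory. The `core` comment likewise now explains what semgrep-core.nix does with the data rather than what this attrset holds (per-system wheel platform tag and hash).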
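Review bot: In the last semgrep/default.nix hunk, `submodulesSubset = lib.mapAttrs (k: args: fetchFromGitHub args) common.submodules;` names a `k` it never uses and eta-expands the fetcher; `submodulesSubset = lib.mapAttrs (_: fetchFromGitHub) common.submodules;` reads more clearly and signals that the key is intentionally ignored. A short comment that `postPatch` and update.sh both depend on this attribute (it is used via `rec` above and by `instantiateClean` in the script) would stop someone from renaming or inlining it.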
diff --git a/pkgs/tools/security/semgrep/semgrep-core.nix b/pkgs/tools/security/semgrep/semgrep-core.nix index e5ce941298a4..c4846c6d91d5 100644 --- a/pkgs/tools/security/semgrep/semgrep-core.nix +++ b/pkgs/tools/security/semgrep/semgrep-core.nix @@ -1,21 +1,52 @@ -{ lib, stdenvNoCC, callPackage }: +{ lib, stdenvNoCC, fetchPypi, unzip }: let - common = callPackage ./common.nix { }; + common = import ./common.nix { inherit lib; }; in stdenvNoCC.mkDerivation rec { pname = "semgrep-core"; inherit (common) version; - inherit (common.core) src; + # fetch pre-built semgrep-core since the ocaml build is complex and relies on + # the opam package manager at some point + # pulling it out of the python wheel as r2c no longer release a built binary + # on github releases + src = + let + inherit (stdenvNoCC.hostPlatform) system; + data = common.core.${system} or (throw "Unsupported system: ${system}"); + in + fetchPypi rec { + pname = "semgrep"; + inherit version; + format = "wheel"; + dist = python; + python = "cp37.cp38.cp39.py37.py38.py39"; + inherit (data) platform hash; + }; + + nativeBuildInputs = [ unzip ]; + + # _tryUnzip from unzip's setup-hook doesn't recognise .whl + # "do not know how to unpack source archive" + # perform unpack by hand + unpackPhase = '' + runHook preUnpack + LANG=en_US.UTF-8 unzip -qq "$src" + runHook postUnpack + ''; + + dontConfigure = true; + dontBuild = true; installPhase = '' runHook preInstall - install -Dm 755 -t $out/bin semgrep-core + install -Dm 755 -t $out/bin semgrep-${version}.data/purelib/semgrep/bin/semgrep-core runHook postInstall ''; meta = common.meta // { description = common.meta.description + " - core binary"; sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + platforms = lib.attrNames common.core; }; } diff --git a/pkgs/tools/security/semgrep/update.sh b/pkgs/tools/security/semgrep/update.sh index 25b18edd6e2f..090d607a6928 100755 --- a/pkgs/tools/security/semgrep/update.sh 
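Review bot: The inner `fetchPypi rec { pname = "semgrep"; ... }` deliberately shadows the derivation's `pname = "semgrep-core"` while `inherit version` still resolves to the outer `rec`, which reads like a typo; a one-line comment such as `# the PyPI project is "semgrep" (its wheel bundles the core binary) — not this derivation's pname` above the inner set would prevent a well-meaning "fix". The `dist = python` / `python = "cp37.cp38.cp39.py37.py38.py39"` pair encodes the wheel filename convention and deserves a comment naming the expected file pattern for the same reason. The pinned `hash` is now the only integrity check on a binary pulled from PyPI rather than a GitHub release asset; the provenance comment and the retained `binaryNativeCode` sourceProvenance cover that, which is good.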
+++ b/pkgs/tools/security/semgrep/update.sh @@ -1,5 +1,5 @@ #!/usr/bin/env nix-shell -#!nix-shell -i bash -p curl gnused jq +#!nix-shell -i bash -p curl gnused jq nix-prefetch set -euxo pipefail @@ -33,7 +33,7 @@ NEW_VERSION=$( ) # trim v prefix NEW_VERSION="${NEW_VERSION:1}" -OLD_VERSION="$(instantiateClean semgrep.common.version)" +OLD_VERSION="$(instantiateClean semgrep.passthru.common.version)" if [[ "$OLD_VERSION" == "$NEW_VERSION" ]]; then echo "Already up to date" 
@@ -50,43 +50,54 @@ fetchgithub() { set -eo pipefail } -fetchzip() { - set +eo pipefail - nix-build -E "with import $NIXPKGS_ROOT {}; fetchzip {url = \"$1\"; sha256 = lib.fakeSha256; }" 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g' - set -eo pipefail +fetch_arch() { + VERSION=$1 + PLATFORM=$2 + nix-prefetch "{ fetchPypi }: +fetchPypi rec { + pname = \"semgrep\"; + version = \"$VERSION\"; + format = \"wheel\"; + dist = python; + python = \"cp37.cp38.cp39.py37.py38.py39\"; + platform = \"$PLATFORM\"; +} +" } replace "$OLD_VERSION" "$NEW_VERSION" "$COMMON_FILE" echo "Updating src" -OLD_HASH="$(instantiateClean semgrep.common.src.outputHash)" +OLD_HASH="$(instantiateClean semgrep.passthru.common.srcHash)" echo "Old hash $OLD_HASH" TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" replace "$OLD_HASH" "$TMP_HASH" "$COMMON_FILE" -NEW_HASH="$(fetchgithub semgrep.common.src)" +NEW_HASH="$(fetchgithub semgrep.src)" echo "New hash $NEW_HASH" replace "$TMP_HASH" "$NEW_HASH" "$COMMON_FILE" echo "Updated src" -# loop through platforms for core -nix-instantiate -E "with import $NIXPKGS_ROOT {}; builtins.attrNames semgrep.common.core.data" --eval --strict --json \ -| jq '.[]' -r \ -| while read -r PLATFORM; do - echo "Updating core for $PLATFORM" - SUFFIX=$(instantiateClean semgrep.common.core.data."$PLATFORM".suffix) - OLD_HASH=$(instantiateClean semgrep.common.core.data."$PLATFORM".sha256) - echo "Old hash $OLD_HASH" - NEW_URL="https://github.com/returntocorp/semgrep/releases/download/v$NEW_VERSION/semgrep-v$NEW_VERSION$SUFFIX" - NEW_HASH="$(fetchzip "$NEW_URL")" - echo "New hash $NEW_HASH" +update_core_platform() { + SYSTEM=$1 + echo "Updating core src $SYSTEM" + + PLATFORM="$(instantiateClean "semgrep.passthru.common.core.$SYSTEM.platform")" + OLD_HASH="$(instantiateClean "semgrep.passthru.common.core.$SYSTEM.hash")" + echo "Old core hash $OLD_HASH" + NEW_HASH="$(fetch_arch "$NEW_VERSION" "$PLATFORM")" + echo "New core hash $NEW_HASH" replace 
"$OLD_HASH" "$NEW_HASH" "$COMMON_FILE" - echo "Updated core for $PLATFORM" -done + echo "Updated core src $SYSTEM" +} + +update_core_platform "x86_64-linux" +update_core_platform "x86_64-darwin" +update_core_platform "aarch64-darwin" OLD_PWD=$PWD TMPDIR="$(mktemp -d)" @@ -109,7 +120,7 @@ nix-instantiate -E "with import $NIXPKGS_ROOT {}; builtins.attrNames semgrep.pas echo "Updating $SUBMODULE" OLD_REV=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".rev) echo "Old commit $OLD_REV" - OLD_HASH=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".outputHash) + OLD_HASH=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".hash) echo "Old hash $OLD_HASH" NEW_REV=$(get_submodule_commit "$SUBMODULE") @@ -120,13 +131,12 @@ nix-instantiate -E "with import $NIXPKGS_ROOT {}; builtins.attrNames semgrep.pas continue fi - NEW_URL=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".url | sed "s@$OLD_REV@$NEW_REV@g") - NEW_HASH=$(nix --experimental-features nix-command hash to-sri "sha256:$(nix-prefetch-url "$NEW_URL")") + NEW_URL=$(instantiateClean semgrep.passthru.submodulesSubset."$SUBMODULE".url | sed "s@$OLD_REV@$NEW_REV@g") TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" replace "$OLD_REV" "$NEW_REV" "$COMMON_FILE" replace "$OLD_HASH" "$TMP_HASH" "$COMMON_FILE" - NEW_HASH="$(fetchgithub semgrep.passthru.common.submodules."$SUBMODULE")" + NEW_HASH="$(fetchgithub semgrep.passthru.submodulesSubset."$SUBMODULE")" echo "New hash $NEW_HASH" replace "$TMP_HASH" "$NEW_HASH" "$COMMON_FILE" diff --git a/pkgs/tools/security/ssh-to-age/default.nix b/pkgs/tools/security/ssh-to-age/default.nix index 2d0b7330e3ee..93cbedf367f4 100644 --- a/pkgs/tools/security/ssh-to-age/default.nix +++ b/pkgs/tools/security/ssh-to-age/default.nix 
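Review bot: `fetch_arch` splices `$VERSION` and `$PLATFORM` unescaped into a Nix expression that nix-prefetch then evaluates; `NEW_VERSION` is derived from the upstream release tag fetched over the network (hunk -33 shows only the `v` prefix being trimmed), so a tag containing `"` or `${` would be evaluated as Nix code rather than treated as data. Validating it right after the trim, e.g. `[[ "$NEW_VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected version: $NEW_VERSION" >&2; exit 1; }`, closes that and also catches API hiccups before any file is rewritten. `fetch_arch` and `update_core_platform` also assign `VERSION`, `PLATFORM`, `SYSTEM`, `OLD_HASH` and `NEW_HASH` as globals, clobbering the script-level `OLD_HASH`/`NEW_HASH` set just above; `local` declarations at the top of each function would keep them contained.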
@@ -2,16 +2,16 @@ buildGoModule rec { pname = "ssh-to-age"; - version = "1.1.3"; + version = "1.1.4"; src = fetchFromGitHub { owner = "Mic92"; repo = "ssh-to-age"; rev = version; - sha256 = "sha256-1YCo1Jm52S7hdJQFt/+OkdpWdvWP8eBsThZk5Gi4JiE="; + sha256 = "sha256-guBwwIXKAr9rtkiitFPs+usdzCQacnXcn5bTtQY77AY="; }; - vendorHash = "sha256-L6mjCKMabnLRmiT8jcNCPEsTceYxRBHxhE0CpOvu3Sk="; + vendorHash = "sha256-NEHZ2ZakkO6Yw2pZdKIfCp9NzjgIRIVxARpcQOBGse4="; checkPhase = '' runHook preCheck diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 8d50e8c029bc..87d4e02cb293 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -6,16 +6,16 @@ buildGoModule rec { pname = "vault"; - version = "1.13.3"; + version = "1.14.0"; src = fetchFromGitHub { owner = "hashicorp"; repo = "vault"; rev = "v${version}"; - sha256 = "sha256-/AqUsjZArL4KjAzSkb1sM/xhKCIlg+2uvkV0TVwI1Q4="; + sha256 = "sha256-kx60OMIw7F9osF1u6GGp/xfUXo9XUhHmsrh3gCud0iI="; }; - vendorHash = "sha256-Wt5VahshNI/etzQQdcKgD/TBuD4NMi5eVPMHiJYfScY="; + vendorHash = "sha256-gQ+n/UtZn07lyi48sRCulZ7R4gtwKVu1tklFwRAUIZo="; subPackages = [ "." ]; diff --git a/pkgs/tools/security/vault/vault-bin.nix b/pkgs/tools/security/vault/vault-bin.nix index a5484339b46d..e3c9d77735cd 100644 --- a/pkgs/tools/security/vault/vault-bin.nix +++ b/pkgs/tools/security/vault/vault-bin.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { pname = "vault-bin"; - version = "1.13.2"; + version = "1.13.3"; src = let 
@@ -16,11 +16,11 @@ stdenv.mkDerivation rec { aarch64-darwin = "darwin_arm64"; }; sha256 = selectSystem { - x86_64-linux = "sha256-RVqhObAw1M4zNK5cXzbD+cbITtsUPBXoc7O7zqVRJhI="; - aarch64-linux = "sha256-WLw6GKNZc5a7HGTAI4kzsel8N9EwoTWda7Z05pXNeDA="; - i686-linux = "sha256-v1f5yDrarKmWFtL9fIr03H5tH/bDi83XVYsTnLgLq5Q="; - x86_64-darwin = "sha256-f1f6KFgr/A62PxEZEzzkNkQF4YI/xISYKVczcXn3r0k="; - aarch64-darwin = "sha256-TQ9Wi6rBXWCYBkkvCyoMMbRiUOEBykvbwp6hdqUUO4I="; + x86_64-linux = "sha256-heC2VX656nAlYoTwfa4Tv+tlkclfKxNTTpWa+Y6XWLA="; + aarch64-linux = "sha256-Alx8Lacb0IO8kSjYwkeytGxQkCM57zTSk+JXATxZ1eU="; + i686-linux = "sha256-eJW6boE0KG4oF/Sf1UxWVXkwLOx5R6ohrpog3YXKfvY="; + x86_64-darwin = "sha256-lWLEr0arVR7fpgxGEZqkoj/w4YHzNQo+jILZRQ53Eok="; + aarch64-darwin = "sha256-hGlmOKLpb9P/pO8ilxG2dLYDULXarp55/e8HoSbHz98="; }; in fetchzip { |