Loading pkgs/tools/security/cve-bin-tool/default.nix +62 −7 Original line number Diff line number Diff line { lib , buildPythonApplication , fetchFromGitHub , fetchpatch , jsonschema , plotly , beautifulsoup4 Loading @@ -24,22 +25,78 @@ , xmlschema , setuptools , packaging , cvss , google-cloud-sdk , pip , testers , cve-bin-tool # pinned packaging , pyparsing , fetchPypi , buildPythonPackage , pretend , pythonOlder }: let # pin packaging to < 22 until issue related to https://github.com/intel/cve-bin-tool/pull/2436 are resolved by upstream (post-3.2) packaging_21_3 = buildPythonPackage rec { inherit (packaging) pname passthru meta; version = "21.3"; format = "pyproject"; disabled = pythonOlder "3.6"; src = fetchPypi { inherit pname version; sha256 = "sha256-3UfEKSfYmrkR5gZRiQfMLTofOLvQJjhZcGQ/nFuOz+s="; }; nativeBuildInputs = [ setuptools ]; propagatedBuildInputs = [ pyparsing ]; nativeCheckInputs = [ pytestCheckHook pretend ]; doCheck = false; }; in buildPythonApplication rec { pname = "cve-bin-tool"; version = "3.1.2"; version = "3.2"; src = fetchFromGitHub { owner = "intel"; repo = "cve-bin-tool"; rev = "refs/tags/v${version}"; sha256 = "sha256-P2GhGQxa6Y8BmMqFHXSfmqN58E1FbXD9Ndwwr+upK8Q="; hash = "sha256-QOnWt6iit0/F6d/MfZ8qJqDuT3IHh0Qjs6BcJkI/CBw="; }; patches = [ # Not needed as python dependency, should just be on the PATH ./no-gsutil-python-dependency.patch # Already merged upstream, to be removed post-3.2 # https://github.com/intel/cve-bin-tool/pull/2524 (fetchpatch { name = "cve-bin-tool-version-success.patch"; url = "https://github.com/intel/cve-bin-tool/commit/6f9bd565219932c565c1443ac467fe4163408dd8.patch"; hash = "sha256-Glj6qiOvmvsuetXn4tysyiN/vrcOPFLORh+u3BoGzCI="; }) ]; # Wants to open a sqlite database, access the internet, etc doCheck = false; propagatedNativeBuildInputs = [ pip ]; propagatedBuildInputs = [ google-cloud-sdk jsonschema plotly beautifulsoup4 Loading 
@@ -62,7 +119,8 @@ buildPythonApplication rec { pillow setuptools xmlschema packaging cvss packaging_21_3 ]; nativeCheckInputs = [ Loading @@ -73,10 +131,7 @@ buildPythonApplication rec { "cve_bin_tool" ]; # required until https://github.com/intel/cve-bin-tool/pull/1665 is merged postPatch = '' sed '/^pytest/d' -i requirements.txt ''; passthru.tests.version = testers.testVersion { package = cve-bin-tool; }; meta = with lib; { description = "CVE Binary Checker Tool"; Loading pkgs/tools/security/cve-bin-tool/no-gsutil-python-dependency.patch 0 → 100644 +12 −0 Original line number Diff line number Diff line diff --git a/requirements.txt b/requirements.txt index 1d4aa9a..c9e9171 100644 --- a/requirements.txt +++ b/requirements.txt @@ -14,6 +14,6 @@ xmlschema importlib_metadata; python_version < "3.8" requests urllib3>=1.26.5 # dependency of requests added explictly to avoid CVEs -gsutil +#gsutil cvss packaging Loading
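Review bot: `packaging_21_3` inherits `pname` from `packaging`, so the environment now gets a second distribution named `packaging` alongside whatever the other propagated dependencies pull in; if any of them propagates the current `packaging`, the build would presumably trip the Python conflict check, and if it does not, which version ends up on `sys.path` is decided by ordering rather than by the intended `< 22` pin — worth confirming with a build that the pin actually wins. The pinned package also carries `doCheck = false` on a downgraded dependency of a vulnerability scanner, and `propagatedNativeBuildInputs = [ pip ];` is introduced with no explanation of why `pip` must be present at runtime; a one-line comment above each, such as `# packaging 21.3 tests need pytest fixtures not available here; upstream tests cover it` only if that is true, otherwise just the reason, would let the next maintainer decide when these can go. `google-cloud-sdk` in `propagatedBuildInputs` sits oddly next to the patch comment `# Not needed as python dependency, should just be on the PATH`: the whole SDK is still made a hard runtime dependency of a security tool, which is a large closure to carry for one `gsutil` binary. If only `gsutil` is needed for the optional mirror download, consider exposing it through an argument so that deployments that never use it do not inherit the dependency.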