Unverified Commit bac62a38 authored by Arnout Engelen's avatar Arnout Engelen

cve-bin-tool: 3.1.2 -> 3.2



Adding pip as a propagated dependency for the python checker

Co-Authored-By: default avatarMarkus S. Wamser <github-dev@mail2013.wamser.eu>
parent da45bf6e
+62 −7
{ lib
, buildPythonApplication
, fetchFromGitHub
, fetchpatch
, jsonschema
, plotly
, beautifulsoup4
@@ -24,22 +25,78 @@
, xmlschema
, setuptools
, packaging
, cvss
, google-cloud-sdk
, pip
, testers
, cve-bin-tool
# pinned packaging
, pyparsing
, fetchPypi
, buildPythonPackage
, pretend
, pythonOlder
}:

let
  # pin packaging to < 22 until issue related to https://github.com/intel/cve-bin-tool/pull/2436 are resolved by upstream (post-3.2)
  packaging_21_3 = buildPythonPackage rec {
    inherit (packaging) pname passthru meta;
    version = "21.3";
    format = "pyproject";
    disabled = pythonOlder "3.6";

    src = fetchPypi {
      inherit pname version;
      sha256 = "sha256-3UfEKSfYmrkR5gZRiQfMLTofOLvQJjhZcGQ/nFuOz+s=";
    };
    nativeBuildInputs = [
      setuptools
    ];
    propagatedBuildInputs = [
      pyparsing
    ];

    nativeCheckInputs = [
      pytestCheckHook
      pretend
    ];

    doCheck = false;
  };
in
buildPythonApplication rec {
  pname = "cve-bin-tool";
  version = "3.1.2";
  version = "3.2";

  src = fetchFromGitHub {
    owner = "intel";
    repo = "cve-bin-tool";
    rev = "refs/tags/v${version}";
    sha256 = "sha256-P2GhGQxa6Y8BmMqFHXSfmqN58E1FbXD9Ndwwr+upK8Q=";
    hash = "sha256-QOnWt6iit0/F6d/MfZ8qJqDuT3IHh0Qjs6BcJkI/CBw=";
  };

  patches = [
    # Not needed as python dependency, should just be on the PATH
    ./no-gsutil-python-dependency.patch
    # Already merged upstream, to be removed post-3.2
    # https://github.com/intel/cve-bin-tool/pull/2524
    (fetchpatch {
      name = "cve-bin-tool-version-success.patch";
      url = "https://github.com/intel/cve-bin-tool/commit/6f9bd565219932c565c1443ac467fe4163408dd8.patch";
      hash = "sha256-Glj6qiOvmvsuetXn4tysyiN/vrcOPFLORh+u3BoGzCI=";
    })
  ];

  # Wants to open a sqlite database, access the internet, etc
  doCheck = false;

  propagatedNativeBuildInputs = [
    pip
  ];

  propagatedBuildInputs = [
    google-cloud-sdk
    jsonschema
    plotly
    beautifulsoup4
@@ -62,7 +119,8 @@ buildPythonApplication rec {
    pillow
    setuptools
    xmlschema
    packaging
    cvss
    packaging_21_3
  ];

  nativeCheckInputs = [
@@ -73,10 +131,7 @@ buildPythonApplication rec {
    "cve_bin_tool"
  ];

  # required until https://github.com/intel/cve-bin-tool/pull/1665 is merged
  postPatch = ''
    sed '/^pytest/d' -i requirements.txt
  '';
  passthru.tests.version = testers.testVersion { package = cve-bin-tool; };

  meta = with lib; {
    description = "CVE Binary Checker Tool";
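Review bot: `propagatedNativeBuildInputs = [ pip ];` in the second hunk looks like the wrong slot for what the commit message describes, which is a dependency the python checker needs when the tool runs. Native inputs are build-platform tools, and as far as I know the Python wrapper only follows `propagatedBuildInputs`, so pip may never reach the wrapped program; if the checker then falls back to whichever `pip` is on the caller's PATH, the scanner's results would depend on an unpinned tool. Adding `pip` to the existing `propagatedBuildInputs` list would match the stated intent, and running the python checker from the built package would confirm it. Separately, in `packaging_21_3` the `nativeCheckInputs` list is dead because `doCheck = false;` follows it with no reason given, unlike the commented `doCheck = false;` on the main derivation; either drop the list or add a comment such as `# tests disabled for the pinned copy: <reason>`.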
+12 −0
diff --git a/requirements.txt b/requirements.txt
index 1d4aa9a..c9e9171 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14,6 +14,6 @@ xmlschema
 importlib_metadata; python_version < "3.8"
 requests
 urllib3>=1.26.5 # dependency of requests added explictly to avoid CVEs
-gsutil
+#gsutil
 cvss
 packaging