Unverified Commit c67f3c42 authored by Artturin's avatar Artturin Committed by GitHub

Merge pull request #308858 from teatwig/cve-bin-tool

cve-bin-util: 3.2 -> 3.3
parents eccd0df9 8cf964ef
+57 −0
{ lib
, python3Packages
, fetchFromGitHub
}:

python3Packages.buildPythonPackage rec {
  pname = "lib4sbom";
  version = "0.7.1";
  format = "setuptools";

  src = fetchFromGitHub {
    owner = "anthonyharrison";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-UQZZYTRDbUqSH6F8hjhp9L70025cRO3zXQ8Aoznotg4=";
  };

  propagatedBuildInputs = with python3Packages; [
    pyyaml
    semantic-version
    defusedxml
  ];

  nativeCheckInputs = with python3Packages; [
    pytestCheckHook
  ];

  disabledTests = [
    # stub tests that always fail
    "TestCycloneDXGenerator"
    "TestCcycloneDX_parser"
    "TestGenerator"
    "TestOutput"
    "TestParser"
    "TestSPDX_Generator"
    "TestSPDX_Parser"
    # tests with missing getters
    "test_set_downloadlocation"
    "test_set_homepage"
    "test_set_checksum"
    "test_set_externalreference"
    # checks for invalid return type
    "test_set_type"
    # wrong capilatization
    "test_set_supplier"
    "test_set_originator"
  ];

  pythonImportsCheck = [ "lib4sbom" ];

  meta = with lib; {
    description = "Library to ingest and generate SBOMs";
    homepage = "https://github.com/anthonyharrison/lib4sbom";
    license = licenses.asl20;
    maintainers = with maintainers; [ teatwig ];
  };
}
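Review bot: The `disabledTests` list switches off fifteen names, including the whole `TestParser`, `TestSPDX_Parser` and `TestCcycloneDX_parser` classes, with only one-line reasons and no upstream reference, so nothing signals when they can be re-enabled. As far as I know pytestCheckHook deselects by name match, so short entries such as `test_set_type` or `TestParser` may also drop same-named tests in other modules; that is worth checking against the upstream test tree. Because this library parses SBOM input for cve-bin-tool, I would tie each group to an upstream issue, e.g. `# stub tests that always fail, see <upstream issue URL>`. The comment `# wrong capilatization` should also read `# wrong capitalization`.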
+11 −51
{ lib
, buildPythonApplication
, fetchFromGitHub
, fetchpatch
, filetype
, jsonschema
, lib4sbom
, packageurl-python
, python-gnupg
, plotly
, beautifulsoup4
, pyyaml
@@ -30,67 +33,20 @@
, pip
, testers
, cve-bin-tool
# pinned packaging
, pyparsing
, fetchPypi
, buildPythonPackage
, pretend
, pythonOlder
, wheel
}:

let
  # pin packaging to < 22 until issue related to https://github.com/intel/cve-bin-tool/pull/2436 are resolved by upstream (post-3.2)
  packaging_21_3 = buildPythonPackage rec {
    inherit (packaging) pname passthru meta;
    version = "21.3";
    format = "pyproject";
    disabled = pythonOlder "3.6";

    src = fetchPypi {
      inherit pname version;
      sha256 = "sha256-3UfEKSfYmrkR5gZRiQfMLTofOLvQJjhZcGQ/nFuOz+s=";
    };
    nativeBuildInputs = [
      setuptools
      wheel
    ];
    propagatedBuildInputs = [
      pyparsing
    ];

    nativeCheckInputs = [
      pytestCheckHook
      pretend
    ];

    doCheck = false;
  };
in
buildPythonApplication rec {
  pname = "cve-bin-tool";
  version = "3.2";
  version = "3.3";
  format = "setuptools";

  src = fetchFromGitHub {
    owner = "intel";
    repo = "cve-bin-tool";
    rev = "refs/tags/v${version}";
    hash = "sha256-QOnWt6iit0/F6d/MfZ8qJqDuT3IHh0Qjs6BcJkI/CBw=";
    hash = "sha256-A5w4U5EDX+UZWNMuz8GTOcubo8N2KfDlVV0aRNsO8/E=";
  };

  patches = [
    # Not needed as python dependency, should just be on the PATH
    ./no-gsutil-python-dependency.patch
    # Already merged upstream, to be removed post-3.2
    # https://github.com/intel/cve-bin-tool/pull/2524
    (fetchpatch {
      name = "cve-bin-tool-version-success.patch";
      url = "https://github.com/intel/cve-bin-tool/commit/6f9bd565219932c565c1443ac467fe4163408dd8.patch";
      hash = "sha256-Glj6qiOvmvsuetXn4tysyiN/vrcOPFLORh+u3BoGzCI=";
    })
  ];

  # Wants to open a sqlite database, access the internet, etc
  doCheck = false;

@@ -100,7 +56,11 @@ buildPythonApplication rec {

  propagatedBuildInputs = [
    google-cloud-sdk
    filetype
    jsonschema
    lib4sbom
    packageurl-python
    python-gnupg
    plotly
    beautifulsoup4
    pyyaml
@@ -123,7 +83,7 @@ buildPythonApplication rec {
    setuptools
    xmlschema
    cvss
    packaging_21_3
    packaging
  ];

  nativeCheckInputs = [
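Review bot: Swapping `packaging_21_3` for the unpinned `packaging` in `propagatedBuildInputs` is not exercised by anything visible here, because `doCheck = false` stays in place. The old comment tied the pin to an upstream issue around intel/cve-bin-tool pull 2436, and version parsing is presumably what decides which CVEs a scanned component is matched against, so a regression would more likely show up as wrong or missing findings than as a build failure. I would record the reason for the unpin next to the input, e.g. `# pin dropped in 3.3: upstream works with packaging >= 22`, once that is confirmed against the upstream release. It is also worth confirming that a smoke check still runs outside these hunks; the `testers` argument suggests a version test exists, but the rest of the attribute set is not shown.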
+0 −12
diff --git a/requirements.txt b/requirements.txt
index 1d4aa9a..c9e9171 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14,6 +14,6 @@ xmlschema
 importlib_metadata; python_version < "3.8"
 requests
 urllib3>=1.26.5 # dependency of requests added explictly to avoid CVEs
-gsutil
+#gsutil
 cvss
 packaging