cve-bin-tool: 3.1.2 -> 3.2

Adding pip as a propagated dependency for the python checker Co-Authored-By: Markus S. Wamser <github-dev@mail2013.wamser.eu>
2022-10-25 16:25:14 +02:00 · 2022-10-25 16:25:14 +02:00 · bac62a387d
commit bac62a387d
parent da45bf6ec7
2 changed files with 74 additions and 7 deletions
--- a/pkgs/tools/security/cve-bin-tool/default.nix
+++ b/pkgs/tools/security/cve-bin-tool/default.nix
@ -1,6 +1,7 @@
 { lib
 , buildPythonApplication
 , fetchFromGitHub
+, fetchpatch
 , jsonschema
 , plotly
 , beautifulsoup4
@ -24,22 +25,78 @@
 , xmlschema
 , setuptools
 , packaging
+, cvss
+, google-cloud-sdk
+, pip
+, testers
+, cve-bin-tool
+# pinned packaging
+, pyparsing
+, fetchPypi
+, buildPythonPackage
+, pretend
+, pythonOlder
 }:
+
+let
+  # pin packaging to < 22 until issue related to https://github.com/intel/cve-bin-tool/pull/2436 are resolved by upstream (post-3.2)
+  packaging_21_3 = buildPythonPackage rec {
+    inherit (packaging) pname passthru meta;
+    version = "21.3";
+    format = "pyproject";
+    disabled = pythonOlder "3.6";
+
+    src = fetchPypi {
+      inherit pname version;
+      sha256 = "sha256-3UfEKSfYmrkR5gZRiQfMLTofOLvQJjhZcGQ/nFuOz+s=";
+    };
+    nativeBuildInputs = [
+      setuptools
+    ];
+    propagatedBuildInputs = [
+      pyparsing
+    ];
+
+    nativeCheckInputs = [
+      pytestCheckHook
+      pretend
+    ];
+
+    doCheck = false;
+  };
+in
 buildPythonApplication rec {
  pname = "cve-bin-tool";
-  version = "3.1.2";
+  version = "3.2";

  src = fetchFromGitHub {
    owner = "intel";
    repo = "cve-bin-tool";
    rev = "refs/tags/v${version}";
-    sha256 = "sha256-P2GhGQxa6Y8BmMqFHXSfmqN58E1FbXD9Ndwwr+upK8Q=";
+    hash = "sha256-QOnWt6iit0/F6d/MfZ8qJqDuT3IHh0Qjs6BcJkI/CBw=";
  };

+  patches = [
+    # Not needed as python dependency, should just be on the PATH
+    ./no-gsutil-python-dependency.patch
+    # Already merged upstream, to be removed post-3.2
+    # https://github.com/intel/cve-bin-tool/pull/2524
+    (fetchpatch {
+      name = "cve-bin-tool-version-success.patch";
+      url = "https://github.com/intel/cve-bin-tool/commit/6f9bd565219932c565c1443ac467fe4163408dd8.patch";
+      hash = "sha256-Glj6qiOvmvsuetXn4tysyiN/vrcOPFLORh+u3BoGzCI=";
+    })
+  ];
+
  # Wants to open a sqlite database, access the internet, etc
  doCheck = false;

+  propagatedNativeBuildInputs = [
+    pip
+  ];
+
  propagatedBuildInputs = [
+    google-cloud-sdk
    jsonschema
    plotly
    beautifulsoup4
@ -62,7 +119,8 @@ buildPythonApplication rec {
    pillow
    setuptools
    xmlschema
-    packaging
+    cvss
+    packaging_21_3
  ];

  nativeCheckInputs = [
@ -73,10 +131,7 @@ buildPythonApplication rec {
    "cve_bin_tool"
  ];

-  # required until https://github.com/intel/cve-bin-tool/pull/1665 is merged
-  postPatch = ''
-    sed '/^pytest/d' -i requirements.txt
-  '';
+  passthru.tests.version = testers.testVersion { package = cve-bin-tool; };

  meta = with lib; {
    description = "CVE Binary Checker Tool";
--- a/pkgs/tools/security/cve-bin-tool/no-gsutil-python-dependency.patch
+++ b/pkgs/tools/security/cve-bin-tool/no-gsutil-python-dependency.patch
@ -0,0 +1,12 @@
+diff --git a/requirements.txt b/requirements.txt
+index 1d4aa9a..c9e9171 100644
+--- a/requirements.txt
+++ b/requirements.txt
+@@ -14,6 +14,6 @@ xmlschema
+ importlib_metadata; python_version < "3.8"
+ requests
+ urllib3>=1.26.5 # dependency of requests added explictly to avoid CVEs
+-gsutil
+#gsutil
+ cvss
+ packaging