From bac62a387df1128671bb6b232d36496f7eeee5d0 Mon Sep 17 00:00:00 2001
From: Arnout Engelen
Date: Tue, 25 Oct 2022 16:25:14 +0200
Subject: [PATCH] cve-bin-tool: 3.1.2 -> 3.2
Adding pip as a propagated dependency for the python checker
Co-Authored-By: Markus S. Wamser
---
 pkgs/tools/security/cve-bin-tool/default.nix | 69 +++++++++++++++++--
 .../no-gsutil-python-dependency.patch | 12 ++++
 2 files changed, 74 insertions(+), 7 deletions(-)
 create mode 100644 pkgs/tools/security/cve-bin-tool/no-gsutil-python-dependency.patch
diff --git a/pkgs/tools/security/cve-bin-tool/default.nix b/pkgs/tools/security/cve-bin-tool/default.nix
index 94a7ce224097..7b0cda0b7382 100644
--- a/pkgs/tools/security/cve-bin-tool/default.nix
+++ b/pkgs/tools/security/cve-bin-tool/default.nix
@@ -1,6 +1,7 @@
 { lib
 , buildPythonApplication
 , fetchFromGitHub
+, fetchpatch
 , jsonschema
 , plotly
 , beautifulsoup4
@@ -24,22 +25,78 @@
 , xmlschema
 , setuptools
 , packaging
+, cvss
+, google-cloud-sdk
+, pip
+, testers
+, cve-bin-tool
+# pinned packaging
+, pyparsing
+, fetchPypi
+, buildPythonPackage
+, pretend
+, pythonOlder
 }:
+
+let
+ # pin packaging to < 22 until issue related to https://github.com/intel/cve-bin-tool/pull/2436 are resolved by upstream (post-3.2)
+ packaging_21_3 = buildPythonPackage rec {
+ inherit (packaging) pname passthru meta;
+ version = "21.3";
+ format = "pyproject";
+ disabled = pythonOlder "3.6";
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "sha256-3UfEKSfYmrkR5gZRiQfMLTofOLvQJjhZcGQ/nFuOz+s=";
+ };
+ nativeBuildInputs = [
+ setuptools
+ ];
+ propagatedBuildInputs = [
+ pyparsing
+ ];
+
+ nativeCheckInputs = [
+ pytestCheckHook
+ pretend
+ ];
+
+ doCheck = false;
+ };
+in
 buildPythonApplication rec {
 pname = "cve-bin-tool";
- version = "3.1.2";
+ version = "3.2";
 
 src = fetchFromGitHub {
 owner = "intel";
 repo = "cve-bin-tool";
 rev = "refs/tags/v${version}";
- sha256 = "sha256-P2GhGQxa6Y8BmMqFHXSfmqN58E1FbXD9Ndwwr+upK8Q=";
+ hash = "sha256-QOnWt6iit0/F6d/MfZ8qJqDuT3IHh0Qjs6BcJkI/CBw=";
 };
 
+ patches = [
+ # Not needed as python dependency, should just be on the PATH
+ ./no-gsutil-python-dependency.patch
+ # Already merged upstream, to be removed post-3.2
+ # https://github.com/intel/cve-bin-tool/pull/2524
+ (fetchpatch {
+ name = "cve-bin-tool-version-success.patch";
+ url = "https://github.com/intel/cve-bin-tool/commit/6f9bd565219932c565c1443ac467fe4163408dd8.patch";
+ hash = "sha256-Glj6qiOvmvsuetXn4tysyiN/vrcOPFLORh+u3BoGzCI=";
+ })
+ ];
+
 # Wants to open a sqlite database, access the internet, etc
 doCheck = false;
 
+ propagatedNativeBuildInputs = [
+ pip
+ ];
+
 propagatedBuildInputs = [
+ google-cloud-sdk
 jsonschema
 plotly
 beautifulsoup4
@@ -62,7 +119,8 @@ buildPythonApplication rec {
 pillow
 setuptools
 xmlschema
- packaging
+ cvss
+ packaging_21_3
 ];
 
 nativeCheckInputs = [
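Review bot: The `packaging_21_3` pin declares its source hash as `sha256 = "sha256-3UfEKSfYmrkR5gZRiQfMLTofOLvQJjhZcGQ/nFuOz+s=";` while the same hunk moves the main `src` from `sha256` to `hash`; writing `hash = "sha256-3UfEKSfYmrkR5gZRiQfMLTofOLvQJjhZcGQ/nFuOz+s=";` in the pin keeps both SRI hashes declared the same way. Because the pin also sets `doCheck = false;`, its `nativeCheckInputs = [ pytestCheckHook pretend ];` and the `pretend` argument added for it never run; drop them or add a comment saying why they are kept. The pin comment reads better as `# pin packaging to < 22 until the issues related to https://github.com/intel/cve-bin-tool/pull/2436 are resolved by upstream (post-3.2)`, and since this carries an older dependency inside a security scanner, keeping its removal tied to that named upstream PR matters so the pin is dropped on the next bump rather than forgotten. Whether `propagatedNativeBuildInputs = [ pip ];` puts pip on the wrapped program's runtime PATH, which is what the commit message says the python checker needs, cannot be confirmed from this hunk; a one-line comment next to it stating that runtime expectation would help the next maintainer. Hunk 3 only consumes `packaging_21_3` and needs no separate change.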
@@ -73,10 +131,7 @@ buildPythonApplication rec {
 "cve_bin_tool"
 ];
 
- # required until https://github.com/intel/cve-bin-tool/pull/1665 is merged
- postPatch = ''
- sed '/^pytest/d' -i requirements.txt
- '';
+ passthru.tests.version = testers.testVersion { package = cve-bin-tool; };
 
 meta = with lib; {
 description = "CVE Binary Checker Tool";
diff --git a/pkgs/tools/security/cve-bin-tool/no-gsutil-python-dependency.patch b/pkgs/tools/security/cve-bin-tool/no-gsutil-python-dependency.patch
new file mode 100644
index 000000000000..9bbac57b5fb4
--- /dev/null
+++ b/pkgs/tools/security/cve-bin-tool/no-gsutil-python-dependency.patch
@@ -0,0 +1,12 @@
+diff --git a/requirements.txt b/requirements.txt
+index 1d4aa9a..c9e9171 100644
+--- a/requirements.txt
++++ b/requirements.txt
+@@ -14,6 +14,6 @@ xmlschema
+ importlib_metadata; python_version < "3.8"
+ requests
+ urllib3>=1.26.5 # dependency of requests added explictly to avoid CVEs
+-gsutil
++#gsutil
+ cvss
+ packaging