Merge pull request #179335 from 06kellyjac/semgrep

semgrep{,-core}: init at 0.103.0
Sandro 2022-07-16 00:59:01 +02:00 committed by GitHub
commit 14f33392eb
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 161 additions and 0 deletions


@ -0,0 +1,55 @@
{ lib, fetchFromGitHub, fetchzip }:
rec {
version = "0.103.0";
src = fetchFromGitHub {
owner = "returntocorp";
repo = "semgrep";
rev = "v${version}";
sha256 = "sha256-vk6GBgLsXRLAVu60xW4WWWhhi4b1WLceTxh/TeISIUg=";
};
# submodule dependencies
# these are fetched so we:
# 1. don't fetch the many submodules we don't need
# 2. avoid fetchSubmodules since it's prone to impurities
langsSrc = fetchFromGitHub {
owner = "returntocorp";
repo = "semgrep-langs";
rev = "78e518dad1ce2a7c76854c944245434bd8426439";
sha256 = "sha256-t9F/OzzT6FI9G4Fxz0lUjz6TVrJlenusQNJnFpiKaQs=";
};
interfacesSrc = fetchFromGitHub {
owner = "returntocorp";
repo = "semgrep-interfaces";
rev = "a64a45034ea428ecbe9da6bd849a4f1cfd23cdd2";
sha256 = "sha256-eatuyA5xyfZVHCmHvZIzQK2c5eEWUEZd9LumJQtk8+s=";
};
# fetch pre-built semgrep-core since the ocaml build is complex and relies on
# the opam package manager at some point
coreRelease = fetchzip {
url = "https://github.com/returntocorp/semgrep/releases/download/v${version}/semgrep-v${version}-ubuntu-16.04.tgz";
sha256 = "sha256-L3NbiVYmgJim7H4W1cr75WOItSiHT1YIkUEefuaCYlY=";
};
meta = with lib; {
homepage = "https://semgrep.dev/";
downloadPage = "https://github.com/returntocorp/semgrep/";
changelog = "https://github.com/returntocorp/semgrep/blob/v${version}/CHANGELOG.md";
description = "Lightweight static analysis for many languages";
longDescription = ''
Semgrep is a fast, open-source, static analysis tool for finding bugs and
enforcing code standards at editor, commit, and CI time. Semgrep analyzes
code locally on your computer or in your build environment: code is never
uploaded. Its rules look like the code you already write; no abstract
syntax trees, regex wrestling, or painful DSLs.
'';
license = licenses.lgpl21Plus;
maintainers = with maintainers; [ jk ambroisie ];
# limited by semgrep-core
platforms = [ "x86_64-linux" ];
};
}
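Review bot: `langsSrc` and `interfacesSrc` pin their `rev` by hand, and nothing in this file ties those commits to the submodule pointers recorded in the `v${version}` tag. A later bump that changes only `version` and the release hashes would still build, and would ship a CLI paired with stale language definitions and interfaces. A comment above `langsSrc` would make the update step explicit, for example `# rev must equal the submodule commit recorded in semgrep at v${version}; bump together with version`. The `coreRelease` hash likewise fixes the bytes of the downloaded archive but not which source they were built from, which is worth stating in the comment above it.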


@ -0,0 +1,81 @@
{ lib
, fetchFromGitHub
, callPackage
, semgrep-core
, buildPythonApplication
, pythonPackages
, pytestCheckHook
, git
}:
let
common = callPackage ./common.nix { };
in
buildPythonApplication rec {
pname = "semgrep";
inherit (common) version;
src = "${common.src}/cli";
SEMGREP_CORE_BIN = "${semgrep-core}/bin/semgrep-core";
postPatch = ''
substituteInPlace setup.py \
--replace "typing-extensions~=4.2" "typing-extensions" \
--replace "jsonschema~=3.2" "jsonschema" \
--replace "boltons~=21.0" "boltons"
# remove git submodule placeholders
rm -r ./src/semgrep/{lang,semgrep_interfaces}
# link submodule dependencies
ln -s ${common.langsSrc}/ ./src/semgrep/lang
ln -s ${common.interfacesSrc}/ ./src/semgrep/semgrep_interfaces
'';
doCheck = true;
checkInputs = [ git pytestCheckHook ] ++ (with pythonPackages; [
pytest-snapshot
pytest-mock
pytest-freezegun
types-freezegun
]);
disabledTests = [
# requires networking
"tests/unit/test_metric_manager.py"
];
preCheck = ''
# tests need a home directory
export HOME="$(mktemp -d)"
# disabledTestPaths doesn't manage to avoid the e2e tests
# remove them from pyproject.toml
# and remove need for pytest-split
substituteInPlace pyproject.toml \
--replace '"tests/e2e",' "" \
--replace 'addopts = "--splitting-algorithm=least_duration"' ""
'';
propagatedBuildInputs = with pythonPackages; [
attrs
boltons
colorama
click
click-option-group
glom
requests
ruamel-yaml
tqdm
packaging
jsonschema
wcmatch
peewee
defusedxml
urllib3
typing-extensions
python-lsp-jsonrpc
];
meta = common.meta // {
description = common.meta.description + " - cli";
};
}
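Review bot: The entry in `disabledTests` is a file path, while that attribute of `pytestCheckHook` is meant for test names; paths are normally listed as `disabledTestPaths = [ "tests/unit/test_metric_manager.py" ];`. Whether the current form actually deselects the module cannot be confirmed from this page. If it does not, the test that needs networking either fails in the sandbox or passes only where the build is not sandboxed. The comment in `preCheck` says `disabledTestPaths` did not work for the e2e directory, so a short comment explaining why this path sits under `disabledTests` would help the next maintainer.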


@ -0,0 +1,22 @@
{ lib, stdenvNoCC, callPackage }:
let
common = callPackage ./common.nix { };
in
stdenvNoCC.mkDerivation rec {
pname = "semgrep-core";
inherit (common) version;
src = common.coreRelease;
installPhase = ''
runHook preInstall
install -Dm 755 -t $out/bin semgrep-core
runHook postInstall
'';
meta = common.meta // {
description = common.meta.description + " - core binary";
sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
};
}
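Review bot: The derivation installs the upstream `semgrep-core` binary unmodified and never executes it. A release archive whose binary cannot run in a Nix environment, for instance one dynamically linked against Ubuntu libraries, would therefore not be caught when this package is built. The archive name `ubuntu-16.04` makes that worth checking. If the binary is statically linked, record it in a comment such as `# upstream binary is statically linked, no patchelf needed`, and consider an install check that runs the binary once. Declaring `sourceProvenance` as `binaryNativeCode` is the right signal for users who exclude prebuilt code.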


@ -10459,6 +10459,9 @@ with pkgs;
seexpr = callPackage ../development/compilers/seexpr { };
semgrep = python3.pkgs.callPackage ../tools/security/semgrep { };
semgrep-core = callPackage ../tools/security/semgrep/semgrep-core.nix { };
setroot = callPackage ../tools/X11/setroot { };
setserial = callPackage ../tools/system/setserial { };