Merge pull request #179335 from 06kellyjac/semgrep
semgrep{,-core}: init at 0.103.0
commit
14f33392eb
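--- a/pkgs/tools/security/semgrep/common.nix
+++ b/pkgs/tools/security/semgrep/common.nix
@@ -0,0 +1,55 @@
+{ lib, fetchFromGitHub, fetchzip }:
+
+rec {
+  version = "0.103.0";
+
+  src = fetchFromGitHub {
+    owner = "returntocorp";
+    repo = "semgrep";
+    rev = "v${version}";
+    sha256 = "sha256-vk6GBgLsXRLAVu60xW4WWWhhi4b1WLceTxh/TeISIUg=";
+  };
+
+  # submodule dependencies
+  # these are fetched so we:
+  # 1. don't fetch the many submodules we don't need
+  # 2. avoid fetchSubmodules since it's prone to impurities
+  langsSrc = fetchFromGitHub {
+    owner = "returntocorp";
+    repo = "semgrep-langs";
+    rev = "78e518dad1ce2a7c76854c944245434bd8426439";
+    sha256 = "sha256-t9F/OzzT6FI9G4Fxz0lUjz6TVrJlenusQNJnFpiKaQs=";
+  };
+
+  interfacesSrc = fetchFromGitHub {
+    owner = "returntocorp";
+    repo = "semgrep-interfaces";
+    rev = "a64a45034ea428ecbe9da6bd849a4f1cfd23cdd2";
+    sha256 = "sha256-eatuyA5xyfZVHCmHvZIzQK2c5eEWUEZd9LumJQtk8+s=";
+  };
+
+  # fetch pre-built semgrep-core since the ocaml build is complex and relies on
+  # the opam package manager at some point
+  coreRelease = fetchzip {
+    url = "https://github.com/returntocorp/semgrep/releases/download/v${version}/semgrep-v${version}-ubuntu-16.04.tgz";
+    sha256 = "sha256-L3NbiVYmgJim7H4W1cr75WOItSiHT1YIkUEefuaCYlY=";
+  };
+
+  meta = with lib; {
+    homepage = "https://semgrep.dev/";
+    downloadPage = "https://github.com/returntocorp/semgrep/";
+    changelog = "https://github.com/returntocorp/semgrep/blob/v${version}/CHANGELOG.md";
+    description = "Lightweight static analysis for many languages";
+    longDescription = ''
+      Semgrep is a fast, open-source, static analysis tool for finding bugs and
+      enforcing code standards at editor, commit, and CI time. Semgrep analyzes
+      code locally on your computer or in your build environment: code is never
+      uploaded. Its rules look like the code you already write; no abstract
+      syntax trees, regex wrestling, or painful DSLs.
+    '';
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ jk ambroisie ];
+    # limited by semgrep-core
+    platforms = [ "x86_64-linux" ];
+  };
+}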
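Review bot: The `langsSrc` and `interfacesSrc` revs are bare commit hashes with nothing tying them to `version`, so a future bump of `version` that forgets them leaves the CLI linked against stale submodule checkouts and nothing in this file will fail. A comment above `langsSrc` would make the update procedure explicit, e.g. `# revs must match the submodule commits of the v${version} tag (cli/src/semgrep/{lang,semgrep_interfaces}, judging by what default.nix replaces)`. The `coreRelease` pin by sha256 gives integrity of the downloaded artifact relative to the hash, not any review of what upstream put in the release; since `sourceProvenance` for that binary is declared in semgrep-core.nix rather than here, a one-line pointer after the "fetch pre-built semgrep-core" comment would help a reader auditing provenance find it.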
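--- a/pkgs/tools/security/semgrep/default.nix
+++ b/pkgs/tools/security/semgrep/default.nix
@@ -0,0 +1,81 @@
+{ lib
+, fetchFromGitHub
+, callPackage
+, semgrep-core
+, buildPythonApplication
+, pythonPackages
+
+, pytestCheckHook
+, git
+}:
+
+let
+  common = callPackage ./common.nix { };
+in
+buildPythonApplication rec {
+  pname = "semgrep";
+  inherit (common) version;
+  src = "${common.src}/cli";
+
+  SEMGREP_CORE_BIN = "${semgrep-core}/bin/semgrep-core";
+
+  postPatch = ''
+    substituteInPlace setup.py \
+      --replace "typing-extensions~=4.2" "typing-extensions" \
+      --replace "jsonschema~=3.2" "jsonschema" \
+      --replace "boltons~=21.0" "boltons"
+
+    # remove git submodule placeholders
+    rm -r ./src/semgrep/{lang,semgrep_interfaces}
+    # link submodule dependencies
+    ln -s ${common.langsSrc}/ ./src/semgrep/lang
+    ln -s ${common.interfacesSrc}/ ./src/semgrep/semgrep_interfaces
+  '';
+
+  doCheck = true;
+  checkInputs = [ git pytestCheckHook ] ++ (with pythonPackages; [
+    pytest-snapshot
+    pytest-mock
+    pytest-freezegun
+    types-freezegun
+  ]);
+  disabledTests = [
+    # requires networking
+    "tests/unit/test_metric_manager.py"
+  ];
+  preCheck = ''
+    # tests need a home directory
+    export HOME="$(mktemp -d)"
+
+    # disabledTestPaths doesn't manage to avoid the e2e tests
+    # remove them from pyproject.toml
+    # and remove need for pytest-split
+    substituteInPlace pyproject.toml \
+      --replace '"tests/e2e",' "" \
+      --replace 'addopts = "--splitting-algorithm=least_duration"' ""
+  '';
+
+  propagatedBuildInputs = with pythonPackages; [
+    attrs
+    boltons
+    colorama
+    click
+    click-option-group
+    glom
+    requests
+    ruamel-yaml
+    tqdm
+    packaging
+    jsonschema
+    wcmatch
+    peewee
+    defusedxml
+    urllib3
+    typing-extensions
+    python-lsp-jsonrpc
+  ];
+
+  meta = common.meta // {
+    description = common.meta.description + " - cli";
+  };
+}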
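Review bot: `disabledTests` holding the path `tests/unit/test_metric_manager.py` looks like the wrong attribute: as far as I can tell pytestCheckHook turns `disabledTests` into a `-k "not …"` name filter, so a file path there deselects nothing and the network-dependent test still runs in the sandbox. The entry belongs in `disabledTestPaths = [ "tests/unit/test_metric_manager.py" ];`, which becomes an `--ignore` for that file; the comment in `preCheck` shows the author already knows that attribute. The three `--replace` calls in `postPatch` that drop upstream's `~=` version pins also deserve a one-line reason, e.g. `# relax upstream's compatible-release pins to the versions nixpkgs ships`, so the next updater knows these are deliberate rather than a leftover.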
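--- a/pkgs/tools/security/semgrep/semgrep-core.nix
+++ b/pkgs/tools/security/semgrep/semgrep-core.nix
@@ -0,0 +1,22 @@
+{ lib, stdenvNoCC, callPackage }:
+
+let
+  common = callPackage ./common.nix { };
+in
+stdenvNoCC.mkDerivation rec {
+  pname = "semgrep-core";
+  inherit (common) version;
+
+  src = common.coreRelease;
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm 755 -t $out/bin semgrep-core
+    runHook postInstall
+  '';
+
+  meta = common.meta // {
+    description = common.meta.description + " - cli";
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+  };
+}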
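Review bot: `src = common.coreRelease;` installs a pre-built upstream binary, but nothing in this file says so or why; the only explanation is a comment in common.nix, and a reader here sees `sourceProvenance = binaryNativeCode` with no context. Suggest `# pre-built upstream release (see common.nix): building semgrep-core from source needs an opam toolchain` above `src`. The derivation uses `stdenvNoCC` with no autoPatchelfHook, so it presumably relies on the release binary being statically linked — if that is confirmed, it is worth stating in the same comment, since a dynamically linked ubuntu-16.04 binary copied verbatim would fail at runtime on NixOS. The `x86_64-linux`-only `platforms` is inherited from `common.meta` yet it is this package that imposes the restriction, so a pointer to that is useful here too.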
@ -10459,6 +10459,9 @@ with pkgs;
|
||||
|
||||
seexpr = callPackage ../development/compilers/seexpr { };
|
||||
|
||||
semgrep = python3.pkgs.callPackage ../tools/security/semgrep { };
|
||||
semgrep-core = callPackage ../tools/security/semgrep/semgrep-core.nix { };
|
||||
|
||||
setroot = callPackage ../tools/X11/setroot { };
|
||||
|
||||
setserial = callPackage ../tools/system/setserial { };
|
||||
|