Merge pull request #221082 from fabaff/checkov-deps

python310Packages.bc-detect-secrets: init at 1.4.14, python310Packages.bc-jsonpath-ng: init at 1.5.9
2023-03-14 01:21:06 +01:00 · 2023-03-14 01:21:06 +01:00 · 77044761a4
commit 77044761a4
parent f69a8c2df2 1b1910bf7c
5 changed files with 170 additions and 34 deletions
--- a/pkgs/development/python-modules/bc-detect-secrets/default.nix
+++ b/pkgs/development/python-modules/bc-detect-secrets/default.nix
@ -0,0 +1,80 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, gibberish-detector
+, mock
+, pkgs
+, pyahocorasick
+, pytestCheckHook
+, pythonOlder
+, pyyaml
+, requests
+, responses
+, unidiff
+}:
+
+buildPythonPackage rec {
+  pname = "bc-detect-secrets";
+  version = "1.4.14";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "bridgecrewio";
+    repo = "detect-secrets";
+    rev = "refs/tags/${version}";
+    hash = "sha256-WgUbVpn5KoayiWv3sYp+hZxqfQg73k0pXkxgUK8wrPg=";
+  };
+
+  propagatedBuildInputs = [
+    pyyaml
+    requests
+    unidiff
+  ];
+
+  passthru.optional-dependencies = {
+    word_list = [
+      pyahocorasick
+    ];
+    gibberish = [
+      gibberish-detector
+    ];
+  };
+
+  nativeCheckInputs = [
+    mock
+    pkgs.gitMinimal
+    pytestCheckHook
+    responses
+  ] ++ lib.flatten (builtins.attrValues passthru.optional-dependencies);
+
+  preCheck = ''
+    export HOME=$(mktemp -d);
+  '';
+
+  disabledTests = [
+    # Tests are failing for various reasons (missing git repo, missing test data, etc.)
+    "test_baseline_filters_out_known_secrets"
+    "test_make_decisions"
+    "test_saves_to_baseline"
+    "test_start_halfway"
+    "TestCreate"
+    "TestDiff"
+    "TestGetFilesToScan"
+    "TestLineNumberChanges"
+    "TestModifiesBaselineFromVersionChange"
+  ];
+
+  pythonImportsCheck = [
+    "detect_secrets"
+  ];
+
+  meta = with lib; {
+    description = "Tool to detect secrets in the code";
+    homepage = "https://github.com/bridgecrewio/detect-secrets";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ fab ];
+  };
+}
+
--- a/pkgs/development/python-modules/bc-jsonpath-ng/default.nix
+++ b/pkgs/development/python-modules/bc-jsonpath-ng/default.nix
@ -0,0 +1,48 @@
+{ lib
+, buildPythonPackage
+, decorator
+, fetchFromGitHub
+, ply
+, pytestCheckHook
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "bc-jsonpath-ng";
+  version = "1.5.9";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "bridgecrewio";
+    repo = "jsonpath-ng";
+    rev = "refs/tags/${version}";
+    hash = "sha256-Uho+slKmKkTrcJBKi+9GJv1JrvDrTP4/6uqmMn3qptU=";
+  };
+
+  propagatedBuildInputs = [
+    decorator
+    ply
+  ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  disabledTestPaths = [
+    # Exclude tests that require oslotest
+    "tests/test_jsonpath_rw_ext.py"
+  ];
+
+  pythonImportsCheck = [
+    "bc_jsonpath_ng"
+  ];
+
+  meta = with lib; {
+    description = "JSONPath implementation for Python";
+    homepage = "https://github.com/bridgecrewio/jsonpath-ng";
+    license = with licenses; [ asl20 ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
--- a/pkgs/development/tools/analysis/checkov/default.nix
+++ b/pkgs/development/tools/analysis/checkov/default.nix
@ -2,6 +2,7 @@
 , fetchFromGitHub
 , python3
 }:
+
 let
  py = python3.override {
    packageOverrides = self: super: {
@ -14,17 +15,6 @@ let
        };
        doCheck = false;
      });
-
-      jsonschema = super.jsonschema.overridePythonAttrs (oldAttrs: rec {
-        version = "3.2.0";
-        src = oldAttrs.src.override {
-          inherit version;
-          sha256 = "sha256-yKhbKNN3zHc35G4tnytPRO48Dh3qxr9G3e/HGH0weXo=";
-        };
-        SETUPTOOLS_SCM_PRETEND_VERSION = version;
-        doCheck = false;
-      });
-
    };
  };
 in
@ -32,20 +22,26 @@ with py.pkgs;

 buildPythonApplication rec {
  pname = "checkov";
-  version = "2.1.20";
+  version = "2.3.85";
  format = "setuptools";

  src = fetchFromGitHub {
    owner = "bridgecrewio";
    repo = pname;
-    rev = version;
-    hash = "sha256-dXpgm9S++jtBhuzX9db8Pm5LF6Qb4isXx5uyOGdWGUc=";
+    rev = "refs/tags/${version}";
+    hash = "sha256-j//r9ykMCzmpPBAPmfZCMlvcv7jrFaT+fFsLZoOeQF4=";
  };

  patches = [
    ./flake8-compat-5.x.patch
  ];

+  pythonRelaxDeps = [
+    "bc-python-hcl2"
+    "pycep-parser"
+    "networkx"
+  ];
+
  nativeBuildInputs = with py.pkgs; [
    pythonRelaxDepsHook
    setuptools-scm
@ -56,6 +52,8 @@ buildPythonApplication rec {
    aiohttp
    aiomultiprocess
    argcomplete
+    bc-detect-secrets
+    bc-jsonpath-ng
    bc-python-hcl2
    boto3
    cachetools
@ -65,14 +63,13 @@ buildPythonApplication rec {
    configargparse
    cyclonedx-python-lib
    deep_merge
-    detect-secrets
    docker
    dockerfile-parse
    dpath
    flake8
    gitpython
+    igraph
    jmespath
-    jsonpath-ng
    jsonschema
    junit-xml
    networkx
@ -99,11 +96,6 @@ buildPythonApplication rec {
    responses
  ];

-  pythonRelaxDeps = [
-    "bc-python-hcl2"
-    "pycep-parser"
-  ];
-
  preCheck = ''
    export HOME=$(mktemp -d);
  '';
@ -113,28 +105,37 @@ buildPythonApplication rec {
    "api_key"
    # Requires network access
    "TestSarifReport"
-    # Will probably be fixed in one of the next releases
-    "test_valid_cyclonedx_bom"
-    "test_record_relative_path_with"
-    "test_record_relative_path_with_relative_dir"
-    # Requires prettytable release which is only available in staging
-    "test_skipped_check_exists"
-    # AssertionError: 0 not greater than 0
    "test_skip_mapping_default"
-    # Test is failing
-    "test_SQLServerAuditingEnabled"
+    # Flake8 test
+    "test_file_with_class"
+    "test_dataclass_skip"
+    "test_typing_class_skip"
+    # Tests are comparing console output
+    "cli"
+    "console"
  ];

  disabledTestPaths = [
    # Tests are pulling from external sources
    # https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml
    "integration_tests/"
+    "tests/ansible/"
+    "tests/arm/"
+    "tests/bicep/"
+    "tests/cloudformation/"
+    "tests/common/"
+    "tests/dockerfile/"
+    "tests/generic_json/"
+    "tests/generic_yaml/"
+    "tests/github_actions/"
+    "tests/github/"
+    "tests/kubernetes/"
+    "tests/sca_package_2"
    "tests/terraform/"
    # Performance tests have no value for us
    "performance_tests/test_checkov_performance.py"
-    # Requires prettytable release which is only available in staging
-    "tests/sca_package/"
-    "tests/test_runner_filter.py"
+    # No Helm
+    "dogfood_tests/test_checkov_dogfood.py"
  ];

  pythonImportsCheck = [
@ -148,6 +149,7 @@ buildPythonApplication rec {
  meta = with lib; {
    description = "Static code analysis tool for infrastructure-as-code";
    homepage = "https://github.com/bridgecrewio/checkov";
+    changelog = "https://github.com/bridgecrewio/checkov/releases/tag/${version}";
    longDescription = ''
      Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
      Kubernetes, Serverless framework and other infrastructure-as-code-languages.
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -402,7 +402,9 @@ with pkgs;

  cewl = callPackage ../tools/security/cewl { };

-  checkov = callPackage ../development/tools/analysis/checkov { };
+  checkov = callPackage ../development/tools/analysis/checkov {
+    python3 = python311;
+  };

  chrysalis = callPackage ../applications/misc/chrysalis { };

--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@ -1209,6 +1209,10 @@ self: super: with self; {

  bbox = callPackage ../development/python-modules/bbox { };

+  bc-detect-secrets = callPackage ../development/python-modules/bc-detect-secrets { };
+
+  bc-jsonpath-ng = callPackage ../development/python-modules/bc-jsonpath-ng { };
+
  bc-python-hcl2 = callPackage ../development/python-modules/bc-python-hcl2 { };

  bcdoc = callPackage ../development/python-modules/bcdoc { };