From 7937f122cc751b945f627a95f5d9c8d2c73c14aa Mon Sep 17 00:00:00 2001 From: 06kellyjac Date: Tue, 6 Sep 2022 17:38:17 +0100 Subject: [PATCH] govulncheck: init at unstable-2022-09-02 --- pkgs/tools/security/govulncheck/default.nix | 64 +++++++++++++++++++++ pkgs/top-level/all-packages.nix | 2 + 2 files changed, 66 insertions(+) create mode 100644 pkgs/tools/security/govulncheck/default.nix diff --git a/pkgs/tools/security/govulncheck/default.nix b/pkgs/tools/security/govulncheck/default.nix new file mode 100644 index 00000000000..9565c11dad5 --- /dev/null +++ b/pkgs/tools/security/govulncheck/default.nix @@ -0,0 +1,64 @@ +{ lib, buildGoModule, fetchFromGitHub }: + +buildGoModule rec { + pname = "govulncheck"; + version = "unstable-2022-09-02"; + + src = fetchFromGitHub { + owner = "golang"; + repo = "vuln"; + rev = "27dd78d2ca392c1738e54efe513a2ecb7bf46000"; + sha256 = "sha256-G35y1V4W1nLZ+QGvIQwER9whBIBDFUVptrHx78orcI0="; + }; + + vendorSha256 = "sha256-9FH9nq5cEyhMxrrvfQAOWZ4aThMsU0HwlI+0W0uVHZ4="; + + subPackages = [ "cmd/govulncheck" ]; + + preCheck = '' + # test all paths + unset subPackages + + # remove test that calls checks.bash + # the header check and misspell gets upset at the vendor dir + rm all_test.go + + # remove tests that generally have "inconsistent vendoring" issues + # - tries to builds govulncheck again + rm cmd/govulncheck/main_command_118_test.go + # - does go builds of example go files + rm vulncheck/binary_test.go + # - just have resolution issues + rm vulncheck/{source,vulncheck}_test.go + ''; + + ldflags = [ "-s" "-w" ]; + + meta = with lib; { + homepage = "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck"; + description = "The database client and tools for the Go vulnerability database, also known as vuln"; + longDescription = '' + Govulncheck reports known vulnerabilities that affect Go code. It uses + static analysis of source code or a binary's symbol table to narrow down + reports to only those that could affect the application. + + By default, govulncheck makes requests to the Go vulnerability database at + https://vuln.go.dev. Requests to the vulnerability database contain only + module paths, not code or other properties of your program. See + https://vuln.go.dev/privacy.html for more. Set the GOVULNDB environment + variable to specify a different database, which must implement the + specification at https://go.dev/security/vuln/database. + + Govulncheck looks for vulnerabilities in Go programs using a specific + build configuration. For analyzing source code, that configuration is the + operating system, architecture, and Go version specified by GOOS, GOARCH, + and the “go” command found on the PATH. For binaries, the build + configuration is the one used to build the binary. Note that different + build configurations may have different known vulnerabilities. For + example, a dependency with a Windows-specific vulnerability will not be + reported for a Linux build. + ''; + license = with licenses; [ bsd3 ]; + maintainers = with maintainers; [ jk ]; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 5d2f6ac66b9..a70f2ef7ebd 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -464,6 +464,8 @@ with pkgs; gojq = callPackage ../development/tools/gojq { }; + govulncheck = callPackage ../tools/security/govulncheck { }; + gpick = callPackage ../tools/misc/gpick { }; hwatch = callPackage ../tools/misc/hwatch { };