authorFabian Affolter <mail@fabian-affolter.ch>2021-10-20 00:12:09 +0200
committerFabian Affolter <mail@fabian-affolter.ch>2021-10-20 00:19:05 +0200
commite93fbd5ed131a4f9a5a73b2111b378021bac3a91 (patch)
tree2cf50c43d36c19f59389ac51a2814f3cfc17a817 /pkgs/development/tools/analysis/checkov/default.nix
parentde3f35e9adb360cffb123ee42d0ee60d0fe14dc3 (diff)
checkov: 1.0.674 -> 2.0.496
Diffstat (limited to 'pkgs/development/tools/analysis/checkov/default.nix')
-rw-r--r--pkgs/development/tools/analysis/checkov/default.nix147
1 files changed, 98 insertions, 49 deletions
diff --git a/pkgs/development/tools/analysis/checkov/default.nix b/pkgs/development/tools/analysis/checkov/default.nix
index 8750b61c48f..da72bbbf6ed 100644
--- a/pkgs/development/tools/analysis/checkov/default.nix
+++ b/pkgs/development/tools/analysis/checkov/default.nix
@@ -1,75 +1,124 @@
-{ pkgs, lib, python3, fetchFromGitHub }:
-
+{ lib
+, fetchFromGitHub
+, python3
+}:
 let
-  pname = "checkov";
-  version = "1.0.674";
-  src = fetchFromGitHub {
-    owner = "bridgecrewio";
-    repo = pname;
-    rev = version;
-    sha256 = "/S8ic5ZVxA2vd/rjRPX5gslbmnULL7BSx34vgWIsheQ=";
-  };
+  py = python3.override {
+    packageOverrides = self: super: {
 
-  disabled = pkgs.python3Packages.pythonOlder "3.7";
+      boto3 = super.boto3.overridePythonAttrs (oldAttrs: rec {
+        version = "1.17.112";
+        src = oldAttrs.src.override {
+          inherit version;
+          sha256 = "1byqrffbgpp1mq62gnn3w3hnm54dfar0cwgvmkl7mrgbwz5xmdh8";
+        };
+      });
 
-  # CheckOV only work with `dpath 1.5.0`
-  dpath = pkgs.python3Packages.buildPythonPackage rec {
-    pname = "dpath";
-    version = "1.5.0";
+      botocore = super.botocore.overridePythonAttrs (oldAttrs: rec {
+        version = "1.20.112";
+        src = oldAttrs.src.override {
+          inherit version;
+          sha256 = "1ksdjh3mwbzgqgfj58vyrhann23b9gqam8id2svmpdmmdq5vgffh";
+        };
+      });
 
-    src = pkgs.python3Packages.fetchPypi {
-      inherit pname version;
-      sha256 = "SWYVtOqEI20Y4NKGEi3nSGmmDg+H4sfsZ4f/KGxINhs=";
-    };
+      s3transfer = super.s3transfer.overridePythonAttrs (oldAttrs: rec {
+        version = "0.4.2";
+        src = oldAttrs.src.override {
+          inherit version;
+          sha256 = "1cp169vz9rvng7dwbn33fgdbl3b014zpsdqsnfxxw7jm2r5jy0nb";
+        };
+      });
+
+      dpath = super.dpath.overridePythonAttrs (oldAttrs: rec {
+        version = "1.5.0";
+        src = oldAttrs.src.override {
+          inherit version;
+          sha256 = "06rn91n2izw7czncgql71w7acsa8wwni51njw0c6s8w4xas1arj9";
+        };
+        doCheck = false;
+      });
 
-    doCheck = false;
+    };
   };
 in
-python3.pkgs.buildPythonPackage rec {
-  inherit pname version disabled src;
+with py.pkgs;
+
+buildPythonApplication rec {
+  pname = "checkov";
+  version = "2.0.496";
 
-  nativeBuildInputs = with python3.pkgs; [ setuptools-scm ];
+  disabled = python3.pythonOlder "3.7";
 
-  propagatedBuildInputs = with python3.pkgs; [
-    pytest
-    coverage
-    bandit
+  src = fetchFromGitHub {
+    owner = "bridgecrewio";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-JDKM706z8e+e+LhZ/3bMcVkYGW+gOF2iOUYLQASlXbc=";
+  };
+
+  nativeBuildInputs = with py.pkgs; [
+    setuptools-scm
+  ];
+
+  propagatedBuildInputs = with py.pkgs; [
     bc-python-hcl2
-    deep_merge
-    tabulate
+    boto3
+    cachetools
+    cloudsplaining
     colorama
-    termcolor
-    junit-xml
+    configargparse
+    cyclonedx-python-lib
+    deep_merge
+    detect-secrets
+    docker
+    dockerfile-parse
     dpath
-    pyyaml
-    boto3
     GitPython
-    six
     jmespath
+    junit-xml
+    networkx
+    packaging
+    policyuniverse
+    pyyaml
+    semantic-version
+    tabulate
+    termcolor
     tqdm
+    typing-extensions
     update_checker
-    semantic-version
-    packaging
   ];
 
-  # Both of these tests are pulling from external srouces (https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml)
-  preCheck = ''
-    rm -rf integration_tests/*
-    rm -rf tests/terraform/*
-  '';
+  checkInputs = with py.pkgs; [
+    jsonschema
+    pytest-xdist
+    pytestCheckHook
+  ];
 
-  # Wrap the executable so that the python packages are available
-  # it's just a shebang script which calls `python -m checkov "$@"`
-  postFixup = ''
-    wrapProgram $out/bin/checkov \
-      --set PYTHONPATH $PYTHONPATH
-  '';
+  disabledTests = [
+    # No API key available
+    "api_key"
+    # Requires network access
+    "TestSarifReport"
+  ];
+
+  disabledTestPaths = [
+    # Tests are pulling from external sources
+    # https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml
+    "integration_tests/"
+    "tests/terraform/"
+  ];
+
+  pythonImportsCheck = [
+    "checkov"
+  ];
 
   meta = with lib; {
-    homepage = "https://github.com/bridgecrewio/checkov";
     description = "Static code analysis tool for infrastructure-as-code";
+    homepage = "https://github.com/bridgecrewio/checkov";
     longDescription = ''
-    Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
+      Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
+      Kubernetes, Serverless framework and other infrastructure-as-code-languages.
     '';
     license = licenses.asl20;
     maintainers = with maintainers; [ anhdle14 ];