12 files changed, 193 insertions, 39 deletions

diff --git a/pkgs/tools/security/amber/default.nix b/pkgs/tools/security/amber/default.nix
index 5fb88ca9921..c2196cea686 100644
--- a/pkgs/tools/security/amber/default.nix
+++ b/pkgs/tools/security/amber/default.nix
@@ -3,16 +3,16 @@
 rustPlatform.buildRustPackage rec {
   # Renaming it to amber-secret because another package named amber exists
   pname = "amber-secret";
-  version = "0.1.2";
+  version = "0.1.3";
 
   src = fetchFromGitHub {
     owner = "fpco";
     repo = "amber";
     rev = "v${version}";
-    sha256 = "sha256-+vipQl/HWoYnOPkQLjeIedpnnqPVYaUWhks9eCgMOxQ=";
+    sha256 = "sha256-kPDNTwsfI+8nOgsLv2aONrLGSRZhw5YzNntJ2tbE0oI=";
   };
 
-  cargoSha256 = "sha256-xWEQvCyd8auE0q9rBt9iDgU8Dscf4pq/gsAINH2eQY4=";
+  cargoSha256 = "sha256-fTdTgbeOQXEpLHq9tHiPLkttvaxS/WJ86h3jRdrfbJM=";
 
   buildInputs = lib.optionals stdenv.isDarwin [ Security ];
 
diff --git a/pkgs/tools/security/cdk-go/default.nix b/pkgs/tools/security/cdk-go/default.nix
index 317f6092718..88fd089cb68 100644
--- a/pkgs/tools/security/cdk-go/default.nix
+++ b/pkgs/tools/security/cdk-go/default.nix
@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "cdk-go";
-  version = "1.0.5";
+  version = "1.0.6";
 
   src = fetchFromGitHub {
     owner = "cdk-team";
     repo = "CDK";
     rev = "v${version}";
-    sha256 = "sha256-Ngv+/b9D27ERwjNIC3s3ZBPkV10G+tT8QW8YMOgb8aA=";
+    sha256 = "sha256-XzUSiE03ZbP75ewwBJFwZE0aKNlOFprezeD26japLD8=";
   };
 
-  vendorSha256 = "sha256-9Q7f3keMUEI2cWal2dvp4b8kvTZVM1Cf4iTvH9yCyX0=";
+  vendorSha256 = "sha256-mP49DmOHvS8ewQG7I1J5OEmAOkHEFJfAsEPeiaRBpWc=";
 
   # At least one test is outdated
   doCheck = false;
diff --git a/pkgs/tools/security/dnsx/default.nix b/pkgs/tools/security/dnsx/default.nix
index d81e453f692..c316ab35b6d 100644
--- a/pkgs/tools/security/dnsx/default.nix
+++ b/pkgs/tools/security/dnsx/default.nix
@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "dnsx";
-  version = "1.0.9";
+  version = "1.1.0";
 
   src = fetchFromGitHub {
     owner = "projectdiscovery";
     repo = "dnsx";
     rev = "v${version}";
-    sha256 = "sha256-8c9gDD/g5oP9GQV1ghb2UN9w5EccvxyDvJUAtgV8q7Y=";
+    sha256 = "sha256-tcUVJ/qcQGivcAjWkcfv1fZxc9F5cYn1stpCHDoJRps=";
   };
 
-  vendorSha256 = "sha256-uvquc0bWwYzeeTuKlYaQp9r+O23MMs1Ajz1DPJ2qrnE=";
+  vendorSha256 = "sha256-hGV44Rx5kX2ZVBsTyeWm5SzpXzlTFNidt7bwzntboQo=";
 
   meta = with lib; {
     description = "Fast and multi-purpose DNS toolkit";
diff --git a/pkgs/tools/security/expliot/default.nix b/pkgs/tools/security/expliot/default.nix
index 848ee536380..eb5fd03416f 100644
--- a/pkgs/tools/security/expliot/default.nix
+++ b/pkgs/tools/security/expliot/default.nix
@@ -26,7 +26,7 @@ buildPythonApplication rec {
     owner = "expliot_framework";
     repo = pname;
     rev = version;
-    sha256 = "sha256-7Cuj3YKKwDxP2KKueJR9ZO5Bduv+lw0Y87Rw4b0jbGY=";
+    hash = "sha256-7Cuj3YKKwDxP2KKueJR9ZO5Bduv+lw0Y87Rw4b0jbGY=";
   };
 
   propagatedBuildInputs = [
@@ -51,7 +51,10 @@ buildPythonApplication rec {
   postPatch = ''
     # https://gitlab.com/expliot_framework/expliot/-/merge_requests/113
     substituteInPlace setup.py \
-      --replace "pynetdicom>=1.5.1,<2" "pynetdicom>=2,<3"
+      --replace "pynetdicom>=1.5.1,<2" "pynetdicom>=2,<3" \
+      --replace "cryptography>=3.0,<4" "cryptography>=35,<40" \
+      --replace "python-can>=3.3.3,<4" "python-can>=3.3.3,<5" \
+      --replace "pyparsing>=2.4.7,<3" "pyparsing>=2.4.7,<4"
   '';
 
   # Project has no tests
diff --git a/pkgs/tools/security/exploitdb/default.nix b/pkgs/tools/security/exploitdb/default.nix
index 14b7d7efab2..a50588fc1f8 100644
--- a/pkgs/tools/security/exploitdb/default.nix
+++ b/pkgs/tools/security/exploitdb/default.nix
@@ -2,13 +2,14 @@
 
 stdenv.mkDerivation rec {
   pname = "exploitdb";
-  version = "2022-03-10";
+  version = "2022-03-11";
 
   src = fetchFromGitHub {
     owner = "offensive-security";
     repo = pname;
     rev = version;
-    sha256 = "sha256-zKFkPRmA2Hl/NksJTf76RcPr1nvaLdZu2fyBp5PcZ0Y=";
+    sha256 = "sha256-dW4cLm//4wROsizRQ59sqEGPRZ26yIU5I7mdPEYC3YU=";
+
   };
 
   nativeBuildInputs = [ makeWrapper ];
diff --git a/pkgs/tools/security/gitleaks/default.nix b/pkgs/tools/security/gitleaks/default.nix
index ff70782dabe..a574c347629 100644
--- a/pkgs/tools/security/gitleaks/default.nix
+++ b/pkgs/tools/security/gitleaks/default.nix
@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "gitleaks";
-  version = "8.3.0";
+  version = "8.4.0";
 
   src = fetchFromGitHub {
     owner = "zricethezav";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-D6leHpGZNQ9Xt4PSU0Dwte6N3bMge7itkZtcUl0mIrQ=";
+    sha256 = "sha256-z3YGRDgBGpr2hixIayih4wxGWPtYL0EPAuTYVPByzQc=";
   };
 
-  vendorSha256 = "sha256-JZOalUOIeV51Nttm6xeBos+/8fleSBpUiXa8ekVuYJA=";
+  vendorSha256 = "sha256-J1xX+r+Mph1QkqjK87tqGDkYvPZp0lHgdRhd88WZi1c=";
 
   ldflags = [
     "-s"
diff --git a/pkgs/tools/security/gnupg/23.nix b/pkgs/tools/security/gnupg/23.nix
index ef7a5cf85e7..e80804cd002 100644
--- a/pkgs/tools/security/gnupg/23.nix
+++ b/pkgs/tools/security/gnupg/23.nix
@@ -15,11 +15,11 @@ assert guiSupport -> pinentry != null && enableMinimal == false;
 
 stdenv.mkDerivation rec {
   pname = "gnupg";
-  version = "2.3.3";
+  version = "2.3.4";
 
   src = fetchurl {
     url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";
-    sha256 = "0dz9x0r5021bhk1kjh29m1q13xbslwb8yn9qzcp7b9m1lrnvi2ap";
+    sha256 = "sha256-80aOyvsdf5rXtR/R23rr8XzridLvqKBc8vObTUBUAq4=";
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
@@ -34,19 +34,9 @@ stdenv.mkDerivation rec {
     ./tests-add-test-cases-for-import-without-uid.patch
     ./allow-import-of-previously-known-keys-even-without-UI.patch
     ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
-  ] ++ lib.optional stdenv.isDarwin [
-    # Remove an innocent warning printed on systems without procfs
-    # https://dev.gnupg.org/T5656
-    (fetchpatch {
-      url = "https://raw.githubusercontent.com/Homebrew/formula-patches/890be5f6af88e7913d177af87a50129049e681bb/gnupg/2.3.3-proc-error.patch";
-      sha256 = "sha256-oiTa7Nf+AEmhZ683CJEaCb559PXJ6RpSSgRLpxz4CKU=";
-    })
   ];
   postPatch = ''
-    sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1
-    # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update
-    sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am
-    sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in
+    sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1
   '' + lib.optionalString (stdenv.isLinux && pcsclite != null) ''
     sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
   '';
diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
new file mode 100644
index 00000000000..7dc7e3a7a90
--- /dev/null
+++ b/pkgs/tools/security/pomerium-cli/default.nix
@@ -0,0 +1,58 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+, pomerium
+}:
+
+let
+  inherit (lib) concatStringsSep concatMap id mapAttrsToList;
+in
+buildGoModule rec {
+  pname = "pomerium-cli";
+  version = pomerium.version;
+  src = fetchFromGitHub {
+    owner = "pomerium";
+    repo = "cli";
+    rev = "v${version}";
+    hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
+  };
+
+  vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
+  subPackages = [
+    "cmd/pomerium-cli"
+  ];
+
+  ldflags = let
+    # Set a variety of useful meta variables for stamping the build with.
+    setVars = {
+      "github.com/pomerium/cli/version" = {
+        Version = "v${version}";
+        BuildMeta = "nixpkgs";
+        ProjectName = "pomerium-cli";
+        ProjectURL = "github.com/pomerium/cli";
+      };
+    };
+    concatStringsSpace = list: concatStringsSep " " list;
+    mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+    varFlags = concatStringsSpace (
+      mapAttrsToFlatList (package: packageVars:
+        mapAttrsToList (variable: value:
+          "-X ${package}.${variable}=${value}"
+        ) packageVars
+      ) setVars);
+  in [
+    "${varFlags}"
+  ];
+
+  installPhase = ''
+    install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+  '';
+
+  meta = with lib; {
+    homepage = "https://pomerium.io";
+    description = "Client-side helper for Pomerium authenticating reverse proxy";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ lukegb ];
+    platforms = platforms.unix;
+  };
+}
diff --git a/pkgs/tools/security/sdlookup/default.nix b/pkgs/tools/security/sdlookup/default.nix
new file mode 100644
index 00000000000..80b6d3ba688
--- /dev/null
+++ b/pkgs/tools/security/sdlookup/default.nix
@@ -0,0 +1,25 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "sdlookup";
+  version = "unstable-2022-03-10";
+
+  src = fetchFromGitHub {
+    owner = "j3ssie";
+    repo = pname;
+    rev = "8554bfa27284c4764401dbd8da23800d4ae968a2";
+    hash = "sha256-c6xAgOxle51waiFsSWvwO9eyt1KXuM0dEeepVsRQHkk=";
+  };
+
+  vendorSha256 = "sha256-j0UzucZ6kDwM+6U0ZyIW9u8XG/Bn+VUCO2vV1BbnQo0=";
+
+  meta = with lib; {
+    description = "IP lookups for open ports and vulnerabilities from internetdb.shodan.io";
+    homepage = "https://github.com/j3ssie/sdlookup";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
diff --git a/pkgs/tools/security/sigma-cli/default.nix b/pkgs/tools/security/sigma-cli/default.nix
new file mode 100644
index 00000000000..3bf4e788912
--- /dev/null
+++ b/pkgs/tools/security/sigma-cli/default.nix
@@ -0,0 +1,50 @@
+{ lib
+, fetchFromGitHub
+, python3
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "sigma-cli";
+  version = "0.3.0";
+  format = "pyproject";
+
+  src = fetchFromGitHub {
+    owner = "SigmaHQ";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-Nfd78Y35naDTzwodcdvJr/02CptcHxS717VGsR/QOuI=";
+  };
+
+  nativeBuildInputs = with python3.pkgs; [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    click
+    prettytable
+    pysigma
+    pysigma-backend-splunk
+    pysigma-pipeline-crowdstrike
+    pysigma-pipeline-sysmon
+  ];
+
+  checkInputs = with python3.pkgs; [
+    pytestCheckHook
+  ];
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace 'prettytable = "^3.1.1"' 'prettytable = "*"'
+  '';
+
+  pythonImportsCheck = [
+    "sigma.cli"
+  ];
+
+  meta = with lib; {
+    description = "Sigma command line interface";
+    homepage = "https://github.com/SigmaHQ/sigma-cli";
+    license = with licenses; [ lgpl21Plus ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
diff --git a/pkgs/tools/security/sops/default.nix b/pkgs/tools/security/sops/default.nix
index 1cf89143925..9752d78a183 100644
--- a/pkgs/tools/security/sops/default.nix
+++ b/pkgs/tools/security/sops/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "sops";
-  version = "3.7.1";
+  version = "3.7.2";
 
   src = fetchFromGitHub {
     rev = "v${version}";
     owner = "mozilla";
     repo = pname;
-    sha256 = "0z3jcyl245yjszzjf2h6l1dwa092vxzvfmnivmwi6jvpsdcv33h1";
+    sha256 = "sha256-NMuYMvaBSxKHvpqFkMfnMDvcXxTstqzracuSTT1VB1A=";
   };
 
-  vendorSha256 = "1mnwgsbpi56ql0lbpn7dkaps96x9b1lmhlk5cd6d40da7xj616n7";
+  vendorSha256 = "sha256-00/7O9EcGojUExJPtYWndb16VqrNby/5GsVs8Ak/Isc=";
 
   doCheck = false;
 
diff --git a/pkgs/tools/security/swtpm/default.nix b/pkgs/tools/security/swtpm/default.nix
index 648165d8262..39128084352 100644
--- a/pkgs/tools/security/swtpm/default.nix
+++ b/pkgs/tools/security/swtpm/default.nix
@@ -16,35 +16,40 @@
 
 stdenv.mkDerivation rec {
   pname = "swtpm";
-  version = "0.7.1";
+  version = "0.7.2";
 
   src = fetchFromGitHub {
     owner = "stefanberger";
     repo = "swtpm";
     rev = "v${version}";
-    sha256 = "sha256-LJQF8PlRkhCJ8rjZzDetg1BFuTb7GBJ8lW6u5hO134k=";
+    sha256 = "sha256-qeyPCJTNnwuaCosHzqnrQc0JNznGBfDTLsuDmuKREjU=";
   };
 
   nativeBuildInputs = [
     pkg-config unixtools.netstat expect socat
     perl # for pod2man
+    python3
     autoreconfHook
   ];
 
   checkInputs = [
-    python3 which
+    which
   ];
 
   buildInputs = [
     libtpms
-    openssl libtasn1 libseccomp
-    fuse glib json-glib
+    openssl libtasn1
+    glib json-glib
     gnutls
+  ] ++ lib.optionals stdenv.isLinux [
+    fuse
+    libseccomp
   ];
 
   configureFlags = [
-    "--with-cuse"
     "--localstatedir=/var"
+  ] ++ lib.optionals stdenv.isLinux [
+    "--with-cuse"
   ];
 
   postPatch = ''
@@ -56,9 +61,31 @@ stdenv.mkDerivation rec {
 
     # Use the correct path to the certtool binary
     # instead of relying on it being in the environment
-    substituteInPlace src/swtpm_localca/swtpm_localca.c --replace \
+    substituteInPlace src/swtpm_localca/swtpm_localca.c \
+      --replace \
+        '# define CERTTOOL_NAME "gnutls-certtool"' \
+        '# define CERTTOOL_NAME "${gnutls}/bin/certtool"' \
+      --replace \
         '# define CERTTOOL_NAME "certtool"' \
         '# define CERTTOOL_NAME "${gnutls}/bin/certtool"'
+
+    substituteInPlace tests/common --replace \
+        'CERTTOOL=gnutls-certtool;;' \
+        'CERTTOOL=certtool;;'
+
+    # Fix error on macOS:
+    # stat: invalid option -- '%'
+    # This is caused by the stat program not being the BSD version,
+    # as is expected by the test
+    substituteInPlace tests/common --replace \
+        'if [[ "$(uname -s)" =~ (Linux|CYGWIN_NT-) ]]; then' \
+        'if [[ "$(uname -s)" =~ (Linux|Darwin|CYGWIN_NT-) ]]; then'
+
+    # Otherwise certtool seems to pick up the system language on macOS,
+    # which might cause a test to fail
+    substituteInPlace tests/test_swtpm_setup_create_cert --replace \
+        '$CERTTOOL' \
+        'LC_ALL=C.UTF-8 $CERTTOOL'
   '';
 
   doCheck = true;