diff options
Diffstat (limited to 'pkgs/tools/security')
-rw-r--r-- | pkgs/tools/security/fulcio/default.nix | 52 | ||||
-rw-r--r-- | pkgs/tools/security/grype/default.nix | 19 | ||||
-rw-r--r-- | pkgs/tools/security/spire/default.nix | 7 | ||||
-rw-r--r-- | pkgs/tools/security/volatility3/default.nix | 10 |
4 files changed, 59 insertions, 29 deletions
diff --git a/pkgs/tools/security/fulcio/default.nix b/pkgs/tools/security/fulcio/default.nix index 96ef86d18d1..300b996524d 100644 --- a/pkgs/tools/security/fulcio/default.nix +++ b/pkgs/tools/security/fulcio/default.nix @@ -2,33 +2,61 @@ buildGoModule rec { pname = "fulcio"; - version = "0.1.1"; + version = "0.2.0"; src = fetchFromGitHub { owner = "sigstore"; repo = pname; rev = "v${version}"; - sha256 = "sha256-MvLQMGPyJYqYUljLqsr+qJeeYnxdH9aNGkWpDRvOeh8="; + sha256 = "sha256-tCjFx9Ug8rO8cSxQb2vBG/MHSUJCx17lDeGnSGjZLcI="; + # populate values that require us to use git. By doing this in postFetch we + # can delete .git afterwards and maintain better reproducibility of the src. + leaveDotGit = true; + postFetch = '' + cd "$out" + git rev-parse HEAD > $out/COMMIT + # '0000-00-00T00:00:00Z' + date -u -d "@$(git log -1 --pretty=%ct)" "+'%Y-%m-%dT%H:%M:%SZ'" > $out/SOURCE_DATE_EPOCH + find "$out" -name .git -print0 | xargs -0 rm -rf + ''; }; - vendorSha256 = "sha256-pRL0et+UOi/tzuQz/Q7UmSA+pVhLJYR8lG8NAbPN9PU="; + vendorSha256 = "sha256-CmtsReP0JacgNyRqCrYZRONwR5eluymrQgsj/ukhYNQ="; - ldflags = [ "-s" "-w" ]; - - # Install completions post-install + # install completions post-install nativeBuildInputs = [ installShellFiles ]; + ldflags = [ + "-s" + "-w" + "-X github.com/sigstore/fulcio/cmd/app.gitVersion=v${version}" + "-X github.com/sigstore/fulcio/cmd/app.gitTreeState=clean" + ]; + + # ldflags based on metadata from git and source + preBuild = '' + ldflags+=" -X github.com/sigstore/fulcio/cmd/app.gitCommit=$(cat COMMIT)" + ldflags+=" -X github.com/sigstore/fulcio/cmd/app.buildDate=$(cat SOURCE_DATE_EPOCH)" + ''; + + preCheck = '' + # remove test that requires networking + rm pkg/config/config_test.go + ''; + postInstall = '' - mv $out/bin/fulcio $out/bin/fulcio-server - installShellCompletion --cmd fulcio-server \ - --bash <($out/bin/fulcio-server completion bash) \ - --fish <($out/bin/fulcio-server completion fish) \ - --zsh <($out/bin/fulcio-server completion zsh) + installShellCompletion --cmd fulcio \ + --bash <($out/bin/fulcio completion bash) \ + --fish <($out/bin/fulcio completion fish) \ + --zsh <($out/bin/fulcio completion zsh) ''; doInstallCheck = true; installCheckPhase = '' runHook preInstallCheck - $out/bin/fulcio-server --help + + $out/bin/fulcio --help + $out/bin/fulcio version | grep "v${version}" + runHook postInstallCheck ''; diff --git a/pkgs/tools/security/grype/default.nix b/pkgs/tools/security/grype/default.nix index a6ed2168670..1b80d7ecd88 100644 --- a/pkgs/tools/security/grype/default.nix +++ b/pkgs/tools/security/grype/default.nix @@ -6,23 +6,21 @@ buildGoModule rec { pname = "grype"; - version = "0.34.2"; + version = "0.34.3"; src = fetchFromGitHub { owner = "anchore"; repo = pname; rev = "v${version}"; - sha256 = "sha256-tMkMGM45/LcFllEgQ3UTl6FsLJmdsU8SLcLH/8+zMA4="; + sha256 = "sha256-iWmLfQ08+dhjvKQiK2iy2Tegk4jH9dGopu/6kdDRZd0="; # populate values that require us to use git. By doing this in postFetch we # can delete .git afterwards and maintain better reproducibility of the src. leaveDotGit = true; postFetch = '' cd "$out" - commit="$(git rev-parse HEAD)" - source_date_epoch=$(git log --date=format:'%Y-%m-%dT%H:%M:%SZ' -1 --pretty=%ad) - substituteInPlace "$out/internal/version/build.go" \ - --replace 'gitCommit = valueNotProvided' "gitCommit = \"$commit\"" \ - --replace 'buildDate = valueNotProvided' "buildDate = \"$source_date_epoch\"" + git rev-parse HEAD > $out/COMMIT + # 0000-00-00T00:00:00Z + date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%m-%dT%H:%M:%SZ" > $out/SOURCE_DATE_EPOCH find "$out" -name .git -print0 | xargs -0 rm -rf ''; }; @@ -37,14 +35,17 @@ buildGoModule rec { "-s" "-w" "-X github.com/anchore/grype/internal/version.version=${version}" + "-X github.com/anchore/grype/internal/version.gitDescription=v${version}" "-X github.com/anchore/grype/internal/version.gitTreeState=clean" ]; preBuild = '' # grype version also displays the version of the syft library used # we need to grab it from the go.sum and add an ldflag for it - SYFTVERSION="$(grep "github.com/anchore/syft" go.sum -m 1 | awk '{print $2}')" - ldflags+=" -X github.com/anchore/grype/internal/version.syftVersion=$SYFTVERSION" + SYFT_VERSION="$(grep "github.com/anchore/syft" go.sum -m 1 | awk '{print $2}')" + ldflags+=" -X github.com/anchore/grype/internal/version.syftVersion=$SYFT_VERSION" + ldflags+=" -X github.com/anchore/grype/internal/version.gitCommit=$(cat COMMIT)" + ldflags+=" -X github.com/anchore/grype/internal/version.buildDate=$(cat SOURCE_DATE_EPOCH)" ''; # Tests require a running Docker instance diff --git a/pkgs/tools/security/spire/default.nix b/pkgs/tools/security/spire/default.nix index 5f06abeda1b..9b9e9e93488 100644 --- a/pkgs/tools/security/spire/default.nix +++ b/pkgs/tools/security/spire/default.nix @@ -2,7 +2,7 @@ buildGoModule rec { pname = "spire"; - version = "1.2.0"; + version = "1.2.1"; outputs = [ "out" "agent" "server" ]; @@ -10,10 +10,10 @@ buildGoModule rec { owner = "spiffe"; repo = pname; rev = "v${version}"; - sha256 = "01ph9jzh18bnidrsbnnxm3gxh0cgfllnjvf7a5haqz51lm6a9pny"; + sha256 = "sha256-LK73RGSTwGhCXOglsqK8RAAldovRzliE78vi2ilTSrw="; }; - vendorSha256 = "1fd1k5by4wcjmzfgi3gnrwnb38b0wa3w67kzjlx8s0nwapyfgx0b"; + vendorSha256 = "sha256-am8ZTUX8Vph1Eg013NObMiSVeupS2hlHdpZ/1mO27dY="; subPackages = [ "cmd/spire-agent" "cmd/spire-server" ]; @@ -30,6 +30,7 @@ buildGoModule rec { meta = with lib; { description = "The SPIFFE Runtime Environment"; homepage = "https://github.com/spiffe/spire"; + changelog = "https://github.com/spiffe/spire/releases/tag/v${version}"; license = licenses.asl20; maintainers = with maintainers; [ jonringer fkautz ]; }; diff --git a/pkgs/tools/security/volatility3/default.nix b/pkgs/tools/security/volatility3/default.nix index 393ac90d316..e019d96129f 100644 --- a/pkgs/tools/security/volatility3/default.nix +++ b/pkgs/tools/security/volatility3/default.nix @@ -5,15 +5,13 @@ python3.pkgs.buildPythonApplication rec { pname = "volatility3"; - version = "2.0.0"; - - disabled = python3.pythonOlder "3.6"; + version = "2.0.1"; src = fetchFromGitHub { owner = "volatilityfoundation"; repo = pname; rev = "v${version}"; - sha256 = "141n09cdc17pfdhs01aw8l4cvsqpcz8ji5l4gi7r88cyf4ix2lnz"; + hash = "sha256-rEqp+V5r4Sk4D+r2ukR1uy4IDj9XQGhYwoYSPeMyKpA="; }; propagatedBuildInputs = with python3.pkgs; [ @@ -31,7 +29,9 @@ python3.pkgs.buildPythonApplication rec { # Project has no tests doCheck = false; - pythonImportsCheck = [ "volatility3" ]; + pythonImportsCheck = [ + "volatility3" + ]; meta = with lib; { description = "Volatile memory extraction frameworks"; |