summary refs log tree commit diff
path: root/pkgs/tools/security
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/tools/security')
-rw-r--r--pkgs/tools/security/fulcio/default.nix52
-rw-r--r--pkgs/tools/security/grype/default.nix19
-rw-r--r--pkgs/tools/security/spire/default.nix7
-rw-r--r--pkgs/tools/security/volatility3/default.nix10
4 files changed, 59 insertions, 29 deletions
diff --git a/pkgs/tools/security/fulcio/default.nix b/pkgs/tools/security/fulcio/default.nix
index 96ef86d18d1..300b996524d 100644
--- a/pkgs/tools/security/fulcio/default.nix
+++ b/pkgs/tools/security/fulcio/default.nix
@@ -2,33 +2,61 @@
 
 buildGoModule rec {
   pname = "fulcio";
-  version = "0.1.1";
+  version = "0.2.0";
 
   src = fetchFromGitHub {
     owner = "sigstore";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-MvLQMGPyJYqYUljLqsr+qJeeYnxdH9aNGkWpDRvOeh8=";
+    sha256 = "sha256-tCjFx9Ug8rO8cSxQb2vBG/MHSUJCx17lDeGnSGjZLcI=";
+    # populate values that require us to use git. By doing this in postFetch we
+    # can delete .git afterwards and maintain better reproducibility of the src.
+    leaveDotGit = true;
+    postFetch = ''
+      cd "$out"
+      git rev-parse HEAD > $out/COMMIT
+      # '0000-00-00T00:00:00Z'
+      date -u -d "@$(git log -1 --pretty=%ct)" "+'%Y-%m-%dT%H:%M:%SZ'" > $out/SOURCE_DATE_EPOCH
+      find "$out" -name .git -print0 | xargs -0 rm -rf
+    '';
   };
-  vendorSha256 = "sha256-pRL0et+UOi/tzuQz/Q7UmSA+pVhLJYR8lG8NAbPN9PU=";
+  vendorSha256 = "sha256-CmtsReP0JacgNyRqCrYZRONwR5eluymrQgsj/ukhYNQ=";
 
-  ldflags = [ "-s" "-w" ];
-
-  # Install completions post-install
+  # install completions post-install
   nativeBuildInputs = [ installShellFiles ];
 
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/sigstore/fulcio/cmd/app.gitVersion=v${version}"
+    "-X github.com/sigstore/fulcio/cmd/app.gitTreeState=clean"
+  ];
+
+  # ldflags based on metadata from git and source
+  preBuild = ''
+    ldflags+=" -X github.com/sigstore/fulcio/cmd/app.gitCommit=$(cat COMMIT)"
+    ldflags+=" -X github.com/sigstore/fulcio/cmd/app.buildDate=$(cat SOURCE_DATE_EPOCH)"
+  '';
+
+  preCheck = ''
+    # remove test that requires networking
+    rm pkg/config/config_test.go
+  '';
+
   postInstall = ''
-    mv $out/bin/fulcio $out/bin/fulcio-server
-    installShellCompletion --cmd fulcio-server \
-      --bash <($out/bin/fulcio-server completion bash) \
-      --fish <($out/bin/fulcio-server completion fish) \
-      --zsh <($out/bin/fulcio-server completion zsh)
+    installShellCompletion --cmd fulcio \
+      --bash <($out/bin/fulcio completion bash) \
+      --fish <($out/bin/fulcio completion fish) \
+      --zsh <($out/bin/fulcio completion zsh)
   '';
 
   doInstallCheck = true;
   installCheckPhase = ''
     runHook preInstallCheck
-    $out/bin/fulcio-server --help
+
+    $out/bin/fulcio --help
+    $out/bin/fulcio version | grep "v${version}"
+
     runHook postInstallCheck
   '';
 
diff --git a/pkgs/tools/security/grype/default.nix b/pkgs/tools/security/grype/default.nix
index a6ed2168670..1b80d7ecd88 100644
--- a/pkgs/tools/security/grype/default.nix
+++ b/pkgs/tools/security/grype/default.nix
@@ -6,23 +6,21 @@
 
 buildGoModule rec {
   pname = "grype";
-  version = "0.34.2";
+  version = "0.34.3";
 
   src = fetchFromGitHub {
     owner = "anchore";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-tMkMGM45/LcFllEgQ3UTl6FsLJmdsU8SLcLH/8+zMA4=";
+    sha256 = "sha256-iWmLfQ08+dhjvKQiK2iy2Tegk4jH9dGopu/6kdDRZd0=";
     # populate values that require us to use git. By doing this in postFetch we
     # can delete .git afterwards and maintain better reproducibility of the src.
     leaveDotGit = true;
     postFetch = ''
       cd "$out"
-      commit="$(git rev-parse HEAD)"
-      source_date_epoch=$(git log --date=format:'%Y-%m-%dT%H:%M:%SZ' -1 --pretty=%ad)
-      substituteInPlace "$out/internal/version/build.go" \
-        --replace 'gitCommit = valueNotProvided' "gitCommit = \"$commit\"" \
-        --replace 'buildDate = valueNotProvided' "buildDate = \"$source_date_epoch\""
+      git rev-parse HEAD > $out/COMMIT
+      # 0000-00-00T00:00:00Z
+      date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%m-%dT%H:%M:%SZ" > $out/SOURCE_DATE_EPOCH
       find "$out" -name .git -print0 | xargs -0 rm -rf
     '';
   };
@@ -37,14 +35,17 @@ buildGoModule rec {
     "-s"
     "-w"
     "-X github.com/anchore/grype/internal/version.version=${version}"
+    "-X github.com/anchore/grype/internal/version.gitDescription=v${version}"
     "-X github.com/anchore/grype/internal/version.gitTreeState=clean"
   ];
 
   preBuild = ''
     # grype version also displays the version of the syft library used
     # we need to grab it from the go.sum and add an ldflag for it
-    SYFTVERSION="$(grep "github.com/anchore/syft" go.sum -m 1 | awk '{print $2}')"
-    ldflags+=" -X github.com/anchore/grype/internal/version.syftVersion=$SYFTVERSION"
+    SYFT_VERSION="$(grep "github.com/anchore/syft" go.sum -m 1 | awk '{print $2}')"
+    ldflags+=" -X github.com/anchore/grype/internal/version.syftVersion=$SYFT_VERSION"
+    ldflags+=" -X github.com/anchore/grype/internal/version.gitCommit=$(cat COMMIT)"
+    ldflags+=" -X github.com/anchore/grype/internal/version.buildDate=$(cat SOURCE_DATE_EPOCH)"
   '';
 
   # Tests require a running Docker instance
diff --git a/pkgs/tools/security/spire/default.nix b/pkgs/tools/security/spire/default.nix
index 5f06abeda1b..9b9e9e93488 100644
--- a/pkgs/tools/security/spire/default.nix
+++ b/pkgs/tools/security/spire/default.nix
@@ -2,7 +2,7 @@
 
 buildGoModule rec {
   pname = "spire";
-  version = "1.2.0";
+  version = "1.2.1";
 
   outputs = [ "out" "agent" "server" ];
 
@@ -10,10 +10,10 @@ buildGoModule rec {
     owner = "spiffe";
     repo = pname;
     rev = "v${version}";
-    sha256 = "01ph9jzh18bnidrsbnnxm3gxh0cgfllnjvf7a5haqz51lm6a9pny";
+    sha256 = "sha256-LK73RGSTwGhCXOglsqK8RAAldovRzliE78vi2ilTSrw=";
   };
 
-  vendorSha256 = "1fd1k5by4wcjmzfgi3gnrwnb38b0wa3w67kzjlx8s0nwapyfgx0b";
+  vendorSha256 = "sha256-am8ZTUX8Vph1Eg013NObMiSVeupS2hlHdpZ/1mO27dY=";
 
   subPackages = [ "cmd/spire-agent" "cmd/spire-server" ];
 
@@ -30,6 +30,7 @@ buildGoModule rec {
   meta = with lib; {
     description = "The SPIFFE Runtime Environment";
     homepage = "https://github.com/spiffe/spire";
+    changelog = "https://github.com/spiffe/spire/releases/tag/v${version}";
     license = licenses.asl20;
     maintainers = with maintainers; [ jonringer fkautz ];
   };
diff --git a/pkgs/tools/security/volatility3/default.nix b/pkgs/tools/security/volatility3/default.nix
index 393ac90d316..e019d96129f 100644
--- a/pkgs/tools/security/volatility3/default.nix
+++ b/pkgs/tools/security/volatility3/default.nix
@@ -5,15 +5,13 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "volatility3";
-  version = "2.0.0";
-
-  disabled = python3.pythonOlder "3.6";
+  version = "2.0.1";
 
   src = fetchFromGitHub {
     owner = "volatilityfoundation";
     repo = pname;
     rev = "v${version}";
-    sha256 = "141n09cdc17pfdhs01aw8l4cvsqpcz8ji5l4gi7r88cyf4ix2lnz";
+    hash = "sha256-rEqp+V5r4Sk4D+r2ukR1uy4IDj9XQGhYwoYSPeMyKpA=";
   };
 
   propagatedBuildInputs = with python3.pkgs; [
@@ -31,7 +29,9 @@ python3.pkgs.buildPythonApplication rec {
   # Project has no tests
   doCheck = false;
 
-  pythonImportsCheck = [ "volatility3" ];
+  pythonImportsCheck = [
+    "volatility3"
+  ];
 
   meta = with lib; {
     description = "Volatile memory extraction frameworks";
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-10 21:06:10 +0000