nixpkgs/pkgs/tools/security/grype/default.nix
Guillaume Girol 33afbf39f6 treewide: switch to nativeCheckInputs
checkInputs used to be added to nativeBuildInputs. Now we have
nativeCheckInputs to do that instead. Doing this treewide change allows
us to keep hashes identical to those before the introduction of
nativeCheckInputs.
2023-01-21 12:00:00 +00:00


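{ lib
, buildGoModule
, fetchFromGitHub
, installShellFiles
, openssl
}:

# grype: vulnerability scanner for container images and filesystems.
#
# The package embeds the same version metadata as upstream release builds
# (tag, git commit, build date, syft library version) through -X ldflags, so
# `grype version` reports meaningful values. Commit and date come from git,
# which is only available in the fetcher, hence the COMMIT / SOURCE_DATE_EPOCH
# files written in src.postFetch and read back in preBuild.
buildGoModule rec {
  pname = "grype";
  version = "0.55.0";

  src = fetchFromGitHub {
    owner = "anchore";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-Y72h1YCf42RinGw2mKZb8Bz8ip+LUW377xwJht67Q1s=";
    # populate values that require us to use git. By doing this in postFetch we
    # can delete .git afterwards and maintain better reproducibility of the src.
    # The two files produced here (COMMIT, SOURCE_DATE_EPOCH) are consumed by
    # preBuild below; note that SOURCE_DATE_EPOCH holds an ISO-8601 timestamp
    # (see the date format string), not epoch seconds as the name suggests.
    leaveDotGit = true;
    postFetch = ''
      cd "$out"
      git rev-parse HEAD > $out/COMMIT
      # 0000-00-00T00:00:00Z
      date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%m-%dT%H:%M:%SZ" > $out/SOURCE_DATE_EPOCH
      find "$out" -name .git -print0 | xargs -0 rm -rf
    '';
  };

  # Vendor through a module proxy so the vendorHash covers the resolved modules.
  proxyVendor = true;
  vendorHash = "sha256-xzBOZyzwxVFTFgtmu7DLBpdkV9bwzJ9RETkdyV2HtQo=";

  nativeBuildInputs = [
    installShellFiles
  ];

  # Only the top-level command is built; the integration test module is
  # excluded from the build and from `go test` (see preCheck).
  subPackages = [ "." ];
  excludedPackages = "test/integration";

  ldflags = [
    "-s"
    "-w"
    "-X github.com/anchore/grype/internal/version.version=${version}"
    "-X github.com/anchore/grype/internal/version.gitDescription=v${version}"
    "-X github.com/anchore/grype/internal/version.gitTreeState=clean"
  ];

  # Extend ldflags at build time with values that are not known at Nix
  # evaluation time: the syft version from go.sum and the commit / date files
  # written by src.postFetch.
  preBuild = ''
    # grype version also displays the version of the syft library used
    # we need to grab it from the go.sum and add an ldflag for it.
    # The pattern is anchored to the exact module path (leading ^, trailing
    # space) so another module whose path merely contains the substring
    # cannot be picked up as the first match.
    SYFT_VERSION="$(grep -m 1 '^github.com/anchore/syft ' go.sum | awk '{print $2}')"
    ldflags+=" -X github.com/anchore/grype/internal/version.syftVersion=$SYFT_VERSION"
    ldflags+=" -X github.com/anchore/grype/internal/version.gitCommit=$(cat COMMIT)"
    ldflags+=" -X github.com/anchore/grype/internal/version.buildDate=$(cat SOURCE_DATE_EPOCH)"
  '';

  # openssl is needed by the TLS test fixture script patched in preCheck.
  nativeCheckInputs = [ openssl ];

  # Tests that need docker or git are disabled by renaming their functions
  # from Test* to Skip*, so `go test` no longer discovers them; the test
  # sources are otherwise left intact.
  preCheck = ''
    # test all dirs (except excluded)
    unset subPackages
    # test goldenfiles expect no version
    unset ldflags
    # patch utility script
    patchShebangs grype/db/test-fixtures/tls/generate-x509-cert-pair.sh
    # remove tests that depend on docker
    substituteInPlace test/cli/cmd_test.go \
      --replace "TestCmd" "SkipCmd"
    substituteInPlace grype/pkg/provider_test.go \
      --replace "TestSyftLocationExcludes" "SkipSyftLocationExcludes"
    # remove tests that depend on git
    substituteInPlace test/cli/db_validations_test.go \
      --replace "TestDBValidations" "SkipDBValidations"
    substituteInPlace test/cli/registry_auth_test.go \
      --replace "TestRegistryAuth" "SkipRegistryAuth"
    substituteInPlace test/cli/sbom_input_test.go \
      --replace "TestSBOMInput_FromStdin" "SkipSBOMInput_FromStdin" \
      --replace "TestSBOMInput_AsArgument" "SkipSBOMInput_AsArgument" \
      --replace "TestAttestationInput_AsArgument" "SkipAttestationInput_AsArgument"
    substituteInPlace test/cli/subprocess_test.go \
      --replace "TestSubprocessStdin" "SkipSubprocessStdin"
    # segfault
    rm grype/db/v5/namespace/cpe/namespace_test.go
  '';

  # Shell completions are generated by the freshly built binary itself.
  postInstall = ''
    installShellCompletion --cmd grype \
      --bash <($out/bin/grype completion bash) \
      --fish <($out/bin/grype completion fish) \
      --zsh <($out/bin/grype completion zsh)
  '';

  meta = with lib; {
    homepage = "https://github.com/anchore/grype";
    changelog = "https://github.com/anchore/grype/releases/tag/v${version}";
    description = "Vulnerability scanner for container images and filesystems";
    longDescription = ''
      As a vulnerability scanner grype is able to scan the contents of a
      container image or filesystem to find known vulnerabilities.
    '';
    license = with licenses; [ asl20 ];
    maintainers = with maintainers; [ fab jk ];
  };
}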