semgrep{,-core}: init at 0.103.0
06kellyjac
3 years ago
6fcf2f68
3567e122
+161
4 changed files
+55
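--- /dev/null
+++ b/pkgs/tools/security/semgrep/common.nix
@@ -0,0 +1,55 @@
+{ lib, fetchFromGitHub, fetchzip }:
+
+rec {
+version = "0.103.0";
+
+src = fetchFromGitHub {
+owner = "returntocorp";
+repo = "semgrep";
+rev = "v${version}";
+sha256 = "sha256-vk6GBgLsXRLAVu60xW4WWWhhi4b1WLceTxh/TeISIUg=";
+};
+
+# submodule dependencies
+# these are fetched so we:
+# 1. don't fetch the many submodules we don't need
+# 2. avoid fetchSubmodules since it's prone to impurities
+langsSrc = fetchFromGitHub {
+owner = "returntocorp";
+repo = "semgrep-langs";
+rev = "78e518dad1ce2a7c76854c944245434bd8426439";
+sha256 = "sha256-t9F/OzzT6FI9G4Fxz0lUjz6TVrJlenusQNJnFpiKaQs=";
+};
+
+interfacesSrc = fetchFromGitHub {
+owner = "returntocorp";
+repo = "semgrep-interfaces";
+rev = "a64a45034ea428ecbe9da6bd849a4f1cfd23cdd2";
+sha256 = "sha256-eatuyA5xyfZVHCmHvZIzQK2c5eEWUEZd9LumJQtk8+s=";
+};
+
+# fetch pre-built semgrep-core since the ocaml build is complex and relies on
+# the opam package manager at some point
+coreRelease = fetchzip {
+url = "https://github.com/returntocorp/semgrep/releases/download/v${version}/semgrep-v${version}-ubuntu-16.04.tgz";
+sha256 = "sha256-L3NbiVYmgJim7H4W1cr75WOItSiHT1YIkUEefuaCYlY=";
+};
+
+meta = with lib; {
+homepage = "https://semgrep.dev/";
+downloadPage = "https://github.com/returntocorp/semgrep/";
+changelog = "https://github.com/returntocorp/semgrep/blob/v${version}/CHANGELOG.md";
+description = "Lightweight static analysis for many languages";
+longDescription = ''
+Semgrep is a fast, open-source, static analysis tool for finding bugs and
+enforcing code standards at editor, commit, and CI time. Semgrep analyzes
+code locally on your computer or in your build environment: code is never
+uploaded. Its rules look like the code you already write; no abstract
+syntax trees, regex wrestling, or painful DSLs.
+'';
+license = licenses.lgpl21Plus;
+maintainers = with maintainers; [ jk ambroisie ];
+# limited by semgrep-core
+platforms = [ "x86_64-linux" ];
+};
+}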
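Review bot: The `langsSrc` and `interfacesSrc` revs (new-file lines 20 and 27) are pinned independently of `version`, so a later bump of `version` and the `src` hash will still evaluate and build against the old semgrep-langs and semgrep-interfaces commits with no error, whereas `coreRelease` at least fails on a hash mismatch because its URL embeds `${version}`. A comment on the submodule block should make that coupling explicit, e.g. `# keep these revs in sync with the submodule commits referenced by the v${version} tag; bump them together with version`. On `coreRelease` it is also worth stating that the sha256 is the only integrity check applied to the prebuilt tarball and that the binary is not built from the `src` fetched above, so reviewing the upstream release is the only provenance check available to an updater.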
+81
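--- /dev/null
+++ b/pkgs/tools/security/semgrep/default.nix
@@ -0,0 +1,81 @@
+{ lib
+, fetchFromGitHub
+, callPackage
+, semgrep-core
+, buildPythonApplication
+, pythonPackages
+
+, pytestCheckHook
+, git
+}:
+
+let
+common = callPackage ./common.nix { };
+in
+buildPythonApplication rec {
+pname = "semgrep";
+inherit (common) version;
+src = "${common.src}/cli";
+
+SEMGREP_CORE_BIN = "${semgrep-core}/bin/semgrep-core";
+
+postPatch = ''
+substituteInPlace setup.py \
+--replace "typing-extensions~=4.2" "typing-extensions" \
+--replace "jsonschema~=3.2" "jsonschema" \
+--replace "boltons~=21.0" "boltons"
+
+# remove git submodule placeholders
+rm -r ./src/semgrep/{lang,semgrep_interfaces}
+# link submodule dependencies
+ln -s ${common.langsSrc}/ ./src/semgrep/lang
+ln -s ${common.interfacesSrc}/ ./src/semgrep/semgrep_interfaces
+'';
+
+doCheck = true;
+checkInputs = [ git pytestCheckHook ] ++ (with pythonPackages; [
+pytest-snapshot
+pytest-mock
+pytest-freezegun
+types-freezegun
+]);
+disabledTests = [
+# requires networking
+"tests/unit/test_metric_manager.py"
+];
+preCheck = ''
+# tests need a home directory
+export HOME="$(mktemp -d)"
+
+# disabledTestPaths doesn't manage to avoid the e2e tests
+# remove them from pyproject.toml
+# and remove need for pytest-split
+substituteInPlace pyproject.toml \
+--replace '"tests/e2e",' "" \
+--replace 'addopts = "--splitting-algorithm=least_duration"' ""
+'';
+
+propagatedBuildInputs = with pythonPackages; [
+attrs
+boltons
+colorama
+click
+click-option-group
+glom
+requests
+ruamel-yaml
+tqdm
+packaging
+jsonschema
+wcmatch
+peewee
+defusedxml
+urllib3
+typing-extensions
+python-lsp-jsonrpc
+];
+
+meta = common.meta // {
+description = common.meta.description + " - cli";
+};
+}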
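Review bot: `disabledTests` (new-file line 42) is given a file path, but pytestCheckHook turns `disabledTests` into a pytest `-k` expression matched against test and module names, while paths are what `disabledTestPaths` (which becomes `--ignore`) expects; as written the network-dependent test is most likely still collected, and if the check phase passes anyway the exclusion is doing nothing. The fix is a rename: `disabledTestPaths = [ "tests/unit/test_metric_manager.py" ];`. Separately, `fetchFromGitHub` and `lib` are taken in the argument set but never used in this file, and the `substituteInPlace --replace` calls in postPatch do nothing if a future setup.py changes the pinned spec strings, so the loosened constraints would silently stop applying on the next update.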
+22
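--- /dev/null
+++ b/pkgs/tools/security/semgrep/semgrep-core.nix
@@ -0,0 +1,22 @@
+{ lib, stdenvNoCC, callPackage }:
+
+let
+common = callPackage ./common.nix { };
+in
+stdenvNoCC.mkDerivation rec {
+pname = "semgrep-core";
+inherit (common) version;
+
+src = common.coreRelease;
+
+installPhase = ''
+runHook preInstall
+install -Dm 755 -t $out/bin semgrep-core
+runHook postInstall
+'';
+
+meta = common.meta // {
+description = common.meta.description + " - core binary";
+sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+};
+}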
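Review bot: installPhase (new-file line 14) copies the prebuilt `semgrep-core` into `$out/bin` under `stdenvNoCC` with no `autoPatchelfHook`, so the derivation relies on the release binary being statically linked or otherwise not needing the store's loader; nothing on the page confirms that, and a dynamically linked ELF would install cleanly and only fail at run time. A short comment stating the assumption, e.g. `# the upstream release binary is expected to be statically linked; no autoPatchelf needed`, plus an installCheckPhase that executes the installed binary would turn the assumption into a checked one. The `sourceProvenance = [ binaryNativeCode ]` entry is the right signal for a prebuilt binary; since `common.meta` does not set it, `mainProgram = "semgrep-core";` in the same meta override would also be worth adding.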
+3
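--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10437,6 +10437,9 @@
 
 seexpr = callPackage ../development/compilers/seexpr { };
 
+semgrep = python3.pkgs.callPackage ../tools/security/semgrep { };
+semgrep-core = callPackage ../tools/security/semgrep/semgrep-core.nix { };
+
 setroot = callPackage ../tools/X11/setroot { };
 
 setserial = callPackage ../tools/system/setserial { };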