sysdig-cli-scanner: do not use --dbpath arg when --iac is set

+20 -8
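--- a/pkgs/by-name/sy/sysdig-cli-scanner/package.nix
+++ b/pkgs/by-name/sy/sysdig-cli-scanner/package.nix
@@ -2,29 +2,41 @@
 stdenv,
 lib,
 fetchurl,
-makeWrapper,
+writeShellScript,
 }:
 let
 versionMetadata = import ./sysdig-cli-scanner.versions.nix;
 fetchForSystem = versionMetadata.${stdenv.system} or (throw "unsupported system ${stdenv.system}");
+
+wrapper = writeShellScript "sysdig-cli-scanner-wrapper" ''
+for arg in "$@"; do
+# We must not pass --dbpath to the cli in case it has been called with --iac
+# IaC Scanning does not make use of the vulnerability database
+if [ "$arg" = "--iac" ]; then
+exec @out@/libexec/sysdig-cli-scanner-unwrapped "$@"
+fi
+done
+
+# --dbpath argument is needed for vulnerability scanning mode, otherwise it tries to download
+# the vulnerability database in the same path as the binary, which is read-only in the case of the
+# nix store
+exec @out@/libexec/sysdig-cli-scanner-unwrapped \
+--dbpath="$HOME/.cache/sysdig-cli-scanner/" "$@"
+'';
 in
 stdenv.mkDerivation {
 pname = "sysdig-cli-scanner";
 version = versionMetadata.version;
 
 src = fetchurl { inherit (fetchForSystem) url hash; };
-
-nativeBuildInputs = [ makeWrapper ];
-
 dontUnpack = true;
 
 installPhase = ''
 runHook preInstall
 
-install -Dm755 -T $src $out/bin/sysdig-cli-scanner
-
-wrapProgram $out/bin/sysdig-cli-scanner \
---add-flags --dbpath="\$HOME/.cache/sysdig-cli-scanner/"
+install -Dm755 -T $src $out/libexec/sysdig-cli-scanner-unwrapped
+install -Dm755 -T ${wrapper} $out/bin/sysdig-cli-scanner
+substituteInPlace $out/bin/sysdig-cli-scanner --subst-var out
 
 runHook postInstall
 '';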
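Review bot: The `--dbpath="$HOME/.cache/sysdig-cli-scanner/"` line in the new wrapper still expands an unset or empty HOME to `/.cache/sysdig-cli-scanner/`, and since writeShellScript does not, as far as I can tell, enable `set -u`, a service unit or CI runner without HOME gets a silently wrong database directory (and likely a permission error from the unwrapped binary) rather than a clear failure. The removed `--add-flags` line had the same weakness, so it is pre-existing, but a hand-written script is the right place to make it explicit: `--dbpath="''${XDG_CACHE_HOME:-''${HOME:?HOME must be set}/.cache}/sysdig-cli-scanner/" "$@"` (the `''${` escape is required inside the Nix indented string, otherwise Nix tries to interpolate it). The `--iac` detection only matches the bare token, so an `--iac=…` spelling, if the CLI accepts one, would still receive `--dbpath`; worth a comment such as `# only the exact "--iac" token is recognised` next to the test so the limitation is visible. It would also help to note in the wrapper comment that `--dbpath` is placed before `"$@"` so that, presumably, a caller-supplied `--dbpath` later in the argument list takes precedence — confirm against the CLI's option parsing.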