
nixos/tests/dep-scan: init (#431760)

authored by

Paul Haerle and committed by
GitHub
1ef58671 4d1ce91d

+67
+1
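--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -500,6 +500,7 @@
   etcd-cluster = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./etcd/etcd-cluster.nix;
   etebase-server = runTest ./etebase-server.nix;
   etesync-dav = runTest ./etesync-dav.nix;
+  dep-scan = runTest ./dep-scan.nix;
   evcc = runTest ./evcc.nix;
   fail2ban = runTest ./fail2ban.nix;
   fakeroute = runTest ./fakeroute.nix;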
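Review bot: `dep-scan = runTest ./dep-scan.nix;` is inserted between `etesync-dav` and `evcc`, which breaks the alphabetical order the neighbouring entries follow. It belongs earlier in the attribute set with the other `d` names, outside this hunk; the line itself is fine as written.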
+63
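--- a/nixos/tests/dep-scan.nix
+++ b/nixos/tests/dep-scan.nix
@@ -0,0 +1,63 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  name = "owasp dep-scan test";
+
+  meta.maintainers = with lib; [
+    maintainers.ethancedwards8
+    teams.ngi
+  ];
+
+  nodes.machine = {
+    environment.systemPackages = with pkgs; [
+      dep-scan
+      jq
+    ];
+
+    # code repo to scan for vulnerabilites, could be anything
+    # I just happened to pick the source of the package
+    environment.etc."dep-scan-source".source = pkgs.fetchFromGitHub {
+      owner = "owasp-dep-scan";
+      repo = "dep-scan";
+      tag = "v6.0.0b3";
+      hash = "sha256-GdrFsECcBZ2J47ojM33flqOtrY3avchGpsZk6pt8Aks=";
+    };
+
+    # we need to download the database before the vm starts, otherwise
+    # the program will try to download them at runtime.
+    # https://github.com/owasp-dep-scan/dep-scan/issues/443
+    environment.etc."vdb/data.index.vdb6".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/data.index.vdb6";
+      hash = "sha256-/9RIL6KVwmUmcKteOhWlnzjtZzGUbmRzua5o4Z8Mu9I=";
+    };
+    environment.etc."vdb/data.vdb6".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/data.vdb6";
+      hash = "sha256-6gCftnjal9ZMXV+25fVANdJRuI/CN083OOnc8yA5TTw=";
+    };
+    environment.etc."vdb/vdb.meta".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/vdb.meta";
+      hash = "sha256-i0oI3ODrmm8PF9UGJ9gy9QzQ0SKjLo9DdqYX/kqoHak=";
+    };
+    environment.variables = {
+      VDB_HOME = "/tmp/vdb";
+      # the cache will try to auto refresh if the age is met (requires internet access)
+      VDB_AGE_HOURS = 999999;
+    };
+  };
+
+  testScript =
+    { nodes, ... }:
+    ''
+      start_all()
+
+      # vdb needs to be copied to tmp as it needs to write to dir
+      # and etc is RO
+      machine.succeed('cp -rL /etc/vdb /tmp/vdb')
+      machine.succeed('depscan --src /etc/dep-scan-source --reports-dir /tmp/reports')
+      machine.succeed('jq . /tmp/reports/*.json')
+    '';
+}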
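Review bot: The test only proves that `depscan` exits zero and that the report parses as JSON (new line 61); an empty report, or a run that never consulted the offline database, would still pass, so nothing here shows the pinned VDB at `/tmp/vdb` was actually used. A stronger check that needs no knowledge of the report schema is `machine.succeed("jq -e 'length > 0' /tmp/reports/*.json")`, and the scanner's stdout could be captured from the `depscan` call and checked for whatever message it prints when the local database is loaded — I cannot see that message from the hunk, so confirm it against the tool's log before asserting on it. The Hugging Face snapshot is pinned by commit and hash, which freezes findings at that date; a short comment above the `vdb` entries saying the pin is deliberate for a hermetic, network-free test would stop a later maintainer from "updating" it and breaking the offline assumption. The comment on new line 21 also misspells `vulnerabilities`.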
+3
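--- a/pkgs/by-name/de/dep-scan/package.nix
+++ b/pkgs/by-name/de/dep-scan/package.nix
@@ -5,6 +5,7 @@
   writableTmpDirAsHomeHook,
   makeWrapper,
   cdxgen,
+  nixosTests,
 }:
 
 python3Packages.buildPythonApplication rec {
@@ -68,6 +67,8 @@
     ]
     }"
   ];
+
+  passthru.tests = { inherit (nixosTests) dep-scan; };
 
   meta = {
     description = "Security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies";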