Merge pull request #142264 from fabaff/fix-checkov

checkov: 1.0.674 -> 2.0.496
Fabian Affolter 2021-10-21 09:05:31 +02:00 committed by GitHub
commit 5801e0c5f7
4 changed files with 189 additions and 68 deletions


@ -1,13 +1,17 @@
{ lib, buildPythonPackage, fetchPypi, nose }:
{ lib
, buildPythonPackage
, fetchPypi
, nose
}:
let
lark-parser = buildPythonPackage rec {
pname = "lark-parser";
version = "0.7.8";
version = "0.10.1";
src = fetchPypi {
inherit pname version;
sha256 = "JiFeuxV+b7LudDGapERbnzt+RW4mviFc4Z/aqpAcIKQ=";
sha256 = "15jr4c1falvgkq664xdgamykk6waklh1psy8v3wlrg0v59hngws2";
};
doCheck = true;
@ -15,11 +19,11 @@ let
in
buildPythonPackage rec {
pname = "bc-python-hcl2";
version = "0.3.11";
version = "0.3.24";
src = fetchPypi {
inherit pname version;
sha256 = "VZhI1oJ2EDZGyz3iI6/KYvJq4BGafzR+rcSgHqlUDrA=";
sha256 = "sha256-YsiMkTPRSKR4511csJOv9/Jf1b3TVUM7N2lInejdNrQ=";
};
# Nose is required during build process, so can not use `checkInputs`.
@ -31,19 +35,23 @@ buildPythonPackage rec {
lark-parser
];
pythonImportsCheck = [ "hcl2" ];
# This fork of python-hcl2 doesn't ship tests
doCheck = false;
pythonImportsCheck = [
"hcl2"
];
meta = with lib; {
description = "A parser for HCL2 written in Python using Lark";
description = "Parser for HCL2 written in Python using Lark";
longDescription = ''
A parser for HCL2 written in Python using Lark.
This parser only supports HCL2 and isn't backwards compatible with HCL v1.
It can be used to parse any HCL2 config file such as Terraform.
This parser only supports HCL2 and isn't backwards compatible with HCL v1.
It can be used to parse any HCL2 config file such as Terraform.
'';
# Although this is the main homepage from PyPi but it is also a homepage
# of another PyPi package (python-hcl2). But these two are different.
homepage = "https://github.com/amplify-education/python-hcl2";
license = licenses.mit;
maintainers = [ maintainers.anhdle14 ];
maintainers = with maintainers; [ anhdle14 ];
};
}
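Review bot: The private `lark-parser` override in the `let` block (bumped to 0.10.1 here) carries no comment saying why bc-python-hcl2 cannot use the regular nixpkgs lark-parser package, so the next updater has no way to tell whether the copy can be dropped. Presumably upstream pins a specific lark-parser version; a comment on the binding such as `# private lark-parser copy: bc-python-hcl2 requires this exact version — confirm against upstream setup.py` would record that. A separately pinned copy does not receive fixes applied to the shared package, so the pin deserves a look on every bump. With the new `doCheck = false` at the outer level, `pythonImportsCheck` is now the only verification of this package, while the inner override keeps `doCheck = true`; that asymmetry is worth a word in the same comment.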


@ -0,0 +1,62 @@
{ lib
, buildPythonPackage
, fetchFromGitHub
, importlib-metadata
, packageurl-python
, poetry-core
, pytestCheckHook
, pythonOlder
, requirements-parser
, setuptools
, toml
, tox
}:
buildPythonPackage rec {
pname = "cyclonedx-python-lib";
version = "0.9.1";
format = "pyproject";
disabled = pythonOlder "3.6";
src = fetchFromGitHub {
owner = "CycloneDX";
repo = pname;
rev = "v${version}";
sha256 = "1jzklbypn927xslag2x56mb5cplvhqjcgj43hvww6qxcfr57ywam";
};
nativeBuildInputs = [
poetry-core
];
propagatedBuildInputs = [
importlib-metadata
packageurl-python
requirements-parser
setuptools
toml
];
checkInputs = [
pytestCheckHook
tox
];
postPatch = ''
substituteInPlace pyproject.toml \
--replace 'setuptools = "^50.3.2"' 'setuptools = "*"' \
--replace 'importlib-metadata = "^4.8.1"' 'importlib-metadata = "*"'
'';
pythonImportsCheck = [
"cyclonedx"
];
meta = with lib; {
description = "Python library for generating CycloneDX SBOMs";
homepage = "https://github.com/CycloneDX/cyclonedx-python-lib";
license = with licenses; [ asl20 ];
maintainers = with maintainers; [ fab ];
};
}
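Review bot: The `postPatch` that rewrites `setuptools = "^50.3.2"` and `importlib-metadata = "^4.8.1"` to `"*"` drops upstream's version constraints without saying why; a comment such as `# Relax upstream's caret pins so the build accepts the setuptools/importlib-metadata shipped by nixpkgs` would keep the intent clear. As far as I recall `substituteInPlace` at this nixpkgs revision does not fail when a `--replace` pattern no longer matches, so once upstream changes the pins the substitution will silently stop applying and the build will fail for a less obvious reason — worth noting in that comment. `tox` in `checkInputs` appears unused since `pytestCheckHook` drives the tests directly, and dropping it would shrink the check-time closure. The `src` hash is written in base32 while the checkov expression in the same commit uses the SRI `sha256-…` form; using one form consistently is a style point.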


@ -1,75 +1,124 @@
{ pkgs, lib, python3, fetchFromGitHub }:
{ lib
, fetchFromGitHub
, python3
}:
let
py = python3.override {
packageOverrides = self: super: {
boto3 = super.boto3.overridePythonAttrs (oldAttrs: rec {
version = "1.17.112";
src = oldAttrs.src.override {
inherit version;
sha256 = "1byqrffbgpp1mq62gnn3w3hnm54dfar0cwgvmkl7mrgbwz5xmdh8";
};
});
botocore = super.botocore.overridePythonAttrs (oldAttrs: rec {
version = "1.20.112";
src = oldAttrs.src.override {
inherit version;
sha256 = "1ksdjh3mwbzgqgfj58vyrhann23b9gqam8id2svmpdmmdq5vgffh";
};
});
s3transfer = super.s3transfer.overridePythonAttrs (oldAttrs: rec {
version = "0.4.2";
src = oldAttrs.src.override {
inherit version;
sha256 = "1cp169vz9rvng7dwbn33fgdbl3b014zpsdqsnfxxw7jm2r5jy0nb";
};
});
dpath = super.dpath.overridePythonAttrs (oldAttrs: rec {
version = "1.5.0";
src = oldAttrs.src.override {
inherit version;
sha256 = "06rn91n2izw7czncgql71w7acsa8wwni51njw0c6s8w4xas1arj9";
};
doCheck = false;
});
};
};
in
with py.pkgs;
buildPythonApplication rec {
pname = "checkov";
version = "1.0.674";
version = "2.0.496";
disabled = python3.pythonOlder "3.7";
src = fetchFromGitHub {
owner = "bridgecrewio";
repo = pname;
rev = version;
sha256 = "/S8ic5ZVxA2vd/rjRPX5gslbmnULL7BSx34vgWIsheQ=";
sha256 = "sha256-JDKM706z8e+e+LhZ/3bMcVkYGW+gOF2iOUYLQASlXbc=";
};
disabled = pkgs.python3Packages.pythonOlder "3.7";
# CheckOV only work with `dpath 1.5.0`
dpath = pkgs.python3Packages.buildPythonPackage rec {
pname = "dpath";
version = "1.5.0";
src = pkgs.python3Packages.fetchPypi {
inherit pname version;
sha256 = "SWYVtOqEI20Y4NKGEi3nSGmmDg+H4sfsZ4f/KGxINhs=";
};
doCheck = false;
};
in
python3.pkgs.buildPythonPackage rec {
inherit pname version disabled src;
nativeBuildInputs = with python3.pkgs; [ setuptools-scm ];
propagatedBuildInputs = with python3.pkgs; [
pytest
coverage
bandit
bc-python-hcl2
deep_merge
tabulate
colorama
termcolor
junit-xml
dpath
pyyaml
boto3
GitPython
six
jmespath
tqdm
update_checker
semantic-version
packaging
nativeBuildInputs = with py.pkgs; [
setuptools-scm
];
# Both of these tests are pulling from external srouces (https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml)
preCheck = ''
rm -rf integration_tests/*
rm -rf tests/terraform/*
'';
propagatedBuildInputs = with py.pkgs; [
bc-python-hcl2
boto3
cachetools
cloudsplaining
colorama
configargparse
cyclonedx-python-lib
deep_merge
detect-secrets
docker
dockerfile-parse
dpath
GitPython
jmespath
junit-xml
networkx
packaging
policyuniverse
pyyaml
semantic-version
tabulate
termcolor
tqdm
typing-extensions
update_checker
];
# Wrap the executable so that the python packages are available
# it's just a shebang script which calls `python -m checkov "$@"`
postFixup = ''
wrapProgram $out/bin/checkov \
--set PYTHONPATH $PYTHONPATH
'';
checkInputs = with py.pkgs; [
jsonschema
pytest-xdist
pytestCheckHook
];
disabledTests = [
# No API key available
"api_key"
# Requires network access
"TestSarifReport"
];
disabledTestPaths = [
# Tests are pulling from external sources
# https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml
"integration_tests/"
"tests/terraform/"
];
pythonImportsCheck = [
"checkov"
];
meta = with lib; {
homepage = "https://github.com/bridgecrewio/checkov";
description = "Static code analysis tool for infrastructure-as-code";
homepage = "https://github.com/bridgecrewio/checkov";
longDescription = ''
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
Kubernetes, Serverless framework and other infrastructure-as-code-languages.
'';
license = licenses.asl20;
maintainers = with maintainers; [ anhdle14 ];
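Review bot: The new `packageOverrides` block pins boto3 1.17.112, botocore 1.20.112, s3transfer 0.4.2 and dpath 1.5.0 without any comment, whereas the old side at least carried `# CheckOV only work with dpath 1.5.0`; the rationale should be restored on each override, e.g. `# checkov pins these AWS SDK versions upstream — confirm against setup.py and revisit on each bump`, because privately pinned copies of boto3/botocore do not receive the fixes applied to the shared nixpkgs packages and the four pins now have to be re-justified at every update. The `postFixup` that runs `wrapProgram` with `--set PYTHONPATH $PYTHONPATH` looks redundant with the wrapping `buildPythonApplication` already performs and bakes the build-time `PYTHONPATH` (which includes the `checkInputs`) into the runtime wrapper — it may predate this change, but please confirm it is still needed after the move to `py.pkgs`. The `meta` block, and with it the closing of the expression, continues past the end of the shown hunk.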


@ -1822,6 +1822,8 @@ in {
cycler = callPackage ../development/python-modules/cycler { };
cyclonedx-python-lib = callPackage ../development/python-modules/cyclonedx-python-lib { };
cymem = callPackage ../development/python-modules/cymem { };
cypari2 = callPackage ../development/python-modules/cypari2 { };