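{
  lib,
  pkgs,
  ...
}:

let
  # Pinned commit of the AppThreat/vdb dataset. All three database files
  # below are fetched from this one revision so index, data and metadata
  # cannot drift apart when one of them is bumped.
  vdbRev = "72377024f9742c6e700a113fc7059b18f738081c";

  # Fetch a single file of the pre-built vulnerability database at the
  # pinned revision. The SRI hash pins the exact bytes, so the test input
  # is reproducible and never depends on the live dataset.
  fetchVdbFile =
    file: hash:
    pkgs.fetchurl {
      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/${vdbRev}/app-2y/${file}";
      inherit hash;
    };
in
{
  name = "owasp dep-scan test";

  meta.maintainers = with lib; [
    maintainers.ethancedwards8
    teams.ngi
  ];

  nodes.machine = {
    environment.systemPackages = with pkgs; [
      dep-scan
      jq
    ];

    # code repo to scan for vulnerabilities, could be anything
    # I just happened to pick the source of the package
    environment.etc."dep-scan-source".source = pkgs.fetchFromGitHub {
      owner = "owasp-dep-scan";
      repo = "dep-scan";
      tag = "v6.0.0b3";
      hash = "sha256-GdrFsECcBZ2J47ojM33flqOtrY3avchGpsZk6pt8Aks=";
    };

    # we need to download the database before the vm starts, otherwise
    # the program will try to download them at runtime.
    # https://github.com/owasp-dep-scan/dep-scan/issues/443
    environment.etc."vdb/data.index.vdb6".source =
      fetchVdbFile "data.index.vdb6" "sha256-/9RIL6KVwmUmcKteOhWlnzjtZzGUbmRzua5o4Z8Mu9I=";
    environment.etc."vdb/data.vdb6".source =
      fetchVdbFile "data.vdb6" "sha256-6gCftnjal9ZMXV+25fVANdJRuI/CN083OOnc8yA5TTw=";
    environment.etc."vdb/vdb.meta".source =
      fetchVdbFile "vdb.meta" "sha256-i0oI3ODrmm8PF9UGJ9gy9QzQ0SKjLo9DdqYX/kqoHak=";

    environment.variables = {
      VDB_HOME = "/tmp/vdb";
      # the cache will try to auto refresh if the age is met (requires
      # internet access); a very large age keeps the test offline.
      VDB_AGE_HOURS = 999999;
    };
  };

  testScript =
    { nodes, ... }:
    ''
      start_all()

      # vdb needs to be copied to tmp as it needs to write to dir
      # and etc is RO
      machine.succeed('cp -rL /etc/vdb /tmp/vdb')
      machine.succeed('depscan --src /etc/dep-scan-source --reports-dir /tmp/reports')
      # parsing every report with jq fails the test if no report was
      # written or if one is not valid JSON
      machine.succeed('jq . /tmp/reports/*.json')
    '';
}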