pyrox.dev / nixpkgs
lol
fork atom

nixos/tests/dep-scan: init

Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com>

Ethan Carter Edwards 5781a1e2 ed3d5795

options
unified split
Changed files
+67
nixos
tests
all-tests.nix
dep-scan.nix
pkgs
by-name
de
dep-scan
package.nix
+1
nixos/tests/all-tests.nix 
···

       
499

       
499

       
 

       
  etcd-cluster = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./etcd/etcd-cluster.nix;


     

       
500

       
500

       
 

       
  etebase-server = runTest ./etebase-server.nix;


     

       
501

       
501

       
 

       
  etesync-dav = runTest ./etesync-dav.nix;


     

       

       
502

       
+

       
  dep-scan = runTest ./dep-scan.nix;


     

       
502

       
503

       
 

       
  evcc = runTest ./evcc.nix;


     

       
503

       
504

       
 

       
  fail2ban = runTest ./fail2ban.nix;


     

       
504

       
505

       
 

       
  fakeroute = runTest ./fakeroute.nix;
+63
nixos/tests/dep-scan.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  lib,


     

       

       
3

       
+

       
  pkgs,


     

       

       
4

       
+

       
  ...


     

       

       
5

       
+

       
}:


     

       

       
6

       
+

       



     

       

       
7

       
+

       
{


     

       

       
8

       
+

       
  name = "owasp dep-scan test";


     

       

       
9

       
+

       



     

       

       
10

       
+

       
  meta.maintainers = with lib; [


     

       

       
11

       
+

       
    maintainers.ethancedwards8


     

       

       
12

       
+

       
    teams.ngi


     

       

       
13

       
+

       
  ];


     

       

       
14

       
+

       



     

       

       
15

       
+

       
  nodes.machine = {


     

       

       
16

       
+

       
    environment.systemPackages = with pkgs; [


     

       

       
17

       
+

       
      dep-scan


     

       

       
18

       
+

       
      jq


     

       

       
19

       
+

       
    ];


     

       

       
20

       
+

       



     

       

       
21

       
+

       
    # code repo to scan for vulnerabilites, could be anything


     

       

       
22

       
+

       
    # I just happened to pick the source of the package


     

       

       
23

       
+

       
    environment.etc."dep-scan-source".source = pkgs.fetchFromGitHub {


     

       

       
24

       
+

       
      owner = "owasp-dep-scan";


     

       

       
25

       
+

       
      repo = "dep-scan";


     

       

       
26

       
+

       
      tag = "v6.0.0b3";


     

       

       
27

       
+

       
      hash = "sha256-GdrFsECcBZ2J47ojM33flqOtrY3avchGpsZk6pt8Aks=";


     

       

       
28

       
+

       
    };


     

       

       
29

       
+

       



     

       

       
30

       
+

       
    # we need to download the database before the vm starts, otherwise


     

       

       
31

       
+

       
    # the program will try to download them at runtime.


     

       

       
32

       
+

       
    # https://github.com/owasp-dep-scan/dep-scan/issues/443


     

       

       
33

       
+

       
    environment.etc."vdb/data.index.vdb6".source = pkgs.fetchurl {


     

       

       
34

       
+

       
      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/data.index.vdb6";


     

       

       
35

       
+

       
      hash = "sha256-/9RIL6KVwmUmcKteOhWlnzjtZzGUbmRzua5o4Z8Mu9I=";


     

       

       
36

       
+

       
    };


     

       

       
37

       
+

       
    environment.etc."vdb/data.vdb6".source = pkgs.fetchurl {


     

       

       
38

       
+

       
      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/data.vdb6";


     

       

       
39

       
+

       
      hash = "sha256-6gCftnjal9ZMXV+25fVANdJRuI/CN083OOnc8yA5TTw=";


     

       

       
40

       
+

       
    };


     

       

       
41

       
+

       
    environment.etc."vdb/vdb.meta".source = pkgs.fetchurl {


     

       

       
42

       
+

       
      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/vdb.meta";


     

       

       
43

       
+

       
      hash = "sha256-i0oI3ODrmm8PF9UGJ9gy9QzQ0SKjLo9DdqYX/kqoHak=";


     

       

       
44

       
+

       
    };


     

       

       
45

       
+

       
    environment.variables = {


     

       

       
46

       
+

       
      VDB_HOME = "/tmp/vdb";


     

       

       
47

       
+

       
      # the cache will try to auto refresh if the age is met (requires internet access)


     

       

       
48

       
+

       
      VDB_AGE_HOURS = 999999;


     

       

       
49

       
+

       
    };


     

       

       
50

       
+

       
  };


     

       

       
51

       
+

       



     

       

       
52

       
+

       
  testScript =


     

       

       
53

       
+

       
    { nodes, ... }:


     

       

       
54

       
+

       
    ''


     

       

       
55

       
+

       
      start_all()


     

       

       
56

       
+

       



     

       

       
57

       
+

       
      # vdb needs to be copied to tmp as it needs to write to dir


     

       

       
58

       
+

       
      # and etc is RO


     

       

       
59

       
+

       
      machine.succeed('cp -rL /etc/vdb /tmp/vdb')


     

       

       
60

       
+

       
      machine.succeed('depscan --src /etc/dep-scan-source --reports-dir /tmp/reports')


     

       

       
61

       
+

       
      machine.succeed('jq . /tmp/reports/*.json')


     

       

       
62

       
+

       
    '';


     

       

       
63

       
+

       
}
+3
pkgs/by-name/de/dep-scan/package.nix 
···

       
5

       
5

       
 

       
  writableTmpDirAsHomeHook,


     

       
6

       
6

       
 

       
  makeWrapper,


     

       
7

       
7

       
 

       
  cdxgen,


     

       

       
8

       
+

       
  nixosTests,


     

       
8

       
9

       
 

       
}:


     

       
9

       
10

       
 

       



     

       
10

       
11

       
 

       
python3Packages.buildPythonApplication rec {


     
···

       
67

       
68

       
 

       
      ]


     

       
68

       
69

       
 

       
    }"


     

       
69

       
70

       
 

       
  ];


     

       

       
71

       
+

       



     

       

       
72

       
+

       
  passthru.tests = { inherit (nixosTests) dep-scan; };


     

       
70

       
73

       
 

       



     

       
71

       
74

       
 

       
  meta = {


     

       
72

       
75

       
 

       
    description = "Security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies";