diff options
Diffstat (limited to 'pkgs/tools/security/grype/default.nix')
-rw-r--r-- | pkgs/tools/security/grype/default.nix | 52 |
1 files changed, 42 insertions, 10 deletions
diff --git a/pkgs/tools/security/grype/default.nix b/pkgs/tools/security/grype/default.nix index 9d327f37af6a3..30206fab0eb96 100644 --- a/pkgs/tools/security/grype/default.nix +++ b/pkgs/tools/security/grype/default.nix @@ -1,39 +1,71 @@ { lib , buildGoModule -, docker , fetchFromGitHub +, installShellFiles }: buildGoModule rec { pname = "grype"; - version = "0.28.0"; + version = "0.33.0"; src = fetchFromGitHub { owner = "anchore"; repo = pname; rev = "v${version}"; - sha256 = "sha256-Mc0bO9BDcIXEoHwhQDbX9g84kagcT3gVz8PPxXpG7dw="; + sha256 = "sha256-RXEeJZeC6hA6DetZnUNWFtNZEy4HJpxviL8pySBLfts="; + # populate values that require us to use git. By doing this in postFetch we + # can delete .git afterwards and maintain better reproducibility of the src. + leaveDotGit = true; + postFetch = '' + cd "$out" + commit="$(git rev-parse HEAD)" + source_date_epoch=$(git log --date=format:'%Y-%m-%dT%H:%M:%SZ' -1 --pretty=%ad) + substituteInPlace "$out/internal/version/build.go" \ + --replace 'gitCommit = valueNotProvided' "gitCommit = \"$commit\"" \ + --replace 'buildDate = valueNotProvided' "buildDate = \"$source_date_epoch\"" + find "$out" -name .git -print0 | xargs -0 rm -rf + ''; }; - vendorSha256 = "sha256-su0dg9Gidd8tQKM5IzX6/GC5jk8SCIO+qsI3UGlvpwg="; + vendorSha256 = "sha256-2T2fw1nOycP1LxUuMSmz1ke2bg4yox/tIAveXCNJG9Y="; - propagatedBuildInputs = [ docker ]; + nativeBuildInputs = [ + installShellFiles + ]; ldflags = [ - "-s" "-w" "-X github.com/anchore/grype/internal/version.version=${version}" + "-s" + "-w" + "-X github.com/anchore/grype/internal/version.version=${version}" + "-X github.com/anchore/grype/internal/version.gitTreeState=clean" ]; + preBuild = '' + # grype version also displays the version of the syft library used + # we need to grab it from the go.sum and add an ldflag for it + SYFTVERSION="$(grep "github.com/anchore/syft" go.sum -m 1 | awk '{print $2}')" + ldflags+=" -X github.com/anchore/grype/internal/version.syftVersion=$SYFTVERSION" + ''; + # Tests require a running Docker instance doCheck = false; + postInstall = '' + installShellCompletion --cmd grype \ + --bash <($out/bin/grype completion bash) \ + --fish <($out/bin/grype completion fish) \ + --zsh <($out/bin/grype completion zsh) + ''; + meta = with lib; { + homepage = "https://github.com/anchore/grype"; + changelog = "https://github.com/anchore/grype/releases/tag/v${version}"; description = "Vulnerability scanner for container images and filesystems"; longDescription = '' - As a vulnerability scanner is grype abale to scan the contents of a container - image or filesystem to find known vulnerabilities. + As a vulnerability scanner grype is able to scan the contents of a + container image or filesystem to find known vulnerabilities. ''; - homepage = "https://github.com/anchore/grype"; license = with licenses; [ asl20 ]; - maintainers = with maintainers; [ fab ]; + maintainers = with maintainers; [ fab jk ]; }; } |