Diffstat (limited to 'pkgs/tools/security')
38 files changed, 621 insertions, 226 deletions
diff --git a/pkgs/tools/security/apkleaks/default.nix b/pkgs/tools/security/apkleaks/default.nix index 29a0b17ccb326..a8be3c4323c81 100644 --- a/pkgs/tools/security/apkleaks/default.nix +++ b/pkgs/tools/security/apkleaks/default.nix @@ -1,23 +1,25 @@ -{ lib -, fetchFromGitHub -, jadx -, python3 +{ + lib, + fetchFromGitHub, + jadx, + python3, }: python3.pkgs.buildPythonApplication rec { pname = "apkleaks"; - version = "2.6.1"; - - disabled = python3.pythonOlder "3.6"; + version = "2.6.2"; + pyproject = true; src = fetchFromGitHub { owner = "dwisiswant0"; - repo = pname; - rev = "v${version}"; - sha256 = "0ysciv643p8gkqw2wp7zy4n07hihdcyil8d20lj86cpgga71rd64"; + repo = "apkleaks"; + rev = "refs/tags/v${version}"; + hash = "sha256-a7zOowvhV9H91RwNDImN2+ecixY8g3WUotlBQVdmLgA="; }; - propagatedBuildInputs = with python3.pkgs; [ + build-system = with python3.pkgs; [ setuptools ]; + + dependencies = with python3.pkgs; [ jadx pyaxmlparser setuptools @@ -31,7 +33,8 @@ python3.pkgs.buildPythonApplication rec { meta = with lib; { description = "Scanning APK file for URIs, endpoints and secrets"; homepage = "https://github.com/dwisiswant0/apkleaks"; - license = with licenses; [ asl20 ]; + changelog = "https://github.com/dwisiswant0/apkleaks/releases/tag/v${version}"; + license = licenses.asl20; maintainers = with maintainers; [ fab ]; mainProgram = "apkleaks"; }; diff --git a/pkgs/tools/security/cdk-go/default.nix b/pkgs/tools/security/cdk-go/default.nix index 79040fb2749d3..93c0c1aa49646 100644 --- a/pkgs/tools/security/cdk-go/default.nix +++ b/pkgs/tools/security/cdk-go/default.nix @@ -6,13 +6,13 @@ buildGoModule rec { pname = "cdk-go"; - version = "1.5.2"; + version = "1.5.3"; src = fetchFromGitHub { owner = "cdk-team"; repo = "CDK"; rev = "refs/tags/v${version}"; - hash = "sha256-jgGOSlhlLO1MU1mHWZgw+ov4IrZwMo2GdG6L25ah9Z8="; + hash = "sha256-0cg2o98BcE4H6EW/yAkJOJtIJXEq2cFG6pNaRPtQofo="; }; vendorHash = "sha256-aJN/d/BxmleRXKw6++k6e0Vb0Gs5zg1QfakviABYTog="; 
diff --git a/pkgs/tools/security/cnquery/default.nix b/pkgs/tools/security/cnquery/default.nix index d797861c26e8b..ad09b62e713ac 100644 --- a/pkgs/tools/security/cnquery/default.nix +++ b/pkgs/tools/security/cnquery/default.nix @@ -6,18 +6,18 @@ buildGoModule rec { pname = "cnquery"; - version = "11.3.1"; + version = "11.4.3"; src = fetchFromGitHub { owner = "mondoohq"; repo = "cnquery"; rev = "refs/tags/v${version}"; - hash = "sha256-LcU4U2mxNrLJyp/V5d8TDo9DAcRBb4aRK+aEKoMCsZ0="; + hash = "sha256-j2cBoeUpxZV8NlC0D3e6bF533LVN0eIRqE7PSIWBGEw="; }; subPackages = [ "apps/cnquery" ]; - vendorHash = "sha256-z12/OKkrDru8jO4R1I/XfzGCBPHAD+KhJKv3dyyYCdw="; + vendorHash = "sha256-kovSP+ru32vxve8tmeTRS1fsWTpyBTWhLp5iexKo0Fk="; ldflags = [ "-w" diff --git a/pkgs/tools/security/cnspec/default.nix b/pkgs/tools/security/cnspec/default.nix index 2835576a8d6a0..d534a4977a14b 100644 --- a/pkgs/tools/security/cnspec/default.nix +++ b/pkgs/tools/security/cnspec/default.nix @@ -6,18 +6,18 @@ buildGoModule rec { pname = "cnspec"; - version = "11.4.3"; + version = "11.5.0"; src = fetchFromGitHub { owner = "mondoohq"; repo = "cnspec"; rev = "refs/tags/v${version}"; - hash = "sha256-vLkGysRhcSzSu++p71hZLbA0RNCDcukC3HqPrUugd/s="; + hash = "sha256-MQrWZ3nFE/gEU7/AoSIr91LMteo/+68MDwiJBxiosvM="; }; proxyVendor = true; - vendorHash = "sha256-wL0cXNfJ8qyonUQRE7w2cRoqGLa6NGhv3EPFie/9/Z4="; + vendorHash = "sha256-1ytyebfUyeAQcx1HPxn6X0p4t5VlB4uflZJF1f+HhPU="; subPackages = [ "apps/cnspec" ]; diff --git a/pkgs/tools/security/exploitdb/default.nix b/pkgs/tools/security/exploitdb/default.nix index 56367fcc64c22..6e16722f2373a 100644 --- a/pkgs/tools/security/exploitdb/default.nix +++ b/pkgs/tools/security/exploitdb/default.nix 
@@ -7,13 +7,13 @@ stdenv.mkDerivation rec { pname = "exploitdb"; - version = "2024-05-16"; + version = "2024-05-20"; src = fetchFromGitLab { owner = "exploit-database"; repo = "exploitdb"; rev = "refs/tags/${version}"; - hash = "sha256-m00hnTu8PEUmWHO9ei9DYU10DAgn1zaKATt6yVJ7R1o="; + hash = "sha256-Cizs0dUP0wuwo3jYaL73gXUdxsMEBH91DgdQD6GbHrc="; }; nativeBuildInputs = [ makeWrapper ]; diff --git a/pkgs/tools/security/fcrackzip/default.nix b/pkgs/tools/security/fcrackzip/default.nix index b3b82a0151158..6a60878c88d76 100644 --- a/pkgs/tools/security/fcrackzip/default.nix +++ b/pkgs/tools/security/fcrackzip/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0l1qsk949vnz18k4vjf3ppq8p497966x4c7f2yx18x8pk35whn2a"; }; + CFLAGS = "-std=gnu89"; + # 'fcrackzip --use-unzip' cannot deal with file names containing a single quote # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430387 patches = [ ./fcrackzip_forkexec.patch ]; diff --git a/pkgs/tools/security/feroxbuster/default.nix b/pkgs/tools/security/feroxbuster/default.nix index 0459519c43f76..f4e361332e96e 100644 --- a/pkgs/tools/security/feroxbuster/default.nix +++ b/pkgs/tools/security/feroxbuster/default.nix @@ -5,6 +5,7 @@ , pkg-config , rustPlatform , Security +, SystemConfiguration }: rustPlatform.buildRustPackage rec { @@ -35,6 +36,7 @@ rustPlatform.buildRustPackage rec { openssl ] ++ lib.optionals stdenv.isDarwin [ Security + SystemConfiguration ]; # Tests require network access diff --git a/pkgs/tools/security/ghauri/default.nix b/pkgs/tools/security/ghauri/default.nix index c4d176eb2a276..fc7cfd2bb1e15 100644 --- a/pkgs/tools/security/ghauri/default.nix +++ b/pkgs/tools/security/ghauri/default.nix 
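Review bot: In the fcrackzip hunk, `CFLAGS = "-std=gnu89";` is added without saying which build failure it works around, and setting `CFLAGS` in the environment replaces whatever default flags the package's build system would otherwise pick, which may include its optimisation level. A one-line comment such as `# source relies on pre-C99 constructs that newer compilers reject` (wording to be confirmed against the actual error) would make the pin auditable. If only the language standard needs changing, `env.NIX_CFLAGS_COMPILE = "-std=gnu89";` passes the flag through the compiler wrapper and leaves the build system's defaults alone. The derivation body continues outside the hunk.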
@@ -5,14 +5,14 @@ python3.pkgs.buildPythonApplication rec { pname = "ghauri"; - version = "1.3.1"; + version = "1.3.2"; format = "setuptools"; src = fetchFromGitHub { owner = "r0oth3x49"; repo = "ghauri"; rev = "refs/tags/${version}"; - hash = "sha256-QO4/dkJU/uhP1AT1kIxDBIGBfLI1rOhOe/cHC8GwhkA="; + hash = "sha256-zd+Uf2t8yBWi07+BJYYYQ+4fIissuBdXjj877ul4gAQ="; }; propagatedBuildInputs = with python3.pkgs; [ diff --git a/pkgs/tools/security/ghidra/0002-Load-nix-extensions.patch b/pkgs/tools/security/ghidra/0002-Load-nix-extensions.patch new file mode 100644 index 0000000000000..0e87aa71a4073 --- /dev/null +++ b/pkgs/tools/security/ghidra/0002-Load-nix-extensions.patch @@ -0,0 +1,15 @@ +diff --git a/Ghidra/Framework/Utility/src/main/java/utility/application/ApplicationUtilities.java b/Ghidra/Framework/Utility/src/main/java/utility/application/ApplicationUtilities.java +index ea12a661f0..da7779b07f 100644 +--- a/Ghidra/Framework/Utility/src/main/java/utility/application/ApplicationUtilities.java ++++ b/Ghidra/Framework/Utility/src/main/java/utility/application/ApplicationUtilities.java +@@ -36,6 +36,10 @@ public class ApplicationUtilities { + */ + public static Collection<ResourceFile> findDefaultApplicationRootDirs() { + Collection<ResourceFile> applicationRootDirs = new ArrayList<>(); ++ String nixGhidraHome = System.getenv("NIX_GHIDRAHOME"); ++ if (nixGhidraHome != null) { ++ applicationRootDirs.add(new ResourceFile(nixGhidraHome)); ++ }; + ResourceFile applicationRootDir = findPrimaryApplicationRootDir(); + if (applicationRootDir != null) { + applicationRootDirs.add(applicationRootDir); diff --git a/pkgs/tools/security/ghidra/0003-Remove-build-datestamp.patch b/pkgs/tools/security/ghidra/0003-Remove-build-datestamp.patch new file mode 100644 index 0000000000000..0a89487015024 --- /dev/null +++ b/pkgs/tools/security/ghidra/0003-Remove-build-datestamp.patch 
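Review bot: In the 0002-Load-nix-extensions.patch hunk, `NIX_GHIDRAHOME` is read from the environment and added as the first application root directory after only a null check, so an empty or stale value is accepted as-is. Because the launcher wrapper in build.nix uses `--set-default`, a value inherited from the caller's environment takes precedence over the store path; as root directories appear to decide where modules and extensions are loaded from, that is worth documenting next to the wrapper. I would tighten the guard to `if (nixGhidraHome != null && !nixGhidraHome.isEmpty()) {` and drop the stray `;` after the closing brace. findDefaultApplicationRootDirs continues outside the hunk.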
@@ -0,0 +1,26 @@ +diff --git a/Ghidra/RuntimeScripts/Common/support/buildExtension.gradle b/Ghidra/RuntimeScripts/Common/support/buildExtension.gradle +index bc194f219..94b00fabd 100644 +--- a/Ghidra/RuntimeScripts/Common/support/buildExtension.gradle ++++ b/Ghidra/RuntimeScripts/Common/support/buildExtension.gradle +@@ -82,7 +82,7 @@ dependencies { + helpPath fileTree(dir: ghidraDir + '/Features/Base', include: "**/Base.jar") + } + +-def ZIP_NAME_PREFIX = "${DISTRO_PREFIX}_${RELEASE_NAME}_${getCurrentDate()}" ++def ZIP_NAME_PREFIX = "${DISTRO_PREFIX}_${RELEASE_NAME}" + def DISTRIBUTION_DIR = file("dist") + + def pathInZip = "${project.name}" +diff --git a/gradle/root/distribution.gradle b/gradle/root/distribution.gradle +index f44c8267b..f6231c417 100644 +--- a/gradle/root/distribution.gradle ++++ b/gradle/root/distribution.gradle +@@ -32,7 +32,7 @@ apply from: "$rootProject.projectDir/gradle/support/sbom.gradle" + def currentPlatform = getCurrentPlatformName() + def PROJECT_DIR = file (rootProject.projectDir.absolutePath) + ext.DISTRIBUTION_DIR = file("$buildDir/dist") +-ext.ZIP_NAME_PREFIX = "${rootProject.DISTRO_PREFIX}_${rootProject.BUILD_DATE_SHORT}" ++ext.ZIP_NAME_PREFIX = "${rootProject.DISTRO_PREFIX}" + ext.ZIP_DIR_PREFIX = "${rootProject.DISTRO_PREFIX}" + ext.ALL_REPOS = [rootProject.file('.').getName()] + diff --git a/pkgs/tools/security/ghidra/build-extension.nix b/pkgs/tools/security/ghidra/build-extension.nix new file mode 100644 index 0000000000000..373f35784e546 --- /dev/null +++ b/pkgs/tools/security/ghidra/build-extension.nix 
@@ -0,0 +1,78 @@ +{ lib +, stdenv +, unzip +, jdk +, gradle +, ghidra +}: + +let + metaCommon = oldMeta: + oldMeta // (with lib; { + maintainers = (oldMeta.maintainers or []) ++ (with maintainers; [ vringar ]); + platforms = oldMeta.platforms or ghidra.meta.platforms; + }); + + buildGhidraExtension = { + pname, nativeBuildInputs ? [], meta ? { }, ... + }@args: + stdenv.mkDerivation (args // { + nativeBuildInputs = nativeBuildInputs ++ [ + unzip + jdk + gradle + ]; + + buildPhase = args.buildPhase or '' + runHook preBuild + + # Set project name, otherwise defaults to directory name + echo -e '\nrootProject.name = "${pname}"' >> settings.gradle + + export GRADLE_USER_HOME=$(mktemp -d) + gradle \ + --offline \ + --no-daemon \ + -PGHIDRA_INSTALL_DIR=${ghidra}/lib/ghidra + + runHook postBuild + ''; + + installPhase = args.installPhase or '' + runHook preInstall + + mkdir -p $out/lib/ghidra/Ghidra/Extensions + unzip -d $out/lib/ghidra/Ghidra/Extensions dist/*.zip + + runHook postInstall + ''; + + meta = metaCommon meta; + }); + + buildGhidraScripts = { pname, meta ? { }, ... }@args: + stdenv.mkDerivation (args // { + installPhase = '' + runHook preInstall + + GHIDRA_HOME=$out/lib/ghidra/Ghidra/Extensions/${pname} + mkdir -p $GHIDRA_HOME + cp -r . $GHIDRA_HOME/ghidra_scripts + + touch $GHIDRA_HOME/Module.manifest + cat <<'EOF' > extension.properties + name=${pname} + description=${meta.description or ""} + author= + createdOn= + version=${lib.getVersion ghidra} + + EOF + + runHook postInstall + ''; + + meta = metaCommon meta; + }); +in + { inherit buildGhidraExtension buildGhidraScripts; } diff --git a/pkgs/tools/security/ghidra/build.nix b/pkgs/tools/security/ghidra/build.nix index f8f0fb3ae5a81..c0a8dca4cd0e8 100644 --- a/pkgs/tools/security/ghidra/build.nix +++ b/pkgs/tools/security/ghidra/build.nix @@ -1,6 +1,7 @@ { stdenv , fetchFromGitHub , lib +, callPackage , gradle_7 , perl , makeWrapper 
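Review bot: In buildGhidraScripts (build-extension.nix), the heredoc writes `extension.properties` into the build directory after the sources have already been copied, so the file never reaches `$out`; only `Module.manifest` is created under `$GHIDRA_HOME`. The redirect should target the extension directory: `cat <<'EOF' > $GHIDRA_HOME/extension.properties`. Separately, buildGhidraScripts always replaces `installPhase` while buildGhidraExtension honours `args.installPhase`; if that difference is intended, a short comment would say so.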
@@ -10,6 +11,7 @@ , icoutils , xcbuild , protobuf +, ghidra-extensions }: let @@ -17,15 +19,40 @@ let pname = "ghidra"; version = "11.0.3"; + releaseName = "NIX"; + distroPrefix = "ghidra_${version}_${releaseName}"; src = fetchFromGitHub { owner = "NationalSecurityAgency"; repo = "Ghidra"; rev = "Ghidra_${version}_build"; - hash = "sha256-Id595aKYHP1R3Zw9sV1oL32nAUAr7D/K4wn6Zs7q3Jo="; + hash = "sha256-IiLxaJvfJcK275FDZEsUCGp7haJjp8O2fUIoM4F9H30="; + # populate values that require us to use git. By doing this in postFetch we + # can delete .git afterwards and maintain better reproducibility of the src. + leaveDotGit = true; + postFetch = '' + cd "$out" + git rev-parse HEAD > $out/COMMIT + # 1970-Jan-01 + date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%b-%d" > $out/SOURCE_DATE_EPOCH + # 19700101 + date -u -d "@$(git log -1 --pretty=%ct)" "+%Y%m%d" > $out/SOURCE_DATE_EPOCH_SHORT + find "$out" -name .git -print0 | xargs -0 rm -rf + ''; }; gradle = gradle_7; + patches = [ + # Use our own protoc binary instead of the prebuilt one + ./0001-Use-protobuf-gradle-plugin.patch + + # Override installation directory to allow loading extensions + ./0002-Load-nix-extensions.patch + + # Remove build dates from output filenames for easier reference + ./0003-Remove-build-datestamp.patch + ]; + desktopItem = makeDesktopItem { name = "ghidra"; exec = "ghidra"; 
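Review bot: In the `src` hunk of ghidra/build.nix, the files `SOURCE_DATE_EPOCH` and `SOURCE_DATE_EPOCH_SHORT` hold formatted dates (`+%Y-%b-%d`, `+%Y%m%d`), not epoch seconds, which is easy to confuse with the standard environment variable of the same name. Names such as `BUILD_DATE` and `BUILD_DATE_SHORT` would avoid that (postPatch, which reads them, needs the same rename). The `hash` also changes while `rev` stays the same; presumably that is only because postFetch now adds files to the output, and a comment like `# hash covers COMMIT and the date files written in postFetch` would help whoever audits this pin next.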
@@ -35,7 +62,25 @@ let categories = [ "Development" ]; }; - # postPatch scripts. + postPatch = '' + # Set name of release (eg. PUBLIC, DEV, etc.) + sed -i -e 's/application\.release\.name=.*/application.release.name=${releaseName}/' Ghidra/application.properties + + # Set build date and git revision + echo "application.build.date=$(cat SOURCE_DATE_EPOCH)" >> Ghidra/application.properties + echo "application.build.date.short=$(cat SOURCE_DATE_EPOCH_SHORT)" >> Ghidra/application.properties + echo "application.revision.ghidra=$(cat COMMIT)" >> Ghidra/application.properties + + # Tells ghidra to use our own protoc binary instead of the prebuilt one. + cat >>Ghidra/Debug/Debugger-gadp/build.gradle <<HERE + protobuf { + protoc { + path = '${protobuf}/bin/protoc' + } + } + HERE + ''; + # Adds a gradle step that downloads all the dependencies to the gradle cache. addResolveStep = '' cat >>build.gradle <<HERE @@ -64,9 +109,8 @@ HERE # Taken from mindustry derivation. deps = stdenv.mkDerivation { pname = "${pname}-deps"; - inherit version src; + inherit version src patches; - patches = [ ./0001-Use-protobuf-gradle-plugin.patch ]; postPatch = addResolveStep; nativeBuildInputs = [ gradle perl ] ++ lib.optional stdenv.isDarwin xcbuild; @@ -98,8 +142,8 @@ HERE outputHash = "sha256-nKfJiGoZlDEpbCmYVKNZXz2PYIosCd4nPFdy3MfprHc="; }; -in stdenv.mkDerivation { - inherit pname version src; +in stdenv.mkDerivation (finalAttrs: { + inherit pname version src patches postPatch; nativeBuildInputs = [ gradle unzip makeWrapper icoutils protobuf @@ -107,9 +151,7 @@ in stdenv.mkDerivation { dontStrip = true; - patches = [ - ./0001-Use-protobuf-gradle-plugin.patch - ]; + __darwinAllowLocalNetworking = true; buildPhase = '' runHook preBuild 
@@ -152,9 +194,17 @@ in stdenv.mkDerivation { mkdir -p "$out/bin" ln -s "${pkg_path}/ghidraRun" "$out/bin/ghidra" wrapProgram "${pkg_path}/support/launch.sh" \ + --set-default NIX_GHIDRAHOME "${pkg_path}/Ghidra" \ --prefix PATH : ${lib.makeBinPath [ openjdk17 ]} ''; + passthru = { + inherit releaseName distroPrefix; + inherit (ghidra-extensions.override { ghidra = finalAttrs.finalPackage; }) buildGhidraExtension buildGhidraScripts; + + withExtensions = callPackage ./with-extensions.nix { ghidra = finalAttrs.finalPackage; }; + }; + meta = with lib; { description = "A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission"; mainProgram = "ghidra"; @@ -165,8 +215,8 @@ in stdenv.mkDerivation { binaryBytecode # deps ]; license = licenses.asl20; - maintainers = with maintainers; [ roblabla ]; + maintainers = with maintainers; [ roblabla vringar ]; broken = stdenv.isDarwin && stdenv.isx86_64; }; -} +}) diff --git a/pkgs/tools/security/ghidra/extensions.nix b/pkgs/tools/security/ghidra/extensions.nix new file mode 100644 index 0000000000000..3f30dd8ab40a6 --- /dev/null +++ b/pkgs/tools/security/ghidra/extensions.nix @@ -0,0 +1,14 @@ +{ lib, newScope, callPackage, ghidra }: + +lib.makeScope newScope (self: { + inherit (callPackage ./build-extension.nix { inherit ghidra; }) buildGhidraExtension buildGhidraScripts; + + ghidraninja-ghidra-scripts = self.callPackage ./extensions/ghidraninja-ghidra-scripts { }; + + gnudisassembler = self.callPackage ./extensions/gnudisassembler { inherit ghidra; }; + + machinelearning = self.callPackage ./extensions/machinelearning { inherit ghidra; }; + + sleighdevtools = self.callPackage ./extensions/sleighdevtools { inherit ghidra; }; + +}) diff --git a/pkgs/tools/security/ghidra/extensions/ghidraninja-ghidra-scripts/default.nix b/pkgs/tools/security/ghidra/extensions/ghidraninja-ghidra-scripts/default.nix new file mode 100644 index 0000000000000..6c5e2ec2ea2af 
--- /dev/null
+++ b/pkgs/tools/security/ghidra/extensions/ghidraninja-ghidra-scripts/default.nix
@@ -0,0 +1,36 @@
+{ lib
+, fetchFromGitHub
+, buildGhidraScripts
+, binwalk
+, swift
+, yara
+}:
+
+buildGhidraScripts {
+ pname = "ghidraninja-ghidra-scripts";
+ version = "unstable-2020-10-07";
+
+ src = fetchFromGitHub {
+ owner = "ghidraninja";
+ repo = "ghidra_scripts";
+ rev = "99f2a8644a29479618f51e2d4e28f10ba5e9ac48";
+ sha256 = "aElx0mp66/OHQRfXwTkqdLL0gT2T/yL00bOobYleME8=";
+ };
+
+ postPatch = ''
+ # Replace subprocesses with store versions
+ substituteInPlace binwalk.py --replace-fail 'subprocess.call(["binwalk"' 'subprocess.call(["${binwalk}/bin/binwalk"'
+ substituteInPlace swift_demangler.py --replace-fail '"swift"' '"${swift}/bin/swift"'
+ substituteInPlace yara.py --replace-fail 'subprocess.check_output(["yara"' 'subprocess.check_output(["${yara}/bin/yara"'
+ substituteInPlace YaraSearch.py --replace-fail '"yara "' '"${yara}/bin/yara "'
+ '';
+
+ meta = with lib; {
+ description = "Scripts for the Ghidra software reverse engineering suite";
+ homepage = "https://github.com/ghidraninja/ghidra_scripts";
+ license = with licenses; [
+ gpl3Only
+ gpl2Only
+ ];
+ };
+}
diff --git a/pkgs/tools/security/ghidra/extensions/gnudisassembler/default.nix b/pkgs/tools/security/ghidra/extensions/gnudisassembler/default.nix
new file mode 100644
index 0000000000000..7ca4b056842e9
--- /dev/null
+++ b/pkgs/tools/security/ghidra/extensions/gnudisassembler/default.nix
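Review bot: In ghidraninja-ghidra-scripts/default.nix the source pin is written as `sha256 = "aElx0mp66/OHQRfXwTkqdLL0gT2T/yL00bOobYleME8=";`, a bare base64 digest, while the other fetchers touched by this commit use the SRI form. For consistency and easier auditing I would write `hash = "sha256-aElx0mp66/OHQRfXwTkqdLL0gT2T/yL00bOobYleME8=";`. The gnudisassembler expression has the related issue of an SRI string under the `sha256` attribute for `binutils-src`; `hash = ...` fits there too.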
@@ -0,0 +1,71 @@
+{ lib
+, stdenv
+, fetchurl
+, buildGhidraExtension
+, ghidra
+, flex
+, bison
+, texinfo
+, perl
+, zlib
+, xcbuild
+}:
+
+let
+ # Incorporates source from binutils
+ # https://github.com/NationalSecurityAgency/ghidra/blob/7ab9bf6abffb6938d61d072040fc34ad3331332b/GPL/GnuDisassembler/build.gradle#L34-L35
+ binutils-version = "2.41";
+ binutils-src = fetchurl {
+ url = "mirror://gnu/binutils/binutils-${binutils-version}.tar.bz2";
+ sha256 = "sha256-pMS+wFL3uDcAJOYDieGUN38/SLVmGEGOpRBn9nqqsws=";
+ };
+in
+buildGhidraExtension {
+ pname = "gnudisassembler";
+ version = lib.getVersion ghidra;
+
+ src = "${ghidra}/lib/ghidra/Extensions/Ghidra/${ghidra.distroPrefix}_GnuDisassembler.zip";
+
+ postPatch = ''
+ ln -s ${binutils-src} binutils-${binutils-version}.tar.bz2
+ '';
+
+ # Don't modify ELF stub resources
+ dontPatchELF = true;
+ dontStrip = true;
+
+ __darwinAllowLocalNetworking = true;
+
+ nativeBuildInputs = [
+ flex
+ bison
+ texinfo
+ perl
+ ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+ xcbuild
+ ];
+
+ buildInputs = [
+ zlib
+ ];
+
+ installPhase = ''
+ runHook preInstall
+
+ EXTENSIONS_ROOT=$out/lib/ghidra/Ghidra/Extensions
+ mkdir -p $EXTENSIONS_ROOT
+ unzip -d $EXTENSIONS_ROOT $src
+
+ mkdir -p $EXTENSIONS_ROOT/GnuDisassembler/build
+ cp -r build/os $EXTENSIONS_ROOT/GnuDisassembler/build/
+
+ runHook postInstall
+ '';
+
+ meta = with lib; {
+ description = "Leverage the binutils disassembler capabilities for various processors";
+ homepage = "https://ghidra-sre.org/";
+ downloadPage = "https://github.com/NationalSecurityAgency/ghidra/tree/master/GPL/GnuDisassembler";
+ license = licenses.gpl2Only;
+ };
+}
diff --git a/pkgs/tools/security/ghidra/extensions/machinelearning/default.nix b/pkgs/tools/security/ghidra/extensions/machinelearning/default.nix
new file mode 100644
index 0000000000000..ba1e315c75126
--- /dev/null
+++ b/pkgs/tools/security/ghidra/extensions/machinelearning/default.nix
@@ -0,0 +1,34 @@
+{ lib
+, buildGhidraExtension
+, ghidra
+}:
+
+buildGhidraExtension {
+ pname = "machinelearning";
+ version = lib.getVersion ghidra;
+
+ src = "${ghidra}/lib/ghidra/Extensions/Ghidra/${ghidra.distroPrefix}_MachineLearning.zip";
+ dontUnpack = true;
+
+ # Built as part ghidra
+ dontBuild = true;
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/lib/ghidra/Ghidra/Extensions
+ unzip -d $out/lib/ghidra/Ghidra/Extensions $src
+
+ runHook postInstall
+ '';
+
+ meta = with lib; {
+ inherit (ghidra.meta) homepage license;
+ description = "Finds functions using ML";
+ downloadPage = "https://github.com/NationalSecurityAgency/ghidra/tree/master/Ghidra/Extensions/MachineLearning";
+ sourceProvenance = with sourceTypes; [
+ fromSource
+ binaryBytecode # deps
+ ];
+ };
+}
diff --git a/pkgs/tools/security/ghidra/extensions/sleighdevtools/default.nix b/pkgs/tools/security/ghidra/extensions/sleighdevtools/default.nix
new file mode 100644
index 0000000000000..d8fd0182ab9d3
--- /dev/null
+++ b/pkgs/tools/security/ghidra/extensions/sleighdevtools/default.nix
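Review bot: The comment `# Built as part ghidra` in machinelearning/default.nix is missing a word and does not say why nothing is unpacked or built here; `# Already built as part of ghidra; the zip from its output is only extracted` would be clearer. The same comment and an identical `installPhase` appear in sleighdevtools/default.nix, where `buildInputs = [ python3 ];` also lacks a stated reason. Since both expressions set `dontBuild`, the `jdk` and `gradle` inputs that buildGhidraExtension adds look unused for them, which a comment could acknowledge.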
@@ -0,0 +1,40 @@
+{ lib
+, buildGhidraExtension
+, ghidra
+, python3
+}:
+
+buildGhidraExtension {
+ pname = "sleighdevtools";
+ version = lib.getVersion ghidra;
+
+ src = "${ghidra}/lib/ghidra/Extensions/Ghidra/${ghidra.distroPrefix}_SleighDevTools.zip";
+ dontUnpack = true;
+
+ # Built as part ghidra
+ dontBuild = true;
+ buildInputs = [ python3 ];
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/lib/ghidra/Ghidra/Extensions
+ unzip -d $out/lib/ghidra/Ghidra/Extensions $src
+
+ runHook postInstall
+ '';
+
+ meta = with lib; {
+ inherit (ghidra.meta) homepage license;
+ description = "Sleigh language development tools including external disassembler capabilities";
+ longDescription = ''
+ Sleigh language development tools including external disassembler capabilities.
+ The GnuDisassembler extension may be also be required as a disassembly provider.
+ '';
+ downloadPage = "https://github.com/NationalSecurityAgency/ghidra/tree/master/Ghidra/Extensions/SleighDevTools";
+ sourceProvenance = with sourceTypes; [
+ fromSource
+ binaryBytecode # deps
+ ];
+ };
+}
diff --git a/pkgs/tools/security/ghidra/with-extensions.nix b/pkgs/tools/security/ghidra/with-extensions.nix
new file mode 100644
index 0000000000000..8ce4a04c2d460
--- /dev/null
+++ b/pkgs/tools/security/ghidra/with-extensions.nix
@@ -0,0 +1,30 @@ +{ lib +, callPackage +, symlinkJoin +, makeBinaryWrapper +, ghidra +}: + +let + ghidra-extensions = callPackage ./extensions.nix { inherit ghidra; }; + allExtensions = lib.filterAttrs (n: pkg: lib.isDerivation pkg) ghidra-extensions; + + /* Make Ghidra with additional extensions + Example: + pkgs.ghidra.withExtensions (p: with p; [ + ghostrings + ]); + => /nix/store/3yn0rbnz5mbrxf0x70jbjq73wgkszr5c-ghidra-with-extensions-10.2.2 + */ + withExtensions = f: (symlinkJoin { + name = "${ghidra.pname}-with-extensions-${lib.getVersion ghidra}"; + paths = (f allExtensions); + nativeBuildInputs = [ makeBinaryWrapper ]; + postBuild = '' + makeWrapper '${ghidra}/bin/ghidra' "$out/bin/ghidra" \ + --set NIX_GHIDRAHOME "$out/lib/ghidra/Ghidra" + ''; + inherit (ghidra) meta; + }); +in + withExtensions diff --git a/pkgs/tools/security/httpx/default.nix b/pkgs/tools/security/httpx/default.nix index 80a7404be0026..a0a6c0e9e9e21 100644 --- a/pkgs/tools/security/httpx/default.nix +++ b/pkgs/tools/security/httpx/default.nix @@ -1,24 +1,23 @@ -{ buildGoModule -, fetchFromGitHub -, lib +{ + lib, + buildGoModule, + fetchFromGitHub, }: buildGoModule rec { pname = "httpx"; - version = "1.6.0"; + version = "1.6.1"; src = fetchFromGitHub { owner = "projectdiscovery"; repo = "httpx"; rev = "refs/tags/v${version}"; - hash = "sha256-q8R3X1U2Dma0A9WRWIFPSRQHndNJFE2YdfMyPEM6dr8="; + hash = "sha256-LW5zJqJqUD5v50OZuPqMYefrcIsjEIr7a4rogveiLA0="; }; - vendorHash = "sha256-M7oxM0hMaOT78CxbSGyYk0nhGJC8dLWAlzi/b//EiHw="; + vendorHash = "sha256-A82eMV9MegJt3wAkK0YbyMQqt7zlX01DmZ2z3YIGrQ8="; - subPackages = [ - "cmd/httpx" - ]; + subPackages = [ "cmd/httpx" ]; ldflags = [ "-s" @@ -30,7 +29,6 @@ buildGoModule rec { meta = with lib; { description = "Fast and multi-purpose HTTP toolkit"; - mainProgram = "httpx"; longDescription = '' httpx is a fast and multi-purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the 
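Review bot: The example in the withExtensions comment refers to `ghostrings` and to a `-10.2.2` store path, but the extension set added by this commit contains only ghidraninja-ghidra-scripts, gnudisassembler, machinelearning and sleighdevtools, and the packaged version is 11.0.3. An example that evaluates, such as `pkgs.ghidra.withExtensions (p: with p; [ gnudisassembler ])`, would be safer to copy. It would also help to note there that the wrapper uses `--set NIX_GHIDRAHOME`, so any value already in the environment is overridden.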
@@ -40,5 +38,6 @@ buildGoModule rec { changelog = "https://github.com/projectdiscovery/httpx/releases/tag/v${version}"; license = licenses.mit; maintainers = with maintainers; [ fab ]; + mainProgram = "httpx"; }; } diff --git a/pkgs/tools/security/metasploit/Gemfile b/pkgs/tools/security/metasploit/Gemfile index 03770b1cc6609..ae2b6975af12b 100644 --- a/pkgs/tools/security/metasploit/Gemfile +++ b/pkgs/tools/security/metasploit/Gemfile @@ -1,4 +1,4 @@ # frozen_string_literal: true source "https://rubygems.org" -gem "metasploit-framework", git: "https://github.com/rapid7/metasploit-framework", ref: "refs/tags/6.4.8" +gem "metasploit-framework", git: "https://github.com/rapid7/metasploit-framework", ref: "refs/tags/6.4.9" diff --git a/pkgs/tools/security/metasploit/Gemfile.lock b/pkgs/tools/security/metasploit/Gemfile.lock index 0cbc2a918ad4e..bfb9433561018 100644 --- a/pkgs/tools/security/metasploit/Gemfile.lock +++ b/pkgs/tools/security/metasploit/Gemfile.lock @@ -1,9 +1,9 @@ GIT remote: https://github.com/rapid7/metasploit-framework - revision: e9f897a525576857abd73c96ac64beb0094ad547 - ref: refs/tags/6.4.8 + revision: eac2a919309b9ec735cae13ceead0f4aa0e412e8 + ref: refs/tags/6.4.9 specs: - metasploit-framework (6.4.8) + metasploit-framework (6.4.9) actionpack (~> 7.0.0) activerecord (~> 7.0.0) activesupport (~> 7.0.0) @@ -468,4 +468,4 @@ DEPENDENCIES metasploit-framework! BUNDLED WITH - 2.5.7 + 2.5.9 diff --git a/pkgs/tools/security/metasploit/default.nix b/pkgs/tools/security/metasploit/default.nix index e9600b703bf87..7779f954b6195 100644 --- a/pkgs/tools/security/metasploit/default.nix +++ b/pkgs/tools/security/metasploit/default.nix 
@@ -15,13 +15,13 @@ let }; in stdenv.mkDerivation rec { pname = "metasploit-framework"; - version = "6.4.8"; + version = "6.4.9"; src = fetchFromGitHub { owner = "rapid7"; repo = "metasploit-framework"; rev = "refs/tags/${version}"; - hash = "sha256-a5Igd8i5K9qt6r5dHuzRMWLrXZn95PJtYnW4A4HcUNE="; + hash = "sha256-0f7kpzeOY6EbFb7LRZc/J5lFYcf21HC6H6q0+qtTcao="; }; nativeBuildInputs = [ diff --git a/pkgs/tools/security/metasploit/gemset.nix b/pkgs/tools/security/metasploit/gemset.nix index ee104260ca7bf..901b70c29cc2c 100644 --- a/pkgs/tools/security/metasploit/gemset.nix +++ b/pkgs/tools/security/metasploit/gemset.nix @@ -674,12 +674,12 @@ platforms = []; source = { fetchSubmodules = false; - rev = "e9f897a525576857abd73c96ac64beb0094ad547"; - sha256 = "1lahvj0h7f3mc9nz5r7xk5fynqiis7n1wpdyxanxlaxrr1vj14kb"; + rev = "eac2a919309b9ec735cae13ceead0f4aa0e412e8"; + sha256 = "1akiafmzmd5a3yx71m7nqxhlb6977yblbjxy2lds2qwf6yky9zni"; type = "git"; url = "https://github.com/rapid7/metasploit-framework"; }; - version = "6.4.8"; + version = "6.4.9"; }; metasploit-model = { groups = ["default"]; diff --git a/pkgs/tools/security/ospd-openvas/default.nix b/pkgs/tools/security/ospd-openvas/default.nix index 9b20f221447ec..f047958c24929 100644 --- a/pkgs/tools/security/ospd-openvas/default.nix +++ b/pkgs/tools/security/ospd-openvas/default.nix @@ -1,6 +1,7 @@ -{ lib -, fetchFromGitHub -, python3 +{ + lib, + fetchFromGitHub, + python3, }: python3.pkgs.buildPythonApplication rec { @@ -20,13 +21,9 @@ python3.pkgs.buildPythonApplication rec { "python-gnupg" ]; - build-system = with python3.pkgs; [ - poetry-core - ]; + build-system = with python3.pkgs; [ poetry-core ]; - nativeBuildInputs = with python3.pkgs; [ - pythonRelaxDepsHook - ]; + nativeBuildInputs = with python3.pkgs; [ pythonRelaxDepsHook ]; propagatedBuildInputs = with python3.pkgs; [ defusedxml 
@@ -40,13 +37,9 @@ python3.pkgs.buildPythonApplication rec { sentry-sdk ]; - nativeCheckInputs = with python3.pkgs; [ - pytestCheckHook - ]; + nativeCheckInputs = with python3.pkgs; [ pytestCheckHook ]; - pythonImportsCheck = [ - "ospd_openvas" - ]; + pythonImportsCheck = [ "ospd_openvas" ]; meta = with lib; { description = "OSP server implementation to allow GVM to remotely control an OpenVAS Scanner"; @@ -54,5 +47,6 @@ python3.pkgs.buildPythonApplication rec { changelog = "https://github.com/greenbone/ospd-openvas/releases/tag/v${version}"; license = licenses.agpl3Only; maintainers = with maintainers; [ fab ]; + platforms = platforms.linux; }; } diff --git a/pkgs/tools/security/pass/extensions/import.nix b/pkgs/tools/security/pass/extensions/import.nix index cbba33c1373a6..0be41525ea289 100644 --- a/pkgs/tools/security/pass/extensions/import.nix +++ b/pkgs/tools/security/pass/extensions/import.nix @@ -1,5 +1,5 @@ { lib -, fetchFromGitHub +, fetchurl , fetchpatch , python3Packages , gnupg @@ -8,30 +8,23 @@ python3Packages.buildPythonApplication rec { pname = "pass-import"; - version = "3.2"; + version = "3.5"; - src = fetchFromGitHub { - owner = "roddhjav"; - repo = "pass-import"; - rev = "v${version}"; - sha256 = "0hrpg7yiv50xmbajfy0zdilsyhbj5iv0qnlrgkfv99q1dvd5qy56"; + src = fetchurl { + url = "https://github.com/roddhjav/${pname}/releases/download/v${version}/${pname}-${version}.tar.gz"; + hash = "sha256-+wrff3OxPkAGu1Mn4Kl0KN4FmvIAb+MnaERcD5ScDNc="; }; - patches = [ - (fetchpatch { - name = "support-for-pykeepass-4.0.3.patch"; - url = "https://github.com/roddhjav/pass-import/commit/f1b167578916d971ee4f99be99ba0e86ef49015e.patch"; - hash = "sha256-u6bJbV3/QTfRaPauKSyCWNodpy6CKsreMXUZWKRbee0="; - }) - ]; - propagatedBuildInputs = with python3Packages; [ cryptography defusedxml + jsonpath-ng pyaml pykeepass python-magic # similar API to "file-magic", but already in nixpkgs. + requests secretstorage + zxcvbn ]; nativeCheckInputs = [ 
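Review bot: In pass/extensions/import.nix, the `patches` block that was the only visible use of `fetchpatch` is removed, yet `, fetchpatch` stays in the argument list (context line of the first hunk); unless it is used outside the hunks it can be dropped. The source also moves from the tagged tree (`fetchFromGitHub`) to a release asset fetched with `fetchurl`; the hash pins the download, but a release tarball is uploaded separately from the tag, so a comment stating why it is preferred (for example, files missing from the repository tree) would help reviewers of later bumps. The derivation continues outside the hunk.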
@@ -46,12 +39,12 @@ python3Packages.buildPythonApplication rec { postInstall = '' mkdir -p $out/lib/password-store/extensions - cp ${src}/import.bash $out/lib/password-store/extensions/import.bash + cp import.bash $out/lib/password-store/extensions/import.bash wrapProgram $out/lib/password-store/extensions/import.bash \ --prefix PATH : "${python3Packages.python.withPackages (_: propagatedBuildInputs)}/bin" \ --prefix PYTHONPATH : "$out/${python3Packages.python.sitePackages}" \ --run "export PREFIX" - cp -r ${src}/share $out/ + cp -r share $out/ ''; postCheck = '' diff --git a/pkgs/tools/security/rbw/default.nix b/pkgs/tools/security/rbw/default.nix index 177ec8d35e416..596257f90c9e8 100644 --- a/pkgs/tools/security/rbw/default.nix +++ b/pkgs/tools/security/rbw/default.nix @@ -25,14 +25,14 @@ rustPlatform.buildRustPackage rec { pname = "rbw"; - version = "1.10.1"; + version = "1.10.2"; src = fetchzip { url = "https://git.tozt.net/rbw/snapshot/rbw-${version}.tar.gz"; - hash = "sha256-56QlWVEx6bWxQz3u/s9+bXsGVPSDaDEdFNj4nVw0SLY="; + hash = "sha256-ScVXtNk2QtfAQn6PtQkbDJNLWAu49l55s6Zpf1fiVjM="; }; - cargoHash = "sha256-mQrplqu9yiCTwsiChGPjfLDx3dZTofmrp+ouDFuwYO8="; + cargoHash = "sha256-ii0401TTDm1ySRGOcSmPts/10wTguxsx8h7wA4FsgQk="; nativeBuildInputs = [ installShellFiles diff --git a/pkgs/tools/security/rhash/default.nix b/pkgs/tools/security/rhash/default.nix index e789eeba05394..cdad16bb4b43c 100644 --- a/pkgs/tools/security/rhash/default.nix +++ b/pkgs/tools/security/rhash/default.nix @@ -3,6 +3,7 @@ , fetchFromGitHub , which , enableStatic ? stdenv.hostPlatform.isStatic +, gettext }: stdenv.mkDerivation rec { 
@@ -16,7 +17,10 @@ stdenv.mkDerivation rec { sha256 = "sha256-3CW41ULdXoID4cOgrcG2j85tgIJ/sz5hU7A83qpuxf4="; }; + patches = [ ./dont-fail-ln.patch ./do-link-so.patch ]; + nativeBuildInputs = [ which ]; + buildInputs = lib.optionals stdenv.hostPlatform.isFreeBSD [ gettext ]; # configure script is not autotools-based, doesn't support these options dontAddStaticConfigureFlags = true; diff --git a/pkgs/tools/security/rhash/do-link-so.patch b/pkgs/tools/security/rhash/do-link-so.patch new file mode 100644 index 0000000000000..d75df2d048cdb --- /dev/null +++ b/pkgs/tools/security/rhash/do-link-so.patch @@ -0,0 +1,22 @@ +From b8c91ea6551e99e10352386cd46ea26973bb4a4d Mon Sep 17 00:00:00 2001 +From: Aleksey Kravchenko <rhash.admin@gmail.com> +Date: Mon, 11 Sep 2023 03:49:20 +0300 +Subject: [PATCH] Fix #238: Build on Unix + +--- + librhash/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/librhash/Makefile b/librhash/Makefile +index e8ee862..34f1263 100644 +--- a/librhash/Makefile ++++ b/librhash/Makefile +@@ -27,7 +27,7 @@ install-lib-static: $(LIBRHASH_STATIC) + install-lib-shared: $(LIBRHASH_SHARED) $(EXTRA_INSTALL_LIBSHARED) + $(INSTALL) -d $(SO_DIR) + $(INSTALL_SHARED) $(LIBRHASH_SHARED) $(SO_DIR)/ +- test "x$(LIBRHASH_SO_MAJ)" != "x$(LIBRHASH_SHARED)" || ( \ ++ test "x$(LIBRHASH_SO_MAJ)" = "x$(LIBRHASH_SHARED)" || ( \ + rm -f $(LIBDIR)/$(LIBRHASH_SO_MAJ) && \ + ln -s $(LIBRHASH_SHARED) $(LIBDIR)/$(LIBRHASH_SO_MAJ) ) + diff --git a/pkgs/tools/security/rhash/dont-fail-ln.patch b/pkgs/tools/security/rhash/dont-fail-ln.patch new file mode 100644 index 0000000000000..7703db5feb241 --- /dev/null +++ b/pkgs/tools/security/rhash/dont-fail-ln.patch 
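Review bot: `patches = [ ./dont-fail-ln.patch ./do-link-so.patch ];` in rhash/default.nix carries no comment, although both files are upstream commits for the same issue (their subjects read "Fix #238") and the second one corrects the `test` introduced by the first, so their order matters. I would add `# upstream fixes for rhash issue #238; keep this order and drop both once a release contains them`. Fetching them with `fetchpatch` and a pinned hash instead of vendoring would also keep their provenance visible.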
@@ -0,0 +1,59 @@ +From 9ef90b958b7ae50aeeb5c269468034d73d6e2efe Mon Sep 17 00:00:00 2001 +From: Aleksey Kravchenko <rhash.admin@gmail.com> +Date: Mon, 31 Jul 2023 02:48:15 +0300 +Subject: [PATCH] Fix #238: Build on *BSD + +--- + configure | 3 ++- + librhash/Makefile | 8 ++++---- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/configure b/configure +index dae76d5..39ef8c1 100755 +--- a/configure ++++ b/configure +@@ -567,6 +567,7 @@ qnx() { test "$OS_LC" = "qnx"; } + sunos() { test "$OS_LC" = "sunos"; } + wine() { test "$OS_LC" = "wine"; } + win32() { cygwin || mingw32 || mingw64 || msys || wine; } ++bsd() { dragonfly || freebsd || netbsd || openbsd ; } + posix_make() { aix || bsdos || hpux || irix || qnx || sunos; } + + ##################################################################### +@@ -713,7 +714,7 @@ if win32; then + elif darwin; then + SHARED_EXT=".${RHASH_VERSION_MAJOR}.dylib" + SOLINK_EXT=".dylib" +-elif linux; then ++elif linux || bsd; then + # use the full library version for the library file extension + SHARED_EXT=".so.${RHASH_VERSION}" + fi +diff --git a/librhash/Makefile b/librhash/Makefile +index d48e06e..e8ee862 100644 +--- a/librhash/Makefile ++++ b/librhash/Makefile +@@ -27,9 +27,9 @@ install-lib-static: $(LIBRHASH_STATIC) + install-lib-shared: $(LIBRHASH_SHARED) $(EXTRA_INSTALL_LIBSHARED) + $(INSTALL) -d $(SO_DIR) + $(INSTALL_SHARED) $(LIBRHASH_SHARED) $(SO_DIR)/ +- test "x$(LIBRHASH_SO_MAJ)" != "x$(LIBRHASH_SHARED)" && \ ++ test "x$(LIBRHASH_SO_MAJ)" != "x$(LIBRHASH_SHARED)" || ( \ + rm -f $(LIBDIR)/$(LIBRHASH_SO_MAJ) && \ +- ln -s $(LIBRHASH_SHARED) $(LIBDIR)/$(LIBRHASH_SO_MAJ) ++ ln -s $(LIBRHASH_SHARED) $(LIBDIR)/$(LIBRHASH_SO_MAJ) ) + + install-implib: + $(INSTALL) -d $(LIBDIR) +@@ -175,9 +175,9 @@ $(EXPORTS_FILE): $(LIB_HEADERS) + $(LIB_HEADERS) | grep -v "$(EXPORTS_SKIP)" > $@ + + $(LIBRHASH_SOLINK): +- test "x$(LIBRHASH_SO_MAJ)" != "x$(LIBRHASH_SHARED)" && \ ++ test "x$(LIBRHASH_SO_MAJ)" = "x$(LIBRHASH_SHARED)" || ( 
\ + rm -f $(LIBRHASH_SO_MAJ) && \ +- ln -s $(LIBRHASH_SHARED) $(LIBRHASH_SO_MAJ) ++ ln -s $(LIBRHASH_SHARED) $(LIBRHASH_SO_MAJ) ) + rm -f $(LIBRHASH_SOLINK) + ln -s $(LIBRHASH_SO_MAJ) $(LIBRHASH_SOLINK) + diff --git a/pkgs/tools/security/semgrep/common.nix b/pkgs/tools/security/semgrep/common.nix index 49f7080ce072f..1ae95ed6572ac 100644 --- a/pkgs/tools/security/semgrep/common.nix +++ b/pkgs/tools/security/semgrep/common.nix @@ -1,9 +1,9 @@ { lib }: rec { - version = "1.72.0"; + version = "1.73.0"; - srcHash = "sha256-Rfu4ymNQ9AXuj5nkx01eUtIVMXDmunNTvUH/2Y7VaXM="; + srcHash = "sha256-INgc1rTN5K5mcV3u4Jktn7cqu87Z5sLnn70CxuZlbPA="; # submodule dependencies # these are fetched so we: @@ -13,8 +13,8 @@ rec { "cli/src/semgrep/semgrep_interfaces" = { owner = "semgrep"; repo = "semgrep-interfaces"; - rev = "75abf193687b84ab341d8267d865ad68d81a89c9"; - hash = "sha256-pS95f9oZLtzCEOQrjJP6aGm6lrltumG4ZjSTaUcRDpU="; + rev = "9f38254957c50c68ea402eebae0f7aa40dd01cbf"; + hash = "sha256-/P8b7nSwNZSrm7dUFkehDaGz+r+bofrlFfuIo4U7tJM="; }; }; @@ -25,19 +25,19 @@ rec { core = { x86_64-linux = { platform = "any"; - hash = "sha256-/XZzzDbsW6pw8LC8DgofZ1Gr7eeQyH719NzJDCoXhpk="; + hash = "sha256-NSleztCh9+VEsezypbIS74Ll+KP/Nb/zqAWum7tdoMc="; }; aarch64-linux = { platform = "musllinux_1_0_aarch64.manylinux2014_aarch64"; - hash = "sha256-7zCy2IbxsNO1Jl/efu9dwSyvv6a0HYvqEBzxVpTzqAM="; + hash = "sha256-tySsh+CLciJRXpr4oJa/h6Zh0Fw8c+EDdSNNRwOfKpg="; }; x86_64-darwin = { platform = "macosx_10_14_x86_64"; - hash = "sha256-jykFOXOCtEtlTxN6z17m8E2g2Wpb7qdXx6w4L6w+DbY="; + hash = "sha256-jO8H0wSjW34ynx+WN0oP8mpuAsfMva7H86gg72WrsBY="; }; aarch64-darwin = { platform = "macosx_11_0_arm64"; - hash = "sha256-0dBki3y9tMdjRRfYbxtl0fVTDXO8tLpx76EPISxtCy4="; + hash = "sha256-EizxrTI7b4qSp8nLwXCnvJqKwZje7+WXyw5z+Yk6bvQ="; }; }; diff --git a/pkgs/tools/security/sequoia-sqop/default.nix b/pkgs/tools/security/sequoia-sqop/default.nix index b9be021608982..9bd5684f30c69 100644 
--- a/pkgs/tools/security/sequoia-sqop/default.nix +++ b/pkgs/tools/security/sequoia-sqop/default.nix @@ -9,7 +9,7 @@ rustPlatform.buildRustPackage rec { pname = "sequoia-sqop"; - version = "0.32.0"; + version = "0.33.0"; src = fetchFromGitLab { owner = "sequoia-pgp"; @@ -17,10 +17,10 @@ rustPlatform.buildRustPackage rec { # generated etc repo = "sequoia-sop"; rev = "v${version}"; - hash = "sha256-6g6JVNlLi++XboU/ewHM7KM0tJlDayCoz1octKloQro="; + hash = "sha256-5XK5Cec6ojrpIncAtlp9jYr9KxmNYJKPhbsJraA0FA0="; }; - cargoHash = "sha256-Vci29mnFiRRbI45Qkj6t8aVrEaJdKVB01zTXHQT5ckw="; + cargoHash = "sha256-8ujQyG9qLuG8vjHoRtvpn4ka/Ft39u+NoxSZrD9NsfY="; nativeBuildInputs = [ pkg-config diff --git a/pkgs/tools/security/sherlock/default.nix b/pkgs/tools/security/sherlock/default.nix index aaae216f1f27f..2a475e13d3d5f 100644 --- a/pkgs/tools/security/sherlock/default.nix +++ b/pkgs/tools/security/sherlock/default.nix @@ -7,14 +7,14 @@ python3.pkgs.buildPythonApplication rec { pname = "sherlock"; - version = "unstable-2024-05-12"; + version = "0-unstable-2024-05-15"; format = "other"; src = fetchFromGitHub { owner = "sherlock-project"; repo = "sherlock"; - rev = "3e978d774b428dce6eed7afbb6606444e7a74924"; - hash = "sha256-wa32CSQ9+/PJPep84Tqtzmr6EjD1Bb3guZe5pTOZVnA="; + rev = "0ecb496ae91bc36476e3e6800aa3928c5dcd82f8"; + hash = "sha256-CikQaQsiwKz0yEk3rA6hi570LIobEaxxgQ5I/B6OxWk="; }; nativeBuildInputs = [ makeWrapper ]; diff --git a/pkgs/tools/security/sirikali/default.nix b/pkgs/tools/security/sirikali/default.nix deleted file mode 100644 index 6ae689d95fd4c..0000000000000 --- a/pkgs/tools/security/sirikali/default.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ lib -, stdenv -, qtbase -, libpwquality -, hicolor-icon-theme -, fetchFromGitHub -, wrapQtAppsHook -, cmake -, pkg-config -, libgcrypt -, cryfs -, encfs -, fscrypt-experimental -, gocryptfs -, securefs -, sshfs -, libsecret -, kwallet -, withKWallet ? true -, withLibsecret ? true -}: - -stdenv.mkDerivation rec { - pname = "sirikali"; - version = "1.5.1"; - - src = fetchFromGitHub { - owner = "mhogomchungu"; - repo = "sirikali"; - rev = version; - hash = "sha256-1bY8cCMMK4Jie4+9c7eUEBrPEYDaOqFHZ5252TPSotA="; - }; - - buildInputs = [ - qtbase - libpwquality - hicolor-icon-theme - libgcrypt - cryfs - encfs - fscrypt-experimental - gocryptfs - securefs - sshfs - ] - ++ lib.optionals withKWallet [ libsecret ] - ++ lib.optionals withLibsecret [ kwallet ] - ; - - nativeBuildInputs = [ - wrapQtAppsHook - cmake - pkg-config - ]; - - qtWrapperArgs = [ - ''--prefix PATH : ${lib.makeBinPath [ - cryfs - encfs - fscrypt-experimental - gocryptfs - securefs - sshfs - ]}'' - ]; - - postPatch = '' - substituteInPlace "src/engines.cpp" --replace "/sbin/" "/run/wrappers/bin/" - ''; - - doCheck = true; - - cmakeFlags = [ - "-DINTERNAL_LXQT_WALLET=false" - "-DNOKDESUPPORT=${if withKWallet then "false" else "true"}" - "-DNOSECRETSUPPORT=${if withLibsecret then "false" else "true"}" - "-DQT5=true" - ]; - - meta = with lib; { - description = "A Qt/C++ GUI front end to sshfs, ecryptfs-simple, cryfs, gocryptfs, securefs, fscrypt and encfs"; - homepage = "https://github.com/mhogomchungu/sirikali"; - changelog = "https://github.com/mhogomchungu/sirikali/blob/${src.rev}/changelog"; - license = licenses.gpl3Only; - maintainers = with maintainers; [ linuxissuper ]; - }; -} diff --git a/pkgs/tools/security/step-ca/default.nix b/pkgs/tools/security/step-ca/default.nix index 72f80c3c79eac..1b227b3cdfdf1 100644 --- a/pkgs/tools/security/step-ca/default.nix +++ b/pkgs/tools/security/step-ca/default.nix 
@@ -24,6 +24,11 @@ buildGoModule rec { vendorHash = "sha256-XlfdIg8YHCeCvc7kZczUxlxUonyZSQATgsxLTMvNDk4="; + ldflags = [ + "-w" + "-X main.Version=${version}" + ]; + nativeBuildInputs = lib.optionals hsmSupport [ pkg-config ]; buildInputs = diff --git a/pkgs/tools/security/vaultwarden/webvault.nix b/pkgs/tools/security/vaultwarden/webvault.nix index 041b7ae3154a5..1b07086846da6 100644 --- a/pkgs/tools/security/vaultwarden/webvault.nix +++ b/pkgs/tools/security/vaultwarden/webvault.nix @@ -8,13 +8,13 @@ }: let - version = "2024.3.1"; + version = "2024.5.0"; bw_web_builds = fetchFromGitHub { owner = "dani-garcia"; repo = "bw_web_builds"; rev = "v${version}"; - hash = "sha256-oi0H8TIQwtpzxKoQGnKaOY0bcWu7avTtrY+NgNRiq8k="; + hash = "sha256-di0oOM3ju3rkDVGmKpvS6sCaIXL/QGawr0TUrQjZ8dM="; }; in buildNpmPackage rec { @@ -25,10 +25,10 @@ in buildNpmPackage rec { owner = "bitwarden"; repo = "clients"; rev = "web-v${lib.removeSuffix "b" version}"; - hash = "sha256-JBEP4dNGL4rYKl2qNyhB2y/wZunikaGFltGVXLxgMWI="; + hash = "sha256-kQ2tWfkkG5aifA8UGb5X1wQkGZr6dcVlrb+b78RFX/k="; }; - npmDepsHash = "sha256-vNudSHIMmF7oXGz+ZymQahyHebs/CBDc6Oy1g0A5nqA="; + npmDepsHash = "sha256-gprJGOE/uSSM3NHpcbelB7sueObEl4o522WRHIRFmwo="; postPatch = '' ln -s ${bw_web_builds}/{patches,resources} .. diff --git a/pkgs/tools/security/witness/default.nix b/pkgs/tools/security/witness/default.nix index 0b62b31d94e17..2aa26b7e6080c 100644 --- a/pkgs/tools/security/witness/default.nix +++ b/pkgs/tools/security/witness/default.nix 
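Review bot: Nothing visible in the hunk checks that `-X main.Version=${version}` in the new `ldflags` takes effect. The Go linker silently ignores `-X` for a symbol that does not exist, so an upstream rename would bring back an unversioned binary without failing the build. For a CA the reported version needs to be right when matching a deployment against advisories, so I would add a version test such as `passthru.tests.version = testers.testVersion { package = step-ca; };`, with `testers` and `step-ca` added to the function arguments, unless one already exists outside the hunk. A comment above the list, e.g. `# embed the release version; no build timestamp is set`, would document the intent. The attribute set starts and ends outside the hunk.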
@@ -10,15 +10,15 @@ buildGoModule rec { pname = "witness"; - version = "0.3.1"; + version = "0.4.0"; src = fetchFromGitHub { owner = "in-toto"; repo = "witness"; rev = "v${version}"; - sha256 = "sha256-uv/HxPYOKxZskmlAxUS2I1sW4YsSAmIeNHjoJeR7VWs="; + sha256 = "sha256-QnZZVQZMkh9GH6io19mlE3gHaiX73TgH7ibFT1H5DB4="; }; - vendorHash = "sha256-9IkDBaDRJGWfPRN5+rYU4uH6nAsfnytDkF518rfNpyc="; + vendorHash = "sha256-5q405OP8VPChhxiH2tjh2H+ailQRjGmLZvul7CubjJo="; nativeBuildInputs = [ installShellFiles ]; diff --git a/pkgs/tools/security/yara/default.nix b/pkgs/tools/security/yara/default.nix index 26eea76f016be..44b1544ab935f 100644 --- a/pkgs/tools/security/yara/default.nix +++ b/pkgs/tools/security/yara/default.nix @@ -1,17 +1,22 @@ -{ lib, stdenv -, fetchFromGitHub -, fetchpatch -, autoreconfHook -, pcre -, pkg-config -, protobufc -, withCrypto ? true, openssl -, enableCuckoo ? true, jansson -, enableDex ? true -, enableDotNet ? true -, enableMacho ? true -, enableMagic ? true, file -, enableStatic ? false +{ + lib, + stdenv, + fetchFromGitHub, + fetchpatch, + autoreconfHook, + pcre, + pkg-config, + protobufc, + withCrypto ? true, + openssl, + enableCuckoo ? true, + jansson, + enableDex ? true, + enableDotNet ? true, + enableMacho ? true, + enableMagic ? true, + file, + enableStatic ? false, }: stdenv.mkDerivation rec { @@ -20,8 +25,8 @@ stdenv.mkDerivation rec { src = fetchFromGitHub { owner = "VirusTotal"; - repo = pname; - rev = "v${version}"; + repo = "yara"; + rev = "refs/tags/v${version}"; hash = "sha256-AecHsUBtBleUkWuYMQ4Tx/PY8cs9j7JwqncBziJD0hA="; }; 
@@ -38,16 +43,14 @@ stdenv.mkDerivation rec { pkg-config ]; - buildInputs = [ - pcre - protobufc - ] ++ lib.optionals withCrypto [ - openssl - ] ++ lib.optionals enableMagic [ - file - ] ++ lib.optionals enableCuckoo [ - jansson - ]; + buildInputs = + [ + pcre + protobufc + ] + ++ lib.optionals withCrypto [ openssl ] + ++ lib.optionals enableMagic [ file ] + ++ lib.optionals enableCuckoo [ jansson ]; preConfigure = "./bootstrap.sh"; @@ -64,10 +67,12 @@ stdenv.mkDerivation rec { doCheck = enableStatic; meta = with lib; { - description = "The pattern matching swiss knife for malware researchers"; + description = "Tool to perform pattern matching for malware-related tasks"; homepage = "http://Virustotal.github.io/yara/"; + changelog = "https://github.com/VirusTotal/yara/releases/tag/v${version}"; license = licenses.asl20; maintainers = with maintainers; [ fab ]; + mainProgram = "yara"; platforms = platforms.all; }; } diff --git a/pkgs/tools/security/yubikey-touch-detector/default.nix b/pkgs/tools/security/yubikey-touch-detector/default.nix index 36822b6728e60..b6ce85819cee6 100644 --- a/pkgs/tools/security/yubikey-touch-detector/default.nix +++ b/pkgs/tools/security/yubikey-touch-detector/default.nix @@ -1,4 +1,4 @@ -{ lib, libnotify, gpgme, buildGoModule, fetchFromGitHub, fetchurl, pkg-config }: +{ lib, libnotify, gpgme, buildGoModule, fetchFromGitHub, pkg-config }: buildGoModule rec { pname = "yubikey-touch-detector"; |
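Review bot: In the `meta` block of the last yara hunk, `homepage = "http://Virustotal.github.io/yara/";` stays on plain HTTP while the `changelog` added directly below it uses HTTPS. Since the hunk already edits `meta`, I would change it to `homepage = "https://virustotal.github.io/yara/";` so the link to the tool's documentation goes over an authenticated channel.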