about summary refs log tree commit diff
path: root/pkgs/tools/security
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/tools/security')
-rw-r--r--pkgs/tools/security/afl/README.md19
-rw-r--r--pkgs/tools/security/afl/default.nix82
-rw-r--r--pkgs/tools/security/afl/libdislocator.nix35
-rw-r--r--pkgs/tools/security/afl/qemu-patches/no-etc-install.patch13
-rw-r--r--pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff51
-rw-r--r--pkgs/tools/security/afl/qemu.nix77
-rw-r--r--pkgs/tools/security/cnquery/default.nix6
-rw-r--r--pkgs/tools/security/exploitdb/default.nix4
-rw-r--r--pkgs/tools/security/grype/default.nix4
-rw-r--r--pkgs/tools/security/osv-scanner/default.nix17
-rw-r--r--pkgs/tools/security/rbw/default.nix6
-rw-r--r--pkgs/tools/security/snow/default.nix4
-rw-r--r--pkgs/tools/security/step-cli/default.nix2
13 files changed, 23 insertions, 297 deletions
diff --git a/pkgs/tools/security/afl/README.md b/pkgs/tools/security/afl/README.md
deleted file mode 100644
index 180cad6bc4ca6..0000000000000
--- a/pkgs/tools/security/afl/README.md
+++ /dev/null
@@ -1,19 +0,0 @@
-Updating the QEMU patches
-=========================
-
-When updating to the latest American Fuzzy Lop, make sure to check for
-any new patches to qemu for binary fuzzing support:
-
-https://github.com/google/AFL/tree/master/qemu_mode
-
-Be sure to check the build script and make sure it's also using the
-right QEMU version and options in `qemu.nix`:
-
-https://github.com/google/AFL/blob/master/qemu_mode/build_qemu_support.sh
-
-`afl-config.h`, `afl-types.h`, and `afl-qemu-cpu-inl.h` are part of
-the afl source code, and copied from `config.h`, `types.h` and
-`afl-qemu-cpu-inl.h` appropriately. These files and the QEMU patches
-need to be slightly adjusted to fix their `#include`s (the patches
-try to otherwise include files like `../../config.h` which causes the
-build to fail).
diff --git a/pkgs/tools/security/afl/default.nix b/pkgs/tools/security/afl/default.nix
deleted file mode 100644
index ccdbd78716d96..0000000000000
--- a/pkgs/tools/security/afl/default.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, callPackage, makeWrapper
-, clang, llvm, which, libcgroup
-}:
-
-let
-  afl-qemu = callPackage ./qemu.nix { inherit afl; };
-  qemu-exe-name = if stdenv.hostPlatform.system == "x86_64-linux" then "qemu-x86_64"
-    else if stdenv.hostPlatform.system == "i686-linux" then "qemu-i386"
-    else throw "afl: no support for ${stdenv.hostPlatform.system}!";
-  afl = stdenv.mkDerivation rec {
-    pname = "afl";
-    version = "2.57b";
-
-    src = fetchFromGitHub {
-      owner = "google";
-      repo = pname;
-      rev = "v${version}";
-      sha256 = "0fqj3g6ds1f21kxz7m9mc1fspi9r4jg9jcmi60inwxijrc5ncvr6";
-    };
-    enableParallelBuilding = true;
-
-    # Note: libcgroup isn't needed for building, just for the afl-cgroup
-    # script.
-    nativeBuildInputs = [ makeWrapper which llvm.dev ];
-    buildInputs = [ llvm ];
-
-    makeFlags = [ "PREFIX=$(out)" ];
-    postBuild = ''
-      make -C llvm_mode $makeFlags -j$NIX_BUILD_CORES
-    '';
-    postInstall = ''
-      # Install the custom QEMU emulator for binary blob fuzzing.
-      cp ${afl-qemu}/bin/${qemu-exe-name} $out/bin/afl-qemu-trace
-
-      # Install the cgroups wrapper for asan-based fuzzing.
-      cp experimental/asan_cgroups/limit_memory.sh $out/bin/afl-cgroup
-      chmod +x $out/bin/afl-cgroup
-      substituteInPlace $out/bin/afl-cgroup \
-        --replace "cgcreate" "${libcgroup}/bin/cgcreate" \
-        --replace "cgexec"   "${libcgroup}/bin/cgexec" \
-        --replace "cgdelete" "${libcgroup}/bin/cgdelete"
-
-      # Patch shebangs before wrapping
-      patchShebangs $out/bin
-
-      # Wrap afl-clang-fast(++) with a *different* AFL_PATH, because it
-      # has totally different semantics in that case(?) - and also set a
-      # proper AFL_CC and AFL_CXX so we don't pick up the wrong one out
-      # of $PATH.
-      # first though we need to replace the afl-clang-fast++ symlink with
-      # a real copy to prevent wrapProgram skipping the symlink and confusing
-      # nix's cc wrapper
-      rm $out/bin/afl-clang-fast++
-      cp $out/bin/afl-clang-fast $out/bin/afl-clang-fast++
-      for x in $out/bin/afl-clang-fast $out/bin/afl-clang-fast++; do
-        wrapProgram $x \
-          --prefix AFL_PATH : "$out/lib/afl" \
-          --run 'export AFL_CC=''${AFL_CC:-${clang}/bin/clang} AFL_CXX=''${AFL_CXX:-${clang}/bin/clang++}'
-      done
-    '';
-
-    passthru.qemu = afl-qemu;
-
-    meta = {
-      description = "Powerful fuzzer via genetic algorithms and instrumentation";
-      longDescription = ''
-        American fuzzy lop is a fuzzer that employs a novel type of
-        compile-time instrumentation and genetic algorithms to
-        automatically discover clean, interesting test cases that
-        trigger new internal states in the targeted binary. This
-        substantially improves the functional coverage for the fuzzed
-        code. The compact synthesized corpora produced by the tool are
-        also useful for seeding other, more labor or resource-intensive
-        testing regimes down the road.
-      '';
-      homepage    = "https://lcamtuf.coredump.cx/afl/";
-      license     = lib.licenses.asl20;
-      platforms   = ["x86_64-linux" "i686-linux"];
-      maintainers = with lib.maintainers; [ thoughtpolice ris ];
-    };
-  };
-in afl
diff --git a/pkgs/tools/security/afl/libdislocator.nix b/pkgs/tools/security/afl/libdislocator.nix
deleted file mode 100644
index 1030ffaf9eb85..0000000000000
--- a/pkgs/tools/security/afl/libdislocator.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ lib, stdenv, afl}:
-
-stdenv.mkDerivation {
-  version = lib.getVersion afl;
-  pname = "libdislocator";
-
-  src = afl.src;
-  sourceRoot = "${afl.src.name}/libdislocator";
-
-  makeFlags = [ "PREFIX=$(out)" ];
-
-  preInstall = ''
-    mkdir -p $out/lib/afl
-  '';
-  postInstall = ''
-    mkdir $out/bin
-    cat > $out/bin/get-libdislocator-so <<END
-    #!${stdenv.shell}
-    echo $out/lib/afl/libdislocator.so
-    END
-    chmod +x $out/bin/get-libdislocator-so
-  '';
-
-  meta = with lib; {
-    homepage = "https://lcamtuf.coredump.cx/afl/";
-    description = ''
-      Drop-in replacement for the libc allocator which improves
-      the odds of bumping into heap-related security bugs in
-      several ways.
-    '';
-    mainProgram = "get-libdislocator-so";
-    license = lib.licenses.asl20;
-    maintainers = with maintainers; [ ris ];
-  };
-}
diff --git a/pkgs/tools/security/afl/qemu-patches/no-etc-install.patch b/pkgs/tools/security/afl/qemu-patches/no-etc-install.patch
deleted file mode 100644
index 5dfbfd780f1ca..0000000000000
--- a/pkgs/tools/security/afl/qemu-patches/no-etc-install.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/Makefile b/Makefile
-index d6b9dc1..ce7c493 100644
---- a/Makefile
-+++ b/Makefile
-@@ -601,7 +601,7 @@ install-localstatedir:
- endif
- 
- 
--install: all $(if $(BUILD_DOCS),install-doc) install-datadir install-localstatedir
-+install: all $(if $(BUILD_DOCS),install-doc) install-datadir
- ifneq ($(TOOLS),)
- 	$(call install-prog,$(subst qemu-ga,qemu-ga$(EXESUF),$(TOOLS)),$(DESTDIR)$(bindir))
- endif
diff --git a/pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff b/pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff
deleted file mode 100644
index aa2950bf157c7..0000000000000
--- a/pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff
+++ /dev/null
@@ -1,51 +0,0 @@
---- qemu-2.10.0-clean/linux-user/syscall.c	2020-03-12 18:47:47.898592169 +0100
-+++ qemu-2.10.0/linux-user/syscall.c	2020-03-13 09:13:42.461809699 +0100
-@@ -34,6 +34,7 @@
- #include <sys/resource.h>
- #include <sys/swap.h>
- #include <linux/capability.h>
-+#include <linux/sockios.h> // https://lkml.org/lkml/2019/6/3/988
- #include <sched.h>
- #include <sys/timex.h>
- #ifdef __ia64__
-@@ -256,7 +257,9 @@ static type name (type1 arg1,type2 arg2,
- #endif
- 
- #ifdef __NR_gettid
--_syscall0(int, gettid)
-+// taken from https://patchwork.kernel.org/patch/10862231/
-+#define __NR_sys_gettid __NR_gettid
-+_syscall0(int, sys_gettid)
- #else
- /* This is a replacement for the host gettid() and must return a host
-    errno. */
-@@ -6219,7 +6222,7 @@ static void *clone_func(void *arg)
-     cpu = ENV_GET_CPU(env);
-     thread_cpu = cpu;
-     ts = (TaskState *)cpu->opaque;
--    info->tid = gettid();
-+    info->tid = sys_gettid();
-     task_settid(ts);
-     if (info->child_tidptr)
-         put_user_u32(info->tid, info->child_tidptr);
-@@ -6363,9 +6366,9 @@ static int do_fork(CPUArchState *env, un
-                mapping.  We can't repeat the spinlock hack used above because
-                the child process gets its own copy of the lock.  */
-             if (flags & CLONE_CHILD_SETTID)
--                put_user_u32(gettid(), child_tidptr);
-+                put_user_u32(sys_gettid(), child_tidptr);
-             if (flags & CLONE_PARENT_SETTID)
--                put_user_u32(gettid(), parent_tidptr);
-+                put_user_u32(sys_gettid(), parent_tidptr);
-             ts = (TaskState *)cpu->opaque;
-             if (flags & CLONE_SETTLS)
-                 cpu_set_tls (env, newtls);
-@@ -11402,7 +11405,7 @@ abi_long do_syscall(void *cpu_env, int n
-         break;
- #endif
-     case TARGET_NR_gettid:
--        ret = get_errno(gettid());
-+        ret = get_errno(sys_gettid());
-         break;
- #ifdef TARGET_NR_readahead
-     case TARGET_NR_readahead:
diff --git a/pkgs/tools/security/afl/qemu.nix b/pkgs/tools/security/afl/qemu.nix
deleted file mode 100644
index 845d9fa3e6f15..0000000000000
--- a/pkgs/tools/security/afl/qemu.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ lib, stdenv, fetchurl, afl, python2, zlib, pkg-config, glib, perl
-, texinfo, libuuid, flex, bison, pixman, autoconf
-}:
-
-let
-  cpuTarget = if stdenv.hostPlatform.system == "x86_64-linux" then "x86_64-linux-user"
-    else if stdenv.hostPlatform.system == "i686-linux" then "i386-linux-user"
-    else throw "afl: no support for ${stdenv.hostPlatform.system}!";
-in
-stdenv.mkDerivation rec {
-  pname = "afl-qemu";
-  version = "2.10.0";
-
-  srcs = [
-    (fetchurl {
-      url = "https://download.qemu.org/qemu-${version}.tar.bz2";
-      sha256 = "0j3dfxzrzdp1w21k21fjvmakzc6lcha1rsclaicwqvbf63hkk7vy";
-    })
-    afl.src
-  ];
-
-  sourceRoot = "qemu-${version}";
-
-  postUnpack = ''
-    cp ${afl.src.name}/types.h $sourceRoot/afl-types.h
-    substitute ${afl.src.name}/config.h $sourceRoot/afl-config.h \
-      --replace "types.h" "afl-types.h"
-    substitute ${afl.src.name}/qemu_mode/patches/afl-qemu-cpu-inl.h $sourceRoot/afl-qemu-cpu-inl.h \
-      --replace "../../config.h" "afl-config.h"
-    substituteInPlace ${afl.src.name}/qemu_mode/patches/cpu-exec.diff \
-      --replace "../patches/afl-qemu-cpu-inl.h" "afl-qemu-cpu-inl.h"
-  '';
-
-  nativeBuildInputs = [
-    python2 perl pkg-config flex bison autoconf texinfo
-  ];
-
-  buildInputs = [
-    zlib glib pixman libuuid
-  ];
-
-  enableParallelBuilding = true;
-
-  patches = [
-    # patches extracted from afl source
-    "../${afl.src.name}/qemu_mode/patches/cpu-exec.diff"
-    "../${afl.src.name}/qemu_mode/patches/elfload.diff"
-    "../${afl.src.name}/qemu_mode/patches/syscall.diff"
-    "../${afl.src.name}/qemu_mode/patches/configure.diff"
-    "../${afl.src.name}/qemu_mode/patches/memfd.diff"
-    # nix-specific patches to make installation more well-behaved
-    ./qemu-patches/no-etc-install.patch
-    # patch for fixing qemu build on glibc >= 2.30
-    ./qemu-patches/syscall-glibc2_30.diff
-  ];
-
-  configureFlags =
-    [ "--disable-system"
-      "--enable-linux-user"
-      "--disable-gtk"
-      "--disable-sdl"
-      "--disable-vnc"
-      "--disable-kvm"
-      "--target-list=${cpuTarget}"
-      "--enable-pie"
-      "--sysconfdir=/etc"
-      "--localstatedir=/var"
-    ];
-
-  meta = with lib; {
-    homepage = "https://www.qemu.org/";
-    description = "Fork of QEMU with AFL instrumentation support";
-    license = licenses.gpl2Plus;
-    maintainers = with maintainers; [ thoughtpolice ];
-    platforms = platforms.linux;
-  };
-}
diff --git a/pkgs/tools/security/cnquery/default.nix b/pkgs/tools/security/cnquery/default.nix
index f8f1467074bea..a5dafec184fd5 100644
--- a/pkgs/tools/security/cnquery/default.nix
+++ b/pkgs/tools/security/cnquery/default.nix
@@ -6,18 +6,18 @@
 
 buildGoModule rec {
   pname = "cnquery";
-  version = "10.12.2";
+  version = "11.0.2";
 
   src = fetchFromGitHub {
     owner = "mondoohq";
     repo = "cnquery";
     rev = "refs/tags/v${version}";
-    hash = "sha256-TqbE94JmewkYxulF8ePKxQLb2NvQ6FNpfqqedtYM4aY=";
+    hash = "sha256-hWZXt9hUK0IXnmqKvKdowR42NVu+guMPW3krzgI1KqU=";
   };
 
   subPackages = [ "apps/cnquery" ];
 
-  vendorHash = "sha256-dS62XJFdL3Js2i6JwksvU8hEme6+6NojfjdzUZnY1wI=";
+  vendorHash = "sha256-Q1Wz3zHow4UeqgZVP9s9xHuLwrG2LE/tsDUdgs6xMNo=";
 
   ldflags = [
     "-w"
diff --git a/pkgs/tools/security/exploitdb/default.nix b/pkgs/tools/security/exploitdb/default.nix
index 5c3019eb7979f..20bc244781a4d 100644
--- a/pkgs/tools/security/exploitdb/default.nix
+++ b/pkgs/tools/security/exploitdb/default.nix
@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation rec {
   pname = "exploitdb";
-  version = "2024-04-20";
+  version = "2024-04-22";
 
   src = fetchFromGitLab {
     owner = "exploit-database";
     repo = "exploitdb";
     rev = "refs/tags/${version}";
-    hash = "sha256-mz82w3maizWnaWcBqMFYgCNN9uwhSgo9D4j+XCvZDW0=";
+    hash = "sha256-lWWAZwoUFA54uy0qo4H5+MgSv7tYJOerU9X3Or+AhSg=";
   };
 
   nativeBuildInputs = [ makeWrapper ];
diff --git a/pkgs/tools/security/grype/default.nix b/pkgs/tools/security/grype/default.nix
index 927059a248fcf..7d9a7b4bc02b9 100644
--- a/pkgs/tools/security/grype/default.nix
+++ b/pkgs/tools/security/grype/default.nix
@@ -9,13 +9,13 @@
 
 buildGoModule rec {
   pname = "grype";
-  version = "0.76.0";
+  version = "0.77.0";
 
   src = fetchFromGitHub {
     owner = "anchore";
     repo = "grype";
     rev = "refs/tags/v${version}";
-    hash = "sha256-FdxtJVLeH7UQBYjoOuimCoswvIkz/2sBJ4Kn5NGBDWY=";
+    hash = "sha256-EnAMAmoP8rbkOkdPPxkN14lOPVYPqVpmaekfXBboeyI=";
     # populate values that require us to use git. By doing this in postFetch we
     # can delete .git afterwards and maintain better reproducibility of the src.
     leaveDotGit = true;
diff --git a/pkgs/tools/security/osv-scanner/default.nix b/pkgs/tools/security/osv-scanner/default.nix
index e51ce66ad0240..70393cb9aad8c 100644
--- a/pkgs/tools/security/osv-scanner/default.nix
+++ b/pkgs/tools/security/osv-scanner/default.nix
@@ -4,18 +4,19 @@
 , testers
 , osv-scanner
 }:
+
 buildGoModule rec {
   pname = "osv-scanner";
-  version = "1.7.1";
+  version = "1.7.2";
 
   src = fetchFromGitHub {
     owner = "google";
-    repo = pname;
-    rev = "v${version}";
-    hash = "sha256-JlTD8el4hXVYI76+cxGNemkUu0n2QxCqisr6R9aPqdI=";
+    repo = "osv-scanner";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-UE6iCvv/ByODZX+FoLvIw+EeyISWFkHb4xK5L33w1hU=";
   };
 
-  vendorHash = "sha256-J5qLs4EirBOfjnLv8eQBSd9w9nzpxBW5GS28CgQMsN8=";
+  vendorHash = "sha256-c/Wjhpa7upSRMaU+rheGF9dbvK0MQe3ZmPLpR5bRiUI=";
 
   subPackages = [
     "cmd/osv-scanner"
@@ -24,9 +25,9 @@ buildGoModule rec {
   ldflags = [
     "-s"
     "-w"
-    "-X github.com/google/osv-scanner/internal/version.OSVVersion=${version}"
-    "-X main.commit=n/a"
-    "-X main.date=1970-01-01T00:00:00Z"
+    "-X=github.com/google/osv-scanner/internal/version.OSVVersion=${version}"
+    "-X=main.commit=n/a"
+    "-X=main.date=1970-01-01T00:00:00Z"
   ];
 
   # Tests require network connectivity to query https://api.osv.dev.
diff --git a/pkgs/tools/security/rbw/default.nix b/pkgs/tools/security/rbw/default.nix
index 22efd33c6abe1..929282d51276f 100644
--- a/pkgs/tools/security/rbw/default.nix
+++ b/pkgs/tools/security/rbw/default.nix
@@ -25,14 +25,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "rbw";
-  version = "1.9.0";
+  version = "1.10.0";
 
   src = fetchzip {
     url = "https://git.tozt.net/rbw/snapshot/rbw-${version}.tar.gz";
-    sha256 = "sha256-NjMH99rmJYbCxDdc7e0iOFoslSrIuwIBxuHxADp0Ks4=";
+    hash = "sha256-uJ1QLEaab/Vb5GiAmbwjve3Y/3SM2XbNTRTvl2vPDYc=";
   };
 
-  cargoHash = "sha256-AH35v61FgUQe9BwDgVnXwoVTSQduxeMbXWy4ga3WU3k=";
+  cargoHash = "sha256-tDgkANbUmNLe3us+05gD9IS0f+RTQBXTGvuz2cr2zYY=";
 
   nativeBuildInputs = [
     installShellFiles
diff --git a/pkgs/tools/security/snow/default.nix b/pkgs/tools/security/snow/default.nix
index dbea144cb1ba6..5e7cb013a4edc 100644
--- a/pkgs/tools/security/snow/default.nix
+++ b/pkgs/tools/security/snow/default.nix
@@ -9,7 +9,9 @@ stdenv.mkDerivation rec {
     sha256 = "0r9q45y55z4i0askkxmxrx0jr1620ypd870vz0hx2a6n9skimdy0";
   };
 
-  makeFlags = [ "CFLAGS=-O2" ];
+  preBuild = ''
+    makeFlagsArray+=(CFLAGS="-O2 -std=c89")
+  '';
 
   installPhase = ''
     install -Dm755 snow -t $out/bin
diff --git a/pkgs/tools/security/step-cli/default.nix b/pkgs/tools/security/step-cli/default.nix
index 2afbec7f9069d..0b7271b5b67a2 100644
--- a/pkgs/tools/security/step-cli/default.nix
+++ b/pkgs/tools/security/step-cli/default.nix
@@ -32,7 +32,7 @@ buildGoModule rec {
     homepage = "https://smallstep.com/cli/";
     changelog = "https://github.com/smallstep/cli/blob/v${version}/CHANGELOG.md";
     license = licenses.asl20;
-    maintainers = with maintainers; [ xfix ];
+    maintainers = with maintainers; [ ];
     platforms = platforms.linux ++ platforms.darwin;
     mainProgram = "step";
   };
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-25 22:57:54 +0000