Diffstat (limited to 'pkgs/tools/security')
-rw-r--r-- | pkgs/tools/security/afl/README.md | 19 | ||||
-rw-r--r-- | pkgs/tools/security/afl/default.nix | 82 | ||||
-rw-r--r-- | pkgs/tools/security/afl/libdislocator.nix | 35 | ||||
-rw-r--r-- | pkgs/tools/security/afl/qemu-patches/no-etc-install.patch | 13 | ||||
-rw-r--r-- | pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff | 51 | ||||
-rw-r--r-- | pkgs/tools/security/afl/qemu.nix | 77 | ||||
-rw-r--r-- | pkgs/tools/security/cnquery/default.nix | 6 | ||||
-rw-r--r-- | pkgs/tools/security/exploitdb/default.nix | 4 | ||||
-rw-r--r-- | pkgs/tools/security/grype/default.nix | 4 | ||||
-rw-r--r-- | pkgs/tools/security/osv-scanner/default.nix | 17 | ||||
-rw-r--r-- | pkgs/tools/security/rbw/default.nix | 6 | ||||
-rw-r--r-- | pkgs/tools/security/snow/default.nix | 4 | ||||
-rw-r--r-- | pkgs/tools/security/step-cli/default.nix | 2 |
13 files changed, 23 insertions, 297 deletions
diff --git a/pkgs/tools/security/afl/README.md b/pkgs/tools/security/afl/README.md deleted file mode 100644 index 180cad6bc4ca6..0000000000000 --- a/pkgs/tools/security/afl/README.md +++ /dev/null @@ -1,19 +0,0 @@ -Updating the QEMU patches -========================= - -When updating to the latest American Fuzzy Lop, make sure to check for -any new patches to qemu for binary fuzzing support: - -https://github.com/google/AFL/tree/master/qemu_mode - -Be sure to check the build script and make sure it's also using the -right QEMU version and options in `qemu.nix`: - -https://github.com/google/AFL/blob/master/qemu_mode/build_qemu_support.sh - -`afl-config.h`, `afl-types.h`, and `afl-qemu-cpu-inl.h` are part of -the afl source code, and copied from `config.h`, `types.h` and -`afl-qemu-cpu-inl.h` appropriately. These files and the QEMU patches -need to be slightly adjusted to fix their `#include`s (the patches -try to otherwise include files like `../../config.h` which causes the -build to fail). diff --git a/pkgs/tools/security/afl/default.nix b/pkgs/tools/security/afl/default.nix deleted file mode 100644 index ccdbd78716d96..0000000000000 --- a/pkgs/tools/security/afl/default.nix +++ /dev/null 
@@ -1,82 +0,0 @@ -{ lib, stdenv, fetchFromGitHub, callPackage, makeWrapper -, clang, llvm, which, libcgroup -}: - -let - afl-qemu = callPackage ./qemu.nix { inherit afl; }; - qemu-exe-name = if stdenv.hostPlatform.system == "x86_64-linux" then "qemu-x86_64" - else if stdenv.hostPlatform.system == "i686-linux" then "qemu-i386" - else throw "afl: no support for ${stdenv.hostPlatform.system}!"; - afl = stdenv.mkDerivation rec { - pname = "afl"; - version = "2.57b"; - - src = fetchFromGitHub { - owner = "google"; - repo = pname; - rev = "v${version}"; - sha256 = "0fqj3g6ds1f21kxz7m9mc1fspi9r4jg9jcmi60inwxijrc5ncvr6"; - }; - enableParallelBuilding = true; - - # Note: libcgroup isn't needed for building, just for the afl-cgroup - # script. - nativeBuildInputs = [ makeWrapper which llvm.dev ]; - buildInputs = [ llvm ]; - - makeFlags = [ "PREFIX=$(out)" ]; - postBuild = '' - make -C llvm_mode $makeFlags -j$NIX_BUILD_CORES - ''; - postInstall = '' - # Install the custom QEMU emulator for binary blob fuzzing. - cp ${afl-qemu}/bin/${qemu-exe-name} $out/bin/afl-qemu-trace - - # Install the cgroups wrapper for asan-based fuzzing. - cp experimental/asan_cgroups/limit_memory.sh $out/bin/afl-cgroup - chmod +x $out/bin/afl-cgroup - substituteInPlace $out/bin/afl-cgroup \ - --replace "cgcreate" "${libcgroup}/bin/cgcreate" \ - --replace "cgexec" "${libcgroup}/bin/cgexec" \ - --replace "cgdelete" "${libcgroup}/bin/cgdelete" - - # Patch shebangs before wrapping - patchShebangs $out/bin - - # Wrap afl-clang-fast(++) with a *different* AFL_PATH, because it - # has totally different semantics in that case(?) - and also set a - # proper AFL_CC and AFL_CXX so we don't pick up the wrong one out - # of $PATH. 
- # first though we need to replace the afl-clang-fast++ symlink with - # a real copy to prevent wrapProgram skipping the symlink and confusing - # nix's cc wrapper - rm $out/bin/afl-clang-fast++ - cp $out/bin/afl-clang-fast $out/bin/afl-clang-fast++ - for x in $out/bin/afl-clang-fast $out/bin/afl-clang-fast++; do - wrapProgram $x \ - --prefix AFL_PATH : "$out/lib/afl" \ - --run 'export AFL_CC=''${AFL_CC:-${clang}/bin/clang} AFL_CXX=''${AFL_CXX:-${clang}/bin/clang++}' - done - ''; - - passthru.qemu = afl-qemu; - - meta = { - description = "Powerful fuzzer via genetic algorithms and instrumentation"; - longDescription = '' - American fuzzy lop is a fuzzer that employs a novel type of - compile-time instrumentation and genetic algorithms to - automatically discover clean, interesting test cases that - trigger new internal states in the targeted binary. This - substantially improves the functional coverage for the fuzzed - code. The compact synthesized corpora produced by the tool are - also useful for seeding other, more labor or resource-intensive - testing regimes down the road. - ''; - homepage = "https://lcamtuf.coredump.cx/afl/"; - license = lib.licenses.asl20; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = with lib.maintainers; [ thoughtpolice ris ]; - }; - }; -in afl diff --git a/pkgs/tools/security/afl/libdislocator.nix b/pkgs/tools/security/afl/libdislocator.nix deleted file mode 100644 index 1030ffaf9eb85..0000000000000 --- a/pkgs/tools/security/afl/libdislocator.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ lib, stdenv, afl}: - -stdenv.mkDerivation { - version = lib.getVersion afl; - pname = "libdislocator"; - - src = afl.src; - sourceRoot = "${afl.src.name}/libdislocator"; - - makeFlags = [ "PREFIX=$(out)" ]; - - preInstall = '' - mkdir -p $out/lib/afl - ''; - postInstall = '' - mkdir $out/bin - cat > $out/bin/get-libdislocator-so <<END - #!${stdenv.shell} - echo $out/lib/afl/libdislocator.so - END - chmod +x $out/bin/get-libdislocator-so - ''; - - meta = with lib; { - homepage = "https://lcamtuf.coredump.cx/afl/"; - description = '' - Drop-in replacement for the libc allocator which improves - the odds of bumping into heap-related security bugs in - several ways. - ''; - mainProgram = "get-libdislocator-so"; - license = lib.licenses.asl20; - maintainers = with maintainers; [ ris ]; - }; -} diff --git a/pkgs/tools/security/afl/qemu-patches/no-etc-install.patch b/pkgs/tools/security/afl/qemu-patches/no-etc-install.patch deleted file mode 100644 index 5dfbfd780f1ca..0000000000000 --- a/pkgs/tools/security/afl/qemu-patches/no-etc-install.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/Makefile b/Makefile -index d6b9dc1..ce7c493 100644 ---- a/Makefile -+++ b/Makefile -@@ -601,7 +601,7 @@ install-localstatedir: - endif - - --install: all $(if $(BUILD_DOCS),install-doc) install-datadir install-localstatedir -+install: all $(if $(BUILD_DOCS),install-doc) install-datadir - ifneq ($(TOOLS),) - $(call install-prog,$(subst qemu-ga,qemu-ga$(EXESUF),$(TOOLS)),$(DESTDIR)$(bindir)) - endif diff --git a/pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff b/pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff deleted file mode 100644 index aa2950bf157c7..0000000000000 --- a/pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff +++ /dev/null 
@@ -1,51 +0,0 @@ ---- qemu-2.10.0-clean/linux-user/syscall.c 2020-03-12 18:47:47.898592169 +0100 -+++ qemu-2.10.0/linux-user/syscall.c 2020-03-13 09:13:42.461809699 +0100 -@@ -34,6 +34,7 @@ - #include <sys/resource.h> - #include <sys/swap.h> - #include <linux/capability.h> -+#include <linux/sockios.h> // https://lkml.org/lkml/2019/6/3/988 - #include <sched.h> - #include <sys/timex.h> - #ifdef __ia64__ -@@ -256,7 +257,9 @@ static type name (type1 arg1,type2 arg2, - #endif - - #ifdef __NR_gettid --_syscall0(int, gettid) -+// taken from https://patchwork.kernel.org/patch/10862231/ -+#define __NR_sys_gettid __NR_gettid -+_syscall0(int, sys_gettid) - #else - /* This is a replacement for the host gettid() and must return a host - errno. */ -@@ -6219,7 +6222,7 @@ static void *clone_func(void *arg) - cpu = ENV_GET_CPU(env); - thread_cpu = cpu; - ts = (TaskState *)cpu->opaque; -- info->tid = gettid(); -+ info->tid = sys_gettid(); - task_settid(ts); - if (info->child_tidptr) - put_user_u32(info->tid, info->child_tidptr); -@@ -6363,9 +6366,9 @@ static int do_fork(CPUArchState *env, un - mapping. We can't repeat the spinlock hack used above because - the child process gets its own copy of the lock. */ - if (flags & CLONE_CHILD_SETTID) -- put_user_u32(gettid(), child_tidptr); -+ put_user_u32(sys_gettid(), child_tidptr); - if (flags & CLONE_PARENT_SETTID) -- put_user_u32(gettid(), parent_tidptr); -+ put_user_u32(sys_gettid(), parent_tidptr); - ts = (TaskState *)cpu->opaque; - if (flags & CLONE_SETTLS) - cpu_set_tls (env, newtls); -@@ -11402,7 +11405,7 @@ abi_long do_syscall(void *cpu_env, int n - break; - #endif - case TARGET_NR_gettid: -- ret = get_errno(gettid()); -+ ret = get_errno(sys_gettid()); - break; - #ifdef TARGET_NR_readahead - case TARGET_NR_readahead: diff --git a/pkgs/tools/security/afl/qemu.nix b/pkgs/tools/security/afl/qemu.nix deleted file mode 100644 index 845d9fa3e6f15..0000000000000 --- a/pkgs/tools/security/afl/qemu.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -{ lib, stdenv, fetchurl, afl, python2, zlib, pkg-config, glib, perl -, texinfo, libuuid, flex, bison, pixman, autoconf -}: - -let - cpuTarget = if stdenv.hostPlatform.system == "x86_64-linux" then "x86_64-linux-user" - else if stdenv.hostPlatform.system == "i686-linux" then "i386-linux-user" - else throw "afl: no support for ${stdenv.hostPlatform.system}!"; -in -stdenv.mkDerivation rec { - pname = "afl-qemu"; - version = "2.10.0"; - - srcs = [ - (fetchurl { - url = "https://download.qemu.org/qemu-${version}.tar.bz2"; - sha256 = "0j3dfxzrzdp1w21k21fjvmakzc6lcha1rsclaicwqvbf63hkk7vy"; - }) - afl.src - ]; - - sourceRoot = "qemu-${version}"; - - postUnpack = '' - cp ${afl.src.name}/types.h $sourceRoot/afl-types.h - substitute ${afl.src.name}/config.h $sourceRoot/afl-config.h \ - --replace "types.h" "afl-types.h" - substitute ${afl.src.name}/qemu_mode/patches/afl-qemu-cpu-inl.h $sourceRoot/afl-qemu-cpu-inl.h \ - --replace "../../config.h" "afl-config.h" - substituteInPlace ${afl.src.name}/qemu_mode/patches/cpu-exec.diff \ - --replace "../patches/afl-qemu-cpu-inl.h" "afl-qemu-cpu-inl.h" - ''; - - nativeBuildInputs = [ - python2 perl pkg-config flex bison autoconf texinfo - ]; - - buildInputs = [ - zlib glib pixman libuuid - ]; - - enableParallelBuilding = true; - - patches = [ - # patches extracted from afl source - "../${afl.src.name}/qemu_mode/patches/cpu-exec.diff" - "../${afl.src.name}/qemu_mode/patches/elfload.diff" - "../${afl.src.name}/qemu_mode/patches/syscall.diff" - "../${afl.src.name}/qemu_mode/patches/configure.diff" - "../${afl.src.name}/qemu_mode/patches/memfd.diff" - # nix-specific patches to make installation more well-behaved - ./qemu-patches/no-etc-install.patch - # patch for fixing qemu build on glibc >= 2.30 - ./qemu-patches/syscall-glibc2_30.diff - ]; - - configureFlags = - [ "--disable-system" - "--enable-linux-user" - "--disable-gtk" - "--disable-sdl" - "--disable-vnc" - "--disable-kvm" - "--target-list=${cpuTarget}" - 
"--enable-pie" - "--sysconfdir=/etc" - "--localstatedir=/var" - ]; - - meta = with lib; { - homepage = "https://www.qemu.org/"; - description = "Fork of QEMU with AFL instrumentation support"; - license = licenses.gpl2Plus; - maintainers = with maintainers; [ thoughtpolice ]; - platforms = platforms.linux; - }; -} diff --git a/pkgs/tools/security/cnquery/default.nix b/pkgs/tools/security/cnquery/default.nix index f8f1467074bea..a5dafec184fd5 100644 --- a/pkgs/tools/security/cnquery/default.nix +++ b/pkgs/tools/security/cnquery/default.nix @@ -6,18 +6,18 @@ buildGoModule rec { pname = "cnquery"; - version = "10.12.2"; + version = "11.0.2"; src = fetchFromGitHub { owner = "mondoohq"; repo = "cnquery"; rev = "refs/tags/v${version}"; - hash = "sha256-TqbE94JmewkYxulF8ePKxQLb2NvQ6FNpfqqedtYM4aY="; + hash = "sha256-hWZXt9hUK0IXnmqKvKdowR42NVu+guMPW3krzgI1KqU="; }; subPackages = [ "apps/cnquery" ]; - vendorHash = "sha256-dS62XJFdL3Js2i6JwksvU8hEme6+6NojfjdzUZnY1wI="; + vendorHash = "sha256-Q1Wz3zHow4UeqgZVP9s9xHuLwrG2LE/tsDUdgs6xMNo="; ldflags = [ "-w" diff --git a/pkgs/tools/security/exploitdb/default.nix b/pkgs/tools/security/exploitdb/default.nix index 5c3019eb7979f..20bc244781a4d 100644 --- a/pkgs/tools/security/exploitdb/default.nix +++ b/pkgs/tools/security/exploitdb/default.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation rec { pname = "exploitdb"; - version = "2024-04-20"; + version = "2024-04-22"; src = fetchFromGitLab { owner = "exploit-database"; repo = "exploitdb"; rev = "refs/tags/${version}"; - hash = "sha256-mz82w3maizWnaWcBqMFYgCNN9uwhSgo9D4j+XCvZDW0="; + hash = "sha256-lWWAZwoUFA54uy0qo4H5+MgSv7tYJOerU9X3Or+AhSg="; }; nativeBuildInputs = [ makeWrapper ]; diff --git a/pkgs/tools/security/grype/default.nix b/pkgs/tools/security/grype/default.nix index 927059a248fcf..7d9a7b4bc02b9 100644 --- a/pkgs/tools/security/grype/default.nix +++ b/pkgs/tools/security/grype/default.nix 
@@ -9,13 +9,13 @@ buildGoModule rec { pname = "grype"; - version = "0.76.0"; + version = "0.77.0"; src = fetchFromGitHub { owner = "anchore"; repo = "grype"; rev = "refs/tags/v${version}"; - hash = "sha256-FdxtJVLeH7UQBYjoOuimCoswvIkz/2sBJ4Kn5NGBDWY="; + hash = "sha256-EnAMAmoP8rbkOkdPPxkN14lOPVYPqVpmaekfXBboeyI="; # populate values that require us to use git. By doing this in postFetch we # can delete .git afterwards and maintain better reproducibility of the src. leaveDotGit = true; diff --git a/pkgs/tools/security/osv-scanner/default.nix b/pkgs/tools/security/osv-scanner/default.nix index e51ce66ad0240..70393cb9aad8c 100644 --- a/pkgs/tools/security/osv-scanner/default.nix +++ b/pkgs/tools/security/osv-scanner/default.nix @@ -4,18 +4,19 @@ , testers , osv-scanner }: + buildGoModule rec { pname = "osv-scanner"; - version = "1.7.1"; + version = "1.7.2"; src = fetchFromGitHub { owner = "google"; - repo = pname; - rev = "v${version}"; - hash = "sha256-JlTD8el4hXVYI76+cxGNemkUu0n2QxCqisr6R9aPqdI="; + repo = "osv-scanner"; + rev = "refs/tags/v${version}"; + hash = "sha256-UE6iCvv/ByODZX+FoLvIw+EeyISWFkHb4xK5L33w1hU="; }; - vendorHash = "sha256-J5qLs4EirBOfjnLv8eQBSd9w9nzpxBW5GS28CgQMsN8="; + vendorHash = "sha256-c/Wjhpa7upSRMaU+rheGF9dbvK0MQe3ZmPLpR5bRiUI="; subPackages = [ "cmd/osv-scanner" @@ -24,9 +25,9 @@ buildGoModule rec { ldflags = [ "-s" "-w" - "-X github.com/google/osv-scanner/internal/version.OSVVersion=${version}" - "-X main.commit=n/a" - "-X main.date=1970-01-01T00:00:00Z" + "-X=github.com/google/osv-scanner/internal/version.OSVVersion=${version}" + "-X=main.commit=n/a" + "-X=main.date=1970-01-01T00:00:00Z" ]; # Tests require network connectivity to query https://api.osv.dev. diff --git a/pkgs/tools/security/rbw/default.nix b/pkgs/tools/security/rbw/default.nix index 22efd33c6abe1..929282d51276f 100644 --- a/pkgs/tools/security/rbw/default.nix +++ b/pkgs/tools/security/rbw/default.nix 
@@ -25,14 +25,14 @@ rustPlatform.buildRustPackage rec { pname = "rbw"; - version = "1.9.0"; + version = "1.10.0"; src = fetchzip { url = "https://git.tozt.net/rbw/snapshot/rbw-${version}.tar.gz"; - sha256 = "sha256-NjMH99rmJYbCxDdc7e0iOFoslSrIuwIBxuHxADp0Ks4="; + hash = "sha256-uJ1QLEaab/Vb5GiAmbwjve3Y/3SM2XbNTRTvl2vPDYc="; }; - cargoHash = "sha256-AH35v61FgUQe9BwDgVnXwoVTSQduxeMbXWy4ga3WU3k="; + cargoHash = "sha256-tDgkANbUmNLe3us+05gD9IS0f+RTQBXTGvuz2cr2zYY="; nativeBuildInputs = [ installShellFiles diff --git a/pkgs/tools/security/snow/default.nix b/pkgs/tools/security/snow/default.nix index dbea144cb1ba6..5e7cb013a4edc 100644 --- a/pkgs/tools/security/snow/default.nix +++ b/pkgs/tools/security/snow/default.nix @@ -9,7 +9,9 @@ stdenv.mkDerivation rec { sha256 = "0r9q45y55z4i0askkxmxrx0jr1620ypd870vz0hx2a6n9skimdy0"; }; - makeFlags = [ "CFLAGS=-O2" ]; + preBuild = '' + makeFlagsArray+=(CFLAGS="-O2 -std=c89") + ''; installPhase = '' install -Dm755 snow -t $out/bin diff --git a/pkgs/tools/security/step-cli/default.nix b/pkgs/tools/security/step-cli/default.nix index 2afbec7f9069d..0b7271b5b67a2 100644 --- a/pkgs/tools/security/step-cli/default.nix +++ b/pkgs/tools/security/step-cli/default.nix @@ -32,7 +32,7 @@ buildGoModule rec { homepage = "https://smallstep.com/cli/"; changelog = "https://github.com/smallstep/cli/blob/v${version}/CHANGELOG.md"; license = licenses.asl20; - maintainers = with maintainers; [ xfix ]; + maintainers = with maintainers; [ ]; platforms = platforms.linux ++ platforms.darwin; mainProgram = "step"; }; |
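Review bot: The new `preBuild` in pkgs/tools/security/snow/default.nix adds `-std=c89` with no comment saying why, so a later maintainer cannot tell whether the flag is still required or which diagnostics it is suppressing. Pinning an old language standard usually means the source relies on constructs that current compilers reject by default (inferred; the snow source is not visible in this diff), and those diagnostics often point at real memory-handling mistakes, so the exact compiler error is worth recording. I would add a comment above the hook such as `# snow does not build with the default C standard of current compilers (<compiler error placeholder>); build as C89 until the source is patched`. The same comment should say that `makeFlagsArray` is used instead of `makeFlags` so that the space-containing `CFLAGS` value is passed to make as one argument. The enclosing `stdenv.mkDerivation` block starts and ends outside this hunk.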