15 files changed, 123 insertions, 38 deletions

diff --git a/pkgs/applications/version-management/gitea/default.nix b/pkgs/applications/version-management/gitea/default.nix
index 99a6ffb585ada..def74a723a578 100644
--- a/pkgs/applications/version-management/gitea/default.nix
+++ b/pkgs/applications/version-management/gitea/default.nix
@@ -14,12 +14,12 @@
 
 buildGoPackage rec {
   pname = "gitea";
-  version = "1.17.1";
+  version = "1.17.2";
 
   # not fetching directly from the git repo, because that lacks several vendor files for the web UI
   src = fetchurl {
     url = "https://github.com/go-gitea/gitea/releases/download/v${version}/gitea-src-${version}.tar.gz";
-    sha256 = "sha256-ttfhsIiCl5VcqfK7ap/CA7bqXxrc4cTVIX+M2S4YanY=";
+    sha256 = "sha256-pDg+HC3dbWf0RxoLvBtIOaFauP1pUYBOG+Q9cinh3lg=";
   };
 
   patches = [
diff --git a/pkgs/desktops/cinnamon/bulky/default.nix b/pkgs/desktops/cinnamon/bulky/default.nix
index bc60bc6bf9d15..45008a0b7bd0c 100644
--- a/pkgs/desktops/cinnamon/bulky/default.nix
+++ b/pkgs/desktops/cinnamon/bulky/default.nix
@@ -13,13 +13,13 @@
 
 stdenv.mkDerivation rec {
   pname = "bulky";
-  version = "2.4";
+  version = "2.5";
 
   src = fetchFromGitHub {
     owner = "linuxmint";
     repo = "bulky";
     rev = version;
-    hash = "sha256-ynPorkhT/LUkFGNRG6JLDYaQjNPm2vMzthvl0wr7J/M=";
+    hash = "sha256-WgpB/oMA3w7KO7KmkGXsl92siFGQo3Y4mLvMLTi54k8=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/desktops/cinnamon/cinnamon-common/default.nix b/pkgs/desktops/cinnamon/cinnamon-common/default.nix
index 49ef0dee205e5..284371f482160 100644
--- a/pkgs/desktops/cinnamon/cinnamon-common/default.nix
+++ b/pkgs/desktops/cinnamon/cinnamon-common/default.nix
@@ -54,13 +54,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cinnamon-common";
-  version = "5.4.11";
+  version = "5.4.12";
 
   src = fetchFromGitHub {
     owner = "linuxmint";
     repo = "cinnamon";
     rev = version;
-    hash = "sha256-3uQ4t+WXauCM3jV44pSz1yqLxXwLBWv7xMvP7ug3AY0=";
+    hash = "sha256-uyQZXri3V3dKnowB97QlPWboZz1neblyvCuSacsPROg=";
   };
 
   patches = [
diff --git a/pkgs/desktops/cinnamon/cinnamon-control-center/default.nix b/pkgs/desktops/cinnamon/cinnamon-control-center/default.nix
index dded4a9ff6106..d5a6c7a57c515 100644
--- a/pkgs/desktops/cinnamon/cinnamon-control-center/default.nix
+++ b/pkgs/desktops/cinnamon/cinnamon-control-center/default.nix
@@ -36,13 +36,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cinnamon-control-center";
-  version = "5.4.6";
+  version = "5.4.7";
 
   src = fetchFromGitHub {
     owner = "linuxmint";
     repo = pname;
     rev = version;
-    hash = "sha256-8BDmQT/xDnpwR2YC0TGaqWPnZ61IBmVvft2Mcf6YN+A=";
+    hash = "sha256-38n1QCygkBq+wOLwui1oF6MtDWxAFWxp5U1omSVtbro=";
   };
 
   buildInputs = [
diff --git a/pkgs/desktops/cinnamon/muffin/default.nix b/pkgs/desktops/cinnamon/muffin/default.nix
index c4f4b5ce0d518..a2e7811b3d850 100644
--- a/pkgs/desktops/cinnamon/muffin/default.nix
+++ b/pkgs/desktops/cinnamon/muffin/default.nix
@@ -35,7 +35,7 @@
 
 stdenv.mkDerivation rec {
   pname = "muffin";
-  version = "5.4.6";
+  version = "5.4.7";
 
   outputs = [ "out" "dev" "man" ];
 
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
     owner = "linuxmint";
     repo = pname;
     rev = version;
-    hash = "sha256-xTpL+o7gFvu8VNbCb8c0Y0Z8ncqb9y2qTiXP3rHAz+M=";
+    hash = "sha256-Zx6au1FXLgK8PRmkh8jaGJ3Zh0YYFj2zmbxhgXAFgDg=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/desktops/cinnamon/warpinator/default.nix b/pkgs/desktops/cinnamon/warpinator/default.nix
index ecd4aeec16c9d..a720c2fb4cbe9 100644
--- a/pkgs/desktops/cinnamon/warpinator/default.nix
+++ b/pkgs/desktops/cinnamon/warpinator/default.nix
@@ -14,7 +14,7 @@
 
 python3.pkgs.buildPythonApplication rec  {
   pname = "warpinator";
-  version = "1.2.13";
+  version = "1.2.14";
 
   format = "other";
 
@@ -22,7 +22,7 @@ python3.pkgs.buildPythonApplication rec  {
     owner = "linuxmint";
     repo = pname;
     rev = version;
-    hash = "sha256-iLImyfUsfn+mWrgMv5NnbOvvOlJnwJG4Btx1wwlgTeM=";
+    hash = "sha256-0OmrviDti843c+nvpt7ennSrso0PD7eZOJ94JiWJT58=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/desktops/cinnamon/xapp/default.nix b/pkgs/desktops/cinnamon/xapp/default.nix
index 655284f20d827..5408c9c50cfd9 100644
--- a/pkgs/desktops/cinnamon/xapp/default.nix
+++ b/pkgs/desktops/cinnamon/xapp/default.nix
@@ -1,5 +1,4 @@
 { fetchFromGitHub
-, fetchpatch
 , glib
 , gobject-introspection
 , gtk3
@@ -23,24 +22,15 @@
 
 stdenv.mkDerivation rec {
   pname = "xapp";
-  version = "2.2.14";
+  version = "2.2.15";
 
   outputs = [ "out" "dev" ];
 
-  patches = [
-    # Add missing gio-unix-2.0 dependency, can be removed on next update
-    # https://github.com/linuxmint/xapp/pull/156
-    (fetchpatch {
-      url = "https://github.com/linuxmint/xapp/commit/052081f75d1c1212aeb6a913772723c81607bcb3.patch";
-      sha256 = "sha256-VL70Y1FIa7lQ/zKjEx0GhaU1QRu4z6Yu400/bDbgZgM=";
-    })
-  ];
-
   src = fetchFromGitHub {
     owner = "linuxmint";
     repo = pname;
     rev = version;
-    hash = "sha256-BebsS7y/hRQSc4rYOIWJ+sSJ5fLZaCpNAE48JnviUUc=";
+    hash = "sha256-X/exXQY/v+TU8HnnquleP21tCYR9h7t43AIw4tTKVOY=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/peaqevcore/default.nix b/pkgs/development/python-modules/peaqevcore/default.nix
index dfcfe87c9a935..852d58848fdf2 100644
--- a/pkgs/development/python-modules/peaqevcore/default.nix
+++ b/pkgs/development/python-modules/peaqevcore/default.nix
@@ -6,14 +6,14 @@
 
 buildPythonPackage rec {
   pname = "peaqevcore";
-  version = "5.18.1";
+  version = "5.18.3";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-LKb1sTekBbOKdsdxZbiAMAmOTjS21nvq7UWzVxEqJh0=";
+    hash = "sha256-PCWxhJd2ZK7qt0Co5jKZSP4eOBIO+iVvQHFDbTViDAs=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/r2pipe/default.nix b/pkgs/development/python-modules/r2pipe/default.nix
index 54e9f369938db..89548dbc9f0c3 100644
--- a/pkgs/development/python-modules/r2pipe/default.nix
+++ b/pkgs/development/python-modules/r2pipe/default.nix
@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "r2pipe";
-  version = "1.7.2";
+  version = "1.7.3";
 
   postPatch = let
     r2lib = "${lib.getOutput "lib" radare2}/lib";
@@ -27,7 +27,7 @@ buildPythonPackage rec {
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-XoYIZWlIN54O/8LHre8Ut+2neLER/g7bYBD9+xNCkAU=";
+    sha256 = "sha256-zhKV0+467xFpzmSDswIWPEGpks0X/F+ecBWPWpvakik=";
   };
 
   # Tiny sanity check to make sure r2pipe finds radare2 (since r2pipe doesn't
diff --git a/pkgs/development/tools/sumneko-lua-language-server/default.nix b/pkgs/development/tools/sumneko-lua-language-server/default.nix
index 0c307704dba43..448902327d698 100644
--- a/pkgs/development/tools/sumneko-lua-language-server/default.nix
+++ b/pkgs/development/tools/sumneko-lua-language-server/default.nix
@@ -4,13 +4,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "sumneko-lua-language-server";
-  version = "3.5.3";
+  version = "3.5.4";
 
   src = fetchFromGitHub {
     owner = "sumneko";
     repo = "lua-language-server";
     rev = version;
-    sha256 = "sha256-K/B+THEgM6pzW+VOc8pgtH+3zpWEgocEdTsuO0APoT0=";
+    sha256 = "sha256-Tj+9UQoVzsiEq0JF7BjT41Mks+8dAV2Op/zceRmWU/k=";
     fetchSubmodules = true;
   };
 
diff --git a/pkgs/tools/networking/iwgtk/default.nix b/pkgs/tools/networking/iwgtk/default.nix
index 5c89facd3fa32..ef220a8c28e2a 100644
--- a/pkgs/tools/networking/iwgtk/default.nix
+++ b/pkgs/tools/networking/iwgtk/default.nix
@@ -1,21 +1,38 @@
-{ fetchFromGitHub, gtk3, lib, pkg-config, stdenv }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, pkg-config
+, scdoc
+, wrapGAppsHook
+, gtk4
+, qrencode
+}:
 
 stdenv.mkDerivation rec {
   pname = "iwgtk";
-  version = "0.4";
+  version = "0.8";
 
   src = fetchFromGitHub {
     owner = "j-lentz";
     repo = pname;
     rev = "v${version}";
-    sha256 = "129h7vq9b1r9a5c79hk8d06bj8lgzrnhq55x54hqri9c471jjh0s";
+    sha256 = "sha256-89rzDxalZtQkwAKS6hKPVY87kOWPySwDeZrPs2rGs/k=";
   };
 
-  nativeBuildInputs = [ pkg-config ];
+  # patch systemd service to pass necessary environments and use absolute paths
+  patches = [ ./systemd-service.patch ];
 
-  buildInputs = [ gtk3 ];
+  nativeBuildInputs = [ meson ninja pkg-config scdoc wrapGAppsHook ];
 
-  makeFlags = [ "prefix=$(out)" ];
+  buildInputs = [ gtk4 qrencode ];
+
+  postInstall = ''
+    mv $out/share/lib/systemd $out/share
+    rmdir $out/share/lib
+    substituteInPlace $out/share/systemd/user/iwgtk.service --subst-var out
+  '';
 
   meta = with lib; {
     description = "Lightweight, graphical wifi management utility for Linux";
diff --git a/pkgs/tools/networking/iwgtk/systemd-service.patch b/pkgs/tools/networking/iwgtk/systemd-service.patch
new file mode 100644
index 0000000000000..fbe9abe0a2179
--- /dev/null
+++ b/pkgs/tools/networking/iwgtk/systemd-service.patch
@@ -0,0 +1,12 @@
+--- a/misc/iwgtk.service
++++ b/misc/iwgtk.service
+@@ -6,7 +6,8 @@ PartOf=graphical-session.target
+ After=graphical-session.target
+ 
+ [Service]
+-ExecStart=iwgtk -i
++ExecStart=@out@/bin/iwgtk -i
++PassEnvironment=DISPLAY XAUTHORITY
+ Restart=on-failure
+ 
+ [Install]
diff --git a/pkgs/tools/security/govulncheck/default.nix b/pkgs/tools/security/govulncheck/default.nix
new file mode 100644
index 0000000000000..9565c11dad5a9
--- /dev/null
+++ b/pkgs/tools/security/govulncheck/default.nix
@@ -0,0 +1,64 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "govulncheck";
+  version = "unstable-2022-09-02";
+
+  src = fetchFromGitHub {
+    owner = "golang";
+    repo = "vuln";
+    rev = "27dd78d2ca392c1738e54efe513a2ecb7bf46000";
+    sha256 = "sha256-G35y1V4W1nLZ+QGvIQwER9whBIBDFUVptrHx78orcI0=";
+  };
+
+  vendorSha256 = "sha256-9FH9nq5cEyhMxrrvfQAOWZ4aThMsU0HwlI+0W0uVHZ4=";
+
+  subPackages = [ "cmd/govulncheck" ];
+
+  preCheck = ''
+    # test all paths
+    unset subPackages
+
+    # remove test that calls checks.bash
+    # the header check and misspell gets upset at the vendor dir
+    rm all_test.go
+
+    # remove tests that generally have "inconsistent vendoring" issues
+    # - tries to builds govulncheck again
+    rm cmd/govulncheck/main_command_118_test.go
+    # - does go builds of example go files
+    rm vulncheck/binary_test.go
+    # - just have resolution issues
+    rm vulncheck/{source,vulncheck}_test.go
+  '';
+
+  ldflags = [ "-s" "-w" ];
+
+  meta = with lib; {
+    homepage = "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck";
+    description = "The database client and tools for the Go vulnerability database, also known as vuln";
+    longDescription = ''
+      Govulncheck reports known vulnerabilities that affect Go code. It uses
+      static analysis of source code or a binary's symbol table to narrow down
+      reports to only those that could affect the application.
+
+      By default, govulncheck makes requests to the Go vulnerability database at
+      https://vuln.go.dev. Requests to the vulnerability database contain only
+      module paths, not code or other properties of your program. See
+      https://vuln.go.dev/privacy.html for more. Set the GOVULNDB environment
+      variable to specify a different database, which must implement the
+      specification at https://go.dev/security/vuln/database.
+
+      Govulncheck looks for vulnerabilities in Go programs using a specific
+      build configuration. For analyzing source code, that configuration is the
+      operating system, architecture, and Go version specified by GOOS, GOARCH,
+      and the “go” command found on the PATH. For binaries, the build
+      configuration is the one used to build the binary. Note that different
+      build configurations may have different known vulnerabilities. For
+      example, a dependency with a Windows-specific vulnerability will not be
+      reported for a Linux build.
+    '';
+    license = with licenses; [ bsd3 ];
+    maintainers = with maintainers; [ jk ];
+  };
+}
diff --git a/pkgs/tools/security/grype/default.nix b/pkgs/tools/security/grype/default.nix
index aa7b9158adead..182df4ceb967a 100644
--- a/pkgs/tools/security/grype/default.nix
+++ b/pkgs/tools/security/grype/default.nix
@@ -7,13 +7,13 @@
 
 buildGoModule rec {
   pname = "grype";
-  version = "0.42.0";
+  version = "0.49.0";
 
   src = fetchFromGitHub {
     owner = "anchore";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-MShlKtrorqXRInQ01dEzVeLDRDua9PISkficF02PrBI=";
+    sha256 = "sha256-MShlKtrorqXRInQ01dEzVeLDRDua9PISkficF02PrBI=";
     # populate values that require us to use git. By doing this in postFetch we
     # can delete .git afterwards and maintain better reproducibility of the src.
     leaveDotGit = true;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e50949aef8b8b..915e23056427c 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -464,6 +464,8 @@ with pkgs;
 
   gojq = callPackage ../development/tools/gojq { };
 
+  govulncheck = callPackage ../tools/security/govulncheck { };
+
   gpick = callPackage ../tools/misc/gpick { };
 
   hwatch = callPackage ../tools/misc/hwatch { };