{ lib
, buildPythonApplication
, fetchFromGitHub
, fetchpatch
, jsonschema
, plotly
, beautifulsoup4
, pyyaml
, isort
, py
, jinja2
, rpmfile
, reportlab
, zstandard
, rich
, aiohttp
, toml
, distro
  # aiohttp[speedups]
, aiodns
, brotlipy
, faust-cchardet
, pillow
, pytestCheckHook
, xmlschema
, setuptools
, packaging
, cvss
, google-cloud-sdk
, pip
, testers
, cve-bin-tool
# pinned packaging
, pyparsing
, fetchPypi
, buildPythonPackage
, pretend
, pythonOlder
, wheel
}:

let
  # pin packaging to < 22 until issue related to https://github.com/intel/cve-bin-tool/pull/2436 are resolved by upstream (post-3.2)
  packaging_21_3 = buildPythonPackage rec {
    inherit (packaging) pname passthru meta;
    version = "21.3";
    format = "pyproject";
    disabled = pythonOlder "3.6";

    src = fetchPypi {
      inherit pname version;
      sha256 = "sha256-3UfEKSfYmrkR5gZRiQfMLTofOLvQJjhZcGQ/nFuOz+s=";
    };
    nativeBuildInputs = [
      setuptools
      wheel
    ];
    propagatedBuildInputs = [
      pyparsing
    ];

    nativeCheckInputs = [
      pytestCheckHook
      pretend
    ];

    doCheck = false;
  };
in
buildPythonApplication rec {
  pname = "cve-bin-tool";
  version = "3.2";
  format = "setuptools";

  src = fetchFromGitHub {
    owner = "intel";
    repo = "cve-bin-tool";
    rev = "refs/tags/v${version}";
    hash = "sha256-QOnWt6iit0/F6d/MfZ8qJqDuT3IHh0Qjs6BcJkI/CBw=";
  };

  patches = [
    # Not needed as python dependency, should just be on the PATH
    ./no-gsutil-python-dependency.patch
    # Already merged upstream, to be removed post-3.2
    # https://github.com/intel/cve-bin-tool/pull/2524
    (fetchpatch {
      name = "cve-bin-tool-version-success.patch";
      url = "https://github.com/intel/cve-bin-tool/commit/6f9bd565219932c565c1443ac467fe4163408dd8.patch";
      hash = "sha256-Glj6qiOvmvsuetXn4tysyiN/vrcOPFLORh+u3BoGzCI=";
    })
  ];

  # Wants to open a sqlite database, access the internet, etc
  doCheck = false;

  propagatedNativeBuildInputs = [
    pip
  ];

  propagatedBuildInputs = [
    google-cloud-sdk
    jsonschema
    plotly
    beautifulsoup4
    pyyaml
    isort
    py
    jinja2
    rpmfile
    reportlab
    zstandard
    rich
    aiohttp
    toml
    distro
    # aiohttp[speedups]
    aiodns
    brotlipy
    faust-cchardet
    # needed by brotlipy
    pillow
    setuptools
    xmlschema
    cvss
    packaging_21_3
  ];

  nativeCheckInputs = [
    pytestCheckHook
  ];

  pythonImportsCheck = [
    "cve_bin_tool"
  ];

  passthru.tests.version = testers.testVersion { package = cve-bin-tool; };

  meta = with lib; {
    description = "CVE Binary Checker Tool";
    homepage = "https://github.com/intel/cve-bin-tool";
    license = licenses.gpl3Plus;
    maintainers = [ ];
  };
}