depot/third_party/nixpkgs/pkgs/tools/security/semgrep/default.nix

156 lines
3.6 KiB
Nix
Raw Normal View History

{ lib
, fetchFromGitHub
, fetchpatch
, semgrep-core
, buildPythonApplication
, pythonPackages
, pythonRelaxDepsHook
, pytestCheckHook
, git
}:
# testing locally post build:
# ./result/bin/semgrep scan --metrics=off --config 'r/generic.unicode.security.bidi.contains-bidirectional-characters'
let
common = import ./common.nix { inherit lib; };
semgrepBinPath = lib.makeBinPath [ semgrep-core ];
in
buildPythonApplication rec {
pname = "semgrep";
inherit (common) version;
src = fetchFromGitHub {
owner = "semgrep";
repo = "semgrep";
rev = "v${version}";
hash = common.srcHash;
};
patches = [
(fetchpatch {
name = "fix-test_dump_engine-test-for-nix-store-path.patch";
url = "https://github.com/semgrep/semgrep/commit/c7553c1a61251146773617f80a2d360e6b6ab3f9.patch";
hash = "sha256-A3QdL0DDh/pbDpRIBACUie7PEvC17iG4t6qTnmPIwA4=";
})
];
# prepare a subset of the submodules as we only need a handful
# and there are many many submodules total
postPatch = (lib.concatStringsSep "\n" (lib.mapAttrsToList
(
path: submodule: ''
# substitute ${path}
# remove git submodule placeholder
rm -r ${path}
# link submodule
ln -s ${submodule}/ ${path}
''
)
passthru.submodulesSubset)) + ''
cd cli
'';
nativeBuildInputs = [ pythonRelaxDepsHook ];
# tell cli/setup.py to not copy semgrep-core into the result
# this means we can share a copy of semgrep-core and avoid an issue where it
# copies the binary but doesn't retain the executable bit
SEMGREP_SKIP_BIN = true;
pythonRelaxDeps = [
"boltons"
"glom"
];
propagatedBuildInputs = with pythonPackages; [
attrs
boltons
colorama
click
click-option-group
glom
requests
rich
ruamel-yaml
tqdm
packaging
jsonschema
wcmatch
peewee
defusedxml
urllib3
typing-extensions
python-lsp-jsonrpc
tomli
];
doCheck = true;
nativeCheckInputs = [ git pytestCheckHook ] ++ (with pythonPackages; [
flaky
pytest-snapshot
pytest-mock
pytest-freezegun
types-freezegun
]);
disabledTests = [
# requires networking
"test_send"
# requires networking
"test_parse_exclude_rules_auto"
# many child tests require networking to download files
"TestConfigLoaderForProducts"
# doesn't start flaky plugin correctly
"test_debug_performance"
];
preCheck = ''
# tests need a home directory
export HOME="$(mktemp -d)"
# tests need access to `semgrep-core`
export OLD_PATH="$PATH"
export PATH="$PATH:${semgrepBinPath}"
# we're in cli
# replace old semgrep with wrapped one
rm ./bin/semgrep
ln -s $out/bin/semgrep ./bin/semgrep
# disabledTestPaths doesn't manage to avoid the e2e tests
# remove them from pyproject.toml
# and remove need for pytest-split
substituteInPlace pyproject.toml \
--replace '"tests/e2e",' "" \
--replace '"tests/e2e-pro",' "" \
--replace 'addopts = "--splitting-algorithm=least_duration"' ""
'';
postCheck = ''
export PATH="$OLD_PATH"
unset OLD_PATH
'';
# since we stop cli/setup.py from finding semgrep-core and copying it into
# the result we need to provide it on the PATH
preFixup = ''
makeWrapperArgs+=(--prefix PATH : ${semgrepBinPath})
'';
postInstall = ''
chmod +x $out/bin/{,py}semgrep
'';
passthru = {
inherit common;
submodulesSubset = lib.mapAttrs (k: args: fetchFromGitHub args) common.submodules;
updateScript = ./update.sh;
};
meta = common.meta // {
description = common.meta.description + " - cli";
inherit (semgrep-core.meta) platforms;
};
}