diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
index 5f02e8650ff..50efa11c97c 100644
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -610,6 +610,16 @@
 githubId = 11699655;
 name = "Stanislas Lange";
 };
+ anhdle14 = {
+ name = "Le Anh Duc";
+ email = "anhdle14@icloud.com";
+ github = "anhdle14";
+ githubId = 9645992;
+ keys = [{
+ longkeyid = "rsa4096/0x0299AFF9ECBB5169";
+ fingerprint = "AA4B 8EC3 F971 D350 482E 4E20 0299 AFF9 ECBB 5169";
+ }];
+ };
 ankhers = {
 email = "me@ankhers.dev";
 github = "ankhers";
diff --git a/pkgs/development/python-modules/bc-python-hcl2/default.nix b/pkgs/development/python-modules/bc-python-hcl2/default.nix
new file mode 100644
index 00000000000..34eab21bf5d
--- /dev/null
+++ b/pkgs/development/python-modules/bc-python-hcl2/default.nix
@@ -0,0 +1,49 @@
+{ lib, buildPythonPackage, fetchPypi, nose }:
+
+let
+ lark-parser = buildPythonPackage rec {
+ pname = "lark-parser";
+ version = "0.7.8";
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "JiFeuxV+b7LudDGapERbnzt+RW4mviFc4Z/aqpAcIKQ=";
+ };
+
+ doCheck = true;
+ };
+in
+buildPythonPackage rec {
+ pname = "bc-python-hcl2";
+ version = "0.3.11";
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "VZhI1oJ2EDZGyz3iI6/KYvJq4BGafzR+rcSgHqlUDrA=";
+ };
+
+ # Nose is required during build process, so can not use `checkInputs`.
+ buildInputs = [
+ nose
+ ];
+
+ propagatedBuildInputs = [
+ lark-parser
+ ];
+
+ pythonImportsCheck = [ "hcl2" ];
+
+ meta = with lib; {
+ description = "A parser for HCL2 written in Python using Lark";
+ longDescription = ''
+ A parser for HCL2 written in Python using Lark.
+ This parser only supports HCL2 and isn't backwards compatible with HCL v1.
+ It can be used to parse any HCL2 config file such as Terraform.
+ '';
+ # Although this is the main homepage from PyPi but it is also a homepage
+ # of another PyPi package (python-hcl2). But these two are different.
+ homepage = "https://github.com/amplify-education/python-hcl2";
+ license = licenses.mit;
+ maintainers = [ maintainers.anhdle14 ];
+ };
+}
diff --git a/pkgs/development/python-modules/deep_merge/default.nix b/pkgs/development/python-modules/deep_merge/default.nix
new file mode 100644
index 00000000000..533bc6aa347
--- /dev/null
+++ b/pkgs/development/python-modules/deep_merge/default.nix
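Review bot: `lark-parser` is built here as a private let-bound derivation pinned to 0.7.8 instead of taking the package set's `lark-parser`, so this copy will not receive the updates or fixes the shared attribute gets, and a second lark-parser may end up in the same closure. If the pin is genuinely required by bc-python-hcl2, say so in a comment above the binding (the checkov expression in this commit does this for its dpath pin); otherwise add `lark-parser` to the function arguments and drop the local build. `doCheck = true;` on the inner derivation is the default and can be removed. The `homepage` comment already concedes the URL belongs to a different PyPI project; pointing at the fork's own repository, if it has one, would remove that ambiguity.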
@@ -0,0 +1,24 @@
+{ lib, buildPythonPackage, fetchPypi, pytestCheckHook, nose }:
+
+buildPythonPackage rec {
+ pname = "deep_merge";
+ version = "0.0.4";
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "tUQV+Qk0xC4zQRTihky01OczWzStOW41rYYQyWBlpH4=";
+ };
+
+ checkInputs = [
+ nose
+ ];
+
+ doCheck = false;
+
+ meta = with lib; {
+ description = "This library contains a simple utility for deep-merging dictionaries and the data structures they contain";
+ homepage = "https://github.com/halfak/deep_merge";
+ license = licenses.mit;
+ maintainers = [ maintainers.anhdle14 ];
+ };
+}
diff --git a/pkgs/development/tools/analysis/checkov/default.nix b/pkgs/development/tools/analysis/checkov/default.nix
new file mode 100644
index 00000000000..6277b1d4239
--- /dev/null
+++ b/pkgs/development/tools/analysis/checkov/default.nix
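Review bot: `doCheck = false;` disables the test suite with no comment saying why, and with tests off the `checkInputs = [ nose ]` list is dead while `pytestCheckHook` is taken as an argument but never used. Nixpkgs expects a short justification next to a disabled check phase, e.g. `doCheck = false; # <reason tests cannot run>`, and at minimum an import smoke test such as `pythonImportsCheck = [ "deep_merge" ];` (confirm the module name) so a broken build is still caught. Drop `pytestCheckHook` from the argument list unless the tests are going to be enabled with it.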
@@ -0,0 +1,77 @@
+{ stdenv, pkgs, lib, python3, fetchFromGitHub }:
+
+let
+ pname = "checkov";
+ version = "1.0.674";
+ src = fetchFromGitHub {
+ owner = "bridgecrewio";
+ repo = pname;
+ rev = version;
+ sha256 = "/S8ic5ZVxA2vd/rjRPX5gslbmnULL7BSx34vgWIsheQ=";
+ };
+
+ disabled = pkgs.python3Packages.pythonOlder "3.7";
+
+ # CheckOV only work with `dpath 1.5.0`
+ dpath = pkgs.python3Packages.buildPythonPackage rec {
+ pname = "dpath";
+ version = "1.5.0";
+
+ src = pkgs.python3Packages.fetchPypi {
+ inherit pname version;
+ sha256 = "SWYVtOqEI20Y4NKGEi3nSGmmDg+H4sfsZ4f/KGxINhs=";
+ };
+
+ doCheck = false;
+ };
+in
+python3.pkgs.buildPythonPackage rec {
+ inherit pname version disabled src;
+
+ nativeBuildInputs = with python3.pkgs; [ setuptools_scm ];
+
+ propagatedBuildInputs = with python3.pkgs; [
+ pytest
+ coverage
+ bandit
+ bc-python-hcl2
+ deep_merge
+ tabulate
+ colorama
+ termcolor
+ junit-xml
+ dpath
+ pyyaml
+ boto3
+ GitPython
+ six
+ jmespath
+ tqdm
+ update_checker
+ semantic-version
+ packaging
+ ];
+
+ # Both of these tests are pulling from external srouces (https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml)
+ preCheck = ''
+ rm -rf integration_tests/*
+ rm -rf tests/terraform/*
+ '';
+
+ # Wrap the executable so that the python packages are available
+ # it's just a shebang script which calls `python -m checkov "$@"`
+ postFixup = ''
+ wrapProgram $out/bin/checkov \
+ --set PYTHONPATH $PYTHONPATH
+ '';
+
+ meta = with lib; {
+ homepage = "https://github.com/bridgecrewio/checkov";
+ description = "Static code analysis tool for infrastructure-as-code";
+ longDescription = ''
+ Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
+ '';
+ license = licenses.asl20;
+ maintainers = with maintainers; [ anhdle14 ];
+ };
+}
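Review bot: The `postFixup` wrap of `$out/bin/checkov` with `--set PYTHONPATH $PYTHONPATH` looks redundant and slightly harmful: `buildPythonPackage` already wraps installed executables via `wrapPythonPrograms` unless `dontWrapPythonPrograms` is set, so this adds a second wrapper layer, and `--set` replaces rather than prefixes any `PYTHONPATH` the caller has; the block can most likely be deleted, and if it is kept `--prefix PYTHONPATH : $PYTHONPATH` is the safer form. The file also mixes `pkgs.python3Packages` (for `disabled` and the private `dpath` build) with `python3.pkgs` for the main derivation; these are only the same set when `python3` is the default interpreter, so use `python3.pkgs` throughout to avoid pulling two interpreters into one closure. `pytest` and `coverage` in `propagatedBuildInputs` are test tooling shipped in the runtime closure — if upstream does not import them at runtime, move them to `checkInputs`. `stdenv` in the argument list is unused, and the comment above `preCheck` misspells "sources".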
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 816c5f3e9c6..355df6b465f 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -182,6 +182,8 @@ in cereal = callPackage ../development/libraries/cereal { }; + checkov = callPackage ../development/tools/analysis/checkov {}; + chrysalis = callPackage ../applications/misc/chrysalis { }; clj-kondo = callPackage ../development/tools/clj-kondo { };
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index af5b796ee29..bcf2aa30089 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -854,6 +854,8 @@ in { bayespy = callPackage ../development/python-modules/bayespy { }; + bc-python-hcl2 = callPackage ../development/python-modules/bc-python-hcl2 { }; + bcdoc = callPackage ../development/python-modules/bcdoc { }; bcrypt = if pythonOlder "3.6" then
@@ -1613,6 +1615,8 @@ in { decorator = callPackage ../development/python-modules/decorator { }; + deep_merge = callPackage ../development/python-modules/deep_merge { }; + deepdiff = callPackage ../development/python-modules/deepdiff { }; deepmerge = callPackage ../development/python-modules/deepmerge { };
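Review bot: The new `checkov` registration in all-packages.nix writes `callPackage ... {};` while every neighbouring entry in the hunk uses `{ }`; match the surrounding style with `checkov = callPackage ../development/tools/analysis/checkov { };`. The two python-packages.nix registrations in this commit already use the conventional spacing.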