nixos/tests/dep-scan: init

Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com>
2025-08-07 10:01:47 -04:00 · 2025-08-07 10:01:47 -04:00 · 5781a1e202
commit 5781a1e202
parent ed3d57951e
3 changed files with 67 additions and 0 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -499,6 +499,7 @@ in
  etcd-cluster = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./etcd/etcd-cluster.nix;
  etebase-server = runTest ./etebase-server.nix;
  etesync-dav = runTest ./etesync-dav.nix;
+  dep-scan = runTest ./dep-scan.nix;
  evcc = runTest ./evcc.nix;
  fail2ban = runTest ./fail2ban.nix;
  fakeroute = runTest ./fakeroute.nix;
--- a/nixos/tests/dep-scan.nix
+++ b/nixos/tests/dep-scan.nix
@ -0,0 +1,63 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  name = "owasp dep-scan test";
+
+  meta.maintainers = with lib; [
+    maintainers.ethancedwards8
+    teams.ngi
+  ];
+
+  nodes.machine = {
+    environment.systemPackages = with pkgs; [
+      dep-scan
+      jq
+    ];
+
+    # code repo to scan for vulnerabilites, could be anything
+    # I just happened to pick the source of the package
+    environment.etc."dep-scan-source".source = pkgs.fetchFromGitHub {
+      owner = "owasp-dep-scan";
+      repo = "dep-scan";
+      tag = "v6.0.0b3";
+      hash = "sha256-GdrFsECcBZ2J47ojM33flqOtrY3avchGpsZk6pt8Aks=";
+    };
+
+    # we need to download the database before the vm starts, otherwise
+    # the program will try to download them at runtime.
+    # https://github.com/owasp-dep-scan/dep-scan/issues/443
+    environment.etc."vdb/data.index.vdb6".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/data.index.vdb6";
+      hash = "sha256-/9RIL6KVwmUmcKteOhWlnzjtZzGUbmRzua5o4Z8Mu9I=";
+    };
+    environment.etc."vdb/data.vdb6".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/data.vdb6";
+      hash = "sha256-6gCftnjal9ZMXV+25fVANdJRuI/CN083OOnc8yA5TTw=";
+    };
+    environment.etc."vdb/vdb.meta".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/vdb.meta";
+      hash = "sha256-i0oI3ODrmm8PF9UGJ9gy9QzQ0SKjLo9DdqYX/kqoHak=";
+    };
+    environment.variables = {
+      VDB_HOME = "/tmp/vdb";
+      # the cache will try to auto refresh if the age is met (requires internet access)
+      VDB_AGE_HOURS = 999999;
+    };
+  };
+
+  testScript =
+    { nodes, ... }:
+    ''
+      start_all()
+
+      # vdb needs to be copied to tmp as it needs to write to dir
+      # and etc is RO
+      machine.succeed('cp -rL /etc/vdb /tmp/vdb')
+      machine.succeed('depscan --src /etc/dep-scan-source --reports-dir /tmp/reports')
+      machine.succeed('jq . /tmp/reports/*.json')
+    '';
+}
--- a/pkgs/by-name/de/dep-scan/package.nix
+++ b/pkgs/by-name/de/dep-scan/package.nix
@ -5,6 +5,7 @@
  writableTmpDirAsHomeHook,
  makeWrapper,
  cdxgen,
+  nixosTests,
 }:

 python3Packages.buildPythonApplication rec {
@ -68,6 +69,8 @@ python3Packages.buildPythonApplication rec {
    }"
  ];

+  passthru.tests = { inherit (nixosTests) dep-scan; };
+
  meta = {
    description = "Security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies";
    homepage = "https://github.com/owasp-dep-scan/dep-scan";