From 5781a1e202e5d32cd130e16a7e0ef0931ee58fef Mon Sep 17 00:00:00 2001
From: Ethan Carter Edwards
Date: Thu, 7 Aug 2025 10:01:47 -0400
Subject: [PATCH] nixos/tests/dep-scan: init

Signed-off-by: Ethan Carter Edwards
---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/dep-scan.nix | 63 ++++++++++++++++++++++++++++
 pkgs/by-name/de/dep-scan/package.nix | 3 ++
 3 files changed, 67 insertions(+)
 create mode 100644 nixos/tests/dep-scan.nix
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 4ce282532ef7..1be83a2dbc33 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -499,6 +499,7 @@ in
   etcd-cluster = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./etcd/etcd-cluster.nix;
   etebase-server = runTest ./etebase-server.nix;
   etesync-dav = runTest ./etesync-dav.nix;
+  dep-scan = runTest ./dep-scan.nix;
   evcc = runTest ./evcc.nix;
   fail2ban = runTest ./fail2ban.nix;
   fakeroute = runTest ./fakeroute.nix;
diff --git a/nixos/tests/dep-scan.nix b/nixos/tests/dep-scan.nix
new file mode 100644
index 000000000000..7bfe6e9b94e4
--- /dev/null
+++ b/nixos/tests/dep-scan.nix
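Review bot: `dep-scan = runTest ./dep-scan.nix;` is inserted between `etesync-dav` and `evcc`, but this attribute set is kept in alphabetical order, so the line belongs among the `d` entries, which lie outside this hunk. Moving it keeps the list mergeable and avoids a second `dep-scan` attribute being added later at the expected position.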
@@ -0,0 +1,63 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  name = "owasp dep-scan test";
+
+  meta.maintainers = with lib; [
+    maintainers.ethancedwards8
+    teams.ngi
+  ];
+
+  nodes.machine = {
+    environment.systemPackages = with pkgs; [
+      dep-scan
+      jq
+    ];
+
+    # code repo to scan for vulnerabilites, could be anything
+    # I just happened to pick the source of the package
+    environment.etc."dep-scan-source".source = pkgs.fetchFromGitHub {
+      owner = "owasp-dep-scan";
+      repo = "dep-scan";
+      tag = "v6.0.0b3";
+      hash = "sha256-GdrFsECcBZ2J47ojM33flqOtrY3avchGpsZk6pt8Aks=";
+    };
+
+    # we need to download the database before the vm starts, otherwise
+    # the program will try to download them at runtime.
+    # https://github.com/owasp-dep-scan/dep-scan/issues/443
+    environment.etc."vdb/data.index.vdb6".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/data.index.vdb6";
+      hash = "sha256-/9RIL6KVwmUmcKteOhWlnzjtZzGUbmRzua5o4Z8Mu9I=";
+    };
+    environment.etc."vdb/data.vdb6".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/data.vdb6";
+      hash = "sha256-6gCftnjal9ZMXV+25fVANdJRuI/CN083OOnc8yA5TTw=";
+    };
+    environment.etc."vdb/vdb.meta".source = pkgs.fetchurl {
+      url = "https://huggingface.co/datasets/AppThreat/vdb/resolve/72377024f9742c6e700a113fc7059b18f738081c/app-2y/vdb.meta";
+      hash = "sha256-i0oI3ODrmm8PF9UGJ9gy9QzQ0SKjLo9DdqYX/kqoHak=";
+    };
+    environment.variables = {
+      VDB_HOME = "/tmp/vdb";
+      # the cache will try to auto refresh if the age is met (requires internet access)
+      VDB_AGE_HOURS = 999999;
+    };
+  };
+
+  testScript =
+    { nodes, ... }:
+    ''
+      start_all()
+
+      # vdb needs to be copied to tmp as it needs to write to dir
+      # and etc is RO
+      machine.succeed('cp -rL /etc/vdb /tmp/vdb')
+      machine.succeed('depscan --src /etc/dep-scan-source --reports-dir /tmp/reports')
+      machine.succeed('jq . /tmp/reports/*.json')
+    '';
+}
diff --git a/pkgs/by-name/de/dep-scan/package.nix b/pkgs/by-name/de/dep-scan/package.nix
index 58fa53c24581..9defda91b7f5 100644
--- a/pkgs/by-name/de/dep-scan/package.nix
+++ b/pkgs/by-name/de/dep-scan/package.nix
@@ -5,6 +5,7 @@
   writableTmpDirAsHomeHook,
   makeWrapper,
   cdxgen,
+  nixosTests,
 }:
 
 python3Packages.buildPythonApplication rec {
@@ -68,6 +69,8 @@ python3Packages.buildPythonApplication rec {
     }"
   ];
 
+  passthru.tests = { inherit (nixosTests) dep-scan; };
+
   meta = {
     description = "Security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies";
     homepage = "https://github.com/owasp-dep-scan/dep-scan";
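Review bot: The final check `machine.succeed('jq . /tmp/reports/*.json')` only proves that some report file parses as JSON; it does not establish that depscan actually matched the pinned source against the bundled vdb snapshot, so a run where the offline database was ignored or yielded nothing still passes. If the report format exposes a findings or component count, assert it is non-zero with `jq -e` on that field, or at minimum `test -s` the expected report file; I have not verified the report schema. The source tree is fetched separately with its own pinned hash even though the comment says it was chosen only because it is the package's source, so `environment.etc."dep-scan-source".source = pkgs.dep-scan.src;` would keep the fixture in step with package updates without a second hash to maintain, assuming the package's `src` is a plain fetched tree. Also, `{ nodes, ... }:` in `testScript` binds `nodes` without using it, and the comment on the source fixture misspells "vulnerabilities".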