nixpkgs/pkgs/tools/security/wapiti/default.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

145 lines
3.5 KiB
Nix
Raw Normal View History

2021-03-31 11:43:28 +00:00
{ lib
, fetchFromGitHub
, python3
}:
python3.pkgs.buildPythonApplication rec {
pname = "wapiti";
2022-07-11 19:45:55 +00:00
version = "3.1.3";
2021-12-28 00:17:16 +00:00
format = "setuptools";
2021-03-31 11:43:28 +00:00
src = fetchFromGitHub {
owner = "wapiti-scanner";
repo = pname;
rev = version;
2022-07-11 19:45:55 +00:00
sha256 = "sha256-alrJVe4Miarkk8BziC8Y333b3swJ4b4oQpP2WAdT2rc=";
2021-03-31 11:43:28 +00:00
};
propagatedBuildInputs = with python3.pkgs; [
2021-11-05 20:03:55 +00:00
aiocache
aiosqlite
2021-03-31 11:43:28 +00:00
beautifulsoup4
2021-12-28 00:17:16 +00:00
brotli
2021-03-31 11:43:28 +00:00
browser-cookie3
2021-07-31 17:53:32 +00:00
cryptography
2021-11-05 20:03:55 +00:00
dnspython
2022-04-04 14:27:16 +00:00
httpcore
2021-07-31 17:53:32 +00:00
httpx
2021-12-28 00:17:16 +00:00
humanize
importlib-metadata
2021-11-05 20:03:55 +00:00
loguru
Mako
markupsafe
2022-07-11 19:45:55 +00:00
mitmproxy
2021-03-31 11:43:28 +00:00
six
2021-11-05 20:03:55 +00:00
sqlalchemy
2021-03-31 11:43:28 +00:00
tld
yaswfp
] ++ httpx.optional-dependencies.brotli
++ httpx.optional-dependencies.socks;
2021-03-31 11:43:28 +00:00
checkInputs = with python3.pkgs; [
2021-07-31 17:53:32 +00:00
respx
pytest-asyncio
2021-03-31 11:43:28 +00:00
pytestCheckHook
];
postPatch = ''
2021-07-31 17:53:32 +00:00
# Ignore pinned versions
2022-04-04 14:27:16 +00:00
sed -i -e "s/==[0-9.]*//;s/>=[0-9.]*//" setup.py
substituteInPlace setup.py \
--replace '"pytest-runner"' ""
2021-07-31 17:53:32 +00:00
substituteInPlace setup.cfg \
2021-11-05 20:03:55 +00:00
--replace " --cov --cov-report=xml" ""
2021-07-31 17:53:32 +00:00
'';
preCheck = ''
export HOME=$(mktemp -d);
2021-03-31 11:43:28 +00:00
'';
disabledTests = [
# Tests requires network access
"test_attr"
"test_bad_separator_used"
"test_blind"
"test_chunked_timeout"
2021-07-31 17:53:32 +00:00
"test_cookies"
"test_drop_cookies"
"test_save_and_restore_state"
"test_explorer_extract_links"
2021-03-31 11:43:28 +00:00
"test_cookies_detection"
"test_csrf_cases"
"test_detection"
"test_direct"
"test_escape_with_style"
"test_explorer_filtering"
"test_false"
"test_frame"
"test_headers_detection"
"test_html_detection"
"test_implies_detection"
"test_inclusion_detection"
"test_meta_detection"
"test_no_crash"
"test_options"
"test_out_of_band"
2021-07-31 17:53:32 +00:00
"test_multi_detection"
"test_vulnerabilities"
2021-03-31 11:43:28 +00:00
"test_partial_tag_name_escape"
"test_prefix_and_suffix_detection"
"test_qs_limit"
"test_rare_tag_and_event"
"test_redirect_detection"
"test_request_object"
"test_script"
"test_ssrf"
2021-12-28 00:17:16 +00:00
"test_merge_with_and_without_redirection"
2021-03-31 11:43:28 +00:00
"test_tag_name_escape"
"test_timeout"
"test_title_false_positive"
"test_title_positive"
"test_true_positive_request_count"
2021-11-05 20:03:55 +00:00
"test_unregistered_cname"
2021-03-31 11:43:28 +00:00
"test_url_detection"
2022-04-04 14:27:16 +00:00
"test_verify_dns"
2021-03-31 11:43:28 +00:00
"test_warning"
"test_whole"
"test_xss_inside_tag_input"
"test_xss_inside_tag_link"
"test_xss_uppercase_no_script"
"test_xss_with_strong_csp"
"test_xss_with_weak_csp"
"test_xxe"
2021-07-31 17:53:32 +00:00
# Requires a PHP installation
"test_timesql"
"test_cookies"
2022-04-04 14:27:16 +00:00
"test_redirect"
2021-12-28 00:17:16 +00:00
# TypeError: Expected bytes or bytes-like object got: <class 'str'>
2021-08-27 10:45:53 +00:00
"test_persister_upload"
2021-03-31 11:43:28 +00:00
];
2022-04-04 14:27:16 +00:00
disabledTestPaths = [
# Requires sslyze which is obsolete and was removed
2022-04-04 14:27:16 +00:00
"tests/attack/test_mod_ssl.py"
];
2021-03-31 11:43:28 +00:00
2021-11-05 20:03:55 +00:00
pythonImportsCheck = [
"wapitiCore"
];
2021-03-31 11:43:28 +00:00
meta = with lib; {
description = "Web application vulnerability scanner";
longDescription = ''
Wapiti allows you to audit the security of your websites or web applications.
It performs "black-box" scans (it does not study the source code) of the web
application by crawling the webpages of the deployed webapp, looking for
scripts and forms where it can inject data. Once it gets the list of URLs,
forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see
if a script is vulnerable.
'';
homepage = "https://wapiti-scanner.github.io/";
license = with licenses; [ gpl2Only ];
maintainers = with maintainers; [ fab ];
};
}