Merge pull request #179335 from 06kellyjac/semgrep

semgrep{,-core}: init at 0.103.0

pkgs/tools/security/semgrep/common.nix

@@ -0,0 +1,55 @@
+{ lib, fetchFromGitHub, fetchzip }:
+
+rec {
+  version = "0.103.0";
+
+  src = fetchFromGitHub {
+    owner = "returntocorp";
+    repo = "semgrep";
+    rev = "v${version}";
+    sha256 = "sha256-vk6GBgLsXRLAVu60xW4WWWhhi4b1WLceTxh/TeISIUg=";
+  };
+
+  # submodule dependencies
+  # these are fetched so we:
+  #   1. don't fetch the many submodules we don't need
+  #   2. avoid fetchSubmodules since it's prone to impurities
+  langsSrc = fetchFromGitHub {
+    owner = "returntocorp";
+    repo = "semgrep-langs";
+    rev = "78e518dad1ce2a7c76854c944245434bd8426439";
+    sha256 = "sha256-t9F/OzzT6FI9G4Fxz0lUjz6TVrJlenusQNJnFpiKaQs=";
+  };
+
+  interfacesSrc = fetchFromGitHub {
+    owner = "returntocorp";
+    repo = "semgrep-interfaces";
+    rev = "a64a45034ea428ecbe9da6bd849a4f1cfd23cdd2";
+    sha256 = "sha256-eatuyA5xyfZVHCmHvZIzQK2c5eEWUEZd9LumJQtk8+s=";
+  };
+
+  # fetch pre-built semgrep-core since the ocaml build is complex and relies on
+  # the opam package manager at some point
+  coreRelease = fetchzip {
+    url = "https://github.com/returntocorp/semgrep/releases/download/v${version}/semgrep-v${version}-ubuntu-16.04.tgz";
+    sha256 = "sha256-L3NbiVYmgJim7H4W1cr75WOItSiHT1YIkUEefuaCYlY=";
+  };
+
+  meta = with lib; {
+    homepage = "https://semgrep.dev/";
+    downloadPage = "https://github.com/returntocorp/semgrep/";
+    changelog = "https://github.com/returntocorp/semgrep/blob/v${version}/CHANGELOG.md";
+    description = "Lightweight static analysis for many languages";
+    longDescription = ''
+      Semgrep is a fast, open-source, static analysis tool for finding bugs and
+      enforcing code standards at editor, commit, and CI time. Semgrep analyzes
+      code locally on your computer or in your build environment: code is never
+      uploaded. Its rules look like the code you already write; no abstract
+      syntax trees, regex wrestling, or painful DSLs.
+    '';
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ jk ambroisie ];
+    # limited by semgrep-core
+    platforms = [ "x86_64-linux" ];
+  };
+}

pkgs/tools/security/semgrep/default.nix

@@ -0,0 +1,81 @@
+{ lib
+, fetchFromGitHub
+, callPackage
+, semgrep-core
+, buildPythonApplication
+, pythonPackages
+
+, pytestCheckHook
+, git
+}:
+
+let
+  common = callPackage ./common.nix { };
+in
+buildPythonApplication rec {
+  pname = "semgrep";
+  inherit (common) version;
+  src = "${common.src}/cli";
+
+  SEMGREP_CORE_BIN = "${semgrep-core}/bin/semgrep-core";
+
+  postPatch = ''
+    substituteInPlace setup.py \
+      --replace "typing-extensions~=4.2" "typing-extensions" \
+      --replace "jsonschema~=3.2" "jsonschema" \
+      --replace "boltons~=21.0" "boltons"
+
+    # remove git submodule placeholders
+    rm -r ./src/semgrep/{lang,semgrep_interfaces}
+    # link submodule dependencies
+    ln -s ${common.langsSrc}/ ./src/semgrep/lang
+    ln -s ${common.interfacesSrc}/ ./src/semgrep/semgrep_interfaces
+  '';
+
+  doCheck = true;
+  checkInputs = [ git pytestCheckHook ] ++ (with pythonPackages; [
+    pytest-snapshot
+    pytest-mock
+    pytest-freezegun
+    types-freezegun
+  ]);
+  disabledTests = [
+    # requires networking
+    "tests/unit/test_metric_manager.py"
+  ];
+  preCheck = ''
+    # tests need a home directory
+    export HOME="$(mktemp -d)"
+
+    # disabledTestPaths doesn't manage to avoid the e2e tests
+    # remove them from pyproject.toml
+    # and remove need for pytest-split
+    substituteInPlace pyproject.toml \
+      --replace '"tests/e2e",' "" \
+      --replace 'addopts = "--splitting-algorithm=least_duration"' ""
+  '';
+
+  propagatedBuildInputs = with pythonPackages; [
+    attrs
+    boltons
+    colorama
+    click
+    click-option-group
+    glom
+    requests
+    ruamel-yaml
+    tqdm
+    packaging
+    jsonschema
+    wcmatch
+    peewee
+    defusedxml
+    urllib3
+    typing-extensions
+    python-lsp-jsonrpc
+  ];
+
+  meta = common.meta // {
+    description = common.meta.description + " - cli";
+  };
+}

pkgs/tools/security/semgrep/semgrep-core.nix

@@ -0,0 +1,22 @@
+{ lib, stdenvNoCC, callPackage }:
+
+let
+  common = callPackage ./common.nix { };
+in
+stdenvNoCC.mkDerivation rec {
+  pname = "semgrep-core";
+  inherit (common) version;
+
+  src = common.coreRelease;
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm 755 -t $out/bin semgrep-core
+    runHook postInstall
+  '';
+
+  meta = common.meta // {
+    description = common.meta.description + " - core binary";
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -10459,6 +10459,9 @@ with pkgs;
 
   seexpr = callPackage ../development/compilers/seexpr { };
 
+  semgrep = python3.pkgs.callPackage ../tools/security/semgrep { };
+  semgrep-core = callPackage ../tools/security/semgrep/semgrep-core.nix { };
+
   setroot = callPackage  ../tools/X11/setroot { };
 
   setserial = callPackage ../tools/system/setserial { };