nixpkgs/pkgs/tools/security/flare-floss/default.nix

{ lib
, python3
, fetchFromGitHub
}:
let
  py = python3.override {
    packageOverrides = final: prev: {
      # required for networkx 2.5.1
      decorator = prev.decorator.overridePythonAttrs (o: o // rec {
        version = "4.4.2";
        src = o.src.override {
          inherit version;
          sha256 = "sha256-46YvBSAXJEDKDcyCN0kxk4Ljd/N/FAoLme9F/suEv+c=";
        };
      });

      # flare-floss requires this exact version (newer versions are incompatible)
      networkx = prev.networkx.overridePythonAttrs (o: o // rec {
        version = "2.5.1";
        src = o.src.override {
          inherit version;
          sha256 = "sha256-EJzVhcrEEpf3EQPDxCrG73N58peI61TLdRvlpmO7I1o=";
        };
      });
    };
  };
in
py.pkgs.buildPythonPackage rec {
  pname = "flare-floss";
  version = "2.0.0";

  src = fetchFromGitHub {
    owner = "mandiant";
    repo = "flare-floss";
    rev = "v${version}";
    fetchSubmodules = true; # for tests
    sha256 = "sha256-V4OWYcISyRdjf8x93B6h2hJwRgmRmk32hr8TrgRDu8Q=";
  };

  postPatch = ''
    substituteInPlace setup.py \
      --replace "==" ">="

    substituteInPlace floss/main.py \
      --replace 'sigs_path = os.path.join(get_default_root(), "sigs")' 'sigs_path = "'"$out"'/share/flare-floss/sigs"'
  '';

  propagatedBuildInputs = with py.pkgs; [
    halo
    networkx
    pydantic
    tabulate
    tqdm
    viv-utils
    vivisect
  ] ++ viv-utils.optional-dependencies.flirt;

  nativeCheckInputs = with py.pkgs; [
    pytest-sugar
    pytestCheckHook
    pyyaml
  ];

  postInstall = ''
    mkdir -p $out/share/flare-floss/
    cp -r sigs $out/share/flare-floss/
  '';

  meta = with lib; {
    description = "Automatically extract obfuscated strings from malware";
    homepage = "https://github.com/mandiant/flare-floss";
    license = licenses.asl20;
    maintainers = teams.determinatesystems.members;
  };
}