Add Nix flake #234

3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -262,3 +262,6 @@ ghidra/p_code_extractor/lib/

# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*

# nix build
/result*
9 changes: 9 additions & 0 deletions README.md
Expand Up @@ -49,6 +49,11 @@ The following dependencies must be installed in order to build and install the *

Run `make all GHIDRA_PATH=/path/to/ghidra_folder` (with the correct path to the local Ghidra installation inserted) to compile and install the cwe_checker.

### Nix package manager
```bash
nix build 'github:fkie-cad/cwe_checker'
```

## Usage ##

The *cwe_checker* takes a binary as input,
Expand All @@ -63,6 +68,10 @@ If you installed the *cwe_checker* locally, run
```bash
cwe_checker BINARY
```
If you are using Nix package manager, run
```bash
nix run 'github:fkie-cad/cwe_checker' BINARY
```
You can adjust the behavior of most checks via a configuration file located at `src/config.json`.
If you modify it, add the command line flag `--config=src/config.json` to tell the *cwe_checker* to use the modified file.
For information about other available command line flags you can pass the `--help` flag to the *cwe_checker*.
119 changes: 119 additions & 0 deletions flake.lock


107 changes: 107 additions & 0 deletions flake.nix
@@ -0,0 +1,107 @@
{
description = "cwe_checker finds vulnerable patterns in binary executables";

inputs = {
# use upstream once https://github.com/NixOS/nixpkgs/pull/140208 is accepted
# nixpkgs.url = "nixpkgs/nixos-21.05";
nixpkgs.url = "github:ilkecan/nixpkgs/nixos-21.05";
flake-utils.url = "github:numtide/flake-utils";
nix-filter.url = "github:numtide/nix-filter";

fenix = {
url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs";
};

nix-utils = {
url = "git+https://git.sr.ht/~ilkecan/nix-utils";
inputs.nixpkgs.follows = "nixpkgs";
};
};

outputs = { self, nixpkgs, flake-utils, ... }@inputs:
let
inherit (builtins)
attrNames
attrValues
;
inherit (nixpkgs.lib)
getAttrs
intersectLists
;
inherit (flake-utils.lib)
defaultSystems
eachSystem
;
nix-filter = inputs.nix-filter.lib;
nix-utils = inputs.nix-utils.lib;
inherit (nix-utils)
createOverlays
importCargoLock
;

# ghidra-bin.meta.platforms
ghidraPlatforms = [ "x86_64-linux" "x86_64-darwin" ];
The ghidra derivation in Nixpkgs only supports these two platforms. I think this is a limitation of Nixpkgs rather than of the upstream project, but since cwe_checker depends on ghidra, I could only support these two platforms.

supportedSystems = intersectLists defaultSystems ghidraPlatforms;
commonArgs = {
version = (importCargoLock ./.).cwe_checker.version;
homepage = "https://github.com/fkie-cad/cwe_checker";
downloadPage = "https://github.com/fkie-cad/cwe_checker/releases";
changelog = "https://raw.githubusercontent.com/fkie-cad/cwe_checker/master/CHANGES.md";
maintainers = [
{
email = "ilkecan@protonmail.com";
github = "ilkecan";
githubId = 40234257;
name = "ilkecan bozdogan";
}
];
platforms = supportedSystems;
};

derivations = {
cwe_checker = import ./nix/cwe_checker.nix commonArgs;
cwe_checker_to_ida = import ./nix/cwe_checker_to_ida.nix commonArgs;
};
in
{
overlays = createOverlays derivations {
inherit
nix-filter
nix-utils
;
};
overlay = self.overlays.cwe_checker;
} // eachSystem supportedSystems (system:
let
pkgs = import nixpkgs {
inherit system;
overlays = attrValues self.overlays ++ [
inputs.fenix.overlay
];
};

packageNames = attrNames derivations;
in
rec {
checks = packages;

packages = getAttrs packageNames pkgs;
defaultPackage = packages.cwe_checker;

hydraJobs = {
build = packages;
};

devShell =
let
packageList = attrValues packages;
in
pkgs.mkShell {
packages = packageList ++ [
defaultPackage.rustToolchain.defaultToolchain
];
inputsFrom = packageList;
};
Comment on lines +100 to +105
The development shell currently includes the packages provided by the flake and their inputs. It also includes the default profile of the stable channel. Other packages or bash code (aliases or functions) can also be added here.

});
}
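Review bot: The `nixpkgs` input at the top of the hunk points at a personal fork (`github:ilkecan/nixpkgs/nixos-21.05`) and the `nix-utils` input at a personal sr.ht repository, so every package that `nix build 'github:fkie-cad/cwe_checker'` evaluates — including the `createOverlays` and `importCargoLock` helpers used further down — comes from code outside both nixpkgs and this project. The added flake.lock pins those revisions, but a later `nix flake update` would pull whatever those repositories then contain, which widens the set of parties a consumer has to trust. The nixpkgs line already carries a comment naming the upstream PR; give `nix-utils` the same treatment, e.g. `# personal helper library providing createOverlays/importCargoLock; revision pinned via flake.lock`, and track removing the fork pin once the referenced nixpkgs PR lands.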
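--- a/nix/cwe_checker.nix
+++ b/nix/cwe_checker.nix
@@ -0,0 +1,105 @@
+{ version
+, changelog
+, downloadPage
+, homepage
+, maintainers
+, platforms
+}:
+{ lib
+, fenix
+, ghidra-bin
+, makeRustPlatform
+, makeWrapper
+, nix-filter
+, writeShellScript
+, ...
+}:
+
+let
+inherit (nix-filter) inDirectory;
+
+rustToolchain = fenix.stable;
+rustPlatform = makeRustPlatform {
+inherit (rustToolchain) cargo rustc;
+};
+
+pname = "cwe_checker";
+root = ./..;
+# Reading the files in the filtered directory is not possible right now.
+# Follow up on how https://github.com/NixOS/nix/pull/5163 will be resolved.
+mainProgram = pname;
+
+src = nix-filter {
+inherit root;
+name = pname;
+include = [
+"Cargo.lock"
+"Cargo.toml"
+(inDirectory "src")
+(inDirectory "test")
+];
+};
+
+preRunScript = writeShellScript "preRunScript" ''
+config_dir="$HOME/.config/cwe_checker"
+config_json="$config_dir/config.json"
+if [[ ! -f $config_json ]]; then
+install --mode=644 -D ${toString src}/src/config.json $config_json
+fi
+
+ghidra_json="$config_dir/ghidra.json"
+if [[ ! -f $ghidra_json ]]; then
+echo '{ "ghidra_path": "${ghidra-bin}/lib/ghidra" }' > $ghidra_json
+fi
+'';
+in
+rustPlatform.buildRustPackage {
+inherit pname version src;
+
+cargoHash = "sha256-igAygYTIkV+gfBWVHGVspheTC19TilU3A3/MqSwhd90=";
+
+buildInputs = [
+ghidra-bin.out
+];
+
+nativeBuildInputs = [
+makeWrapper.out
+];
+
+patches = [
+./patches/0001-use-env-variable-for-ghidra-plugin-path.patch
+];
+
+postInstall = ''
+wrapProgram "$out/bin/${mainProgram}" \
+--set CWE_CHECKER_GHIDRA_PLUGIN_PATH "${toString src}/src/ghidra" \
+--run ${preRunScript}
+'';
+
+doInstallCheck = true;
+installCheckPhase = ''
+tmp=$(mktemp)
+HOME=$(mktemp -d) # because of the preRunScript
+$out/bin/${mainProgram} --version &> $tmp || (cat $tmp; exit 1)
+echo "OK"
+'';
+
+passthru = {
+inherit rustToolchain;
+ghidra_plugin = "${toString root}/ghidra_plugin/cwe_checker_ghidra_plugin.py";
+};
+
+meta = {
+description = "cwe_checker finds vulnerable patterns in binary executables";
+longDescription =
+"cwe_checker is a suite of checks to detect common bug classes such as" +
+"use of dangerous functions and simple integer overflows. These bug" +
+"classes are formally known as Common Weakness Enumerations (CWEs). Its" +
+"main goal is to aid analysts to quickly find vulnerable code paths.";
+
+inherit homepage downloadPage changelog;
+
+license = lib.licenses.lgpl3Plus;
+inherit maintainers mainProgram platforms;
+};
+}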
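Review bot: `preRunScript` writes `$HOME/.config/cwe_checker/ghidra.json` only when the file is absent, and the value it persists is the `${ghidra-bin}` store path of the build that created it, so after the package is rebuilt against a newer `ghidra-bin` existing users keep a config pointing at the old path, which stops resolving once that path is garbage-collected. Consider having the wrapper supply the Ghidra location on every run, as `postInstall` already does for the plugin directory via `CWE_CHECKER_GHIDRA_PLUGIN_PATH`, if the tool can take it from the environment; otherwise at least add a comment on the `ghidra_json` branch explaining that a stale file must be deleted by hand after an upgrade. The shell snippets also use `$config_json`, `$ghidra_json` and `$tmp` unquoted, and `installCheckPhase` relies on `set -e` for `(cat $tmp; exit 1)` to fail the phase since the `exit` only leaves the subshell; `|| { cat "$tmp"; false; }` is the more robust form. Separately, `longDescription` concatenates its fragments without separating spaces (`"such as" + "use of"` yields `such asuse of`), so end each fragment with a space or use a `''` multi-line string.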