Merge release-22.11 into staging-next-22.11

nixos/modules/services/misc/etebase-server.nix

@@ -179,21 +179,21 @@ in
       description = "An Etebase (EteSync 2.0) server";
       after = [ "network.target" "systemd-tmpfiles-setup.service" ];
       wantedBy = [ "multi-user.target" ];
+      path = [ pythonEnv ];
       serviceConfig = {
         User = cfg.user;
         Restart = "always";
         WorkingDirectory = cfg.dataDir;
       };
       environment = {
-        PYTHONPATH = "${pythonEnv}/${pkgs.python3.sitePackages}";
         ETEBASE_EASY_CONFIG_PATH = configIni;
       };
       preStart = ''
         # Auto-migrate on first run or if the package has changed
         versionFile="${cfg.dataDir}/src-version"
         if [[ $(cat "$versionFile" 2>/dev/null) != ${pkgs.etebase-server} ]]; then
-          ${pythonEnv}/bin/etebase-server migrate --no-input
-          ${pythonEnv}/bin/etebase-server collectstatic --no-input --clear
+          etebase-server migrate --no-input
+          etebase-server collectstatic --no-input --clear
           echo ${pkgs.etebase-server} > "$versionFile"
         fi
       '';
@@ -204,7 +204,7 @@ in
           else "-b 0.0.0.0 -p ${toString cfg.port}";
         in ''
           cd "${pythonEnv}/lib/etebase-server";
-          ${pythonEnv}/bin/daphne ${networking} \
+          daphne ${networking} \
             etebase_server.asgi:application
         '';
     };

pkgs/development/interpreters/clojure/babashka.nix

@@ -2,11 +2,11 @@
 
 buildGraalvmNativeImage rec {
   pname = "babashka";
-  version = "1.0.167";
+  version = "1.0.168";
 
   src = fetchurl {
     url = "https://github.com/babashka/${pname}/releases/download/v${version}/${pname}-${version}-standalone.jar";
-    sha256 = "sha256-tqhl2d0HZJNVP3EX2y5YiOmCgJsXegUUO91+f9MxQyU=";
+    sha256 = "sha256-K56SEfSq0mjltUwR2VZxGiGn9nnEdDBoZrkaBOIIl7k=";
   };
 
   executable = "bb";

pkgs/development/tools/misc/pkgconf/default.nix

@@ -6,11 +6,11 @@
 
 stdenv.mkDerivation rec {
   pname = "pkgconf";
-  version = "1.9.3";
+  version = "1.9.4";
 
   src = fetchurl {
     url = "https://distfiles.dereferenced.org/${pname}/${pname}-${version}.tar.xz";
-    hash = "sha256-X7NVtIfVT7bTQeTxjU4vfoE6ZiLPA6noev+mpAVlaZ0=";
+    hash = "sha256-2szxu+WjDRSbVWx9L//+r9dte1FOJJJxq91QFTPB2K4=";
   };
 
   outputs = [ "out" "lib" "dev" "man" "doc" ];

pkgs/games/domination/default.nix

@@ -26,7 +26,7 @@ let
 
 in stdenv.mkDerivation {
   pname = "domination";
-  version = "1.2.5";
+  version = "1.2.7";
 
   # The .zip releases do not contain the build.xml file
   src = fetchsvn {
@@ -34,8 +34,8 @@ in stdenv.mkDerivation {
     # There are no tags in the repository.
     # Look for commits like "new version x.y.z info on website"
     # or "website update for x.y.z".
-    rev = "2212";
-    sha256 = "sha256-XuPMxGDap8x7I+U7+1C+DlkQkoV/u2FCwYyTZFWmYHM=";
+    rev = "2261";
+    sha256 = "sha256-xvlPC7M6DaF3g2O3vQDmcdp7914qOaiikY02RTgAVkM=";
   };
 
   nativeBuildInputs = [

pkgs/os-specific/linux/kernel/hardened/patches.json

@@ -2,61 +2,61 @@
     "4.14": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-4.14.303-hardened1.patch",
-            "sha256": "1ihq6kf19fribpyiisv5wdax0467pylmlmsqn88vf50ps3akc4ix",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.303-hardened1/linux-hardened-4.14.303-hardened1.patch"
+            "name": "linux-hardened-4.14.304-hardened1.patch",
+            "sha256": "099fqlfl9p57pfh5jr7cv30476q2cbhrqs6w63cy3mkwj7l4jwln",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.304-hardened1/linux-hardened-4.14.304-hardened1.patch"
         },
-        "sha256": "17pxl4fgzpz48y7nx1z8891mll64givxgch3z5an6dkr13c2xy2b",
-        "version": "4.14.303"
+        "sha256": "1ma9qpsx0nvi0szlivf8v5l3pjykqwrv4x6y5g0nn6bcwhsb5jv4",
+        "version": "4.14.304"
     },
     "4.19": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-4.19.270-hardened1.patch",
-            "sha256": "1xii5xchbxnswy7qhhvvivx6c6a5n7iw920yrvm2chrnp5s9mikh",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.270-hardened1/linux-hardened-4.19.270-hardened1.patch"
+            "name": "linux-hardened-4.19.271-hardened1.patch",
+            "sha256": "0xvd9n2fqmr863a4vljki2saa85dccj7mflcfwaslj9g2ygbrf93",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.271-hardened1/linux-hardened-4.19.271-hardened1.patch"
         },
-        "sha256": "14nj1skd73rn59v2ah80vgpc8fh37jvpc75wafpa4glfphx88i11",
-        "version": "4.19.270"
+        "sha256": "06lxh9skp9213n29ynx7a9cinz7wggaxjsz52kghdbwfnjf3yvb3",
+        "version": "4.19.271"
     },
     "5.10": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.10.164-hardened1.patch",
-            "sha256": "1z2qd460wnna658zi8mbz2rqjwbvkxrk03ncicqszfjbinigxp6x",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.164-hardened1/linux-hardened-5.10.164-hardened1.patch"
+            "name": "linux-hardened-5.10.165-hardened1.patch",
+            "sha256": "0gnvnywagqqdsdrbd9fbl671pzfv49mf2xqan9bk3q41mgcyyfgg",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.165-hardened1/linux-hardened-5.10.165-hardened1.patch"
         },
-        "sha256": "0y42xgpmg2mhx81d3bswhk0n3f8vdvmf4k0g8ii6cb01gflalzhc",
-        "version": "5.10.164"
+        "sha256": "03dg8yx0gdzm8zbwd1f9jn4c5jhr8qilhjzxgwm0mv8riz2fy7cp",
+        "version": "5.10.165"
     },
     "5.15": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.15.89-hardened1.patch",
-            "sha256": "0gwgdgmc9c7cpgp5vcyxwqxc5y2br3ghi6x3r11frs1kcwvqjix9",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.89-hardened1/linux-hardened-5.15.89-hardened1.patch"
+            "name": "linux-hardened-5.15.90-hardened1.patch",
+            "sha256": "1zj80v6xpgz00z1lpw5j9qdm0gp44pk7vkflrngbk8m3cwmpw5ha",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.90-hardened1/linux-hardened-5.15.90-hardened1.patch"
         },
-        "sha256": "1s1gflnzvfza5m94c9f3l42kskjadayij4q5gk9vcjq19s3incg7",
-        "version": "5.15.89"
+        "sha256": "0hiv74mxkp3v04lphnyw16akgavaz527bzhnfnpm6rv848047zg6",
+        "version": "5.15.90"
     },
     "5.4": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.4.229-hardened1.patch",
-            "sha256": "0cww74kkh2n7apzqbdz72d04x39wkasxj5mi7giivpp0s2f0c24a",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.229-hardened1/linux-hardened-5.4.229-hardened1.patch"
+            "name": "linux-hardened-5.4.230-hardened1.patch",
+            "sha256": "0xk80i6wddd909wzhcp7b64sbsjjqpwyjr8gknpc83zcdzv3y892",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.230-hardened1/linux-hardened-5.4.230-hardened1.patch"
         },
-        "sha256": "1bx77x4x10v38ygfiz0dcw938ybczq7f3srg11ifzvwm243r5if5",
-        "version": "5.4.229"
+        "sha256": "0bz6hfhsahymys2g9s4nzf862z0zfq4346577cpvf98hrhnd6kx7",
+        "version": "5.4.230"
     },
     "6.1": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-6.1.7-hardened1.patch",
-            "sha256": "1hp3mbl8vfd2cwpxbhmqqy77nzyk265k1rcf1rz048ivnsppw4cx",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.7-hardened1/linux-hardened-6.1.7-hardened1.patch"
+            "name": "linux-hardened-6.1.8-hardened1.patch",
+            "sha256": "1ry0cb1dsq84n6cxn8ndx47qz1g69kqlfkb16rrlgk49w81i8y8z",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.8-hardened1/linux-hardened-6.1.8-hardened1.patch"
         },
-        "sha256": "03v0pvg831qzbpc09ip1h0p4zz6js9das7vzh8xhsf77sax4ic2a",
-        "version": "6.1.7"
+        "sha256": "0vc1ggjy4wvna7g6xgbjzhk93whssj9ixcal0hkhldxsp0xba2xn",
+        "version": "6.1.8"
     }
 }

pkgs/os-specific/linux/kernel/linux-4.14.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.14.303";
+  version = "4.14.304";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "17pxl4fgzpz48y7nx1z8891mll64givxgch3z5an6dkr13c2xy2b";
+    sha256 = "1ma9qpsx0nvi0szlivf8v5l3pjykqwrv4x6y5g0nn6bcwhsb5jv4";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-4.19.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.19.270";
+  version = "4.19.271";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "14nj1skd73rn59v2ah80vgpc8fh37jvpc75wafpa4glfphx88i11";
+    sha256 = "06lxh9skp9213n29ynx7a9cinz7wggaxjsz52kghdbwfnjf3yvb3";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-5.10.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.10.164";
+  version = "5.10.165";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0y42xgpmg2mhx81d3bswhk0n3f8vdvmf4k0g8ii6cb01gflalzhc";
+    sha256 = "03dg8yx0gdzm8zbwd1f9jn4c5jhr8qilhjzxgwm0mv8riz2fy7cp";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-5.15.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.15.89";
+  version = "5.15.90";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1s1gflnzvfza5m94c9f3l42kskjadayij4q5gk9vcjq19s3incg7";
+    sha256 = "0hiv74mxkp3v04lphnyw16akgavaz527bzhnfnpm6rv848047zg6";
   };
 } // (args.argsOverride or { }))

pkgs/os-specific/linux/kernel/linux-5.4.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.4.229";
+  version = "5.4.230";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1bx77x4x10v38ygfiz0dcw938ybczq7f3srg11ifzvwm243r5if5";
+    sha256 = "0bz6hfhsahymys2g9s4nzf862z0zfq4346577cpvf98hrhnd6kx7";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-6.1.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "6.1.7";
+  version = "6.1.8";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
-    sha256 = "03v0pvg831qzbpc09ip1h0p4zz6js9das7vzh8xhsf77sax4ic2a";
+    sha256 = "0vc1ggjy4wvna7g6xgbjzhk93whssj9ixcal0hkhldxsp0xba2xn";
   };
 } // (args.argsOverride or { }))

pkgs/os-specific/linux/kernel/xanmod-kernels.nix

@@ -3,14 +3,14 @@
 let
   # These names are how they are designated in https://xanmod.org.
   ltsVariant = {
-    version = "5.15.84";
-    hash = "sha256-CN3GOuwSicJ6Oa9BiKTyZg7fpzWc846v2SV9JRiOu3M=";
+    version = "5.15.89";
+    hash = "sha256-wlb6er8L2EaqgJbmbATBdSxx1BGcJXNcsu+/4UBmYdQ=";
     variant = "lts";
   };
 
   mainVariant = {
-    version = "6.1.3";
-    hash = "sha256-YtkmbbFEfvww7yJ4MpLQ3M6QjbBXSU9Pjwu0Dq/dIcs=";
+    version = "6.1.7";
+    hash = "sha256-cgUxM40cDl4lzoF4St3ckKAtsle2PRehfSag3VaycrY=";
     variant = "main";
   };
 

pkgs/servers/http/apache-httpd/2.4.nix

@@ -11,11 +11,11 @@
 
 stdenv.mkDerivation rec {
   pname = "apache-httpd";
-  version = "2.4.54";
+  version = "2.4.55";
 
   src = fetchurl {
     url = "mirror://apache/httpd/httpd-${version}.tar.bz2";
-    sha256 = "sha256-6zl/7u/MryVPjUXeN2jZ1o6Oc4UcSa/VtxdtHs+Aw0A=";
+    sha256 = "sha256-Eda6GeNsC5PKYuR+b/wtLyiElCaUvODyPznHG9xfaaw=";
   };
 
   # FIXME: -dev depends on -doc

pkgs/servers/roundcube/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "roundcube";
-  version = "1.6.0";
+  version = "1.6.1";
 
   src = fetchurl {
     url = "https://github.com/roundcube/roundcubemail/releases/download/${version}/roundcubemail-${version}-complete.tar.gz";
-    sha256 = "sha256-JAnM3+LkZfCGy5/BjIjf4Kr2zMI5JFZJdQYSCZIWlLo=";
+    sha256 = "sha256-RsL2ujS8t+V+R8sDS/M45fx9zO3dqSEqLvO9MUbZe+0=";
   };
 
   patches = [ ./0001-Don-t-resolve-symlinks-when-trying-to-find-INSTALL_P.patch ];

pkgs/tools/misc/changelogger/default.nix

@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "changelogger";
-  version = "0.5.3";
+  version = "0.6.0";
 
   src = fetchFromGitHub {
     owner = "MarkusFreitag";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-AP5cuXAuh5LX6FTsku38Zh1Y4SVaa4l5XEBTMZnYr6g=";
+    sha256 = "sha256-g3d4BEVMQGBEKx+YVPjPrypWQNtEun/pSRgAsJY/RT4=";
   };
 
-  vendorSha256 = "sha256-RmLSuLZdYpA557xN7fkPZm5ektxvRHil1E2u1qR7EO0=";
+  vendorHash = "sha256-E6J+0tZriskBnXdhQOQA240c3z+laXM5honoREjHPfM=";
 
   ldflags = [
     "-s"

pkgs/tools/networking/eternal-terminal/default.nix

@@ -12,13 +12,13 @@
 
 stdenv.mkDerivation rec {
   pname = "eternal-terminal";
-  version = "6.2.1";
+  version = "6.2.4";
 
   src = fetchFromGitHub {
     owner = "MisterTea";
     repo = "EternalTerminal";
-    rev = "et-v${version}";
-    hash = "sha256-YQ8Qx6RTmDoNWY8AQlnBJJendQl+tF1QA+Z6h/ar9qs=";
+    rev = "refs/tags/et-v${version}";
+    hash = "sha256-9W9Pz0VrFU+HNpf98I3CLrn8+kpjjNLOUK8gGcDJcI8=";
   };
 
   nativeBuildInputs = [
@@ -52,6 +52,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Remote shell that automatically reconnects without interrupting the session";
     homepage = "https://eternalterminal.dev/";
+    changelog = "https://github.com/MisterTea/EternalTerminal/releases/tag/et-v${version}";
     license = licenses.asl20;
     maintainers = with maintainers; [ dezgeg ];
     platforms = platforms.linux ++ platforms.darwin;

pkgs/tools/security/semgrep/common.nix

@@ -1,41 +1,55 @@
 { lib, fetchFromGitHub, fetchzip, stdenv }:
 
 rec {
-  version = "0.112.1";
+  version = "1.0.0";
 
   src = fetchFromGitHub {
     owner = "returntocorp";
     repo = "semgrep";
     rev = "v${version}";
-    sha256 = "sha256-SZtxZz4x6YUKw1uO5HQTU4lRY989SoCNsPQphJr+L0Y=";
+    sha256 = "sha256-4fNBpokHKCtMB3P0ot1TzcuzOs5hlyH8nIw+bCGqThA=";
   };
 
   # submodule dependencies
   # these are fetched so we:
   #   1. don't fetch the many submodules we don't need
   #   2. avoid fetchSubmodules since it's prone to impurities
-  langsSrc = fetchFromGitHub {
-    owner = "returntocorp";
-    repo = "semgrep-langs";
-    rev = "91e288062eb794e8a5e6967d1009624237793491";
-    sha256 = "sha256-z2t2bTRyj5zu9h/GBg2YeRFimpJsd3dA7dK8VBaKzHo=";
-  };
-
-  interfacesSrc = fetchFromGitHub {
-    owner = "returntocorp";
-    repo = "semgrep-interfaces";
-    rev = "7bc457a32e088ef21adf1529fa0ddeea634b9131";
-    sha256 = "sha256-xN8Qm1/YLa49k9fZKDoPPmHASI2ipI3mkKlwEK2ajO4=";
+  submodules = {
+    "cli/src/semgrep/lang" = fetchFromGitHub {
+      owner = "returntocorp";
+      repo = "semgrep-langs";
+      rev = "65cb2ed80e31e01b122f893fef8428d14432da75";
+      sha256 = "sha256-HdPJdOlMM1l7vNSATkEu5KrCkpt2feEAH8LFDU84KUM=";
+    };
+    "cli/src/semgrep/semgrep_interfaces" = fetchFromGitHub {
+      owner = "returntocorp";
+      repo = "semgrep-interfaces";
+      rev = "c69e30a4cf39f11cab5378700f5e193e8282079e";
+      sha256 = "sha256-Wr3/TWx/LHiTFCoGY4sqdsn3dHvMsEIVYA3RGiv88xQ=";
+    };
   };
 
   # fetch pre-built semgrep-core since the ocaml build is complex and relies on
   # the opam package manager at some point
-  coreRelease = if stdenv.isDarwin then fetchzip {
-      url = "https://github.com/returntocorp/semgrep/releases/download/v${version}/semgrep-v${version}-osx.zip";
-      sha256 = "sha256-JiOH39vMDL6r9WKuPO0CDkRwGZtzl/GIFoSegVddFpw=";
-  } else fetchzip {
-      url = "https://github.com/returntocorp/semgrep/releases/download/v${version}/semgrep-v${version}-ubuntu-16.04.tgz";
-      sha256 = "sha256-V6r+VQrgz8uVSbRa2AmW4lnLxovk63FL7LqVKD46RBw=";
+  core = rec {
+    data = {
+      x86_64-linux = {
+        suffix = "-ubuntu-16.04.tgz";
+        sha256 = "sha256-SsaAuhcDyO3nr6H2xOtdxzOoEQd6aIe0mlpehvDWzU0=";
+      };
+      x86_64-darwin = {
+        suffix = "-osx.zip";
+        sha256 = "sha256-DAcAB/q6XeljCp4mVljIJB4AUjUuzMSRMFzIuyjWMew=";
+      };
+    };
+    src = let
+      inherit (stdenv.hostPlatform) system;
+      selectSystemData = data: data.${system} or (throw "Unsupported system: ${system}");
+      inherit (selectSystemData data) suffix sha256;
+    in fetchzip {
+      url = "https://github.com/returntocorp/semgrep/releases/download/v${version}/semgrep-v${version}${suffix}";
+      inherit sha256;
+    };
   };
 
   meta = with lib; {

pkgs/tools/security/semgrep/default.nix

@@ -15,12 +15,26 @@ let
 in
 buildPythonApplication rec {
   pname = "semgrep";
-  inherit (common) version;
-  src = "${common.src}/cli";
+  inherit (common) src version;
 
-  SEMGREP_CORE_BIN = "${semgrep-core}/bin/semgrep-core";
+  postPatch = (lib.concatStringsSep "\n" (lib.mapAttrsToList (
+    path: submodule: ''
+      # substitute ${path}
+      # remove git submodule placeholder
+      rm -r ${path}
+      # link submodule
+      ln -s ${submodule}/ ${path}
+    ''
+  ) common.submodules)) + ''
+    cd cli
+  '';
 
   nativeBuildInputs = [ pythonRelaxDepsHook ];
+  # tell cli/setup.py to not copy semgrep-core into the result
+  # this means we can share a copy of semgrep-core and avoid an issue where it
+  # copies the binary but doesn't retain the executable bit
+  SEMGREP_SKIP_BIN = true;
+
   pythonRelaxDeps = [
     "attrs"
     "boltons"
@@ -28,37 +42,6 @@ buildPythonApplication rec {
     "typing-extensions"
   ];
 
-  postPatch = ''
-    # remove git submodule placeholders
-    rm -r ./src/semgrep/{lang,semgrep_interfaces}
-    # link submodule dependencies
-    ln -s ${common.langsSrc}/ ./src/semgrep/lang
-    ln -s ${common.interfacesSrc}/ ./src/semgrep/semgrep_interfaces
-  '';
-
-  doCheck = true;
-  checkInputs = [ git pytestCheckHook ] ++ (with pythonPackages; [
-    pytest-snapshot
-    pytest-mock
-    pytest-freezegun
-    types-freezegun
-  ]);
-  disabledTests = [
-    # requires networking
-    "tests/unit/test_metric_manager.py"
-  ];
-  preCheck = ''
-    # tests need a home directory
-    export HOME="$(mktemp -d)"
-
-    # disabledTestPaths doesn't manage to avoid the e2e tests
-    # remove them from pyproject.toml
-    # and remove need for pytest-split
-    substituteInPlace pyproject.toml \
-      --replace '"tests/e2e",' "" \
-      --replace 'addopts = "--splitting-algorithm=least_duration"' ""
-  '';
-
   propagatedBuildInputs = with pythonPackages; [
     attrs
     boltons
@@ -77,8 +60,45 @@ buildPythonApplication rec {
     urllib3
     typing-extensions
     python-lsp-jsonrpc
+    tomli
   ];
 
+  doCheck = true;
+  checkInputs = [ git pytestCheckHook ] ++ (with pythonPackages; [
+    pytest-snapshot
+    pytest-mock
+    pytest-freezegun
+    types-freezegun
+  ]);
+  disabledTests = [
+    # requires networking
+    "test_send"
+    # requires networking
+    "test_parse_exclude_rules_auto"
+  ];
+  preCheck = ''
+    # tests need a home directory
+    export HOME="$(mktemp -d)"
+
+    # disabledTestPaths doesn't manage to avoid the e2e tests
+    # remove them from pyproject.toml
+    # and remove need for pytest-split
+    substituteInPlace pyproject.toml \
+      --replace '"tests/e2e",' "" \
+      --replace 'addopts = "--splitting-algorithm=least_duration"' ""
+  '';
+
+  # since we stop cli/setup.py from finding semgrep-core and copying it into
+  # the result we need to provide it on the PATH
+  preFixup = ''
+    makeWrapperArgs+=(--prefix PATH : ${lib.makeBinPath [ semgrep-core ]})
+  '';
+
+  passthru = {
+    inherit common;
+    updateScript = ./update.sh;
+  };
+
   meta = common.meta // {
     description = common.meta.description + " - cli";
   };

pkgs/tools/security/semgrep/semgrep-core.nix

@@ -6,8 +6,7 @@ in
 stdenvNoCC.mkDerivation rec {
   pname = "semgrep-core";
   inherit (common) version;
-
-  src = common.coreRelease;
+  inherit (common.core) src;
 
   installPhase = ''
     runHook preInstall

pkgs/tools/security/semgrep/update.sh

@@ -0,0 +1,139 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused jq
+
+set -euxo pipefail
+
+# provide a github token so you don't get rate limited
+# if you use gh cli you can use:
+#     `export GITHUB_TOKEN="$(cat ~/.config/gh/config.yml | yq '.hosts."github.com".oauth_token' -r)"`
+# or just set your token by hand:
+#     `read -s -p "Enter your token: " GITHUB_TOKEN; export GITHUB_TOKEN`
+#     (we use read so it doesn't show in our shell history and in secret mode so the token you paste isn't visible)
+if [ -z "${GITHUB_TOKEN:-}" ]; then
+    echo "no GITHUB_TOKEN provided - you could meet API request limiting" >&2
+fi
+
+ROOT="$(dirname "$(readlink -f "$0")")"
+NIXPKGS_ROOT="$ROOT/../../../.."
+NIX_DRV="$ROOT/default.nix"
+
+COMMON_FILE="$ROOT/common.nix"
+
+instantiateClean() {
+    nix-instantiate -A "$1" --eval --strict | cut -d\" -f2
+}
+
+# get latest version
+NEW_VERSION=$(
+  curl -s -H
+    "Accept: application/vnd.github.v3+json" \
+    ${GITHUB_TOKEN:+ -H "Authorization: bearer $GITHUB_TOKEN"} \
+    https://api.github.com/repos/returntocorp/semgrep/releases/latest \
+  | jq -r '.tag_name'
+)
+# trim v prefix
+NEW_VERSION="${NEW_VERSION:1}"
+OLD_VERSION="$(instantiateClean semgrep.common.version)"
+
+if [[ "$OLD_VERSION" == "$NEW_VERSION" ]]; then
+    echo "Already up to date"
+    exit
+fi
+
+replace() {
+    sed -i "s@$1@$2@g" "$3"
+}
+
+fetchgithub() {
+    set +eo pipefail
+    nix-build -A "$1" 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g'
+    set -eo pipefail
+}
+
+fetchzip() {
+    set +eo pipefail
+    nix-build -E "with import $NIXPKGS_ROOT {}; fetchzip {url = \"$1\"; sha256 = lib.fakeSha256; }" 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g'
+    set -eo pipefail
+}
+
+replace "$OLD_VERSION" "$NEW_VERSION" "$COMMON_FILE"
+
+echo "Updating src"
+
+OLD_HASH="$(instantiateClean semgrep.common.src.outputHash)"
+echo "Old hash $OLD_HASH"
+TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+replace "$OLD_HASH" "$TMP_HASH" "$COMMON_FILE"
+NEW_HASH="$(fetchgithub semgrep.common.src)"
+echo "New hash $NEW_HASH"
+replace "$TMP_HASH" "$NEW_HASH" "$COMMON_FILE"
+
+echo "Updated src"
+
+# loop through platforms for core
+nix-instantiate -E "with import $NIXPKGS_ROOT {}; builtins.attrNames semgrep.common.core.data" --eval --strict --json \
+| jq '.[]' -r \
+| while read -r PLATFORM; do
+    echo "Updating core for $PLATFORM"
+    SUFFIX=$(instantiateClean semgrep.common.core.data."$1".suffix "$PLATFORM")
+    OLD_HASH=$(instantiateClean semgrep.common.core.data."$1".sha256 "$PLATFORM")
+    echo "Old hash $OLD_HASH"
+
+    NEW_URL="https://github.com/returntocorp/semgrep/releases/download/v$NEW_VERSION/semgrep-v$NEW_VERSION$SUFFIX"
+    NEW_HASH="$(fetchzip "$NEW_URL")"
+    echo "New hash $NEW_HASH"
+
+    replace "$OLD_HASH" "$NEW_HASH" "$COMMON_FILE"
+
+    echo "Updated core for $PLATFORM"
+done
+
+OLD_PWD=$PWD
+TMPDIR="$(mktemp -d)"
+# shallow clone to check submodule commits, don't actually need the submodules
+git clone https://github.com/returntocorp/semgrep "$TMPDIR/semgrep" --depth 1 --branch "v$NEW_VERSION"
+
+get_submodule_commit() {
+    OLD_PWD=$PWD
+    (
+        cd "$TMPDIR/semgrep"
+        git ls-tree --object-only HEAD "$1"
+        cd "$OLD_PWD"
+    )
+}
+
+# loop through submodules
+nix-instantiate -E "with import $NIXPKGS_ROOT {}; builtins.attrNames semgrep.passthru.common.submodules" --eval --strict --json \
+| jq '.[]' -r \
+| while read -r SUBMODULE; do
+    echo "Updating $SUBMODULE"
+    OLD_REV=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".rev)
+    echo "Old commit $OLD_REV"
+    OLD_HASH=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".outputHash)
+    echo "Old hash $OLD_HASH"
+
+    NEW_REV=$(get_submodule_commit "$SUBMODULE")
+    echo "New commit $NEW_REV"
+
+    if [[ "$OLD_REV" == "$NEW_REV" ]]; then
+      echo "$SUBMODULE already up to date"
+      continue
+    fi
+
+    NEW_URL=$(instantiateClean semgrep.passthru.common.submodules."$SUBMODULE".url | sed "s@$OLD_REV@$NEW_REV@g")
+    NEW_HASH=$(nix --experimental-features nix-command hash to-sri "sha256:$(nix-prefetch-url "$NEW_URL")")
+
+    TMP_HASH="sha256-ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+    replace "$OLD_REV" "$NEW_REV" "$COMMON_FILE"
+    replace "$OLD_HASH" "$TMP_HASH" "$COMMON_FILE"
+    NEW_HASH="$(fetchgithub semgrep.passthru.common.submodules."$SUBMODULE")"
+    echo "New hash $NEW_HASH"
+    replace "$TMP_HASH" "$NEW_HASH" "$COMMON_FILE"
+
+    echo "Updated $SUBMODULE"
+done
+
+rm -rf "$TMPDIR"
+
+echo "Finished"
+

pkgs/tools/system/awstats/default.nix

@@ -1,12 +1,16 @@
-{ lib, fetchurl, perlPackages, jdk }:
+{ lib
+, fetchurl
+, perlPackages
+, jdk
+}:
 
 perlPackages.buildPerlPackage rec {
   pname = "awstats";
-  version = "7.8";
+  version = "7.9";
 
   src = fetchurl {
     url = "mirror://sourceforge/awstats/${pname}-${version}.tar.gz";
-    sha256 = "1f6l0hd01jmz7hpg0py8qixxiq50n8gl37iypayskxmy05z8craa";
+    sha256 = "sha256-YVF47TE9NDFfFaUi2xpdEsqcOV43hbsGKAq/+V2aBUY=";
   };
 
   postPatch = ''
@@ -15,6 +19,7 @@ perlPackages.buildPerlPackage rec {
   '';
 
   outputs = [ "bin" "out" "doc" ]; # bin just links the user-run executable
+
   propagatedBuildOutputs = [ ]; # otherwise out propagates bin -> cycle
 
   buildInputs = with perlPackages; [ ]; # plugins will need some
@@ -53,10 +58,10 @@ perlPackages.buildPerlPackage rec {
   '';
 
   meta = with lib; {
+    changelog = "https://www.awstats.org/docs/awstats_changelog.txt";
     description = "Real-time logfile analyzer to get advanced statistics";
     homepage = "https://awstats.org";
     license = licenses.gpl3Plus;
     platforms = platforms.unix;
   };
 }
-