nixpkgs/pkgs/tools/security/wapiti/default.nix

{ lib
, fetchFromGitHub
, python3
}:

python3.pkgs.buildPythonApplication rec {
  pname = "wapiti";
  version = "3.1.3";
  format = "setuptools";

  src = fetchFromGitHub {
    owner = "wapiti-scanner";
    repo = pname;
    rev = version;
    sha256 = "sha256-alrJVe4Miarkk8BziC8Y333b3swJ4b4oQpP2WAdT2rc=";
  };

  propagatedBuildInputs = with python3.pkgs; [
    aiocache
    aiosqlite
    beautifulsoup4
    brotli
    browser-cookie3
    cryptography
    dnspython
    httpcore
    httpx
    humanize
    importlib-metadata
    loguru
    Mako
    markupsafe
    mitmproxy
    six
    sqlalchemy
    tld
    yaswfp
  ] ++ httpx.optional-dependencies.brotli
  ++ httpx.optional-dependencies.socks;

  checkInputs = with python3.pkgs; [
    respx
    pytest-asyncio
    pytestCheckHook
  ];

  postPatch = ''
    # Ignore pinned versions
    sed -i -e "s/==[0-9.]*//;s/>=[0-9.]*//" setup.py
    substituteInPlace setup.py \
      --replace '"pytest-runner"' ""
    substituteInPlace setup.cfg \
      --replace " --cov --cov-report=xml" ""
  '';

  preCheck = ''
    export HOME=$(mktemp -d);
  '';

  disabledTests = [
    # Tests requires network access
    "test_attr"
    "test_bad_separator_used"
    "test_blind"
    "test_chunked_timeout"
    "test_cookies"
    "test_drop_cookies"
    "test_save_and_restore_state"
    "test_explorer_extract_links"
    "test_cookies_detection"
    "test_csrf_cases"
    "test_detection"
    "test_direct"
    "test_escape_with_style"
    "test_explorer_filtering"
    "test_false"
    "test_frame"
    "test_headers_detection"
    "test_html_detection"
    "test_implies_detection"
    "test_inclusion_detection"
    "test_meta_detection"
    "test_no_crash"
    "test_options"
    "test_out_of_band"
    "test_multi_detection"
    "test_vulnerabilities"
    "test_partial_tag_name_escape"
    "test_prefix_and_suffix_detection"
    "test_qs_limit"
    "test_rare_tag_and_event"
    "test_redirect_detection"
    "test_request_object"
    "test_script"
    "test_ssrf"
    "test_merge_with_and_without_redirection"
    "test_tag_name_escape"
    "test_timeout"
    "test_title_false_positive"
    "test_title_positive"
    "test_true_positive_request_count"
    "test_unregistered_cname"
    "test_url_detection"
    "test_verify_dns"
    "test_warning"
    "test_whole"
    "test_xss_inside_tag_input"
    "test_xss_inside_tag_link"
    "test_xss_uppercase_no_script"
    "test_xss_with_strong_csp"
    "test_xss_with_weak_csp"
    "test_xxe"
    # Requires a PHP installation
    "test_timesql"
    "test_cookies"
    "test_redirect"
    # TypeError: Expected bytes or bytes-like object got: <class 'str'>
    "test_persister_upload"
  ];

  disabledTestPaths = [
    # Requires sslyze which is obsolete and was removed
    "tests/attack/test_mod_ssl.py"
  ];

  pythonImportsCheck = [
    "wapitiCore"
  ];

  meta = with lib; {
    description = "Web application vulnerability scanner";
    longDescription = ''
      Wapiti allows you to audit the security of your websites or web applications.
      It performs "black-box" scans (it does not study the source code) of the web
      application by crawling the webpages of the deployed webapp, looking for
      scripts and forms where it can inject data. Once it gets the list of URLs,
      forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see
      if a script is vulnerable.
    '';
    homepage = "https://wapiti-scanner.github.io/";
    license = with licenses; [ gpl2Only ];
    maintainers = with maintainers; [ fab ];
  };
}
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`{ lib`
			`, fetchFromGitHub`
			`, python3`
			`}:`

			`python3.pkgs.buildPythonApplication rec {`
			`pname = "wapiti";`
wapiti: 3.1.2 -> 3.1.3 2022-07-11 21:45:55 +02:00			`version = "3.1.3";`
wapiti: 3.0.7 -> 3.0.9 2021-12-28 01:17:16 +01:00			`format = "setuptools";`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00
			`src = fetchFromGitHub {`
			`owner = "wapiti-scanner";`
			`repo = pname;`
			`rev = version;`
wapiti: 3.1.2 -> 3.1.3 2022-07-11 21:45:55 +02:00			`sha256 = "sha256-alrJVe4Miarkk8BziC8Y333b3swJ4b4oQpP2WAdT2rc=";`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`};`

			`propagatedBuildInputs = with python3.pkgs; [`
wapiti: 3.0.5 -> 3.0.7 2021-11-05 21:03:55 +01:00			`aiocache`
			`aiosqlite`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`beautifulsoup4`
wapiti: 3.0.7 -> 3.0.9 2021-12-28 01:17:16 +01:00			`brotli`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`browser-cookie3`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`cryptography`
wapiti: 3.0.5 -> 3.0.7 2021-11-05 21:03:55 +01:00			`dnspython`
wapiti: 3.0.9 -> 3.1.1 2022-04-04 16:27:16 +02:00			`httpcore`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`httpx`
wapiti: 3.0.7 -> 3.0.9 2021-12-28 01:17:16 +01:00			`humanize`
wapiti: remove condition for importlib-metadata 2022-07-03 13:16:53 +02:00			`importlib-metadata`
wapiti: 3.0.5 -> 3.0.7 2021-11-05 21:03:55 +01:00			`loguru`
			`Mako`
			`markupsafe`
wapiti: 3.1.2 -> 3.1.3 2022-07-11 21:45:55 +02:00			`mitmproxy`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`six`
wapiti: 3.0.5 -> 3.0.7 2021-11-05 21:03:55 +01:00			`sqlalchemy`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`tld`
			`yaswfp`
treewide: migrate python packages to optional-dependencies This follows the term used by PEP 621. 2022-05-22 16:26:11 +02:00			`] ++ httpx.optional-dependencies.brotli`
wapiti: remove condition for importlib-metadata 2022-07-03 13:16:53 +02:00			`++ httpx.optional-dependencies.socks;`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00
			`checkInputs = with python3.pkgs; [`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`respx`
			`pytest-asyncio`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`pytestCheckHook`
			`];`

			`postPatch = ''`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`# Ignore pinned versions`
wapiti: 3.0.9 -> 3.1.1 2022-04-04 16:27:16 +02:00			`sed -i -e "s/==[0-9.]//;s/>=[0-9.]//" setup.py`
wapiti: remove condition for importlib-metadata 2022-07-03 13:16:53 +02:00			`substituteInPlace setup.py \`
			`--replace '"pytest-runner"' ""`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`substituteInPlace setup.cfg \`
wapiti: 3.0.5 -> 3.0.7 2021-11-05 21:03:55 +01:00			`--replace " --cov --cov-report=xml" ""`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`'';`

			`preCheck = ''`
			`export HOME=$(mktemp -d);`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`'';`

			`disabledTests = [`
			`# Tests requires network access`
			`"test_attr"`
			`"test_bad_separator_used"`
			`"test_blind"`
			`"test_chunked_timeout"`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`"test_cookies"`
			`"test_drop_cookies"`
			`"test_save_and_restore_state"`
			`"test_explorer_extract_links"`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`"test_cookies_detection"`
			`"test_csrf_cases"`
			`"test_detection"`
			`"test_direct"`
			`"test_escape_with_style"`
			`"test_explorer_filtering"`
			`"test_false"`
			`"test_frame"`
			`"test_headers_detection"`
			`"test_html_detection"`
			`"test_implies_detection"`
			`"test_inclusion_detection"`
			`"test_meta_detection"`
			`"test_no_crash"`
			`"test_options"`
			`"test_out_of_band"`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`"test_multi_detection"`
			`"test_vulnerabilities"`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`"test_partial_tag_name_escape"`
			`"test_prefix_and_suffix_detection"`
			`"test_qs_limit"`
			`"test_rare_tag_and_event"`
			`"test_redirect_detection"`
			`"test_request_object"`
			`"test_script"`
			`"test_ssrf"`
wapiti: 3.0.7 -> 3.0.9 2021-12-28 01:17:16 +01:00			`"test_merge_with_and_without_redirection"`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`"test_tag_name_escape"`
			`"test_timeout"`
			`"test_title_false_positive"`
			`"test_title_positive"`
			`"test_true_positive_request_count"`
wapiti: 3.0.5 -> 3.0.7 2021-11-05 21:03:55 +01:00			`"test_unregistered_cname"`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`"test_url_detection"`
wapiti: 3.0.9 -> 3.1.1 2022-04-04 16:27:16 +02:00			`"test_verify_dns"`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`"test_warning"`
			`"test_whole"`
			`"test_xss_inside_tag_input"`
			`"test_xss_inside_tag_link"`
			`"test_xss_uppercase_no_script"`
			`"test_xss_with_strong_csp"`
			`"test_xss_with_weak_csp"`
			`"test_xxe"`
wapiti: 3.0.4 -> 3.0.5 2021-07-31 19:53:32 +02:00			`# Requires a PHP installation`
			`"test_timesql"`
			`"test_cookies"`
wapiti: 3.0.9 -> 3.1.1 2022-04-04 16:27:16 +02:00			`"test_redirect"`
wapiti: 3.0.7 -> 3.0.9 2021-12-28 01:17:16 +01:00			`# TypeError: Expected bytes or bytes-like object got: <class 'str'>`
wapiti: disable failing test 2021-08-27 12:45:53 +02:00			`"test_persister_upload"`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00			`];`
wapiti: remove condition for importlib-metadata 2022-07-03 13:16:53 +02:00
wapiti: 3.0.9 -> 3.1.1 2022-04-04 16:27:16 +02:00			`disabledTestPaths = [`
wapiti: remove condition for importlib-metadata 2022-07-03 13:16:53 +02:00			`# Requires sslyze which is obsolete and was removed`
wapiti: 3.0.9 -> 3.1.1 2022-04-04 16:27:16 +02:00			`"tests/attack/test_mod_ssl.py"`
			`];`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00
wapiti: 3.0.5 -> 3.0.7 2021-11-05 21:03:55 +01:00			`pythonImportsCheck = [`
			`"wapitiCore"`
			`];`
wapiti: init at 3.0.4 2021-03-31 13:43:28 +02:00
			`meta = with lib; {`
			`description = "Web application vulnerability scanner";`
			`longDescription = ''`
			`Wapiti allows you to audit the security of your websites or web applications.`
			`It performs "black-box" scans (it does not study the source code) of the web`
			`application by crawling the webpages of the deployed webapp, looking for`
			`scripts and forms where it can inject data. Once it gets the list of URLs,`
			`forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see`
			`if a script is vulnerable.`
			`'';`
			`homepage = "https://wapiti-scanner.github.io/";`
			`license = with licenses; [ gpl2Only ];`
			`maintainers = with maintainers; [ fab ];`
			`};`
			`}`