From c41af66278c414ee5e4f792630a2b4e5d3491019 Mon Sep 17 00:00:00 2001
From: 06kellyjac
Date: Fri, 29 Sep 2023 17:34:00 +0100
Subject: [PATCH 1/2] octant{,-desktop}: mark as vulnerable

---
 pkgs/applications/networking/cluster/octant/default.nix | 1 +
 pkgs/applications/networking/cluster/octant/desktop.nix | 1 +
 2 files changed, 2 insertions(+)

diff --git a/pkgs/applications/networking/cluster/octant/default.nix b/pkgs/applications/networking/cluster/octant/default.nix
index 733e4c04a9cc..b638a157f261 100644
--- a/pkgs/applications/networking/cluster/octant/default.nix
+++ b/pkgs/applications/networking/cluster/octant/default.nix
@@ -63,5 +63,6 @@ stdenv.mkDerivation rec {
     license = licenses.asl20;
     maintainers = with maintainers; [ jk ];
     platforms = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
+    knownVulnerabilities = [ "CVE-2023-5217" ];
   };
 }
diff --git a/pkgs/applications/networking/cluster/octant/desktop.nix b/pkgs/applications/networking/cluster/octant/desktop.nix
index fc48ce1e9ef4..ef37a73f1b2e 100644
--- a/pkgs/applications/networking/cluster/octant/desktop.nix
+++ b/pkgs/applications/networking/cluster/octant/desktop.nix
@@ -69,6 +69,7 @@ let
     license = licenses.asl20;
     maintainers = with maintainers; [ jk ];
     platforms = [ "x86_64-linux" "x86_64-darwin" ];
+    knownVulnerabilities = [ "CVE-2023-5217" ];
   };
 
 in
From 153d4fab7b05ed242221fc278ada95f996670fb6 Mon Sep 17 00:00:00 2001
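Review bot: The CVE marker added to the `octant` CLI derivation is worth double-checking before it is relied on as the reason the build is refused: CVE-2023-5217 is a libvpx (VP8 encoder) heap overflow that shipped through Chromium/Electron stacks, which fits the AppImage/dmg `octant-desktop` in the sibling hunk, but default.nix only unpacks a release tarball and installs a single native `octant` binary into `$out/bin`, and nothing in this derivation shows that binary bundling libvpx. If the actual driver is that upstream archived the project, `knownVulnerabilities` is a list of free-form strings rather than bare identifiers, so I would make the entry explain itself, e.g. `knownVulnerabilities = [ "CVE-2023-5217" "octant is archived upstream and receives no security fixes" ];`, which tells a user why the package is blocked even if the CVE turns out not to apply to this artifact. The `meta` attribute set and the enclosing `mkDerivation` call both start outside the hunk.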
From: 06kellyjac
Date: Fri, 29 Sep 2023 17:44:01 +0100
Subject: [PATCH 2/2] octant{,-desktop},starboard-octant-plugin: drop

octant is archived and vulnerable to CVE-2023-5217
---
 .../networking/cluster/octant/default.nix | 68 ----------------
 .../networking/cluster/octant/desktop.nix | 78 -------------------
 .../plugins/starboard-octant-plugin.nix | 31 --------
 .../cluster/octant/update-desktop.sh | 36 ---------
 .../networking/cluster/octant/update.sh | 40 ----------
 pkgs/top-level/aliases.nix | 3 +
 pkgs/top-level/all-packages.nix | 4 -
 7 files changed, 3 insertions(+), 257 deletions(-)
 delete mode 100644 pkgs/applications/networking/cluster/octant/default.nix
 delete mode 100644 pkgs/applications/networking/cluster/octant/desktop.nix
 delete mode 100644 pkgs/applications/networking/cluster/octant/plugins/starboard-octant-plugin.nix
 delete mode 100755 pkgs/applications/networking/cluster/octant/update-desktop.sh
 delete mode 100755 pkgs/applications/networking/cluster/octant/update.sh

diff --git a/pkgs/applications/networking/cluster/octant/default.nix b/pkgs/applications/networking/cluster/octant/default.nix
deleted file mode 100644
index b638a157f261..000000000000
--- a/pkgs/applications/networking/cluster/octant/default.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-{ lib, stdenv, fetchzip }:
-
-stdenv.mkDerivation rec {
-  pname = "octant";
-  version = "0.25.1";
-
-  src =
-    let
-      inherit (stdenv.hostPlatform) system;
-      suffix = {
-        x86_64-linux = "Linux-64bit";
-        aarch64-linux = "Linux-arm64";
-        x86_64-darwin = "macOS-64bit";
-        aarch64-darwin = "macOS-arm64";
-      }.${system} or (throw "Unsupported system: ${system}");
-      fetchsrc = version: sha256: fetchzip {
-        url = "https://github.com/vmware-tanzu/octant/releases/download/v${version}/octant_${version}_${suffix}.tar.gz";
-        sha256 = sha256.${system};
-      };
-    in
-    fetchsrc version {
-      x86_64-linux = "sha256-bYqycTB036J8trojySPNkC+jrw76F7+N4I4puGCyalU=";
-      aarch64-linux = "sha256-DlzSIZCAASPnflXQ8ndPU7/0jXA18U4bGGOfmgLXPr0=";
-      x86_64-darwin = "sha256-FaPyrPzO7AzC6LHQP5c58NjLTqU+ei8vFffT8x6mUhQ=";
-      aarch64-darwin = "sha256-31CYhAsHYIVAenp8hFHYj8LhFf3lSiOTw7gULBu3gio=";
-    };
-
-  dontConfigure = true;
-  dontBuild = true;
-
-  installPhase = ''
-    runHook preInstall
-    install -D octant $out/bin/octant
-    runHook postInstall
-  '';
-
-  doInstallCheck = true;
-  installCheckPhase = ''
-    runHook preInstallCheck
-    $out/bin/octant --help
-    $out/bin/octant version | grep "${version}"
-    runHook postInstallCheck
-  '';
-
-  dontPatchELF = true;
-  dontPatchShebangs = true;
-
-  passthru.updateScript = ./update.sh;
-
-  meta = with lib; {
-    homepage = "https://octant.dev/";
-    changelog = "https://github.com/vmware-tanzu/octant/blob/v${version}/CHANGELOG.md";
-    description = "Highly extensible platform for developers to better understand the complexity of Kubernetes clusters";
-    longDescription = ''
-      Octant is a tool for developers to understand how applications run on a
-      Kubernetes cluster.
-      It aims to be part of the developer's toolkit for gaining insight and
-      approaching complexity found in Kubernetes. Octant offers a combination of
-      introspective tooling, cluster navigation, and object management along
-      with a plugin system to further extend its capabilities.
-    '';
-    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
-    license = licenses.asl20;
-    maintainers = with maintainers; [ jk ];
-    platforms = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
-    knownVulnerabilities = [ "CVE-2023-5217" ];
-  };
-}
diff --git a/pkgs/applications/networking/cluster/octant/desktop.nix b/pkgs/applications/networking/cluster/octant/desktop.nix
deleted file mode 100644
index ef37a73f1b2e..000000000000
--- a/pkgs/applications/networking/cluster/octant/desktop.nix
+++ /dev/null
@@ -1,78 +0,0 @@
-{ lib, stdenv, appimageTools, fetchurl, undmg }:
-
-let
-  pname = "octant-desktop";
-  version = "0.23.0";
-  name = "${pname}-${version}";
-
-  inherit (stdenv.hostPlatform) system;
-
-  suffix = {
-    x86_64-linux = "AppImage";
-    x86_64-darwin = "dmg";
-  }.${system} or (throw "Unsupported system: ${system}");
-
-  src = fetchurl {
-    url = "https://github.com/vmware-tanzu/octant/releases/download/v${version}/Octant-${version}.${suffix}";
-    sha256 = {
-      x86_64-linux = "sha256-K4z6SVCiuqy3xkWMWpm8KM7iYVXyKcnERljMG3NEFMw=";
-      x86_64-darwin = "sha256-WYra0yw/aPW/wUGrlIn5ud3kjFTkekYEi2LWZcYO5Nw=";
-    }.${system};
-  };
-
-  linux = appimageTools.wrapType2 {
-    inherit name src passthru meta;
-
-    profile = ''
-      export LC_ALL=C.UTF-8
-    '';
-
-    multiArch = false; # no 32bit needed
-    extraPkgs = appimageTools.defaultFhsEnvArgs.multiPkgs;
-    extraInstallCommands =
-      let appimageContents = appimageTools.extractType2 { inherit name src; }; in
-      ''
-        mv $out/bin/{${name},${pname}}
-        install -Dm444 ${appimageContents}/octant.desktop -t $out/share/applications
-        substituteInPlace $out/share/applications/octant.desktop \
-          --replace 'Exec=AppRun --no-sandbox' 'Exec=${pname}'
-        install -m 444 -D ${appimageContents}/octant.png \
-          $out/share/icons/hicolor/512x512/apps/octant.png
-      '';
-  };
-
-  darwin = stdenv.mkDerivation {
-    inherit name src passthru meta;
-
-    nativeBuildInputs = [ undmg ];
-    sourceRoot = "Octant.app";
-    installPhase = ''
-      mkdir -p $out/Applications/Octant.app
-      cp -R . $out/Applications/Octant.app
-    '';
-  };
-
-  passthru = { updateScript = ./update-desktop.sh; };
-
-  meta = with lib; {
-    homepage = "https://octant.dev/";
-    changelog = "https://github.com/vmware-tanzu/octant/blob/v${version}/CHANGELOG.md";
-    description = "Highly extensible platform for developers to better understand the complexity of Kubernetes clusters";
-    longDescription = ''
-      Octant is a tool for developers to understand how applications run on a
-      Kubernetes cluster.
-      It aims to be part of the developer's toolkit for gaining insight and
-      approaching complexity found in Kubernetes. Octant offers a combination of
-      introspective tooling, cluster navigation, and object management along
-      with a plugin system to further extend its capabilities.
-    '';
-    license = licenses.asl20;
-    maintainers = with maintainers; [ jk ];
-    platforms = [ "x86_64-linux" "x86_64-darwin" ];
-    knownVulnerabilities = [ "CVE-2023-5217" ];
-  };
-
-in
-if stdenv.isDarwin
-then darwin
-else linux
diff --git a/pkgs/applications/networking/cluster/octant/plugins/starboard-octant-plugin.nix b/pkgs/applications/networking/cluster/octant/plugins/starboard-octant-plugin.nix
deleted file mode 100644
index f59b8d26de08..000000000000
--- a/pkgs/applications/networking/cluster/octant/plugins/starboard-octant-plugin.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ lib, buildGoModule, fetchFromGitHub }:
-
-buildGoModule rec {
-  pname = "starboard-octant-plugin";
-  version = "0.12.0";
-
-  src = fetchFromGitHub {
-    owner = "aquasecurity";
-    repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-JTSZtIRVFdUjhQsp2EMukeoVIo6nNx4xofq+3iOZUIk=";
-  };
-
-  vendorHash = "sha256-1zrB+CobUBgdpBHRJPpfDYCD6oVWY4j4Met9EqNQQbE=";
-
-  ldflags = [
-    "-s" "-w"
-  ];
-
-  meta = with lib; {
-    homepage = "https://github.com/aquasecurity/starboard-octant-plugin";
-    changelog = "https://github.com/aquasecurity/starboard-octant-plugin/releases/tag/v${version}";
-    description = "Octant plugin for viewing Starboard security information";
-    longDescription = ''
-      This is an Octant plugin for Starboard which provides visibility into vulnerability assessment reports for
-      Kubernetes workloads stored as custom security resources.
-    '';
-    license = licenses.asl20;
-    maintainers = with maintainers; [ jk ];
-  };
-}
diff --git a/pkgs/applications/networking/cluster/octant/update-desktop.sh b/pkgs/applications/networking/cluster/octant/update-desktop.sh
deleted file mode 100755
index 4450834b4b70..000000000000
--- a/pkgs/applications/networking/cluster/octant/update-desktop.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p curl gnused gawk nix-prefetch
-
-set -euo pipefail
-
-ROOT="$(dirname "$(readlink -f "$0")")"
-NIX_DRV="$ROOT/desktop.nix"
-if [ ! -f "$NIX_DRV" ]; then
-  echo "ERROR: cannot find desktop.nix in $ROOT"
-  exit 1
-fi
-
-fetch_arch() {
-  VER="$1"; SUFFIX="$2"
-  URL="https://github.com/vmware-tanzu/octant/releases/download/v${VER}/Octant-${VER}.${SUFFIX}"
-  nix-prefetch "{ stdenv, fetchurl }:
-stdenv.mkDerivation rec {
-  pname = \"octant-desktop\"; version = \"${VER}\";
-  src = fetchurl { url = \"$URL\"; };
-}
-"
-}
-
-replace_sha() {
-  sed -i "s#$1 = \"sha256-.\{44\}\"#$1 = \"$2\"#" "$NIX_DRV"
-}
-
-OCTANT_VER=$(curl -Ls -w "%{url_effective}" -o /dev/null https://github.com/vmware-tanzu/octant/releases/latest | awk -F'/' '{print $NF}' | sed 's/v//')
-
-OCTANT_DESKTOP_LINUX_X64_SHA256=$(fetch_arch "$OCTANT_VER" "AppImage")
-OCTANT_DESKTOP_DARWIN_X64_SHA256=$(fetch_arch "$OCTANT_VER" "dmg")
-
-sed -i "s/version = \".*\"/version = \"$OCTANT_VER\"/" "$NIX_DRV"
-
-replace_sha "x86_64-linux" "$OCTANT_DESKTOP_LINUX_X64_SHA256"
-replace_sha "x86_64-darwin" "$OCTANT_DESKTOP_DARWIN_X64_SHA256"
diff --git a/pkgs/applications/networking/cluster/octant/update.sh b/pkgs/applications/networking/cluster/octant/update.sh
deleted file mode 100755
index 3e2b56b7a619..000000000000
--- a/pkgs/applications/networking/cluster/octant/update.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p curl gnused gawk nix-prefetch
-
-set -euo pipefail
-
-ROOT="$(dirname "$(readlink -f "$0")")"
-NIX_DRV="$ROOT/default.nix"
-if [ ! -f "$NIX_DRV" ]; then
-  echo "ERROR: cannot find default.nix in $ROOT"
-  exit 1
-fi
-
-fetch_arch() {
-  VER="$1"; ARCH="$2"
-  URL="https://github.com/vmware-tanzu/octant/releases/download/v${VER}/octant_${VER}_${ARCH}.tar.gz"
-  nix-prefetch "{ stdenv, fetchzip }:
-stdenv.mkDerivation rec {
-  pname = \"octant\"; version = \"${VER}\";
-  src = fetchzip { url = \"$URL\"; };
-}
-"
-}
-
-replace_sha() {
-  sed -i "s#$1 = \"sha256-.\{44\}\"#$1 = \"$2\"#" "$NIX_DRV"
-}
-
-OCTANT_VER=$(curl -Ls -w "%{url_effective}" -o /dev/null https://github.com/vmware-tanzu/octant/releases/latest | awk -F'/' '{print $NF}' | sed 's/v//')
-
-OCTANT_LINUX_X64_SHA256=$(fetch_arch "$OCTANT_VER" "Linux-64bit")
-OCTANT_LINUX_AARCH64_SHA256=$(fetch_arch "$OCTANT_VER" "Linux-arm64")
-OCTANT_DARWIN_X64_SHA256=$(fetch_arch "$OCTANT_VER" "macOS-64bit")
-OCTANT_DARWIN_AARCH64_SHA256=$(fetch_arch "$OCTANT_VER" "macOS-arm64")
-
-sed -i "s/version = \".*\"/version = \"$OCTANT_VER\"/" "$NIX_DRV"
-
-replace_sha "x86_64-linux" "$OCTANT_LINUX_X64_SHA256"
-replace_sha "aarch64-linux" "$OCTANT_LINUX_AARCH64_SHA256"
-replace_sha "x86_64-darwin" "$OCTANT_DARWIN_X64_SHA256"
-replace_sha "aarch64-darwin" "$OCTANT_DARWIN_AARCH64_SHA256"
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index e50ac7e69e81..24dd88f84a99 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -1253,6 +1253,8 @@ mapAliases ({
   ocropus = throw "ocropus has been removed: abandoned by upstream"; # Added 2022-04-24
   octoprint-plugins = throw "octoprint-plugins are now part of the octoprint.python.pkgs package set"; # Added 2021-01-24
   ocz-ssd-guru = throw "ocz-ssd-guru has been removed due to there being no source available"; # Added 2021-07-12
+  octant = throw "octant has been dropped due to being archived and vulnerable"; # Added 2023-09-29
+  octant-desktop = throw "octant-desktop has been dropped due to being archived and vulnerable"; # Added 2023-09-29
   odpdown = throw "odpdown has been removed because it lacks python3 support"; # Added 2022-04-25
   ofp = throw "ofp is not compatible with odp-dpdk";
   ogre1_9 = throw "ogre1_9 has been removed, use ogre instead"; # Added 2023-03-22
@@ -1720,6 +1722,7 @@ mapAliases ({
   ssmtp = throw "'ssmtp' has been removed due to the software being unmaintained. 'msmtp' can be used as a replacement"; # Added 2022-04-17
   ssr = throw "ssr has been removed, because it was unmaintained in nixpkgs and depended on qt4"; # Added 2022-05-26
   stanchion = throw "Stanchion was part of riak-cs which is not maintained anymore"; # added 2020-10-14
+  starboard-octant-plugin = throw "starboard-octant-plugin has been dropped due to needing octant which is archived"; # Added 2023-09-29
   steam-run-native = steam-run; # added 2022-02-21
   stride = throw "'stride' aka. Atlassian Stride is dead since 2019 (bought by Slack)"; # added 2022-06-15
   structure-synth = throw "structure-synth has been removed, because it was unmaintained"; # Added 2022-05-09
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 2b20db5644b5..d8eb0321cf8a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
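Review bot: The two new `octant` aliases are inserted after `ocz-ssd-guru`, which breaks the alphabetical order the surrounding entries keep (`ocropus`, `octoprint-plugins`, `ocz-ssd-guru`, `odpdown`); `octant` and `octant-desktop` belong between `ocropus` and `octoprint-plugins`. The throw messages also say only "archived and vulnerable" while the commit message names CVE-2023-5217, so a user who hits the alias has nothing to look up; I would make the message self-contained, e.g. `octant = throw "octant has been dropped: upstream archived the project and it is affected by CVE-2023-5217"; # Added 2023-09-29`, and the same for `octant-desktop`. The `starboard-octant-plugin` entry in the second hunk is placed correctly. The `mapAliases` attribute set begins and ends outside both hunks.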
@@ -1304,10 +1304,6 @@ with pkgs;
 
   ociTools = callPackage ../build-support/oci-tools { };
 
-  octant = callPackage ../applications/networking/cluster/octant { };
-  octant-desktop = callPackage ../applications/networking/cluster/octant/desktop.nix { };
-  starboard-octant-plugin = callPackage ../applications/networking/cluster/octant/plugins/starboard-octant-plugin.nix { };
-
   inherit (
     callPackages ../build-support/setup-hooks/patch-rc-path-hooks { }
   ) patchRcPathBash patchRcPathCsh patchRcPathFish patchRcPathPosix;