From 3dc6b349b310f80ba3bad2c3ab8153eddfa489da Mon Sep 17 00:00:00 2001 From: Felix Ulonska Date: Wed, 11 Dec 2024 16:50:17 +0100 Subject: [PATCH] flake.nix: add Nix flake --- README.md | 4 +++ flake.lock | 27 +++++++++++++++++ flake.nix | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 117 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/README.md b/README.md index ca35e1f86..e2d61ff35 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,10 @@ If you installed the *cwe_checker* locally, run ```bash cwe_checker BINARY ``` +If you use nix flakes, run +```bash +nix run github:fkie-cad/cwe_checker -- BINARY +``` You can adjust the behavior of most checks via a configuration file located at `src/config.json`. If you modify it, add the command line flag `--config=src/config.json` to tell the *cwe_checker* to use the modified file. For information about other available command line flags you can pass the `--help` flag to the *cwe_checker*. diff --git a/flake.lock b/flake.lock new file mode 100644 index 000000000..8fcd25fe1 --- /dev/null +++ b/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1733759999, + "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 000000000..6ba919ea9 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,86 @@
+ {
+ description = "Nix flake for the cwe_checker with patched Ghidra as a dependency.";
+
+ inputs = {
+ # Depend on NixOS-unstable for the latest Rust version.
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+
+ outputs = { self, nixpkgs }:
+ let
+ pkgs = nixpkgs.legacyPackages."x86_64-linux";
+ # Building Ghidra.
+ ghidra-cwe-checker-plugin = pkgs.ghidra.buildGhidraScripts {
+ pname = "cwe_checker";
+ name = "cwe_checker";
+ src = ./ghidra_plugin;
+ };
+ cwe-ghidra = pkgs.ghidra.withExtensions (p: with p; [ ghidra-cwe-checker-plugin ]);
+ # Path to Java Ghidra plugin.
+ cwe-checker-ghidra-plugins = pkgs.runCommand
+ "cwe-checker-ghidra-plugins" { src = ./src/ghidra/p_code_extractor; }
+ ''
+ mkdir -p $out/p_code_extractor
+ cp -rf $src/* $out/p_code_extractor
+ '';
+ # Build Ghidra package with analyzeHeadless in support/ instead of bin/.
+ # This is where the cwe_checker expects it to be.
+ cwe-ghidra-path-fix = pkgs.stdenv.mkDerivation {
+ name = "analyzeHeadless";
+ pname = "analyzeHeadless";
+ buildInputs = [ cwe-ghidra ];
+ src = cwe-ghidra;
+ buildPhase = ''
+ mkdir -p $out
+ cp -rf ${cwe-ghidra} $out
+ # cwe checker expects
+ mkdir -p $out/support
+ cp ${cwe-ghidra}/bin/ghidra-analyzeHeadless $out/support/analyzeHeadless
+ '';
+ };
+ # Building cwe_checker.
+ cwe-checker-bins = pkgs.rustPlatform.buildRustPackage {
+ pname = "cwe_checker";
+ name = "cwe_checker";
+ src = ./.;
+ cargoLock = {
+ lockFile = ./Cargo.lock;
+ };
+ };
+ # Build ghidra.json
+ cwe-ghidra-json = pkgs.writeTextFile {
+ name = "GhidraConfigFile";
+ text = builtins.toJSON { ghidra_path = ''${cwe-ghidra-path-fix}''; };
+ };
+ # Creates config dir for cwe_checker.
+ cwe-checker-configs = pkgs.runCommand "cwe-checker-configs" { src = ./src; }
+ ''
+ mkdir -p $out
+ cp $src/config.json $out
+ cp $src/lkm_config.json $out
+ ln -s ${cwe-ghidra-json} $out/ghidra.json
+ '';
+ # Target bin for 'nix run'.
+ cwe-checker = pkgs.writeScriptBin "cwe-checker" ''
+ #!/bin/sh
+ CWE_CHECKER_CONFIGS_PATH=${cwe-checker-configs} \
+ CWE_CHECKER_GHIDRA_PLUGINS_PATH=${cwe-checker-ghidra-plugins} \
+ ${cwe-checker-bins}/bin/cwe_checker $@;
+ '';
+ in
+ {
+ devShell.x86_64-linux = pkgs.mkShell {
+ buildInputs = with pkgs; [
+ rustc
+ cargo
+ cwe-ghidra-path-fix
+ ];
+ shellHook = ''
+ export CWE_CHECKER_CONFIGS_PATH=${cwe-checker-configs} \
+ export CWE_CHECKER_GHIDRA_PLUGINS_PATH=${cwe-checker-ghidra-plugins} \
+ '';
+ };
+ packages.x86_64-linux.default = cwe-checker;
+ };
+ }
+
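Review bot: The trailing backslashes in the devShell `shellHook` join the two `export` lines into a single command, so the second line's `export` word is parsed as a variable name to export rather than as the keyword; both variables do end up set, but only by accident, and the last backslash leaves a dangling continuation at the end of the hook. Drop the backslashes so each line stands alone: `export CWE_CHECKER_CONFIGS_PATH=${cwe-checker-configs}` and `export CWE_CHECKER_GHIDRA_PLUGINS_PATH=${cwe-checker-ghidra-plugins}`. The `nix run` wrapper script passes `$@` unquoted, so a binary path containing spaces or glob characters is word-split or expanded before it reaches cwe_checker; use `exec ${cwe-checker-bins}/bin/cwe_checker "$@"` instead. In `cwe-ghidra-path-fix`, `cp -rf ${cwe-ghidra} $out` after `mkdir -p $out` appears to nest a full copy of the Ghidra tree under `$out/<store-name>/` rather than at `$out`; if only `support/analyzeHeadless` is needed, symlinking into `${cwe-ghidra}` would avoid duplicating the whole distribution — worth confirming what else the checker reads from `ghidra_path`.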