nist-feed: init at 0-unstable-2024-01-20

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -71,7 +71,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable).
 
+<<<<<<< HEAD
+- [NIST-Feed](https://github.com/d3vil0p3r/nist-feed), notifies you about the newest published CVEs from NIST. Available as [programs.nist-feed](#opt-programs.nist-feed.enable).
+=======
 - [ALVR](https://github.com/alvr-org/alvr), a VR desktop streamer. Available as [programs.alvr](#opt-programs.alvr.enable)
+>>>>>>> master
 
 - [RustDesk](https://rustdesk.com), a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer.
 

nixos/modules/module-list.nix

@@ -223,6 +223,7 @@
   ./programs/neovim.nix
   ./programs/nethoscope.nix
   ./programs/nexttrace.nix
+  ./programs/nist-feed.nix
   ./programs/nix-index.nix
   ./programs/nix-ld.nix
   ./programs/nm-applet.nix

nixos/modules/programs/nist-feed.nix

@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.nist-feed;
+in
+{
+  options = {
+    programs.nist-feed = {
+      enable = mkEnableOption (mdDoc "NIST Feed, which notifies you about the newest published CVEs");
+      package = mkPackageOption pkgs "nist-feed" { };
+      extraArgs = mkOption {
+        type = with types; listOf str;
+        default = [ "-l" "-s" "CRITICAL" ];
+        description = mdDoc ''
+          Arguments to provide to NIST-Feed, see a full list at
+          <https://github.com/D3vil0p3r/NIST-Feed/blob/main/README.md#nist-feed>
+        '';
+      };
+
+      onCalendar = mkOption {
+        type = types.str;
+        default = "*:0/30";
+        description = mdDoc ''
+          How often NIST-Feed executes.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    systemd.user.services.nist-feed = {
+        wantedBy = [ "default.target" ];
+        description = "A notification daemon for CVEs";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${cfg.package}/bin/nist-feed ${escapeShellArgs cfg.extraArgs}";
+        };
+    };
+
+    systemd.user.timers.nist-feed = {
+        wantedBy = [ "default.target" ];
+        timerConfig = {
+          Unit = "nist-feed.service";
+          OnCalendar = cfg.onCalendar;
+          Persistent = "true";
+        };
+    };
+  };
+
+  meta.maintainers = with maintainers; [octodi];
+}

pkgs/by-name/ni/nist-feed/cron.patch

@@ -0,0 +1,56 @@
+--- a/nist-feed	2024-01-28 19:03:44.721621784 +0530
++++ b/nist-feed	2024-01-29 18:58:25.981732803 +0530
+@@ -1,7 +1,5 @@
+ #!/bin/sh
+
+-pkill -f "/usr/bin/gjs /usr/share/gnome-shell/org.gnome.Shell.Notifications"
+-
+ ############################################################
+ # Colors                                                   #
+ ############################################################
+@@ -67,7 +65,7 @@
+    echo "-i                        Filter by integrity metric (NONE='I:N', LOW='I:L' or HIGH='I:H')."
+    echo "-l                        Retrieve the latest CVE according to the filters."
+    echo "-m                        Filter by the specified CVSSv3 metric codes. It is used mainly for managing all filters selected by the user when the notification popup must be created."
+-   echo "-n                        Enable desktop notification for the latest CVE according the applied filters by crontab."
++   echo "-n                        Notification option has been removed for nix, to enable notifications use programs.nist-feed.enable = true; "
+    echo "-P                        Filter by privileges required metric (NONE='PR:N', LOW='PR:L' or HIGH='PR:H')."
+    echo "-r                        Specify the maximum number of results that are returned based on the request parameters. The default value is 20. For network considerations, maximum allowable limit is 2,000."
+    echo "-S                        Filter by scope metric (UNCHANGED='S:U' or CHANGED='S:C')."
+@@ -237,7 +235,6 @@
+
+ if [ "$end" ]; then
+    echo "Disabling NIST NVD feed popup notification..."
+-   crontab -l | sed '/nist-feed/d' | crontab
+    rm -rf $last_cve_file
+    rm -rf $cve_json_file
+    exit 0
+@@ -336,27 +333,13 @@
+    fi
+ fi
+
+-if [[ "$id" != "$LAST_CVE" ]] || [ $(crontab -l | wc -c) -eq 0 ];then #if the previous CVE is different from the current one, OR the crontab is empty, popup notification
++if [[ "$id" != "$LAST_CVE" ]];then #if the previous CVE is different from the current one, OR the crontab is empty, popup notification
+    if [[ ! "$notify" ]]; then #LAST_CVE must be set only if the user does not set the notification parameters, otherwise when crontab will call the 1st time nist-feed, $id is already = to $LAST_CVE
+       echo "$id" > $last_cve_file
+       #Generate the popup notification
+       killall dunst;notify-send -u normal "$id" "$description\n\n<b>$nvdURL</b>"
+    fi
+
+-   if [[ "$notify" -eq 1 ]] && [ ! "$severity" ] && [ ! "$metric" ]; then
+-      crontab -l | sed '/nist-feed/d' | crontab
+-      (crontab -l 2>/dev/null; echo "*/30 * * * * ( killall dunst ; XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/local/bin/nist-feed -l)") | crontab -
+-   elif [[ "$notify" -eq 1 ]] && [ "$severity" ] && [ ! "$metric" ]; then
+-      crontab -l | sed '/nist-feed/d' | crontab
+-      (crontab -l 2>/dev/null; echo "*/30 * * * * ( killall dunst ; XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/local/bin/nist-feed -l -s $severity)") | crontab -
+-   elif [[ "$notify" -eq 1 ]] && [ ! "$severity" ] && [ "$metric" ]; then
+-      crontab -l | sed '/nist-feed/d' | crontab
+-      (crontab -l 2>/dev/null; echo "*/30 * * * * ( killall dunst ; XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/local/bin/nist-feed -l -m $metric)") | crontab -
+-   elif [[ "$notify" -eq 1 ]] && [ "$severity" ] && [ "$metric" ]; then
+-      crontab -l | sed '/nist-feed/d' | crontab
+-      (crontab -l 2>/dev/null; echo "*/30 * * * * ( killall dunst ; XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/local/bin/nist-feed -l -s $severity -m $metric)") | crontab -
+-   fi
+-   
+ fi
+
+ rm -rf $cve_json_file

pkgs/by-name/ni/nist-feed/package.nix

@@ -0,0 +1,50 @@
+{ stdenvNoCC
+, lib
+, fetchFromGitHub
+, makeWrapper
+, bash
+, jq
+, killall
+, libnotify
+, curl
+, busybox
+}:
+
+stdenvNoCC.mkDerivation {
+  pname = "nist-feed";
+  version = "0-unstable-2024-01-20";
+
+  src = fetchFromGitHub {
+    owner = "D3vil0p3r";
+    repo = "NIST-Feed";
+    rev = "775bd871490b680784a1855cdc1d4958a83a7866";
+    hash = "sha256-OcVf766q7vELYkGOEzQMLS6zH8Nn96ibGP+6kizHN28=";
+  };
+
+  patches = [
+    ./cron.patch
+  ];
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  postPatch = ''
+    substituteInPlace nist-feed \
+      --replace "/usr/local/bin/nist-feed" $out/bin/nist-feed
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm555 nist-feed $out/bin/nist-feed
+    wrapProgram "$out/bin/nist-feed" \
+      --prefix PATH : "$out/bin:${lib.makeBinPath [ jq killall libnotify curl busybox ]}"
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Notification daemon for CVEs from the NIST National Vulnerability Database";
+    homepage = "https://github.com/D3vil0p3r/NIST-Feed/";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ octodi ];
+    mainProgram = "nist-feed";
+  };
+}