wapiti: 3.1.7 -> 3.1.8

[tjni]

Description of changes

wapiti-scanner/wapiti@3.1.7...3.1.8

The goal is to pick up upstream's change to pyproject.toml, which fixes a bug involving duplicate scripts breaking installer when it installs the wheel.

A couple of other changes are needed to dependencies (which I audited from the new pyproject.toml). One thing to call out is that there is a new extra called ssl which I could not add because it depends on sslyze, which depends on nassl and tries to download OpenSSL and build it from source. It's more work than I have time for to untangle that right now.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.11 Release Notes (or backporting 23.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[tjni]

@ofborg build wapiti

[fabaff]

Result of nixpkgs-review pr 250814 run on x86_64-linux 1

2 packages failed to build:

• wapiti
• wapiti.dist

I get this with nix-review:

error: builder for '/nix/store/l2f6lnf8122xp8xg362dzi4rgjy1s96i-wapiti-3.1.8.drv' failed with exit code 1;
       last 10 log lines:
       > =============================== warnings summary ===============================
       > ../../nix/store/xm0kn6advd10ygwd6014qp6lv7dv73kn-python3.10-arsenic-21.8/lib/python3.10/site-packages/arsenic/services.py:5
       >   /nix/store/xm0kn6advd10ygwd6014qp6lv7dv73kn-python3.10-arsenic-21.8/lib/python3.10/site-packages/arsenic/services.py:5: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
       >     from distutils.version import StrictVersion
       >
       > -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
       > =========================== short test summary info ============================
       > FAILED tests/attack/test_mod_log4shell.py::test_attack_unifi - AttributeError: 'ModuleLog4Shell' object has no attribute '_dns_host'
       > ========== 1 failed, 149 passed, 103 deselected, 1 warning in 30.08s ===========

[tjni]

Wow, thank you for checking. I think this slipped through because I was testing on aarch64-darwin, and when the hole is punched through the sandbox for localhost, it might also allow arbitrary DNS lookups?

Essentially, this line creates the _dns_host property:

try:
    self._dns_host = socket.gethostbyname(dns_endpoint)
except (OSError, TypeError):
    logging.error(f"Error: {dns_endpoint} is not a valid domain name")
    self.finished = True

and the new test test_attack_unifi is trying to resolve http://perdu.com/. I will disable the test.

[tjni]

@ofborg build wapiti

[fabaff]

Result of nixpkgs-review pr 250814 run on x86_64-linux 1

2 packages built:

• wapiti
• wapiti.dist

[fabaff]

Change looks good to me.