
[Package Request]: StackHawk HawkScan #87479

Open
1 of 5 tasks
untra opened this issue Nov 4, 2022 · 2 comments
Labels
Help-Wanted This is a good candidate work item from the community. Package-Request This is a request for a package (new or updated version)

Comments

@untra

untra commented Nov 4, 2022

Package Requested

  • I would like help so I can submit the manifest.
  • I would like someone else to build the manifest.
  • I have performed a search and couldn't find this package.
  • I have checked that the installer for this package is not contained in a .zip file
  • I think there is a new version available and I have provided the URL.

Please provide the following information

Okay so yes it is contained in a zip file, and yes .zip installers are not available until winget-cli 1.4 goes GA and reaches 50% adoption.

However even with zip installer support I'm unsure if our package and similar others can be fully supported.
The provided manifest passes winget validate on v1.4.2161-preview:

# yaml-language-server: $schema=https://aka.ms/winget-manifest.singleton.1.4.0.schema.json

PackageIdentifier: stackhawk.hawkscan
PackageVersion: 2.9.0
PackageName: hawkscan
PackageLocale: en-US
Publisher: StackHawk
License: Proprietary
Copyright: (c) 2022 StackHawk
MinimumOSVersion: 10.0.0.0
InstallerType: zip
InstallModes:
- silentWithProgress
- silent
UpgradeBehavior: uninstallPrevious
Installers:
  - Architecture: neutral
    InstallerType: zip
    InstallerUrl: https://download.stackhawk.com/hawk/cli/hawk-2.9.0.zip
    InstallerSha256: e31ec72c0f7196cd67afad624a14f70bf5a02fa4031191d85cc1d998a39db72f
    NestedInstallerType: portable
    NestedInstallerFiles:
      - RelativeFilePath: hawk.ps1
        PortableCommandAlias: hawk
PublisherUrl: https://www.stackhawk.com
PublisherSupportUrl: https://support.stackhawk.com
PrivacyUrl: https://www.stackhawk.com/privacy-policy
LicenseUrl: https://www.stackhawk.com/terms-of-service
PackageUrl: https://docs.stackhawk.com/stackhawk-cli
ReleaseNotesUrl: https://docs.stackhawk.com/changelog.html
ShortDescription: KaaKaww! Helping developers to find, triage and fix security bugs!
Documentations:
  - DocumentLabel: Documentation
    DocumentUrl: https://docs.stackhawk.com/
  - DocumentLabel: API Docs
    DocumentUrl: https://apidocs.stackhawk.com
Moniker: hawkscan
Tags:
- api
- application
- security
- appsec
- hawk
- scan
- kaakaww
- stackhawk
ManifestType: singleton
ManifestVersion: 1.4.0

StackHawk HawkScan is a CLI for scanning running web applications for software vulnerabilities. hawk is the alias for the bash/powershell file that we supply that calls java -jar ... to run the java executable. Our package doesn't have an installer, rather it can unpack a hawk.ps1 script to alias.

A few questions:

  • This scenario of portable java applications launched from shell scripts and no formal installer also applies to [Package Request]: Apache Maven #65391, [Package Request]: Apache JMeter #30972, Add Gradle 6.5.1 #2964, Add manifest for ZAP #756 and a bunch of other java ecosystem packages I bet. Given the upcoming roadmap and experimental support for zipInstall, could our manifest submission be supported with the anticipated 1.4 winget release?

  • These packages depend on a java runtime environment being installed, which might relate to package dependencies. I don't think this requirement is as critical, and there's plenty of flavors of java as it is to choose from, but is the experimental dependencies support also slated for 1.4 and could that address the JRE requirements of packages?

  • Did I get the singleton manifest file format correct? and package updates will be supported with the singleton format as part of the 1.4 release?

  • Running winget install manifests/s/stackhawk/hawkscan/2.9.0/stackhawk.hawkscan.yaml reports No package found matching input criteria. I don't think that means success but how do I debug further?

We look forward to adding our sweet CLI to the winget-pkgs repository 🦅

@untra untra added Help-Wanted This is a good candidate work item from the community. Package-Request This is a request for a package (new or updated version) labels Nov 4, 2022
@ghost ghost added the Needs-Triage This work item needs to be triaged by a member of the core team. label Nov 4, 2022
@warshanks
Contributor

warshanks commented Nov 4, 2022

I figured I'd try this manifest on my machine to see if I yielded any different results and here's what I got

Experimental features in winget:

"experimentalFeatures": {
    "zipInstall": true,
    "dependencies": true,
    "portablePackageUserRoot": "C:/Users/Ben/Packages",
    "portablePackageMachineRoot": "C:/Program Files/Packages/Portable"
}
 ~\manifests\s\stackhawk\hawkscan > winget validate --manifest .\2.9.0\
Manifest validation succeeded.
 ~\manifests\s\stackhawk\hawkscan > winget install -m .\2.9.0\
Installing a portable package from an archive is not yet supported

Everything else looks good as far as I can tell. It just doesn't like that it's a nested portable unfortunately. I can't speak to the roadmap or Java but hopefully this helps in some way.

@Trenly
Contributor

Trenly commented Nov 4, 2022

is the experimental dependencies support also slated for 1.4 and could that address the JRE requirements of packages?

No; Dependency support is still experimental in 1.4

Did I get the singleton manifest file format correct? and package updates will be supported with the singleton format as part of the 1.4 release?

Yes. However, using the multi-manifest format is much more preferred, as it allows for better updates and parsing in the future

I don't think that means success but how do I debug further?

You will need to use the --manifest flag like winget install --manifest <path>. This requires enabling localManifestFiles from an elevated terminal - winget settings --enable LocalManifestFiles. As @warshanks showed, Portable in Zip isn't supported with the latest prerelease client - you will need a local build of winget (wingetdev)
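A pre-submission check that the manifest posted above and the replies point at, added here as example code that is not StackHawk's or the winget project's own: it confirms that the InstallerSha256 pinned in the manifest matches the bytes of the archive that will actually be downloaded, and that every NestedInstallerFiles RelativeFilePath exists inside that zip. winget validate only checks the manifest against the schema; it never opens the remote archive, so a stale hash or a wrong relative path is not caught until install time. The Installers excerpt and the archive below are constructed stand-ins for the real hawk-2.9.0.zip; for the real package, fetch InstallerUrl and pass the downloaded bytes to check_manifest_archive.

```python
"""Pre-submission check for a winget zip/portable manifest.

Added example, not StackHawk's or winget's code. The archive and the
Installers excerpt are constructed stand-ins; for the real package, fetch
InstallerUrl yourself and pass the downloaded bytes to check_manifest_archive.
"""
import hashlib
import io
import re
import zipfile

# Field names follow the 1.4 singleton manifest posted in the issue.
SHA_RE = re.compile(r"^\s*InstallerSha256:\s*([0-9A-Fa-f]{64})\s*$", re.M)
PATH_RE = re.compile(r"^\s*-\s*RelativeFilePath:\s*(\S+)\s*$", re.M)


def build_sample_archive(files):
    """Build an in-memory zip (constructed stand-in for hawk-2.9.0.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def render_installers(sha256_hex, relative_paths):
    """Render an Installers block with a pinned hash and nested file list."""
    lines = [
        "Installers:",
        "  - Architecture: neutral",
        "    InstallerType: zip",
        "    InstallerUrl: https://download.stackhawk.com/hawk/cli/hawk-2.9.0.zip",
        f"    InstallerSha256: {sha256_hex}",
        "    NestedInstallerType: portable",
        "    NestedInstallerFiles:",
    ]
    for path in relative_paths:
        lines.append(f"      - RelativeFilePath: {path}")
        lines.append("        PortableCommandAlias: hawk")
    return "\n".join(lines) + "\n"


def check_manifest_archive(manifest_text, archive_bytes):
    """Compare the manifest's pinned hash and nested paths against the archive.

    Handles the single-installer case from the issue. winget compares
    InstallerSha256 case-insensitively, so the pinned value is lower-cased;
    nested paths are normalised to forward slashes because zip entries
    written on Windows may carry backslashes.
    """
    pinned = [h.lower() for h in SHA_RE.findall(manifest_text)]
    actual = hashlib.sha256(archive_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        present = {info.filename.replace("\\", "/") for info in zf.infolist()}
    wanted = PATH_RE.findall(manifest_text)
    missing = [p for p in wanted if p.replace("\\", "/") not in present]
    sha256_ok = len(pinned) == 1 and pinned[0] == actual
    return {
        "sha256_ok": sha256_ok,
        "actual_sha256": actual,
        "missing_files": missing,
        "ok": sha256_ok and not missing,
    }


# Constructed archive: the two launcher scripts plus a dummy jar.
SAMPLE_FILES = {
    "hawk.ps1": "java -jar $PSScriptRoot\\hawk.jar @args\n",
    "hawk": "#!/bin/sh\nexec java -jar \"$(dirname \"$0\")/hawk.jar\" \"$@\"\n",
    "hawk.jar": b"not a real jar",
}
SAMPLE_ARCHIVE = build_sample_archive(SAMPLE_FILES)
SAMPLE_MANIFEST = render_installers(
    hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(), ["hawk.ps1"]
)


if __name__ == "__main__":
    print(check_manifest_archive(SAMPLE_MANIFEST, SAMPLE_ARCHIVE))
    # Same manifest, but the published zip was replaced by one with a
    # modified launcher: the pinned hash no longer matches, install fails.
    swapped = build_sample_archive({**SAMPLE_FILES, "hawk.ps1": "java -jar other.jar @args\n"})
    print(check_manifest_archive(SAMPLE_MANIFEST, swapped))
```

Run it against the real download before opening the PR: if sha256_ok is false the InstallerSha256 in the manifest is stale (or the artifact was re-published under the same URL), and any entry in missing_files is a RelativeFilePath that winget will fail to locate when it unpacks the archive.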

@denelon denelon removed the Needs-Triage This work item needs to be triaged by a member of the core team. label Nov 7, 2022

4 participants