From bbe893dc254a3e6130086493018e35189242fa85 Mon Sep 17 00:00:00 2001
From: Chris Guest
Date: Sun, 30 Mar 2025 23:12:28 +0100
Subject: [PATCH 1/2] feat(qemu): Add Nix support for building and running aarch64 VM
---
16_qemu/README.md | 5 +++++
16_qemu/nix/README.md | 12 ++++++++++++
16_qemu/nix/flake.lock | 26 ++++++++++++++++++++++++++
16_qemu/nix/flake.nix | 32 ++++++++++++++++++++++++++++++++
16_qemu/nix/justfile | 14 ++++++++++++++
5 files changed, 89 insertions(+)
create mode 100644 16_qemu/nix/README.md
create mode 100644 16_qemu/nix/flake.lock
create mode 100644 16_qemu/nix/flake.nix
create mode 100644 16_qemu/nix/justfile
diff --git a/16_qemu/README.md b/16_qemu/README.md
index 89a62e5..1519437 100644
--- a/16_qemu/README.md
+++ b/16_qemu/README.md
@@ -2,6 +2,10 @@ Demonstrate how to get aarch64 machine running on qemu (ubuntu)
+NOTES:
+
+* `armv6l-linux` & `armv7l-linux` are 32-bit, whereas `aarch64` is 64-bit
+
 ## Prereqs
 ```sh
@@ -24,6 +28,7 @@ qemu-system-arm -M help
 qemu-system-aarch64 -version
 qemu-system-aarch64 -M help
+# on debian
 apt-file list qemu-kvm
 apt-file list qemu-system
 ```
diff --git a/16_qemu/nix/README.md b/16_qemu/nix/README.md
new file mode 100644
index 0000000..8f68ffe
--- /dev/null
+++ b/16_qemu/nix/README.md
@@ -0,0 +1,12 @@
+# NIX
+
+Build an image with nix and run as aarch64.
+
+```sh
+just nix
+```
+
+## Resources
+
+* https://gist.github.com/lheckemann/63c52f2115346e6c9bbc6ecdfde9f43b
+* Spawn a Linux virtual machine on Arm using QEMU (KVM) [here](https://community.arm.com/oss-platforms/w/docs/510/spawn-a-linux-virtual-machine-on-arm-using-qemu-kvm)
\ No newline at end of file
diff --git a/16_qemu/nix/flake.lock b/16_qemu/nix/flake.lock
new file mode 100644
index 0000000..b3c9396
--- /dev/null
+++ b/16_qemu/nix/flake.lock
@@ -0,0 +1,26 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1743231893,
+ "narHash": "sha256-tpJsHMUPEhEnzySoQxx7+kA+KUtgWqvlcUBqROYNNt0=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c570c1f5304493cafe133b8d843c7c1c4a10d3a6",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-24.11",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/16_qemu/nix/flake.nix b/16_qemu/nix/flake.nix
new file mode 100644
index 0000000..92dd6e3
--- /dev/null
+++ b/16_qemu/nix/flake.nix
@@ -0,0 +1,32 @@
+{
+ description = "Nix flake to build and run a NixOS VM for aarch64";
+
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-24.11";
+ };
+
+ outputs = { self, nixpkgs }:
+ let
+ pkgs = import nixpkgs { system = "x86_64-linux"; };
+ pkgsAarch64 = import nixpkgs { system = "aarch64-linux"; };
+
+ iso = (pkgsAarch64.nixos {
+ imports = [ "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix" ];
+ }).config.system.build.isoImage;
+
+ vmScript = pkgs.writeScriptBin "run-nixos-vm" ''
+ #!${pkgs.runtimeShell}
+ ${pkgs.qemu}/bin/qemu-system-aarch64 \
+ -machine virt,gic-version=max \
+ -cpu max \
+ -m 2G \
+ -smp 4 \
+ -drive file=$(echo ${iso}/iso/*.iso),format=raw,readonly=on \
+ -nographic \
+ -bios ${pkgsAarch64.OVMF.fd}/FV/QEMU_EFI.fd
+ '';
+
+ in {
+ defaultPackage.x86_64-linux = vmScript;
+ };
+}
\ No newline at end of file
diff --git a/16_qemu/nix/justfile b/16_qemu/nix/justfile
new file mode 100644
index 0000000..3776083
--- /dev/null
+++ b/16_qemu/nix/justfile
@@ -0,0 +1,14 @@
+#!/usr/bin/env just --justfile
+# ^ A shebang isn't required, but allows a justfile to be executed
+# like a script, with `./justfile test`, for example.
+
+set dotenv-load := true
+
+# default lists actions
+default:
+ @just -f justfile --list
+
+nix:
+ #!/usr/bin/env bash
+ set -eufo pipefail
+ nix run
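Review bot: `iso` is an aarch64-linux derivation (it is evaluated from `pkgsAarch64`) that the x86_64-linux output depends on, so `nix run` on a plain x86_64 host will stop at build time with a "required system aarch64-linux" error unless an aarch64 remote builder or binfmt emulation (`boot.binfmt.emulatedSystems = [ "aarch64-linux" ]` on NixOS) is configured or the image happens to be substitutable from a cache; neither flake.nix nor nix/README.md states that prerequisite, so add a comment above `pkgsAarch64 = ...` such as `# aarch64-linux derivations are built here; on an x86_64 host this needs an aarch64 remote builder or binfmt emulation`. `defaultPackage.x86_64-linux` is the deprecated output name that `nix flake check` warns about; `packages.x86_64-linux.default = vmScript;` is the current form. The qemu invocation passes no `-nic`/`-netdev`, and if I am not mistaken QEMU then attaches a default user-mode NIC; since this boots an installer image meant for interactive use, make the network choice explicit with `-nic none` (or an explicit `-nic user,...` when networking is wanted) so a reader can see what the guest reaches. The `-drive file=$(echo ${iso}/iso/*.iso)` glob silently yields a malformed argument if more than one ISO matches; a bare `${iso}/iso/*.iso` or a one-file check in the script would be clearer.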
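Review bot: `set dotenv-load := true` exports every variable of a `.env` file in the justfile's directory into the environment of all recipes, yet no recipe here reads such a variable; `.env` files commonly hold credentials, so exporting them into the `nix run` process tree for no reason widens exposure of whatever they contain. Drop the line, or if it is meant for future recipes, keep it with a comment naming what it provides, e.g. `# dotenv-load: <VARS> from .env — none used yet` (placeholder). The `nix` recipe calls `nix run` with no installable, which resolves to the flake in the current directory; a comment such as `# runs the default package of ./flake.nix (run-nixos-vm)` would make that dependency on ./flake.nix visible.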
From a64240bd1866ecb3af6775a5bbff578ea4e10e52 Mon Sep 17 00:00:00 2001
From: Chris Guest
Date: Wed, 2 Apr 2025 14:47:19 +0100
Subject: [PATCH 2/2] feat(osv_scanner): Add .gitignore and update README with output directory instructions for scanning docker images
---
48_osv_scanner/.gitignore | 1 +
48_osv_scanner/README.md | 4 ++++
2 files changed, 5 insertions(+)
create mode 100644 48_osv_scanner/.gitignore
diff --git a/48_osv_scanner/.gitignore b/48_osv_scanner/.gitignore
new file mode 100644
index 0000000..1fcb152
--- /dev/null
+++ b/48_osv_scanner/.gitignore
@@ -0,0 +1 @@
+out
diff --git a/48_osv_scanner/README.md b/48_osv_scanner/README.md
index 7e43fc9..9c5e61d 100644
--- a/48_osv_scanner/README.md
+++ b/48_osv_scanner/README.md
@@ -25,6 +25,10 @@ just scan-repo ../my_repo --json | jq .
 ```sh
 docker pull nginx:1.27.4
 osv-scanner scan --docker nginx:1.27.4
+
+# NOTE: It doesn't seem to be scanning the .venv or pipfile.lock in the container.
+mkdir -p ./out
+osv-scanner scan --experimental-all-packages --format=json --docker nginx:1.27.4 > ./out/nginx1.27.4.json
 ```
 ## Resources