vulnix
Vulnerability (CVE) scanner for Nix/NixOS.
This PR adds a `--closure` flag that scans the closure of an output path. Currently vulnix scans all dependencies (unless `--no-requisites` is given) so buildtime-only dependencies are included. Depending on...
Open source vulnerabilities database https://osv.dev/ Its scope seems to be increasing, and they're looking into PyPI packages now as well https://discuss.python.org/t/proposing-a-community-maintained-database-of-pypi-package-vulnerabilities/8374
vulnix thinks my drv uses jetbrains hub when the drv holds https://github.com/tektoncd/hub This is also the case for other dependencies collected by gomod2nix ``` λ vulnix ./result 22 derivations...
`arch-audit` has an option `--upgradable` where it doesn't report vulnerabilities where upgrading won't fix it. Something similar would be nice for Vulnix. This would allow users to quickly see actionable...
It should be possible to state multiple whitelist entries for the same package. Support `[[...]]` TOML syntax in whitelists.
vulnix currently returns the following exit codes:
- `2` if a runtime exception occurred, or if all went well and there were non-whitelisted vulnerabilities
- `1` if the `--show-whitelisted` option...
`--gc-roots` is good because it includes all the roots in use by currently-running processes (found by rummaging through /proc/). But `--gc-roots` is bad because it includes all the old profiles....
I've just noticed a few false positives, basically all duplicates of the following two issues:
- https://github.com/NixOS/nixpkgs/issues/88303
- https://github.com/NixOS/nixpkgs/issues/88295
Because e.g. `cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*` matched for Git (while it's for the...
See https://github.com/NixOS/nixpkgs/issues/101159