
Scan only runtime dependencies

Open dermetfan opened this issue 4 years ago • 5 comments

This PR adds a --closure flag that scans the closure of an output path.

Currently vulnix scans all dependencies (unless --no-requisites is given), so build-time-only dependencies are included. Depending on the threat model it may be desirable to scan only runtime dependencies to avoid writing a huge whitelist.

Nix has a deriver field in the JSON output of nix path-info that I hoped we could use. Unfortunately we run into the same problem as #69 so we still have to shell out to Nix every time that path does not exist.

dermetfan, Sep 17 '21 17:09

Store paths that appear in the closure but are also inputSrcs (from nix show-derivation) have no deriver and therefore cause an error. These should be excluded from the scan. I will look into this shortly.

dermetfan, Sep 20 '21 15:09

Turns out the derivation field in nix path-info --json is already present in stable Nix. I previously stated in the description that it was added in Nix 2.4 which is incorrect. That allows us to check whether it is present and skip the path if it is not, so this PR is ready for review now.

dermetfan, Sep 21 '21 15:09
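The selection logic described in the PR description and the two follow-up comments (walk the runtime closure of an output path, look up each path's deriver, and skip paths that have none rather than erroring on them) is illustrated below. This is an added example and not vulnix's own code. It assumes the JSON shape of `nix path-info --json --recursive <path>`: either a list of objects with `path`, `deriver` and `references` fields, or, on newer Nix, a dict keyed by store path with the same fields. The store paths, hashes and names in the sample are constructed, and a build-time-only dependency (`gcc`) is included in the listing so the closure walk has something to leave out.

```python
"""Pick the store paths a --closure style scan should look at.

Added example, not vulnix's own code. Assumes the output shape of
`nix path-info --json --recursive <path>` (list of objects, or dict keyed
by path on newer Nix). All sample data below is constructed.
"""
import json
from collections import deque

STORE = "/nix/store/"


def _p(hash_char, name):
    # Build a plausible store path: 32-character hash, dash, name (constructed).
    return f"{STORE}{hash_char * 32}-{name}"


HELLO = _p("a", "hello-2.12")
GLIBC = _p("b", "glibc-2.33")
CONF = _p("c", "hello.conf")    # inputSrc referenced at runtime: it has no deriver
GCC = _p("d", "gcc-10.3.0")     # build-time only: not reachable from hello's output

# Constructed entries in the shape nix path-info --json emits.
ENTRIES = [
    {"path": HELLO, "deriver": _p("e", "hello-2.12.drv"), "references": [HELLO, GLIBC, CONF]},
    {"path": GLIBC, "deriver": _p("f", "glibc-2.33.drv"), "references": [GLIBC]},
    {"path": CONF, "deriver": None, "references": []},
    {"path": GCC, "deriver": _p("g", "gcc-10.3.0.drv"), "references": [GCC, GLIBC]},
]
SAMPLE_PATH_INFO_LIST = json.dumps(ENTRIES)                       # Nix 2.3 style
SAMPLE_PATH_INFO_DICT = json.dumps(                                # newer style
    {e["path"]: {k: v for k, v in e.items() if k != "path"} for e in ENTRIES})


def load_path_info(raw):
    """Normalise both JSON shapes into {store path: entry}."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = [dict(info, path=path) for path, info in data.items()]
    return {entry["path"]: entry for entry in data}


def runtime_closure(info, root):
    """Every store path reachable from `root` through runtime references.

    This is the closure nix-store -qR <output> would report; build-time
    inputs are not reachable this way and so are excluded."""
    seen, todo = set(), deque([root])
    while todo:
        path = todo.popleft()
        if path in seen:
            continue
        seen.add(path)
        for ref in info.get(path, {}).get("references", []):
            if ref not in seen:
                todo.append(ref)
    return seen


def drv_name(deriver):
    """'/nix/store/<hash>-hello-2.12.drv' -> 'hello-2.12'."""
    base = deriver[len(STORE):]
    return base[33:].removesuffix(".drv")   # drop "<hash>-" and ".drv"


def scannable(info, root):
    """(store path, derivation name) pairs for the runtime closure of `root`.

    Paths without a deriver (inputSrcs such as patches or config files that
    happen to be referenced at runtime) are skipped instead of raising."""
    result = []
    for path in sorted(runtime_closure(info, root)):
        deriver = info.get(path, {}).get("deriver")
        if not deriver:          # None or "" means there is nothing to look up
            continue
        result.append((path, drv_name(deriver)))
    return result


if __name__ == "__main__":
    for path, name in scannable(load_path_info(SAMPLE_PATH_INFO_LIST), HELLO):
        print(f"{name:12} {path}")
```

Running the block lists `hello-2.12` and `glibc-2.33` only: the `.conf` inputSrc is dropped because it has no deriver, and `gcc` never enters the result because nothing in the output's runtime references points at it.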

@ckauhaus could we get this merged?

disassembler, Jun 03 '22 20:06

@ckauhaus 🙏

domenkozar, Aug 23 '22 13:08

Seems @ckauhaus no longer works at Flying Circus. You "recently" committed to this repo, maybe you can have a look @delroth @mrrpdt?

dermetfan, Feb 22 '23 13:02

Given the context, I assume that @ckauhaus is no longer active. If anybody is interested, I opened a new issue to nominate yourself as a maintainer.

zimbatm, Apr 02 '24 10:04