
Creating the inventory of locally installed derivations

Open · raboof opened this issue 1 year ago · 1 comment

Part of the challenge of the local scanner is to create an inventory of all currently-installed packages.

This is similar to #8 on the server side, but different: locally we only care about the runtime closure of the package, which means the packages actually need to be built. Luckily that isn't a problem: since we're reporting on installed derivations, we can assume they have been downloaded/built anyway.

Possible existing components to build on here are:

In the future the things we do in the security tracker project might be upstreamed back into those tools or something new like Genealogos.

I have tested that sbomnix /nix/var/nix/profiles/system will happily create an inventory of the current state of the system. This is great, because it means we can also do this when packaging the local scanner as a service: this saves us from needing to have a somewhat-circular reference to 'ourselves'/'our own inventory'.

Notably absent from the sbomnix output is the 'attribute path' of the derivation in nixpkgs. Not all derivations have an attribute path, but it is often informally used as the "package name" (and is sometimes distinct from the attribute name).

Future evolution of this component, likely outside the scope of the initial milestone, includes:

  • Look into vendored dependencies
  • Keeping the 'tree view' of the dependencies and applying filters (like "component X has a vulnerability but it is known that project Y which depends on X is not affected"). sbomnix will report on the dependencies between derivations in its CycloneDX output.
  • Taking into account applied patches. sbomnix will report on 'patches' in its .csv output.
  • Catching any derivations installed by nix-env, in nix shells, etc. Longer-term it might be interesting to, for example, scan all GC roots, or even all contents of the cache, but for the first milestone it seems reasonable to keep that out of scope.

raboof, Nov 14 '23 14:11
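A sketch of the 'tree view plus filter' idea from the list above, as an added example and not code from the issue, the tracker or sbomnix: it reads a CycloneDX-style JSON document (a constructed sample in the component/dependency shape CycloneDX uses, with made-up store paths and versions) and answers which installed derivations pull a vulnerable component into their runtime closure, optionally excluding projects known not to be affected.

```python
import json

# Constructed sample in CycloneDX JSON shape: a component list plus a
# dependency graph keyed by bom-ref. Store paths and versions are invented.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "/nix/store/aaa-hello-2.12", "name": "hello", "version": "2.12"},
        {"bom-ref": "/nix/store/bbb-glibc-2.38", "name": "glibc", "version": "2.38"},
        {"bom-ref": "/nix/store/ccc-libfoo-1.0", "name": "libfoo", "version": "1.0"},
    ],
    "dependencies": [
        {"ref": "/nix/store/aaa-hello-2.12",
         "dependsOn": ["/nix/store/bbb-glibc-2.38", "/nix/store/ccc-libfoo-1.0"]},
        {"ref": "/nix/store/bbb-glibc-2.38", "dependsOn": []},
        {"ref": "/nix/store/ccc-libfoo-1.0", "dependsOn": ["/nix/store/bbb-glibc-2.38"]},
    ],
})


def load_inventory(bom_text):
    """Return ({ref: (name, version)}, {ref: [direct deps]}) from CycloneDX JSON."""
    bom = json.loads(bom_text)
    comps = {c["bom-ref"]: (c["name"], c.get("version", "")) for c in bom.get("components", [])}
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return comps, deps


def dependents_of(deps, target):
    """Refs whose runtime closure transitively contains `target` (reverse walk)."""
    reverse = {}
    for ref, direct in deps.items():
        for d in direct:
            reverse.setdefault(d, set()).add(ref)
    seen, stack = set(), [target]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def affected_packages(bom_text, vulnerable_name, not_affected=()):
    """Installed package names that are, or depend on, `vulnerable_name`,
    minus those whose project is known not to be affected (the filter case)."""
    comps, deps = load_inventory(bom_text)
    hit = {r for r, (n, _) in comps.items() if n == vulnerable_name}
    for r in list(hit):
        hit |= dependents_of(deps, r)
    return sorted(comps[r][0] for r in hit if comps[r][0] not in set(not_affected))
```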