nix-security-tracker
Web service for managing information on vulnerabilities in software distributed through Nixpkgs
Some fields in the data model are empty on ingestion:
- [ ] `NixDerivationOutput.outputs`
- [ ] `NixDerivation.dependencies`
Currently the flake.nix is still rather developer-oriented; eventually it should package the scanner as a 'user-consumable' package. Remaining tasks:
* rename `CVENix`/`local-security-scanner` to something neater?
* add a wrapper to...
Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2015-2987](https://www.cve.org/CVERecord?id=CVE-2015-2987) in ed. This is a false positive, because our 'ed' is GNU ed, not the (unrelated) `cpe:2.3:a:type74:ed`. We...
Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2022-26691](https://www.cve.org/CVERecord?id=CVE-2022-26691) in cups. This is a false positive, because this issue was fixed in version 2.4.2 and we are...
Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2023-3341](https://www.cve.org/CVERecord?id=CVE-2023-3341) in bind. This is a false positive, because this image is not actually using the bind daemon, but...
The CPE for the Jenkins git plugin says the package is "git" instead of "git-jenkins-plugin" or similar. The solution would be parsing/heuristics for the vendor, though we don't really get...
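The three reports above (ed vs. `type74:ed`, cups already at a fixed version, the Jenkins plugin whose CPE product is plain "git") are all what product-name-only matching produces. The following is an added example, not code from nix-security-tracker, showing a matcher that also checks the CPE vendor field and an affected-version bound. Only the product names and the "fixed in 2.4.2" bound come from the issues; the package records, their vendor sets, the vendor fields of the criteria, the `EXAMPLE-JENKINS-GIT-PLUGIN` placeholder id and the dotted-version comparison are constructed for this example.

```python
"""Vendor- and version-aware CPE 2.3 matching (added example, not tracker code).

Constructed/assumed: the package records (names, versions, vendor sets), the
vendor fields and version bounds of the criteria, the placeholder advisory id
for the Jenkins plugin, and the simple dotted-version comparison.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Components of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its named components."""
    parts = re.split(r"(?<!\\):", cpe)  # a literal ':' inside a field is escaped as '\:'
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(v: str) -> tuple:
    """Crude comparison key for dotted numeric versions (assumption: no letters)."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


@dataclass(frozen=True)
class Criterion:
    advisory: str
    cpe: str
    version_end_excluding: Optional[str] = None  # first fixed version, if known


@dataclass(frozen=True)
class Package:
    pname: str
    version: str
    vendors: frozenset  # upstream vendor names we curate for the package (assumed)


def naive_match(pkg: Package, crit: Criterion) -> bool:
    """Product-name-only matching: the behaviour behind the false positives."""
    return parse_cpe23(crit.cpe)["product"] == pkg.pname


def strict_match(pkg: Package, crit: Criterion) -> bool:
    """Require product, vendor and an affected version to agree."""
    c = parse_cpe23(crit.cpe)
    if c["product"] != pkg.pname:
        return False
    if c["vendor"] != "*" and c["vendor"] not in pkg.vendors:
        return False  # type74:ed is not gnu:ed; jenkins:git is not git-scm:git
    if c["version"] not in ("*", "-") and c["version"] != pkg.version:
        return False  # criterion pins an exact version we do not ship
    if crit.version_end_excluding and version_key(pkg.version) >= version_key(crit.version_end_excluding):
        return False  # our version already contains the fix
    return True


def scan(pkg: Package, criteria, matcher=strict_match) -> list:
    """Return the sorted advisory ids that `matcher` reports for `pkg`."""
    return sorted({c.advisory for c in criteria if matcher(pkg, c)})


# Constructed criteria modelled on the three reports above.
CRITERIA = [
    Criterion("CVE-2015-2987", "cpe:2.3:a:type74:ed:*:*:*:*:*:*:*:*"),
    Criterion("CVE-2022-26691", "cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*",
              version_end_excluding="2.4.2"),
    Criterion("EXAMPLE-JENKINS-GIT-PLUGIN", "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*"),
]
ED = Package("ed", "1.19", frozenset({"gnu"}))
CUPS = Package("cups", "2.4.7", frozenset({"openprinting", "apple"}))
OLD_CUPS = Package("cups", "2.4.1", frozenset({"openprinting", "apple"}))
GIT = Package("git", "2.42.0", frozenset({"git-scm", "git"}))

if __name__ == "__main__":
    for p in (ED, CUPS, OLD_CUPS, GIT):
        print(f"{p.pname}-{p.version}: naive={scan(p, CRITERIA, naive_match)} "
              f"strict={scan(p, CRITERIA)}")
```

The vendor check only helps if the package record carries a vendor, which is exactly the data the Jenkins report says we do not get for free; without it, `strict_match` should treat an unknown vendor as "unmatched, needs triage" rather than silently accept it.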
As always, in data stuff, our data source can have quality issues. Here's a compilation of known problems.
- `meta` is `null` for
  ```
  {'attr': 'stdenvBootstrapTools.aarch64-unknown-linux-gnu.test', 'attrPath': ['stdenvBootstrapTools', 'aarch64-unknown-linux-gnu', 'test'],...
  ```
Because of a bug in the way we extract version numbers, problems for 'kernel' and 'glibc' are also reported for 'kernel-modules' and 'glibc-locales'.
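One way a name/version extractor produces exactly that overlap is by taking the first dash-free run as the package name. The block below is an added example, not the tracker's code: `parse_drv_name` follows the rule of Nix's `builtins.parseDrvName` (the name ends at the first `-` that is followed by a non-letter), `prefix_split` is a constructed stand-in for a prefix-based extractor and is not a claim about the tracker's actual bug, and the store names and advisory ids are constructed.

```python
"""Splitting Nix derivation names into (pname, version): added example.

`parse_drv_name` mirrors Nix's builtins.parseDrvName. `prefix_split` is a
constructed buggy extractor used only to show how 'kernel' can swallow
'kernel-modules'. Store names and advisory ids are constructed.
"""
import re


def parse_drv_name(name: str) -> tuple:
    """(pname, version): split at the first '-' followed by a non-letter."""
    for i, ch in enumerate(name):
        if ch == "-" and i + 1 < len(name) and not re.match(r"[A-Za-z]", name[i + 1]):
            return name[:i], name[i + 1:]
    return name, ""  # no version component


def prefix_split(name: str) -> tuple:
    """Constructed buggy extractor: first letter run is the name, first
    digit run is the version. 'kernel-modules-6.1.55' becomes ('kernel', '6.1.55')."""
    m = re.match(r"([A-Za-z]+)-.*?(\d[\d.]*)", name)
    if not m:
        return name, ""
    return m.group(1), m.group(2)


def affected(store_names, advisories, splitter) -> dict:
    """Map each store name to the advisories keyed by the pname `splitter` yields."""
    hits = {}
    for s in store_names:
        pname, _version = splitter(s)
        if pname in advisories:
            hits[s] = advisories[pname]
    return hits


# Constructed inputs: advisories exist only for the base packages.
ADVISORIES = {"kernel": ["KERNEL-ADVISORY-1"], "glibc": ["GLIBC-ADVISORY-1"]}
STORE_NAMES = ["kernel-6.1.55", "kernel-modules-6.1.55",
               "glibc-2.38-27", "glibc-locales-2.38-27"]

if __name__ == "__main__":
    print("prefix_split:", affected(STORE_NAMES, ADVISORIES, prefix_split))
    print("parse_drv_name:", affected(STORE_NAMES, ADVISORIES, parse_drv_name))
```

With the buggy splitter all four store names are flagged; with the parseDrvName rule only `kernel-6.1.55` and `glibc-2.38-27` are. Note the edge case the rule handles deliberately: `foo-bar` has no version at all, because the dash is followed by a letter.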
To best focus your efforts, it is useful to be able to see the severity level assigned to each advisory. Unfortunately, there are different severity systems: CVSS is popular, but...
Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/cbe45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2023-38253](https://www.cve.org/CVERecord?id=CVE-2023-38253) in w3m. While this looks like a legitimate DoS vulnerability when w3m is used with untrusted HTML sites,...