
Web service for managing information on vulnerabilities in software distributed through Nixpkgs

113 nix-security-tracker issues

As encountered in the example of #31, there might be situations where we might want to assign a different severity based on context. In this case: the `w3m` advisory may...

enhancement
online-tracker
local-scanner

Part of the challenge of the local scanner is to create an inventory of all currently-installed packages. This is similar to #8 on the server side, but different: locally we...

local-scanner

Apparently they can ingest SBOMs with vulnerability information, which we might be able to semi-easily generate:
* https://discourse.nixos.org/t/scanning-nix-packages-with-sonatype-nexus-iq-clm-scan-tool/35583/4
* https://help.sonatype.com/iqserver/automating/rest-apis/third-party-scan-rest-api---v2#ThirdPartyScanRESTAPIv2-Step2
(definitely not for the initial milestone though)

local-scanner

At our meeting 2023-11-15, we defined our demo target to be a CLI tool which does these four things: 1. scan dependencies used locally (from some combination of derivation graphs,...

(personal notes; will be expanded upon later.) In the event someone will write a daemon or a tool to scan (continuously) NixOS closures for security vulnerabilities, it would be...

local-scanner

Currently, ingesting of the initial 230K of CVEs takes around 25 minutes on a very fast CPU (130-200 CVE/s). In practice, SQLite can do much more than that (96K inserts/s...

help wanted
good first issue
nice to have
data
performance

The security tracker should have a "bot" account that can open PRs on behalf of another user, but not as the other user. https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user should not be used as it...

automation

As noted in https://github.com/Nix-Security-WG/nix-security-tracker/pull/165#discussion_r1682547683, the following refactor will improve the readability of the Github sync code and its test suite: - Move `set_groups_for_new_user` inside the `GithubState` class, and connect it...

nice to have

Delta CVE should error if the gap is too large. We should also create a new top-level management command called `ingest_cve` which does either bulk ingestion or delta ingestion based...

nice to have
backend
performance