nix-security-tracker
Web service for managing information on vulnerabilities in software distributed through Nixpkgs
[Deployment through the module uses `daphne`](https://github.com/Nix-Security-WG/nix-security-tracker/blob/main/nix/web-security-tracker.nix#L217-L218), while the initial sync is [only run when doing `manage runserver`](https://github.com/Nix-Security-WG/nix-security-tracker/blob/main/src/website/shared/apps.py#L15). Make sure deployment always syncs on startup and sync can be run manually...
Found values so far: - web-security-tracker - nix-security-tracker I'd vote for nix-security-tracker, as it's also the repository name.
`ingest_bulk_cve` uses WARNING to log information; it should be INFO.
Deploy the complete system to infrastructure managed by the NixOS infra team. - [ ] Production deployment (e.g. security.nixos.org) - [x] #227 Depends on: - https://github.com/Nix-Security-WG/nix-security-tracker/issues/228
_This issue is not in the scope of our paid work and sprints._ Currently, we have GitHub dependencies in two forms: - OAuth 2 connector - Foreign entities who are...
We should create a common module for SSH keys that can be called by the GH action playbook to render known hosts keys rather than duplicate them.
As a developer of the security tracker backend, I want to know which errors or inconsistencies there are with the data it is processing. This way we can fix the...
We have a bunch of performance-sensitive code; it doesn't have to be suffering to capture performance data. Let's just have some OTEL integration. I can link this up to...
As a security team member, I want to have an overview of untriaged CVEs, displayed as a priority list. Each item in that list should only show the most relevant...
Currently, ingesting the full CVE list and a copy of nixpkgs can take several hours, dramatically reducing iteration speed. To facilitate faster development, it would be useful to asynchronously generate...