vuls icon indicating copy to clipboard operation
vuls copied to clipboard
verified publisher icon future-architect

request: more BOM sources and general CVE scans

Open mcandre opened this issue 2 years ago • 2 comments

I love how vuls supports scanning for CVE's in some common package managers. I would like to see this list extended, in order to catch security problems on more machines.

(If you already include support for some of these, please lemme know which ones!)

  • App Store (macOS)
  • adb (Android)
  • arch-audit (Arch Linux)
  • pkg-audit (FreeBSD, DragonflyBSD, HardenedBSD)
  • pkg_admin audit (NetBSD)
  • pkg for more FreeBSD variants, including DragonflyBSD, HardenedBSD, NetBSD, OpenBSD, etc.
  • pkgin
  • pkgsrc
  • Snap (Linux)
  • Flatpak (Linux)
  • apk (Alpine Linux)
  • apt (Debian Linux family)
  • ipkg (busybox/toybox Linux)
  • opkg (OpenWrt Linux)
  • PPA's (Ubuntu Linux family)
  • urpmi (Mageia Linux)
  • Homebrew (macOS and Linux)
  • Chocolatey (Windows)
  • winget (Windows)
  • various WSL package managers, when vuls is run directly on a Windows host shell outside of WSL
  • Windows Store (Windows)
  • Cygwin / MSYS2 / MinGW / Strawberry Perl (Windows)
  • cpan-audit (Perl programming language)
  • entries registered as Installed Programs (Windows)
  • arbitrary files in "C:\Program Files" and "C:\Program Files (x86)" (Windows)
  • yast (OpenSuSE)
  • yum (RHEL Linux family)
  • Cargo (Rust programming language, essentially just run cargo audit)
  • pip (Python programming language, essentially just run the third party safety check command)
  • Snyk CLI (many programming languages)
  • RubyGems (Ruby programming language, essentially just run gem audit)
  • NPM (JavaScript programming language family, essentially just run npm audit)
  • Ansible
  • Terraform
  • Salt
  • Chef
  • Puppet ( see the vulnerability module https://forge.puppet.com/modules/enterprisemodules/vulnerability/readme )
  • entries in archives (zip, tar/gz/tgz/tar.gz/bz2/tbz2/tar.bz2/xz/txz/tar.xz, rar, jar, war, lzma, 7z, etc.)
  • Cabal (Haskell programming language)
  • Dub (D programming language)
  • Conan (C/C++ programming languages)
  • vcpkg (C/C++ programming languages)
  • ASDF (the Common Lisp package manager, not the version manager)
  • various Scheme language package managers
  • ShellCheck (POSIX sh family programming languages)
  • ohmyzsh and various other zsh, bash, etc. shell package managers
  • Kubernetes (with KICS, checkov, etc.)
  • go mod (Go programming language, just run snyk test)
  • vendor source trees (various programming languages)
  • git submodules

I think a lot of vulnerabilities hide out in these kinds of alleys, so the more of these we can include in vuls scans, the stronger our security posture will be.

mcandre avatar Apr 12 '23 17:04 mcandre

It may be more valuable to summarize the availability of security advisories than on a per-package manager basis.

MaineK00n avatar Apr 13 '23 04:04 MaineK00n

Please refer to the following for the status of Vuls support.

  • https://vuls.io/docs/en/supported-os.html
  • https://vuls.io/docs/en/usage-scan-non-os-packages.html

MaineK00n avatar Apr 13 '23 04:04 MaineK00n