Arnout Engelen

Results: 416 issues by Arnout Engelen

Currently the flake.nix is still rather developer-oriented; eventually it should package the scanner as a 'user-consumable' package. Remaining tasks:

* rename `CVENix`/`local-security-scanner` to something neater?
* add a wrapper to...

local-scanner

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2015-2987](https://www.cve.org/CVERecord?id=CVE-2015-2987) in ed. This is a false positive, because our 'ed' is GNU ed, not the (unrelated) `cpe:2.3:a:type74:ed`. We...

local-scanner
false-positive

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2022-26691](https://www.cve.org/CVERecord?id=CVE-2022-26691) in cups. This is a false positive, because this issue was fixed in version 2.4.2 and we are...

local-scanner
false-positive
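The two false positives above (GNU ed matched to `cpe:2.3:a:type74:ed`, and cups flagged for an issue fixed in 2.4.2) both come down to how a local package is matched against an advisory's affected-configuration list. The following is an added example, not code from nix-security-tracker: it parses CPE 2.3 strings, requires vendor *and* product to match, and then checks the installed version against a first-fixed version. The advisory entries, the vendor strings (`gnu`, `openprinting`) and the NVD-style `versionEndExcluding` field are assumptions made for this example.

```python
"""Added example (not code from nix-security-tracker): match a local package
against an advisory's affected-configuration list by CPE vendor *and* product,
then by version range. Advisory entries, the vendor strings ('gnu',
'openprinting') and the NVD-style versionEndExcluding field are assumptions
made for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its named components.
    Escaped separators ('\\:') inside a value are not handled here."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    names = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(names, fields[2:]))


def version_key(version: str) -> Tuple[int, ...]:
    """Dotted-numeric comparison key: 2.4.1 < 2.4.2 < 2.4.10.
    Simplification for this example; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


@dataclass
class Affected:
    cpe: str
    version_end_excluding: Optional[str] = None  # first fixed version, if any


@dataclass
class LocalPackage:
    name: str
    version: str
    vendor: str  # assumed to be derived from package metadata (upstream/homepage)


def matches_product_only(pkg: LocalPackage, affected: List[Affected]) -> bool:
    """Naive matcher: product name only. This is what yields 'ed' -> type74:ed."""
    return any(parse_cpe23(a.cpe)["product"] == pkg.name for a in affected)


def is_affected(pkg: LocalPackage, affected: List[Affected]) -> bool:
    """Vendor+product must match, and the installed version must be below the
    first fixed version (when the entry records one)."""
    for a in affected:
        c = parse_cpe23(a.cpe)
        if (c["vendor"], c["product"]) != (pkg.vendor, pkg.name):
            continue
        if a.version_end_excluding is not None and \
                version_key(pkg.version) >= version_key(a.version_end_excluding):
            continue
        return True
    return False


# Constructed data shaped after the two false positives above (not the real records).
ED_ADVISORY = [Affected("cpe:2.3:a:type74:ed:*:*:*:*:*:*:*:*")]
CUPS_ADVISORY = [Affected("cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*",
                          version_end_excluding="2.4.2")]
GNU_ED = LocalPackage("ed", "1.19", "gnu")
CUPS_FIXED = LocalPackage("cups", "2.4.2", "openprinting")
CUPS_OLD = LocalPackage("cups", "2.4.1", "openprinting")

if __name__ == "__main__":
    print("ed (product only):", matches_product_only(GNU_ED, ED_ADVISORY))  # True: false positive
    print("ed (vendor+product):", is_affected(GNU_ED, ED_ADVISORY))          # False
    print("cups 2.4.2:", is_affected(CUPS_FIXED, CUPS_ADVISORY))             # False
    print("cups 2.4.1:", is_affected(CUPS_OLD, CUPS_ADVISORY))               # True
```

The vendor has to come from somewhere on the local side; in nixpkgs the natural candidates are `meta.homepage` or the fetch URL of the source, and that mapping is the part that will need curation rather than the CPE comparison itself.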

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2023-3341](https://www.cve.org/CVERecord?id=CVE-2023-3341) in bind. This is a false positive, because this image is not actually using the bind daemon, but...

local-scanner
false-positive

Because of a bug in the way we extract version numbers, problems for 'kernel' and 'glibc' are also reported for 'kernel-modules' and 'glibc-locales'.

bug
local-scanner
false-positive

To best focus your efforts, it is useful to be able to see the severity level assigned to each advisory. Unfortunately, there are different severity systems: CVSS is popular, but...

enhancement
local-scanner

Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/cbe45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2023-38253](https://www.cve.org/CVERecord?id=CVE-2023-38253) in w3m. While this looks like a legitimate DoS vulnerability when w3m is used with untrusted HTML sites,...

local-scanner
false-positive

As encountered in the example of #31, there might be situations where we might want to assign a different severity based on context. In this case: the `w3m` advisory may...

enhancement
online-tracker
local-scanner

Part of the challenge of the local scanner is to create an inventory of all currently-installed packages. This is similar to #8 on the server side, but different: locally we...

local-scanner
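Building the inventory described here and the version-extraction bug reported above ('kernel' problems also reported for 'kernel-modules') are two sides of the same parsing step, so one added example covers both. It is not the tracker's own code: it reduces Nix store paths to (name, version) pairs using the rule `builtins.parseDrvName` uses (the name ends at the first `-` that is not followed by a letter), and shows next to it a naive split on the first dash, which is one way such a misattribution arises. The store hash and the package set are constructed for this example; the actual bug in the scanner may look different.

```python
"""Added example, not code from nix-security-tracker: build a package
inventory from Nix store paths, splitting each store name with the
parseDrvName rule (name ends at the first '-' not followed by a letter).
A naive first-dash split is shown alongside to illustrate how
'kernel-modules-6.1.2' can get attributed to 'kernel'. The store hash and
package set below are constructed."""
import re
from string import ascii_letters
from typing import Callable, List, NamedTuple


class DrvName(NamedTuple):
    name: str
    version: str


# /nix/store/<32 chars of Nix base32 alphabet>-<name>-<version>...
STORE_PATH_RE = re.compile(r"^/nix/store/([0-9a-df-np-sv-z]{32})-(.+)$")


def parse_drv_name(s: str) -> DrvName:
    """Same rule as builtins.parseDrvName: split at the first dash whose
    following character is not a letter; no such dash means no version."""
    for i, ch in enumerate(s):
        if ch == "-" and not (i + 1 < len(s) and s[i + 1] in ascii_letters):
            return DrvName(s[:i], s[i + 1:])
    return DrvName(s, "")


def naive_drv_name(s: str) -> DrvName:
    """Buggy variant: split at the first dash regardless of what follows,
    so 'kernel-modules-6.1.2' becomes ('kernel', 'modules-6.1.2')."""
    name, _, version = s.partition("-")
    return DrvName(name, version)


def parse_store_path(path: str, parser: Callable[[str], DrvName] = parse_drv_name) -> DrvName:
    m = STORE_PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a Nix store path: {path!r}")
    return parser(m.group(2))


def inventory(paths: List[str], parser: Callable[[str], DrvName] = parse_drv_name) -> List[DrvName]:
    return [parse_store_path(p, parser) for p in paths]


def versions_of(inv: List[DrvName], name: str) -> List[str]:
    """Versions the inventory holds for exactly this package name."""
    return [d.version for d in inv if d.name == name]


# Constructed store paths; the hash is just the Nix base32 alphabet, 32 chars.
HASH = "0123456789abcdfghijklmnpqrsvwxyz"
SAMPLE_PATHS = [
    f"/nix/store/{HASH}-kernel-6.1.2",
    f"/nix/store/{HASH}-kernel-modules-6.1.2",
    f"/nix/store/{HASH}-glibc-2.37-8",
    f"/nix/store/{HASH}-glibc-locales-2.37-8",
    f"/nix/store/{HASH}-python3-3.11.4",
]

if __name__ == "__main__":
    good = inventory(SAMPLE_PATHS)
    bad = inventory(SAMPLE_PATHS, naive_drv_name)
    print("kernel (parseDrvName rule):", versions_of(good, "kernel"))  # ['6.1.2']
    print("kernel (naive split):", versions_of(bad, "kernel"))         # ['6.1.2', 'modules-6.1.2']
```

On a real system the paths would come from `nix-store --query --requisites` of the system closure (an assumption about how the inventory is gathered; the issue leaves that open), and every reported finding should carry the exact parsed name, so a glance at the report shows whether 'glibc' or 'glibc-locales' was meant.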

Apparently they can ingest SBOMs with vulnerability information, which we might be able to semi-easily generate:

* https://discourse.nixos.org/t/scanning-nix-packages-with-sonatype-nexus-iq-clm-scan-tool/35583/4
* https://help.sonatype.com/iqserver/automating/rest-apis/third-party-scan-rest-api---v2#ThirdPartyScanRESTAPIv2-Step2

(definitely not for the initial milestone though)

local-scanner