Use of `vulnix` with colmena
I wanted to use vulnix to check for known vulnerabilities, and I didn't find a way to run it for every host. Any idea how I could do this?
You can use `colmena eval` to extract arbitrary information from your configuration. Since vulnix parses .drvs directly, you can get the derivations of the system profiles:
$ colmena eval --instantiate -E '{ nodes, ... }: nodes.node-a.config.system.build.toplevel'
[...]
/nix/store/yc7ql9nxwlxyf4y2g7jqafff3n24008n-nixos-system-node-a-22.11pre-git.drv
$ vulnix $(colmena eval --instantiate -E '{ nodes, ... }: nodes.node-a.config.system.build.toplevel')
[...]
websockets-0.12.7.3
/nix/store/11zmv5pvd90qixi5x8mmav7dnd8xyxpn-websockets-0.12.7.3.drv
CVE CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-33880 5.9
[...]
# You can evaluate all nodes at once (mapAttrs comes from the lib argument that colmena eval passes in)
$ colmena eval -E '{ nodes, lib, ... }: lib.mapAttrs (name: node: node.config.system.build.toplevel.drvPath) nodes'
{"node-a":"/nix/store/yc7ql9nxwlxyf4y2g7jqafff3n24008n-nixos-system-node-a-22.11pre-git.drv"}
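One way to turn that into a scan of every host in the hive, as an added example that is not part of the original answer: it assumes colmena, vulnix and nix are on PATH, that the hive is in the current directory, and that the evaluated JSON is a flat map whose store paths contain no commas or quotes.

```shell
#!/bin/sh
# Added example (not from the original answer): scan every colmena node with
# vulnix. Assumes colmena, vulnix and nix on PATH, the hive in the current
# directory, and store paths without commas or quotes.

# Evaluate the toplevel derivation path of every node as one flat JSON object.
all_drvs() {
    colmena eval -E '{ nodes, lib, ... }:
        lib.mapAttrs (name: node: node.config.system.build.toplevel.drvPath) nodes'
}

# Convert {"node-a":"/nix/store/...drv","node-b":"..."} into
# "node-a /nix/store/...drv" lines. The map is flat and the values are
# store paths, so sed is enough and no jq dependency is needed.
drv_lines() {
    tr ',' '\n' | sed -e 's/[{}]//g' \
        -e 's/^ *"\([^"]*\)" *: *"\([^"]*\)" *$/\1 \2/'
}

# vulnix exit status: 0 clean, 2 vulnerabilities found, anything else an error.
classify() {
    case "$1" in
        0) echo clean ;;
        2) echo vulnerable ;;
        *) echo error ;;
    esac
}

# Run vulnix once per node and print a one-line verdict per host.
# Returns non-zero if any host was vulnerable or failed to scan.
scan_all() {
    lines=$(all_drvs | drv_lines)
    [ -n "$lines" ] || return 1
    worst=0
    while read -r name drv; do
        [ -n "$name" ] || continue
        printf '== %s (%s)\n' "$name" "$drv"
        if vulnix "$drv"; then rc=0; else rc=$?; fi
        printf '== %s: %s\n' "$name" "$(classify "$rc")"
        [ "$rc" -eq 0 ] || worst=1
    done <<EOF
$lines
EOF
    return "$worst"
}

# Invoke as `./scan.sh --scan`; sourcing the file only defines the functions.
case "${1:-}" in
    --scan) scan_all ;;
esac
```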