
Use of `vulnix` with colmena

Open otavio opened this issue 2 years ago • 1 comment

I wanted to use vulnix to check for known vulnerabilities, and I didn't find a way to run it for every host. Any idea how this could be done?

otavio avatar Jul 02 '22 14:07 otavio

You can use colmena eval to extract arbitrary information from your configuration. Since vulnix parses .drvs directly, you can get the derivations of the system profiles:

$ colmena eval --instantiate -E '{ nodes, ... }: nodes.node-a.config.system.build.toplevel'
[...]
/nix/store/yc7ql9nxwlxyf4y2g7jqafff3n24008n-nixos-system-node-a-22.11pre-git.drv

$ vulnix $(colmena eval --instantiate -E '{ nodes, ... }: nodes.node-a.config.system.build.toplevel')
[...]
websockets-0.12.7.3

/nix/store/11zmv5pvd90qixi5x8mmav7dnd8xyxpn-websockets-0.12.7.3.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-33880    5.9
[...]

# You can evaluate all nodes at once
$ colmena eval -E '{ nodes, ... }: builtins.mapAttrs (name: node: node.config.system.build.toplevel.drvPath) nodes'
{"node-a":"/nix/store/yc7ql9nxwlxyf4y2g7jqafff3n24008n-nixos-system-node-a-22.11pre-git.drv"}

zhaofengli avatar Jul 03 '22 00:07 zhaofengli
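Putting the two halves of the answer together, here is an added example script (not from the issue or from the colmena project) that evaluates every node once, as in the comment above, and runs vulnix per host so each finding is attributed to a node. It assumes `colmena` and `vulnix` on PATH, a hive in the current directory, and vulnix's exit codes as I understand them (0 clean, 1 error, 2 findings); the JSON parsing is deliberately jq-free.

```shell
#!/bin/sh
# Added example: scan every colmena node with vulnix.
# Assumptions: colmena and vulnix on PATH, hive in the current directory,
# vulnix exit codes 0 = clean, 1 = error, 2 = vulnerabilities found.

# Turn colmena's flat JSON object {"node":"/nix/store/...drv",...}
# into one "node drv" pair per line (sed/tr only, no jq needed).
node_drvs() {
  tr -d '{}\n' | tr ',' '\n' \
    | sed -n 's/^ *"\([^"]*\)" *: *"\([^"]*\)" *$/\1 \2/p'
}

# Evaluate all nodes once, then run vulnix on each system .drv.
# Returns non-zero if any host has a finding, so it can gate CI.
scan_all_nodes() {
  pairs=$(mktemp) || return 1
  colmena eval -E '{ nodes, ... }: builtins.mapAttrs (name: node: node.config.system.build.toplevel.drvPath) nodes' \
    | node_drvs > "$pairs"
  affected=0
  while read -r node drv; do
    printf '=== %s (%s)\n' "$node" "$drv"
    rc=0
    vulnix "$drv" || rc=$?           # keep going under set -e
    case $rc in
      0) ;;                          # no known CVEs for this host
      2) affected=$((affected + 1)) ;;
      *) echo "vulnix failed on $node (exit $rc)" >&2
         rm -f "$pairs"; return 1 ;;
    esac
  done < "$pairs"
  rm -f "$pairs"
  echo "hosts with findings: $affected"
  [ "$affected" -eq 0 ]
}

# Run the scan only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  scan_all_nodes
fi
```

Whitelisting of accepted CVEs is left to vulnix's own `--whitelist` option, which the script does not wrap.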