NixOS support #1673
Comments
This issue is stale because it has been labeled with inactivity.
This is still important to me. As I said, I'm happy to work on this but I need some guidance.
Sorry we missed it. Doesn't it have security advisories?
We just consume advisories from https://nvd.nist.gov & https://openwall.com AFAIK. We automatically put NVD posts into issues (e.g. NixOS/nixpkgs#166626) and vulnix (the tool linked above) also uses NVD. Other than that it's just discussion in Matrix and sometimes listing them in our packaging, but it's quite non-standard atm, so pulling those out with a script wouldn't be great right now. Would it be possible to just use NVD as the source for now? Or would we need to maintain our own list?
As you are aware, other distributions have backport fixes and fixed versions are different from NVD. If we use NVD, it will lead to a lot of false positives. We're concerned about it.
Ok cool. I can have a chat with the NixOS team and see if people want to maintain a list :)
This issue is stale because it has been labeled with inactivity.
Hello @knqyf263, I'm looking into building out a fixes list & the Alpine structure looks pretty good: https://secdb.alpinelinux.org/v3.10/main.json. Is there a standard for these types of lists across Alpine, Debian, etc., or are they all pretty different? Do you have a "favorite" security fix list that I'd be best off reviewing?
Thanks. I might be misunderstanding, but having a quick read through, OVAL looks like a format for recording vulnerabilities that exist rather than recording what has already been fixed, like Alpine's secdb? e.g. I want to make it clear that CVE-XYZ has been patched for our copy of busybox v0.0.0, so CVE-XYZ should be skipped instead of matching.
OVAL supports patched and unpatched vulnerabilities both. You can refer to Red Hat's feeds.
OK, thanks. I'll have a read through.
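As an added illustration of the backport problem discussed in this thread (example code, not from this issue, trivy or vulnix): a Go sketch of a fixes list in the shape of Alpine's secdb JSON and the check that turns an NVD-only match into a skip when the distro already backported the fix. The JSON sample, the busybox versions and the simplified version ordering are constructed assumptions.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)
type secdb struct { // Alpine secdb layout: per package, fixed-version -> CVEs closed in it
	Packages []struct {
		Pkg struct {
			Name     string              `json:"name"`
			Secfixes map[string][]string `json:"secfixes"`
		} `json:"pkg"`
	} `json:"packages"`
}
// Constructed sample, not real data: the distro backported the CVE-XYZ fix into busybox 1.30.1-r2.
const sampleDB = `{"packages":[{"pkg":{"name":"busybox","secfixes":{"1.30.1-r2":["CVE-XYZ"]}}}]}`
// cmpVersion is a simplified ordering ('.'/'-' fields, "r2" read as 2); a real scanner needs the distro's own rules.
func cmpVersion(a, b string) int {
	sep := func(r rune) bool { return r == '.' || r == '-' }
	fa, fb := strings.FieldsFunc(a, sep), strings.FieldsFunc(b, sep)
	for i := 0; i < len(fa) || i < len(fb); i++ {
		var x, y int // a missing field reads as 0, so 1.30.1 == 1.30.1-r0
		if i < len(fa) { x, _ = strconv.Atoi(strings.TrimPrefix(fa[i], "r")) }
		if i < len(fb) { y, _ = strconv.Atoi(strings.TrimPrefix(fb[i], "r")) }
		if x != y {
			return x - y // only the sign matters to callers
		}
	}
	return 0
}
// DistroFixed: is cve already patched in the installed build of pkg? If so, an NVD match is a backport false positive.
func DistroFixed(db []byte, pkg, installed, cve string) (bool, error) {
	var d secdb
	if err := json.Unmarshal(db, &d); err != nil { return false, err }
	for _, p := range d.Packages {
		for fixedVer, cves := range p.Pkg.Secfixes {
			for _, c := range cves {
				if p.Pkg.Name == pkg && c == cve && cmpVersion(installed, fixedVer) >= 0 {
					return true, nil
				}
			}
		}
	}
	return false, nil
}
func main() {
	fixed, _ := DistroFixed([]byte(sampleDB), "busybox", "1.30.1-r2", "CVE-XYZ")
	fmt.Println("NVD-only rule flags it:", cmpVersion("1.30.1-r2", "1.31.0") < 0, "| distro list says fixed:", fixed)
}
```

With an upstream fix in 1.31.0, an NVD-only rule reports the backported 1.30.1-r2 build, while the fixes list marks CVE-XYZ as patched there and lets the scanner skip it.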
I'm interested in having NixOS scanning support
I was looking into adding the feature, basing my code off the existing code for alpine/amazon/rhel and diving into trivy-db but I realized all these distros have official vuln trackers.
I was hoping to just use NVD warnings but I noticed no other scanner explicitly relies on that & it also has the downside of being quite inaccurate since we do apply patches to fix some vulns.
One point on accuracy is it wouldn't be any more inaccurate than https://github.com/flyingcircusio/vulnix/ , which is currently the only nix/nixos CVE scanner I'm aware of, and which only relies on NVD.
It'd be nice to have another option, especially one written in golang. And I think it'd be good to get this out there ahead of an increase in nix use due to people becoming more interested in Supply Chain, Provenance, SBOM, Hermetic builds, Reproducible builds, SLSA, etc., which are areas where nix is quite nifty.
One other thing I haven't looked into is whether trivy follows symlinks. NixOS uses quite a lot of symlinks, so this might end up being required. If following symlinks isn't existing behavior, maybe it can be optional or only turned on for NixOS, etc.