Ability to blacklist CPE patterns for specific Nixpkgs packages? #62
Comments
|
Interesting idea. Need to think about how to extend vulnix' matching code. |
|
See also NixOS/nixpkgs#75974 |
|
See also https://nvd.nist.gov/vuln/detail/CVE-2019-11644 (from NixOS/nixpkgs#88393) |
|
See also NixOS/nixpkgs#88405 (comment) |
|
See also NixOS/nixpkgs#88371 |
|
Another instance: NixOS/nixpkgs#90831 (comment) |
|
NixOS/nixpkgs#92864 - disregard gitlab enterprise edition |
|
Misinterpretation of terraform-provide-aws NixOS/nixpkgs#96829 |
|
Need to disambiguate between firefox and firefox_esr, e.g. in https://nvd.nist.gov/vuln/detail/CVE-2020-15655 Seen in NixOS/nixpkgs#101152 |
|
Jenkins InfluxDB plugin: NixOS/nixpkgs#102795 |
|
Jenkins Kanboard plugin: NixOS/nixpkgs#102798 |
|
KeystoneJS NixOS/nixpkgs#102800 |
|
MySQL component of Oracle SQL: NixOS/nixpkgs#102883 |
|
matrix-synapse: NixOS/nixpkgs#102901 |
|
Jetbrains Scala project (plugin) NixOS/nixpkgs#100322 |
|
Styx: Java reverse proxy (https://github.com/HotelsDotCom/styx) vs static site generator: NixOS/nixpkgs#90985 |
|
HP/Aruba airwave vs Airwave media player: NixOS/nixpkgs#99730 (comment) |
|
diamond-0.8.36: cryptocurrency vs bioinformatics NixOS/nixpkgs#90781 |
|
connect-1.105: proxy vs Adobe product NixOS/nixpkgs#90741 |
|
unicode-2.6: nodejs vs Python lib |
|
st-0.8.3: node.js app vs. terminal emulator |
|
gatling-0.15: Jenkins plugin vs webserver |
|
fastjson-0.99.8: Java vs C library |
|
drive-0.3.8.1: Synology app vs Google drive client |
|
drill-0.6.0: Apache drill vs. Rust-based load tester |
|
gogs-0.12.3: Jenkins plugin vs standalone Go app |
|
openssl C library vs Ruby gem: NixOS/nixpkgs#106218 (comment) |
|
Aviatrix OpenVPN client vs. openvpn core: NixOS/nixpkgs#106219 (comment) |
|
Jenkins findbugs plugin: NixOS/nixpkgs#106190 (comment) |
|
Jenkins InfluxDB plugin: NixOS/nixpkgs#106198 (comment) |
|
built-in php calendar extension vs. PECL calendera extension: NixOS/nixpkgs#106226 (comment) |
|
GNOME Orca vs. Spinnaker Orca: NixOS/nixpkgs#106220 (comment) |
|
HashiCorp Vault vs. TIBCO Managed File Transfer Internet Server: NixOS/nixpkgs#109227 (comment) |
|
A lot of stuff. I've been tinkering with this issues for a while now and my current idea is not to use a blacklist but to include a |
|
firefox ESR/regular, Linux/Android: NixOS/nixpkgs#113435 (comment) |
Was pondering the same. Have you discussed this possibility with Eelco and/or other Nixpkgs contributors? "Polluting" Nixpkgs might not be the nicest thing, but |
I've just noticed a few false positives, basically a all duplicates of the following two issues:
Because e.g.
cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*matched for Git (while it's for the Jenkins Git plugin) andcpe:2.3:a:redhat:fuse:*:*:*:*:*:*:*:*matched for fuse (while it's for Red Hat Fuse instead of libfuse).There will obviously always be some false positive but I was wondering if we could do something about these two cases. Either by changing the matching algorithm or maintaining a blacklist (e.g.
jenkins:git != git(there's alsogitFullso maybe usingpnamewould actually be better))?(Note: I'm unfortunately not familiar with the current implementation.)
The text was updated successfully, but these errors were encountered: