Cannot build vulnix with sandbox on

[j-baker]

I'm not sure of the exact circumstances - in any case, I run on MacOS.

error: builder for '/nix/store/72p3497238gfbajfkn120v9vn0vcp09p-vulnix-1.10.1.drv' failed with exit code 1;
       last 10 log lines:
       > Coverage HTML written to dir htmlcov
       >
       > =========================== short test summary info ============================
       > ERROR src/vulnix/tests/nvd_test.py::test_update - PermissionError: [Errno 1] Operation not permitted
       > ERROR src/vulnix/tests/resource_test.py::test_open_remote - socket.gaierror: [Errno 8] nodename nor servname provided, or not known
       > ERROR src/vulnix/tests/resource_test.py::test_multiple_resources - socket.gaierror: [Errno 8] nodename nor servname provided, or not known
       > ERROR src/vulnix/tests/test_derivation.py::test_check_returns_cves - PermissionError: [Errno 1] Operation not permitted
       > ERROR src/vulnix/tests/test_derivation.py::test_ignore_patched_cves_during_check - PermissionError: [Errno 1] Operation not permitted
       > ERROR src/vulnix/tests/vulnerability_test.py::test_product_not_found - PermissionError: [Errno 1] Operation not permitted
       > =================== 59 passed, 9 warnings, 6 errors in 0.78s ===================
       For full logs, run 'nix log /nix/store/72p3497238gfbajfkn120v9vn0vcp09p-vulnix-1.10.1.drv'.

Running the build with sandbox off succeeds. My expectation here is that the vulnix tests access the internet to acquire the CVE database? This means that with sandbox on, the build will fail. Not sure if there's anything difference re: Linux vs MacOS.

I'm wondering if the tests could be fully pure by accessing a copy of the database that's been downloaded as a part of the Nix build, rather than using the network API?

[aciceri]

Related to #88