Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

leverage third-party databases in order to map packages to CVEs #94

Open
lolbinarycat opened this issue Mar 31, 2024 · 5 comments
Open

leverage third-party databases in order to map packages to CVEs #94

lolbinarycat opened this issue Mar 31, 2024 · 5 comments

Comments

@lolbinarycat
Copy link

there a few existing vulnerability databases that have an "upstream source code" field. (eg. github and arch linux both have one, also NVE has some metadata links on each CPE)

using the various metadata urls in nixpkgs (as well as src.url) it should be possible to use these to build a more accurate database of mappings.
@lolbinarycat
Copy link
Author

here's a prototype script that outputs metadata urls for a given vulnerability

#!/usr/bin/env fish

set -l cveId $argv[1]

set -l cpeCriteriaMatchList (curl 'https://services.nvd.nist.gov/rest/json/cves/2.0?cveId='$cveId | jq -r '.vulnerabilities.[].cve.configurations.[].nodes.[].cpeMatch.[].matchCriteriaId')

for matchCriteriaId in $cpeCriteriaMatchList
	echo >&2 checking $matchCriteriaId
	curl 'https://services.nvd.nist.gov/rest/json/cpes/2.0?matchCriteriaId='$matchCriteriaId | jq -r '.products.[].cpe.refs.[]?.ref'
end | sort -u

calling that with CVE-2023-45853 as an argument yields both the zlib github repo and zlib.net, so it seems to work pretty well.

these values could then be matched against meta.homepage and src.url to find attrpaths that are affected by a given CVE

@lolbinarycat
Copy link
Author

and here's another quick script, this time for extracting the source urls from a derivation.

#!/usr/bin/env fish

function scrape_drv
	if test (count $argv) = 0
		return
	end
	scrape_drv (nix derivation show $argv | jq -r '.[keys.[]].env.src | select(type == "string")')
	nix derivation show $argv | jq -r '.[keys.[]].env.urls | select(type == "string")'
end

scrape_drv $argv

these are usually a bit more specific (eg. passing nixpkgs#zlib outputs https://github.com/madler/zlib/releases/download/v1.3/zlib-1.3.tar.gz), so for these i would recommend downloading the CPE dictionary and using a longest-matching-prefix heuristic.

@lolbinarycat
Copy link
Author

the advantage of the second approach is it fits the way vulnix currently works better, acting on store derivations instead of package attrsets.

@lolbinarycat
Copy link
Author

possibly also of use for the second case: https://git.envs.net/binarycat/nixpkgs-resolve-mirror

quickly and safely translates mirror:// urls into their http equivalents. there is also the showURLs option, but executing a possibly compromised derivation seems like a bad idea.

@ketzacoatl
Copy link

I think this would be a useful improvement to vulnix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ketzacoatl @lolbinarycat