{"id":14109813,"url":"https://github.com/nix-community/vulnix","last_synced_at":"2025-04-04T14:07:41.196Z","repository":{"id":44908748,"uuid":"62037471","full_name":"nix-community/vulnix","owner":"nix-community","description":"Vulnerability (CVE) scanner for Nix/NixOS.","archived":false,"fork":false,"pushed_at":"2024-07-03T10:37:50.000Z","size":3988,"stargazers_count":474,"open_issues_count":21,"forks_count":36,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-10-29T15:58:48.203Z","etag":null,"topics":["cve","nix","nixos","security","vulnerabilities","vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nix-community.png","metadata":{"files":{"readme":"README.rst","changelog":"CHANGES.rst","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"open_collective":"nix-community"}},"created_at":"2016-06-27T08:08:54.000Z","updated_at":"2024-10-28T06:50:19.000Z","dependencies_parsed_at":"2024-04-18T02:24:26.468Z","dependency_job_id":"dde7841a-df6f-4b09-88f9-68044bb47532","html_url":"https://github.com/nix-community/vulnix","commit_stats":{"total_commits":292,"total_committers":24,"mean_commits":"12.166666666666666","dds":"0.40410958904109584","last_synced_commit":"afd1a72ea94a23447aacb963b41ab1c3c78be217"},"previous_names":["nix-community/vulnix","flyingcircusio/vulnix"],"tags_count":34,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nix-community%2Fvulnix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nix-community
%2Fvulnix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nix-community%2Fvulnix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nix-community%2Fvulnix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nix-community","download_url":"https://codeload.github.com/nix-community/vulnix/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246944790,"owners_count":20858848,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","nix","nixos","security","vulnerabilities","vulnerability"],"created_at":"2024-08-14T10:02:30.623Z","updated_at":"2025-04-04T14:07:41.153Z","avatar_url":"https://github.com/nix-community.png","language":"Python","funding_links":["https://opencollective.com/nix-community"],"categories":["Python","Security"],"sub_categories":[],"readme":"Nix(OS) vulnerability scanner\n=============================\n\nThis is a utility that validates a Nix store for any packages that are\nreachable from live paths and likely to be affected by vulnerabilities\nlisted in the NVD.\n\nIt implements a CLI utility to inspect the current status and a\nmonitoring integration for Sensu.\n\nExample output\n\n.. 
code:: text\n\n  2 derivations with active advisories\n\n  ------------------------------------------------------------------------\n  binutils-2.31.1\n\n  /nix/store/zc1lbkaf9l9hlsp1jdiq3si56nsglymh-binutils-2.31.1.drv\n  CVE                                                CVSSv3\n  https://nvd.nist.gov/vuln/detail/CVE-2018-1000876  7.8\n  https://nvd.nist.gov/vuln/detail/CVE-2018-20657    7.5\n  https://nvd.nist.gov/vuln/detail/CVE-2018-20712    6.5\n\n  ------------------------------------------------------------------------\n  libssh2-1.9.0\n\n  /nix/store/mfpfclry68r4sv4mcc9hb88z0lb9jk1c-libssh2-1.9.0.drv\n  CVE                                                CVSSv3\n  https://nvd.nist.gov/vuln/detail/CVE-2019-17498    8.1\n\n\nTheory of operation\n-------------------\n\n``vulnix`` pulls all published CVEs from NIST_ and caches them locally. It\nmatches name and version of all derivations referenced from the command line\nagainst known CVE entries. A *whitelist* is used to filter out unwanted results.\n\nMatching Nix package names to NVD products is currently done via a coarse\nheuristic. First, a direct match is tried. If no product can be found,\nvariations with lower case and underscore instead of hyphen are tried. It is\nclear that this mapping is too simplistic and needs to be improved in future\nversions.\n\n\nSystem requirements\n-------------------\n\n- Depends on common Nix tools like ``nix-store``. These are expected to be in\n  $PATH.\n- Depends on being able to interact with the Nix store database\n  (/nix/var/nix/db). This means that it must either run as the same user that\n  owns the Nix store database or ``nix-daemon`` must be active.\n- Parses ``*.drv`` files directly. Tested with Nix \u003e=1.10 and 2.x.\n- It refuses to work without some locale environment settings. Try ``export\n  LANG=C.UTF-8`` if you see encoding errors.\n\n\nUsage Example\n=============\n\n- What vulnerabilities are listed for my current system\n\n.. 
code:: shell\n\n  vulnix --system\n\n- Check ``nix-build`` output together with its transitive closure\n\n.. code:: shell\n\n  vulnix result/\n\n- Check all passed derivations, but don't determine requisites\n\n.. code:: shell\n\n  vulnix -R /nix/store/*.drv\n\n- JSON output for machine post-processing\n\n.. code:: shell\n\n  vulnix --json /nix/store/my-derivation.drv\n\nSee ``vulnix --help`` for a list of all options.\n\n\nWhitelisting\n============\n\n``vulnix`` output may contain false positives, unfixable packages or stuff which\nis known to be addressed. The *whitelist* feature allows excluding packages\nmatching certain criteria.\n\nUsage\n-----\n\nLoad whitelists from either local files or HTTP servers\n\n.. code:: shell\n\n  vulnix -w /path/to/whitelist.toml \\\n         -w https://example.org/published-whitelist.toml\n\nSyntax\n------\n\nWhitelists are TOML_ files which contain the package to be filtered as section\nheaders, followed by further per-package options.\n\nSection headings - package selection\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\nExclude a package at a specific version\n\n.. code:: toml\n\n  [\"openjpeg-2.3.0\"]\n\nExclude a package regardless of version (additional CVE filters may apply, see\nbelow)\n\n.. code:: toml\n\n  [\"openjpeg\"]\n\nExclude all packages (see below for CVE filters, again)\n\n.. code:: toml\n\n  [\"*\"]\n\nOptions\n^^^^^^^\n\ncve\n  List of CVE identifiers to match. The whitelist rule is valid as long as the\n  detected CVEs are a subset of the CVEs listed here. If additional CVEs are\n  detected, this whitelist rule is not effective anymore.\n\nuntil\n  Date in the form \"YYYY-MM-DD\" which confines this rule's lifetime. On the\n  specified date and later, this whitelist rule is not effective anymore.\n\nissue_url\n  URL or list of URLs that point to any issue tracker. Informational only.\n\ncomment\n  String or list of strings containing free text. Informational only.\n\n\nExamples\n--------\n\nCreate a ticket on your favourite issue tracker. Estimate the time to get the\nvulnerable package fixed. Create a whitelist entry:\n\n.. code:: toml\n\n  [\"ffmpeg-3.4.2\"]\n  cve = [\"CVE-2018-6912\", \"CVE-2018-7557\"]\n  until = \"2018-05-01\"\n  issue_url = \"https://issues.example.com/29952\"\n  comment = \"need to backport patch\"\n\nThis particular version of ffmpeg will be left out of reports until either\nanother CVE gets published or the specified date is reached.\n\n\nCVE patch auto-detection\n========================\n\n``vulnix`` will inspect derivations for patches which supposedly fix specific\nCVEs. When a patch filename contains one or more CVE identifiers, these will not\nbe reported anymore. Example Nix code:\n\n.. code:: nix\n\n  {\n    patches = [ ./CVE-2018-6951.patch ];\n  }\n\nPatches which fix multiple CVEs should name them all with a non-numeric\nseparator, e.g. ``CVE-2017-14159+CVE-2017-17740.patch``.\n\nAuto-detection even works when patches are pulled via ``fetchpatch`` and friends\nas long as there is a CVE identifier in the name. Example:\n\n.. code:: nix\n\n  {\n    patches = [\n      (fetchpatch {\n        name = \"CVE-2018-9055.patch\";\n        url = http://paste.opensuse.org/view/raw/330751ce;\n        sha256 = \"0m798m6c4v9yyhql7x684j5kppcm6884n1rrb9ljz8p9aqq2jqnm\";\n      })\n    ];\n  }\n\n\n.. _NIST: https://nvd.nist.gov/vuln/\n.. _TOML: https://github.com/toml-lang/toml/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnix-community%2Fvulnix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnix-community%2Fvulnix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnix-community%2Fvulnix/lists"}