Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/katexochen/govulncheck-nixpkgs
Scanning nixpkgs for vulnerabilities in Go packages
https://github.com/katexochen/govulncheck-nixpkgs
go golang nix nixos nixpkgs security
Last synced: 3 months ago
Scanning nixpkgs for vulnerabilities in Go packages
- Host: GitHub
- URL: https://github.com/katexochen/govulncheck-nixpkgs
- Owner: katexochen
- License: isc
- Created: 2024-04-22T20:33:20.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2024-08-12T06:23:22.000Z (5 months ago)
- Last Synced: 2024-09-28T09:03:49.623Z (3 months ago)
- Topics: go, golang, nix, nixos, nixpkgs, security
- Language: Shell
- Homepage:
- Size: 3.98 MB
- Stars: 6
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## Govulncheck on nixpkgs
This project runs [govulncheck](https://go.dev/blog/govulncheck) on the source of Go packages
in [nixpkgs](https://github.com/NixOS/nixpkgs) to identify security vulnerabilities not handled
downstream (due to missing updates) or upstream (unmaintained or unaware projects).

Scans use a pinned version of nixpkgs and the [govulndb](https://vuln.go.dev/) so that the results
are reproducible. The [scan report](https://github.com/katexochen/govulncheck-nixpkgs/blob/main/report.txt)
is tracked as part of this repo. It can be inspected with the `report-tool`, which gives an overview and
allows easy access to the relevant part of the report.

```
❯ report-tool stats
Packages discovered: 2207
Packages failed: 387 (17%)
Packages scanned: 1820 (82%)
Packages vulnerable: 595 (32% of scanned)
Total vulnerabilities: 1507
```

### Current limitations
- Primitive package discovery (see `isGoPkg`)
  - Only looking at package attributes to identify Go packages
  - Not recursing into nested attribute sets
  - `rg -c 'buildGo\d*Module (|rec )\{' | awk -F: '{s+=$2} END {print s}'` on nixpkgs gives 2074 findings,
    so the 2090 packages found by the heuristic should be at least somewhat close
- Checks are running directly on `src`
  - `patches` not taken into account
  - `cgo` dependencies are not present (see `report-tool failed`)
  - `srcRoot`, `subPackages` etc. not taken into account (some failures as `go.mod` is not found)
  - `goModules` isn't used by the govulncheck invocation
- Scan is not running in the sandbox
- All the [limitations of govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Limitations)
- Only covers nixpkgs-unstable (support for releases upcoming)
- Report lacks a structured format. I couldn't make the JSON-lines output of govulncheck work for this: it misses
  some important info like scan failures, which won't be part of the structured output. The current report
  can be worked with to some extent using the `report-tool`. In the future, some kind of website would be nice to
  present the results.

### `report-tool`
```
Usage: report-tool [args]

Commands:
  stats
      Show statistics about the report.
  discovered
      List packages which were tried to be checked.
  failed
      List packages for which the check failed.
  scanned
      List packages that were successfully scanned.
  vulnerable
      List packages that have vulnerabilities.
  non-vulnerable
      List packages that do not have vulnerabilities.
  report
      Show the report for a specific package.
  findings
      List the found vulnerabilities (URL) for a specific package.
  mark
      Show the vulnerabilities for a specific package in a format that can be
      used to mark the package as vulnerable in the nixpkgs repository.
  fix
      Show the commands to fix the vulnerabilities upstream.
```