vulnix

Scans a Nix store for derivations that are affected by vulnerabilities.

These details have not been verified by PyPI

Project links

Homepage

Project description

Nix(OS) vulnerability scanner

This is a utility that validates a Nix store for any packages that are reachable from live paths and likely to be affected by vulnerabilities listed in the NVD.

It implements a CLI utility to inspect the current status and a monitoring integration for Sensu.

Example output:

Security issues for sqlite, libxml2, ... (and 10 more)

sqlite-2.9.3 (inprogress)
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2073
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8710

    See https://plan.flyingcircus.io/issues/18544


libxml2-2.9.3
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3717

Usage:

$ nix-build
$ ./result/bin/vulnix

Whitelist

The whitelist file uses a sub-set of the YAML language to define rules which matches shall be ignored or in other words are declared to be trusted or in progress, hence the term whitelist. If the match is partial, e.G. there is a package which is affected by more than one vulnerability, but only one is whitelist, the match will still be printed except for the declared exception.

Syntax

Every rule starts with the - and a new-line, declaring a list element.

Element	Example value	Description
cve	cve: CVE-2015-2503	Ignores all matches which are referred by the CVE
comment	comment: microsoft access, accidently matching the ‘access’ derivation	comments the rule
name	name: libxslt	refers to the name attribute of a package derivation
version	version: 2.0	refers to the name attribute of a package derivation
vendor	microsoft	refers to the [NIST] (https://nvd .nist.gov/cp e.cfm) term of the person or organization which created the software
product	access	Like vendor it’s a term coined by NIST and is an analogy to what name means for Nix

Example

There is an example for a working whitelist file as part of the unit tests.

1.1.2 (2016-08-15)

added nix expressions (Nix/NixOS) to MANIFEST.in

1.1.1 (2016-08-12)

added VERSION to MANIFEST.in

1.1 (2016-08-11)

Scans the whole system (NixOS only), the current user environment, or a project-specific path (e.g., ./result). #1
Allow to specify site-specific whitelists in addition to the builtin default whitelist. #4
Fully repeatale install using default.nix. Thanks to Rok Garbas. #4
Cache pre-parsed NVD files for improved scanning speed. #2
Support multiple whitelists (repeat -w option). #3
Cache NVD files in ~/.cache/vulnix. #7
Document whitelist file format. #10
Fix Nix build on macOS. #11

Project details

These details have not been verified by PyPI

Project links

Homepage

Release history Release notifications | RSS feed

1.10.1

Feb 6, 2022

1.10.0

Jul 16, 2021

1.9.6

Jul 2, 2020

1.9.5

Jun 30, 2020

1.9.4

Dec 11, 2019

1.9.3

Nov 26, 2019

1.9.2

Nov 16, 2019

1.9.1

Nov 14, 2019

1.8.2

Jun 17, 2019

1.8.1

Apr 8, 2019

1.8.0

Mar 9, 2019

1.7.1

Jul 23, 2018

1.7

Jul 20, 2018

1.6.3

May 2, 2018

1.6.1

Apr 20, 2018

1.6.0

Apr 19, 2018

1.4.0

Nov 27, 2017

1.3.4

Oct 29, 2017

1.3.3

Oct 16, 2017

1.3.2

Oct 6, 2017

1.3.0

Sep 18, 2017

1.2.2

Jan 28, 2017

1.2.1

Jan 27, 2017

1.2

Dec 22, 2016

1.1.5

Oct 13, 2016

1.1.4

Aug 25, 2016

1.1.3

Aug 16, 2016

This version

1.1.2

Aug 15, 2016

1.1.1

Aug 12, 2016

1.1

Aug 11, 2016

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vulnix-1.1.2.tar.gz (16.4 kB view hashes)

Uploaded Aug 15, 2016 Source

Hashes for vulnix-1.1.2.tar.gz

Hashes for vulnix-1.1.2.tar.gz
Algorithm	Hash digest
SHA256	`bd6fce4468d5068a02fd1e93db3b4ee82694fe937ea9d86a1817b4f82ad62caa`
MD5	`668bbc3f74f046b5391d28c0bd0d0355`
BLAKE2b-256	`b134cfdadba4503de5953c38f11e5dc484159de8b40eb59987de0e1b0806f9e2`