Scans a Nix store for derivations that are affected by vulnerabilities.
Nix(OS) vulnerability scanner
=============================
This is a utility that validates a Nix store for any packages that are
reachable from live paths and likely to be affected by vulnerabilities
listed in the NVD.
It implements a CLI utility to inspect the current status and a
monitoring integration for Sensu.
Example output::

    Security issues for sqlite, libxml2, ... (and 10 more)

    sqlite-2.9.3 (inprogress)
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2073
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8710
    See https://plan.flyingcircus.io/issues/18544

    libxml2-2.9.3
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3717

Usage::

    $ nix-build
    $ ./result/bin/vulnix

Whitelist
=========
The whitelist file uses a subset of the
`YAML <https://en.wikipedia.org/wiki/YAML>`__ language to define rules
stating which matches shall be ignored, or in other words are declared to
be trusted or in progress; hence the term whitelist. If the match is
**partial**, e.g. a package is affected by more than one vulnerability but
only one of them is whitelisted, the match will still be printed, except
for the declared exception.
Syntax
------
Every rule starts with a ``-`` followed by a new line, declaring a list
element.
+---------+----------------------------+--------------------------------------------------------------+
| Element | Example value              | Description                                                  |
+=========+============================+==============================================================+
| cve     | cve: CVE-2015-2503         | Ignores all matches which refer to the CVE                   |
+---------+----------------------------+--------------------------------------------------------------+
| comment | comment: microsoft access, | Comments the rule                                            |
|         | accidentally matching the  |                                                              |
|         | 'access' derivation        |                                                              |
+---------+----------------------------+--------------------------------------------------------------+
| name    | name: libxslt              | Refers to the name attribute of a package derivation         |
+---------+----------------------------+--------------------------------------------------------------+
| version | version: 2.0               | Refers to the name attribute of a package derivation         |
+---------+----------------------------+--------------------------------------------------------------+
| vendor  | vendor: microsoft          | Refers to the `NIST <https://nvd.nist.gov/cpe.cfm>`__ term   |
|         |                            | for the person or organization which created the software    |
+---------+----------------------------+--------------------------------------------------------------+
| product | product: access            | Like vendor, a term coined by NIST, analogous to what name   |
|         |                            | means for Nix                                                |
+---------+----------------------------+--------------------------------------------------------------+
Example
-------
There is an `example <src/vulnix/default_whitelist.yaml>`__ of a
working whitelist file as part of the unit tests.
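A small matcher, added here as an example and not vulnix's own code, that parses the whitelist subset described above and applies the partial-match rule to constructed scan results. Exact equality on the name/version/vendor/product fields, and a rule without a ``cve`` field covering every CVE of the packages it matches, are assumptions of this example, as are the sample rules and matches.

```python
# Added example, not vulnix's own code: a minimal whitelist matcher for the rule
# elements and partial-match rule above; exact field equality is an assumption.

def parse_whitelist(text):
    """YAML subset: a line holding just '-' opens a rule, 'key: value' lines
    fill it.  Quoting, nesting and multi-line values are unsupported."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":                      # start of the next list element
            rules.append(current := {})
            continue
        key, sep, value = line.partition(":")
        if not sep or current is None:
            raise ValueError("not a whitelist rule line: %r" % raw)
        current[key.strip()] = value.strip()
    return rules

def rule_applies(rule, pkg, cve):
    # Assumed semantics: declared fields must match exactly; no cve field covers every CVE.
    fields = [f for f in ("name", "version", "vendor", "product") if f in rule]
    if not fields and "cve" not in rule:     # comment-only rule declares nothing
        return False
    if rule.get("cve", cve) != cve:
        return False
    return all(rule[f] == pkg.get(f) for f in fields)

def apply_whitelist(rules, matches):
    """matches: {label: (attrs, [cve, ...])}.  A package stays in the report
    while any of its CVEs is uncovered, so a partial whitelist only trims it."""
    report = {}
    for label, (pkg, cves) in matches.items():
        left = [c for c in cves if not any(rule_applies(r, pkg, c) for r in rules)]
        if left:
            report[label] = left
    return report

SAMPLE_WHITELIST = """-
  cve: CVE-2016-2073
  comment: constructed sample, sqlite fix in progress
-
  name: libxml2
  version: 2.9.3
"""
SAMPLE_MATCHES = {  # constructed, mirrors the example output above
    "sqlite-2.9.3": ({"name": "sqlite", "version": "2.9.3"}, ["CVE-2016-2073", "CVE-2015-8710"]),
    "libxml2-2.9.3": ({"name": "libxml2", "version": "2.9.3"}, ["CVE-2015-3717"]),
}
```

``apply_whitelist(parse_whitelist(SAMPLE_WHITELIST), SAMPLE_MATCHES)`` keeps sqlite in the report with only CVE-2015-8710 left, while libxml2-2.9.3 disappears entirely.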
1.1.4 (2016-08-25)
==================
- Add ``src`` to PYTHONPATH so that tests run also on older NixOS versions
  (tested on 15.09).
- Correct URL, add metadata.
- Add nix to propagatedBuildInputs, as vulnix calls ``nix-store`` at runtime.
1.1.3 (2016-08-16)
==================
- pinned the Python version to 3.4 (Nix only)
1.1.2 (2016-08-15)
==================
- added nix expressions (Nix/NixOS) to MANIFEST.in
1.1.1 (2016-08-12)
==================
- added VERSION to MANIFEST.in
1.1 (2016-08-11)
================
- Scans the whole system (NixOS only), the current user environment, or a
  project-specific path (e.g., ./result). #1
- Allow specifying site-specific whitelists in addition to the builtin default
  whitelist. #4
- Fully repeatable install using default.nix. Thanks to Rok Garbas. #4
- Cache pre-parsed NVD files for improved scanning speed. #2
- Support multiple whitelists (repeat -w option). #3
- Cache NVD files in ``~/.cache/vulnix``. #7
- Document whitelist file format. #10
- Fix Nix build on macOS. #11