Giter Club home page Giter Club logo

vulnix's Introduction

Nix(OS) vulnerability scanner

This is a utility that validates a Nix store for any packages that are reachable from live paths and likely to be affected by vulnerabilities listed in the NVD.

It implements a CLI utility to inspect the current status and a monitoring integration for Sensu.

Example output:

Found 5 advisories for libxslt, pcre, perl, ... (and 2 more)

========================================================================
libxslt-1.1.29

CVEs:
        https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5029

========================================================================
pcre-8.40

CVEs:
        https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7245
        https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7244
        [...]

Theory of operation

vulnix pulls all published CVEs from NIST and caches them locally. It matches name and version of all derivations referenced from the command line against known CVE entries. A whitelist is used to filter out unwanted results.

System requirements

  • Depends on common Nix tools like nix-store. These are expected to be in $PATH.
  • Depends on being able to interact with the Nix store database (/nix/var/nix/db). This means that it must either run as the same user that owns the Nix store database or nix-daemon must be active.
  • Parses *.drv files directly. Tested with Nix 1.10 and 1.11.
  • It refuses to work without some locale environment settings. Try export LANG=C.UTF-8 if you see encoding errors.

Usage Example

  • What vulnerabilities are listed for my current system:

    vulnix --system

  • Check nix-build output together with its transitive closure:

    vulnix result/

  • Check all passed derivations, but don't determine requisites:

    vulnix -R /nix/store/*.drv

  • JSON output for machine post-processing:

    vulnix --json result/

Whitelist

The whitelist file uses a sub-set of the YAML language to define rules which matches shall be ignored or in other words are declared to be trusted or in progress, hence the term whitelist. If the match is partial, e.G. there is a package which is affected by more than one vulnerability, but only one is whitelist, the match will still be printed except for the declared exception.

Syntax

[TBD: the whitelist feature is being revamped at the moment]

vulnix's People

Contributors

adisbladis avatar ctheune avatar garbas avatar ma27 avatar martijnvermaat avatar plumps avatar rickynils avatar

Stargazers

avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.