Back in May I introduced you to the development of vulnix, a tool initially written to find out whether a system (might) be affected by a security vulnerability. It does this by matching the derivation's name with the product and version specified in the CPE language of the so-called CVEs (Common Vulnerabilities and Exposures). In the meantime we introduced the tool to the community at the Berlin NixOS Meetup and got some wonderful input on the directions in which we might extend the features. We sprinted the next two days to improve the code quality and broaden the feature set.
What we got as a result is best demonstrated by showing the usage function.
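To illustrate the matching described above, here is an added example (not vulnix's own code): it splits a derivation name into pname and version the way Nix's parseDrvName does, pulls product and version out of CPE 2.3 strings, and reports which of a few constructed CVE records hit. Store paths and CVE ids are constructed placeholders; the match only compares product and version, ignoring the CPE vendor field, which is one reason a hit can be coincidental.

```python
import re

# Constructed sample input: store paths as they appear on a NixOS system and
# CVE records reduced to their CPE 2.3 strings (ids are placeholders, not real CVEs).
STORE_PATHS = [
    "/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-openssl-1.0.2g",
    "/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-glibc-2.23",
    "/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bash-4.3",
]
CVES = [
    {"id": "CVE-PLACEHOLDER-1", "cpes": ["cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*"]},
    {"id": "CVE-PLACEHOLDER-2", "cpes": ["cpe:2.3:a:gnu:glibc:2.22:*:*:*:*:*:*:*"]},
    {"id": "CVE-PLACEHOLDER-3", "cpes": ["cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*"]},
]

def parse_drv_name(store_path):
    """Split a store path into (pname, version) following Nix's parseDrvName
    rule: the version starts at the first '-' that is not followed by a letter."""
    name = store_path.rsplit("/", 1)[-1]
    if re.match(r"^[0-9a-z]{32}-", name):      # strip the 32-char store hash
        name = name.split("-", 1)[1]
    for i, ch in enumerate(name):
        if ch == "-" and i + 1 < len(name) and not name[i + 1].isalpha():
            return name[:i], name[i + 1:]
    return name, ""

def parse_cpe(cpe):
    """Return (product, version) from a CPE 2.3 formatted string:
    cpe:2.3:part:vendor:product:version:update:... (assumes no escaped ':')."""
    fields = cpe.split(":")
    if len(fields) < 6 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return fields[4], fields[5]

def affected_by(store_path, cves):
    """Return the ids of CVEs whose CPE product equals the derivation's pname
    and whose CPE version is the derivation's version or the '*' wildcard."""
    pname, version = parse_drv_name(store_path)
    hits = []
    for cve in cves:
        if any(parse_cpe(c) in ((pname, version), (pname, "*")) for c in cve["cpes"]):
            hits.append(cve["id"])
    return hits

if __name__ == "__main__":
    for path in STORE_PATHS:
        print(path, "->", affected_by(path, CVES) or "no hits")
```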
* Is my NixOS system installation affected? Invoke: vulnix --system
* Is my user environment (~/.nix-profile) affected? Invoke: vulnix --user
* Is my project affected? Invoke after nix-build: vulnix ./result
With the help of Rok and his recently re-written pypi2nix, packaging vulnix for NixOS was a breeze and the installation procedure a simple

    git clone https://github.com/flyingcircusio/vulnix.git
    cd ./vulnix
    nix-build
For a full set of options go for
From the next release on, vulnix will be part of our platform code and check periodically whether the NixOS based VMs are affected or not. In that case operations gets informed and can develop counter-measures like introspecting the CVEs, applying patches, and/or declining the hits as false positives, for instance if a hit is simply coincidental or not relevant in the context of the Flying Circus platform.