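{ config, lib, ... }:
# NixOS module that assembles the default vulnix whitelists from three sources:
#   ephemeral       - time-bounded suppressions for fixes that are about to land
#   nixpkgs         - nixpkgs-wide false positives
#   systemDependent - suppressions that are only valid given *this* host's config
# Each source exposes its computed whitelist as a read-only option. All three
# feed services.vulnix.whitelists; only the two host-independent ones feed
# services.vulnix.scanNomadJobs.whitelists (see the config section below).
#
# NOTE(review): CVE ids are written both with ("CVE-2021-3711") and without
# ("2021-3246") the "CVE-" prefix in this file. This assumes the whitelist
# consumer accepts both spellings - verify, since an id that does not match the
# reported one suppresses nothing (or, worse, the wrong thing).
let
  cfg = config.services.vulnix.defaultWhitelists;
  resultOption = with lib; mkOption {
    readOnly = true;
    type = types.attrs;
    description = "The computed whitelist.";
  };
in {
  options.services.vulnix.defaultWhitelists = {
    # fix about to be deployed
    # Every entry here carries an `until` date so the suppression expires by
    # itself (presumably the consumer stops honouring the rule after that date
    # - confirm). Once expired, drop the entry rather than extending it without
    # re-checking that the referenced fix actually landed.
    ephemeral.whitelist = resultOption // {
      default = {
        "openssl-1.1.1k" = {
          until = "2021-09-15";
          cve = [
            "CVE-2021-3711"
            "CVE-2021-3712"
          ];
          issue_url = "https://github.com/NixOS/nixpkgs/pull/135611";
        };
        "libsndfile-1.0.30" = {
          until = "2021-09-15";
          cve = [ "2021-3246" ];
          issue_url = [
            "https://github.com/NixOS/nixpkgs/issues/132138"
            "https://github.com/NixOS/nixpkgs/pull/132689"
            "https://github.com/NixOS/nixpkgs/pull/134004"
          ];
        };
      };
    };
    # general false positives (nixpkgs-wide)
    # No `until` here: these are wrong matches (same CVE id reported for an
    # unrelated product, disputed, or long fixed), not pending fixes. Only the
    # listed ids are suppressed, so any other CVE for these packages still
    # surfaces.
    nixpkgs.whitelist = resultOption // {
      default = {
        # unversioned key: matches every openssl derivation
        "openssl" = {
          cve = [
            "CVE-2018-16395"
            "CVE-2016-7798"
          ];
          comment = "CVEs are about a Ruby library";
          issue_url = [
            "https://github.com/flyingcircusio/vulnix/issues/62"
            "https://github.com/NixOS/nixpkgs/issues/116905"
            "https://github.com/NixOS/nixpkgs/issues/109204"
          ];
        };
        "zip-3.0" = { # comes up as version "3" in Grafana, not sure why
          cve = [ "2018-13410" ];
          comment = "disputed";
          issue_url = [
            "https://github.com/NixOS/nixpkgs/issues/88417"
            "https://github.com/NixOS/nixpkgs/issues/70134"
            "https://github.com/NixOS/nixpkgs/issues/57192"
          ];
        };
        "gnulib" = {
          cve = [ "2018-17942" ];
          comment = "fixed long ago";
          issue_url = [
            "https://github.com/NixOS/nixpkgs/issues/34787"
            "https://github.com/NixOS/nixpkgs/issues/88310"
          ];
        };
      # both spellings of the pname occur, so emit the same rule under each
      } // lib.genAttrs [ "shellcheck" "ShellCheck" ] (pname: {
        cve = [ "2021-28794" ];
        comment = "CVE is about a Visual Studio Code extension";
      });
    };
    systemDependent = {
      nixosConfig = with lib; mkOption {
        type = types.attrs;
        default = config;
        description = "NixOS configuration to consider.";
      };
      # Conditions below are facts about the host described by `nixosConfig`,
      # not about the packages themselves; that is why this list is not reused
      # for Nomad jobs.
      whitelist = resultOption // {
        default = let
          inherit (cfg.systemDependent) nixosConfig;
        in (
          lib.optionalAttrs (!nixosConfig.services.xserver.enable) {
            "libX11-1.7.0" = {
              cve = [ "2021-31535" ];
              # XXX nomad jobs might, though very unlikely
              # NOTE(review): this CVE is in the X *client* library, so "no X
              # server on this host" does not by itself make it moot - any
              # process here that talks to a remote/forwarded display (e.g.
              # ssh -X) would still be exposed. Keep the condition conservative.
              comment = "we don't run a graphical session";
            };
          } // lib.optionalAttrs (
            # `nixpkgs.localSystem` is an elaborated platform set (the option
            # applies lib.systems.elaborate) and `crossSystem` may or may not
            # be. The lib.systems.inspect predicates match on the *parsed*
            # triple (`kernel`, `cpu`, ...), so applying one to the whole set
            # never finds `kernel` and silently yields "not windows".
            # Elaborating first (accepts raw and already-elaborated input)
            # gives a set whose `isWindows` is computed from the parsed triple.
            !(lib.systems.elaborate (
              # we cannot use `nixosConfig.nixpkgs.pkgs` here
              # due to evaluation order as that is in _module.args
              with nixosConfig.nixpkgs;
              if crossSystem != null
              then crossSystem
              else localSystem
            )).isWindows
          ) {
            "ripgrep" = {
              cve = [ "2021-3013" ];
              comment = "we're not on windows";
            };
          } // lib.optionalAttrs (!nixosConfig.services.httpd.enable) {
            # version-pinned on purpose: when openssl moves on, the rule stops
            # matching and the finding has to be re-evaluated
            "openssl-1.1.1k" = {
              cve = [ "CVE-2019-0190" ];
              comment = "we don't use Apache";
              issue_url = "https://github.com/NixOS/nixpkgs/issues/88371";
            };
          }
        );
      };
    };
  };
  config.services.vulnix = {
    # the host itself gets all three sources
    whitelists = lib.mkOptionDefault (map
      (x: x.whitelist)
      (builtins.attrValues cfg)
    );
    # Nomad jobs are not this host: deliberately leave out `systemDependent`,
    # whose conditions are derived from the host's own NixOS configuration.
    scanNomadJobs.whitelists = lib.mkOptionDefault (map
      (x: x.whitelist)
      (lib.attrVals [ "ephemeral" "nixpkgs" ] cfg)
    );
  };
}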