vulnix whitelists: split into separately usable outputs
dermetfan committed Sep 24, 2021
1 parent 6b79f5c commit 60e2a96
Showing 1 changed file with 120 additions and 102 deletions.
222 changes: 120 additions & 102 deletions modules/vulnix-whitelists.nix
@@ -1,110 +1,128 @@
{ config, lib, pkgs, ... }:
{ config, lib, ... }:

# TODO whitelist build-time dependencies?
let
cfg = config.services.vulnix.defaultWhitelists;

{
services.vulnix.whitelists = lib.mkOptionDefault [
resultOption = with lib; mkOption {
readOnly = true;
type = types.attrs;
description = "The computed whitelist.";
};
in {
options.services.vulnix.defaultWhitelists = {
# fix about to be deployed
{
"openssl-1.1.1k" = {
until = "2021-09-15";
cve = [
"CVE-2021-3711"
"CVE-2021-3712"
];
issue_url = "https://github.com/NixOS/nixpkgs/pull/135611";
ephemeral.whitelist = resultOption // {
default = {
"openssl-1.1.1k" = {
until = "2021-09-15";
cve = [
"CVE-2021-3711"
"CVE-2021-3712"
];
issue_url = "https://github.com/NixOS/nixpkgs/pull/135611";
};
"libsndfile-1.0.30" = {
until = "2021-09-15";
cve = [ "2021-3246" ];
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/132138"
"https://github.com/NixOS/nixpkgs/pull/132689"
"https://github.com/NixOS/nixpkgs/pull/134004"
];
};
};
"libsndfile-1.0.30" = {
until = "2021-09-15";
cve = [ "2021-3246" ];
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/132138"
"https://github.com/NixOS/nixpkgs/pull/132689"
"https://github.com/NixOS/nixpkgs/pull/134004"
];
};
}
};

# general false positives
({
"openssl" = {
cve = [
"CVE-2018-16395"
"CVE-2016-7798"
];
comment = "CVEs are about a Ruby library";
issue_url = [
"https://github.com/flyingcircusio/vulnix/issues/62"
"https://github.com/NixOS/nixpkgs/issues/116905"
"https://github.com/NixOS/nixpkgs/issues/109204"
];
};
"network-3.1.1.1" = {
cve = [ "2021-35048" ];
comment = [
"drv is a haskell library, CVE is about SQLi in some web UI"
"build-time dependency of shellcheck through pandoc"
];
};
"zip-3.0" = { # FIXME is it 3 or 3.0?
cve = [ "2018-13410" ];
comment = "disputed";
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/88417"
"https://github.com/NixOS/nixpkgs/issues/70134"
"https://github.com/NixOS/nixpkgs/issues/57192"
];
};
"gnulib" = {
cve = [ "2018-17942" ];
comment = "fixed long ago";
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/34787"
"https://github.com/NixOS/nixpkgs/issues/88310"
];
};
"plexus-utils" = {
cve = [ "2017-1000487" ];
comment = "build-time dependency of mvn2nix";
};
maven = {
cve = [ "2021-26291" ];
comment = "build-time dependency of mvn2nix";
};
commons-collections = {
cve = [ "2017-15708" ];
comment = [
"only affects Apache Synapse"
"build-time dependency of mvn2nix"
];
};
"gradle-4.10.3" = {
cve = [ "2019-15052" ];
comment = "build-time dependency";
};
} // lib.genAttrs [ "shellcheck" "ShellCheck" ] (pname: {
cve = [ "2021-28794" ];
comment = "CVE is about a Visual Studio Code extension";
}) // lib.optionalAttrs (!config.services.xserver.enable) {
"libX11-1.7.0" = {
cve = [ "2021-31535" ];
# XXX nomad jobs might, though very unlikely
comment = "we don't run a graphical session";
};
} // lib.optionalAttrs (
with pkgs.lib.systems;
!inspect.predicates.isWindows (parse.mkSystemFromString pkgs.system)
) {
"ripgrep" = {
cve = [ "2021-3013" ];
comment = "we're not on windows";
# general false positives (nixpkgs-wide)
nixpkgs.whitelist = resultOption // {
default = {
"openssl" = {
cve = [
"CVE-2018-16395"
"CVE-2016-7798"
];
comment = "CVEs are about a Ruby library";
issue_url = [
"https://github.com/flyingcircusio/vulnix/issues/62"
"https://github.com/NixOS/nixpkgs/issues/116905"
"https://github.com/NixOS/nixpkgs/issues/109204"
];
};
"zip-3.0" = { # comes up as version "3" in Grafana, not sure why
cve = [ "2018-13410" ];
comment = "disputed";
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/88417"
"https://github.com/NixOS/nixpkgs/issues/70134"
"https://github.com/NixOS/nixpkgs/issues/57192"
];
};
"gnulib" = {
cve = [ "2018-17942" ];
comment = "fixed long ago";
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/34787"
"https://github.com/NixOS/nixpkgs/issues/88310"
];
};
} // lib.genAttrs [ "shellcheck" "ShellCheck" ] (pname: {
cve = [ "2021-28794" ];
comment = "CVE is about a Visual Studio Code extension";
});
};

systemDependent = {
nixosConfig = with lib; mkOption {
type = types.attrs;
default = config;
description = "NixOS configuration to consider.";
};
} // lib.optionalAttrs (!config.services.httpd.enable) {
"openssl-1.1.1k" = {
cve = [ "CVE-2019-0190" ];
comment = "we don't use Apache";
issue_url = "https://github.com/NixOS/nixpkgs/issues/88371";

whitelist = resultOption // {
default = let
inherit (cfg.systemDependent) nixosConfig;
in (
lib.optionalAttrs (!nixosConfig.services.xserver.enable) {
"libX11-1.7.0" = {
cve = [ "2021-31535" ];
# XXX nomad jobs might, though very unlikely
comment = "we don't run a graphical session";
};
} // lib.optionalAttrs (
!lib.systems.inspect.predicates.isWindows (
# we cannot use `nixosConfig.nixpkgs.pkgs` here
# due to evaluation order as that is in _module.args
with nixosConfig.nixpkgs;
if crossSystem != null
then crossSystem
else localSystem
)
) {
"ripgrep" = {
cve = [ "2021-3013" ];
comment = "we're not on windows";
};
} // lib.optionalAttrs (!nixosConfig.services.httpd.enable) {
"openssl-1.1.1k" = {
cve = [ "CVE-2019-0190" ];
comment = "we don't use Apache";
issue_url = "https://github.com/NixOS/nixpkgs/issues/88371";
};
}
);
};
})
];
};
};

config.services.vulnix = {
whitelists = lib.mkOptionDefault (map
(x: x.whitelist)
(builtins.attrValues cfg)
);

scanNomadJobs.whitelists = lib.mkOptionDefault (map
(x: x.whitelist)
(lib.attrVals [ "ephemeral" "nixpkgs" ] cfg)
);
};
}
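Review bot: The `ripgrep` guard in `systemDependent.whitelist` may stop working for cross builds, because `lib.systems.inspect.predicates.isWindows` matches on the parsed `kernel` field and the value it is now handed is the raw `nixosConfig.nixpkgs.crossSystem` option rather than the old `parse.mkSystemFromString pkgs.system`; `localSystem` is elaborated by its option's `apply`, but as far as I can tell `crossSystem` is not, so a bare `{ system = "..."; }` cross target would fail the match and the "we're not on windows" entry would be emitted anyway. Normalising the chosen value with `lib.systems.elaborate (if crossSystem != null then crossSystem else localSystem)` makes the predicate see the same shape in both branches, and `elaborate` is a no-op on an already-elaborated set. Separately, the commit date is after the `until = "2021-09-15"` of both `ephemeral` entries, so they are already expired dead weight and could be dropped, and the new `nixpkgs.whitelist` silently loses the build-time-dependency entries (network, plexus-utils, maven, commons-collections, gradle) the old list carried while the `# TODO whitelist build-time dependencies?` comment stays; that direction only causes extra reports rather than hiding findings, but a line in the commit message or a comment next to the TODO saying it is intentional would help the next reader.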
