vulnix module: use seperate whitelists for system scans and Nomad job…

… scans
input-output-hk · Sep 23, 2021 · b84a973 · b84a973
1 parent 4de9755
commit b84a973
Showing 1 changed file with 22 additions and 7 deletions.
diff --git a/modules/vulnix.nix b/modules/vulnix.nix
@@ -46,12 +46,22 @@ in {
         type = types.path;
         description = "The netrc file to use for private Git repos.";
       };
+
+      whitelists = mkOption {
+        type = types.listOf whitelistFormat.type;
+        default = [];
+        description = "Whitelists to respect.";
+      };
     };
 
     whitelists = mkOption {
       type = types.listOf whitelistFormat.type;
       default = [];
-      description = "Whitelists to respect.";
+      description = ''
+        Whitelists to respect.
+        These are not considered for scans of Nomad jobs, use the option
+        <option>services.vulnix.scanNomadJobs.whitelists</option> instead.
+      '';
     };
 
     paths = mkOption {
@@ -113,7 +123,12 @@ in {
 
       path = with pkgs; [ cfg.package vault-bin curl jq nixFlakes gitMinimal ];
 
-      script = ''
+      script = let
+        mkWhitelists = map (lib.flip lib.pipe [
+          (whitelistFormat.generate "vulnix-whitelist.toml")
+          (drv: "${drv}")
+        ]);
+      in ''
         set -o pipefail
 
         function scan {
@@ -125,10 +140,6 @@ in {
               requisites = scanRequisites;
               no-requisites = !scanRequisites;
               closure = scanClosure;
-              whitelist = map (lib.flip lib.pipe [
-                (whitelistFormat.generate "vulnix-whitelist.toml")
-                (drv: "${drv}")
-              ]) whitelists;
             }
           )} \
             --cache-dir $CACHE_DIRECTORY \
@@ -145,6 +156,7 @@ in {
         scan ${lib.cli.toGNUCommandLineShell {} (with cfg; {
           system = scanSystem;
           gc-roots = scanGcRoots;
+          whitelist = mkWhitelists whitelists;
         })} \
           -- ${lib.escapeShellArgs cfg.paths} \
         | ${cfg.sink}
@@ -177,7 +189,10 @@ in {
               nix --netrc-file $CREDENTIALS_DIRECTORY/netrc show-derivation \
             | jq --unbuffered -r keys[] \
             | while read -r drv; do
-              scan -- "$drv" \
+              scan ${lib.cli.toGNUCommandLineShell {} (with cfg.scanNomadJobs; {
+                whitelist = mkWhitelists whitelists;
+              })} \
+                -- "$drv" \
               | NOMAD_JOB_NAMESPACE=$(<<< "$job" jq -rj .namespace) \
                 NOMAD_JOB_ID=$(<<< "$job" jq -rj .job) \
                 NOMAD_JOB_TASKGROUP_NAME=$(<<< "$job" jq -rj .taskgroup) \