Scan only runtime dependencies #80
Conversation
Store paths that appear in the closure but are also |
Derivation input sources have no deriver and can safely be skipped. Also fix comment that says the `deriver` field was added to `nix path-info` in Nix 2.4. That is incorrect, it is already present in stable Nix.
Turns out the |
…cies use forked vulnix until nix-community/vulnix#80 is merged
@ckauhaus could we get this merged?
Given the context, I assume that @ckauhaus is no longer active. If anybody is interested, I opened a new issue to nominate yourself as a maintainer.
This PR adds a `--closure` flag that scans the closure of an output path. Currently vulnix scans all dependencies (unless `--no-requisites` is given), so build-time-only dependencies are included. Depending on the threat model it may be desirable to scan only runtime dependencies, to avoid writing a huge whitelist. Nix has a `deriver` field in the JSON output of `nix path-info` that I hoped we could use. Unfortunately we run into the same problem as #69, so we still have to shell out to Nix every time that path does not exist.
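The two points above (the `deriver` field of `nix path-info --json`, and the commit note that input sources have no deriver and can be skipped) as an added example. This is not vulnix's code and not part of the PR; it assumes the list-of-objects JSON shape that `nix path-info --json --recursive <output-path>` prints (an object keyed by store path is also accepted), that `deriver` is null or absent for input sources, and that when the recorded .drv is no longer in the store a caller-supplied `resolve_missing` callback stands in for the shell-out to Nix, so the example runs offline. The sample closure is constructed, with placeholder hashes.

```python
"""Added example (not vulnix's own code): split a closure reported by
`nix path-info --json --recursive <output-path>` into derivation outputs
worth scanning and input sources that can be skipped, using `deriver`."""
import json
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

# Heuristic: `<name>-<version>` where the version starts with a digit.
NAME_VERSION_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[0-9].*)$")


def fake_store_path(name: str, suffix: str = "") -> str:
    """Build a placeholder store path (32-char dummy hash, then the name)."""
    return "/nix/store/" + ("0" * 32) + "-" + name + suffix


# Constructed sample `nix path-info --json` output; not a real store.
SAMPLE_PATH_INFO = json.dumps([
    {"path": fake_store_path("hello-2.12.1"),
     "deriver": fake_store_path("hello-2.12.1", ".drv"),
     "references": [fake_store_path("glibc-2.37-8")]},
    {"path": fake_store_path("glibc-2.37-8"),
     "deriver": fake_store_path("glibc-2.37-8", ".drv"),
     "references": []},
    # An input source (a file copied into the store): no deriver at all.
    {"path": fake_store_path("default.nix"), "deriver": None, "references": []},
    {"path": fake_store_path("openssl-3.0.12"),
     "deriver": fake_store_path("openssl-3.0.12", ".drv"),
     "references": [fake_store_path("glibc-2.37-8")]},
])


def parse_path_info(raw: str) -> List[dict]:
    """Normalise both JSON shapes to a list of entries carrying a `path` key."""
    data = json.loads(raw)
    if isinstance(data, dict):  # newer Nix keys an object by store path
        return [dict(info, path=path) for path, info in data.items()]
    return data


def split_name_version(name: str) -> Tuple[str, str]:
    """Split `gcc-wrapper-12.3.0` into ('gcc-wrapper', '12.3.0')."""
    m = NAME_VERSION_RE.match(name)
    if m is None:
        return name, ""
    return m.group("name"), m.group("version")


def drv_name_version(drv_path: str) -> Tuple[str, str]:
    """Read (name, version) out of a .drv store path's basename."""
    base = os.path.basename(drv_path)
    if base.endswith(".drv"):
        base = base[:-4]
    _hash, _, name = base.partition("-")  # drop the hash prefix
    return split_name_version(name)


def runtime_derivations(
    raw: str,
    store_exists: Callable[[str], bool] = os.path.exists,
    resolve_missing: Optional[Callable[[str], Optional[str]]] = None,
) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Map each scannable output path to (name, version); also list skipped paths.

    Entries without a deriver are input sources and are skipped outright.
    If the recorded .drv is gone from the store, `resolve_missing(output_path)`
    stands in for shelling out to Nix; it must return a `<name>-<version>`
    string or None (a hypothetical contract chosen for this example).
    """
    found: Dict[str, Tuple[str, str]] = {}
    skipped: List[str] = []
    for entry in parse_path_info(raw):
        path = entry["path"]
        drv = entry.get("deriver")
        if not drv:
            skipped.append(path)
            continue
        if store_exists(drv):
            found[path] = drv_name_version(drv)
            continue
        name = resolve_missing(path) if resolve_missing else None
        if name is None:
            skipped.append(path)
            continue
        found[path] = split_name_version(name)
    return found, skipped


if __name__ == "__main__":
    scan, skip = runtime_derivations(SAMPLE_PATH_INFO, store_exists=lambda p: True)
    for out, (n, v) in scan.items():
        print(f"scan  {n} {v}  ({out})")
    for out in skip:
        print(f"skip  {out}")
```

The `store_exists` and `resolve_missing` parameters are there so the two failure modes the PR describes (input sources with no deriver, and derivers whose .drv has been garbage-collected) can be exercised without a Nix store; a real integration would pass `os.path.exists` and a function that shells out to Nix.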