
Scan only runtime dependencies #80

Merged
merged 7 commits into from
Apr 2, 2024

Conversation

@dermetfan (Contributor) commented Sep 17, 2021

This PR adds a --closure flag that scans the closure of an output path.

Currently vulnix scans all dependencies (unless --no-requisites is given) so buildtime-only dependencies are included. Depending on the threat model it may be desirable to scan only runtime dependencies to avoid writing a huge whitelist.

Nix has a deriver field in the JSON output of nix path-info that I hoped we could use. Unfortunately we run into the same problem as #69 so we still have to shell out to Nix every time that path does not exist.

@ckauhaus ckauhaus self-requested a review September 20, 2021 10:12
@dermetfan (Contributor, Author)

Store paths that appear in the closure but are also inputSrcs (from nix show-derivation) have no deriver and therefore cause an error. These should be excluded from the scan. I will look into this shortly.

Derivation input sources have no deriver and can safely be skipped.

Also fix comment that says the `deriver` field was added to `nix path-info`
in Nix 2.4. That is incorrect; it is already present in stable Nix.
@dermetfan (Contributor, Author) commented Sep 21, 2021

Turns out the derivation field in nix path-info --json is already present in stable Nix. I previously stated in the description that it was added in Nix 2.4 which is incorrect. That allows us to check whether it is present and skip the path if it is not, so this PR is ready for review now.
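The selection logic described in the PR description and the two follow-up comments above (walk the runtime closure of an output path, map each store path to its `deriver`, skip derivation input sources that have none, and fall back to Nix when the `.drv` is not in the local store) can be modelled without touching a real store. The block below is an added example written for this page, not vulnix's own implementation. It assumes the JSON shape printed by `nix path-info --json` on stable Nix (a list of records with `path`, `deriver` and `references`; the object-keyed shape of newer Nix is accepted as an assumption), and all store paths in the embedded sample are constructed.

```python
"""Runtime-closure selection in the style of vulnix --closure (added example)."""
import json
import os
import subprocess
from typing import Callable, Dict, Set, Tuple

# Constructed sample in the shape of `nix path-info --json` output on stable
# Nix: a list of records, one per store path. Hashes, names and paths are
# made up for illustration.
SAMPLE_PATH_INFO = json.dumps([
    {
        "path": "/nix/store/aaaa-hello-2.12",
        "deriver": "/nix/store/aaaa-hello-2.12.drv",
        "references": ["/nix/store/bbbb-glibc-2.35",
                       "/nix/store/cccc-banner.txt"],
    },
    {
        "path": "/nix/store/bbbb-glibc-2.35",
        "deriver": "/nix/store/bbbb-glibc-2.35.drv",
        "references": ["/nix/store/bbbb-glibc-2.35"],  # self-references are common
    },
    {
        # A derivation input source (inputSrcs): copied into the store, never
        # built, so Nix records no deriver for it. Must be skipped, not scanned.
        "path": "/nix/store/cccc-banner.txt",
        "references": [],
    },
    {
        # Build-time-only input (the compiler). Present in the sample only to
        # show that nothing in the runtime closure references it.
        "path": "/nix/store/dddd-gcc-12.3.0",
        "deriver": "/nix/store/dddd-gcc-12.3.0.drv",
        "references": ["/nix/store/bbbb-glibc-2.35"],
    },
])


def parse_path_info(text: str) -> Dict[str, dict]:
    """Index path-info JSON by store path.

    Stable Nix prints a list of records; assumption: newer Nix prints an
    object keyed by path, which is normalised to the same structure here.
    """
    data = json.loads(text)
    if isinstance(data, list):
        return {rec["path"]: rec for rec in data}
    return {path: dict(rec or {}, path=path) for path, rec in data.items()}


def runtime_closure(info: Dict[str, dict], root: str) -> Set[str]:
    """Transitive closure of `references` starting at root.

    Only runtime references are followed; build-time inputs (inputDrvs) are
    not part of this graph, which is why they drop out of the scan.
    """
    seen: Set[str] = set()
    stack = [root]
    while stack:
        path = stack.pop()
        if path in seen:
            continue
        rec = info.get(path)
        if rec is None:
            raise KeyError(f"{path} is not in the path-info output")
        seen.add(path)
        stack.extend(rec.get("references", []))
    return seen


def derivers_to_scan(info: Dict[str, dict], root: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (store path -> deriver) for scannable paths and the skipped set."""
    derivers: Dict[str, str] = {}
    skipped: Set[str] = set()
    for path in sorted(runtime_closure(info, root)):
        deriver = info[path].get("deriver")
        if not deriver:          # input source: no derivation to look at
            skipped.add(path)
        else:
            derivers[path] = deriver
    return derivers, skipped


def missing_derivations(derivers: Dict[str, str],
                        exists: Callable[[str], bool] = os.path.exists) -> Set[str]:
    """Derivers whose .drv is absent locally; for these the .drv cannot be read
    directly and (per the PR text) vulnix has to shell out to Nix instead."""
    return {drv for drv in derivers.values() if not exists(drv)}


def path_info_from_nix(root: str) -> Dict[str, dict]:
    """Live variant: run `nix path-info -r --json` (not used by the sample)."""
    proc = subprocess.run(["nix", "path-info", "-r", "--json", root],
                          check=True, capture_output=True, text=True)
    return parse_path_info(proc.stdout)


if __name__ == "__main__":
    info = parse_path_info(SAMPLE_PATH_INFO)
    scan, skipped = derivers_to_scan(info, "/nix/store/aaaa-hello-2.12")
    print("scan:", scan)
    print("skipped (no deriver):", skipped)
    print("drv not in local store:", missing_derivations(scan))
```

Note that `dddd-gcc` never reaches the scan set even though it carries a deriver: the walk starts from the output path and follows `references` only, so build-time-only inputs are excluded by construction, and the unscanned surface is exactly what a runtime-only threat model wants to leave out.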

dermetfan added a commit to input-output-hk/bitte that referenced this pull request Sep 24, 2021
@disassembler

@ckauhaus could we get this merged?

@domenkozar

@ckauhaus 🙏

@dermetfan (Contributor, Author)

It seems @ckauhaus no longer works at Flying Circus. You "recently" committed to this repo; maybe you can have a look, @delroth @mrrpdt?

@zimbatm zimbatm merged commit ebd8ea8 into nix-community:master Apr 2, 2024
@zimbatm (Member) commented Apr 2, 2024

Given the context, I assume that @ckauhaus is no longer active. If anybody is interested, I opened a new issue to nominate yourself as a maintainer.
