request: more BOM sources and general CVE scans

[mcandre]

I love how vuls supports scanning for CVE's in some common package managers. I would like to see this list extended, in order to catch security problems on more machines.

(If you already include support for some of these, please lemme know which ones!)

• App Store (macOS)
• adb (Android)
• arch-audit (Arch Linux)
• pkg-audit (FreeBSD, DragonflyBSD, HardenedBSD)
• pkg_admin audit (NetBSD)
• pkg for more FreeBSD variants, including DragonflyBSD, HardenedBSD, NetBSD, OpenBSD, etc.
• pkgin
• pkgsrc
• Snap (Linux)
• Flatpak (Linux)
• apk (Alpine Linux)
• apt (Debian Linux family)
• ipkg (busybox/toybox Linux)
• opkg (OpenWrt Linux)
• PPA's (Ubuntu Linux family)
• urpmi (Mageia Linux)
• Homebrew (macOS and Linux)
• Chocolatey (Windows)
• winget (Windows)
• various WSL package managers, when vuls is run directly on a Windows host shell outside of WSL
• Windows Store (Windows)
• Cygwin / MSYS2 / MinGW / Strawberry Perl (Windows)
• cpan-audit (Perl programming language)
• entries registered as Installed Programs (Windows)
• arbitrary files in "C:\Program Files" and "C:\Program Files (x86)" (Windows)
• yast (OpenSuSE)
• yum (RHEL Linux family)
• Cargo (Rust programming language, essentially just run cargo audit)
• pip (Python programming language, essentially just run the third party safety check command)
• Snyk CLI (many programming languages)
• RubyGems (Ruby programming language, essentially just run gem audit)
• NPM (JavaScript programming language family, essentially just run npm audit)
• Ansible
• Terraform
• Salt
• Chef
• Puppet ( see the vulnerability module https://forge.puppet.com/modules/enterprisemodules/vulnerability/readme )
• entries in archives (zip, tar/gz/tgz/tar.gz/bz2/tbz2/tar.bz2/xz/txz/tar.xz, rar, jar, war, lzma, 7z, etc.)
• Cabal (Haskell programming language)
• Dub (D programming language)
• Conan (C/C++ programming languages)
• vcpkg (C/C++ programming languages)
• ASDF (the Common Lisp package manager, not the version manager)
• various Scheme language package managers
• ShellCheck (POSIX sh family programming languages)
• ohmyzsh and various other zsh, bash, etc. shell package managers
• Kubernetes (with KICS, checkov, etc.)
• go mod (Go programming language, just run snyk test)
• vendor source trees (various programming languages)
• git submodules

I think a lot of vulnerabilities hide out in these kinds of alleys, so the more of these we can include in vuls scans, the stronger our security posture will be.

[MaineK00n]

It may be more valuable to summarize the availability of security advisories than on a per-package manager basis.

[MaineK00n]

Please refer to the following for the status of Vuls support.

• https://vuls.io/docs/en/supported-os.html
• https://vuls.io/docs/en/usage-scan-non-os-packages.html