nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.
BSD 3-Clause "New" or "Revised" License

Don't report whitelisted CVEs again #41

Closed ckauhaus closed 6 years ago

ckauhaus commented 6 years ago

Currently, whitelist rule matches are atomic. This means that if some CVEs for a given package are covered by a whitelist rule and some are not, the whole set of CVEs is reported again. This goes against users' expectations.

For example, see NixOS/nixpkgs#42882 - exiv2 got a few new CVEs but most of them have already been covered in previous vulnerability roundups and have been added to the whitelist.

It would be better to report non-whitelisted CVEs only.
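The two matching semantics described above, as an added illustration that is not vulnix's own code: `Rule`, `report_atomic` and `report_per_cve` are a hypothetical model of whitelist rules, and the CVE ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """Hypothetical whitelist rule (assumption, not vulnix's format): matches a
    package name, optionally a version, and either the listed CVEs or, when
    `cves` is empty, every CVE of that package."""
    pname: str
    version: Optional[str] = None
    cves: FrozenSet[str] = frozenset()

    def applies_to(self, pname: str, version: str) -> bool:
        return self.pname == pname and self.version in (None, version)

    def covers(self, cve: str) -> bool:
        return not self.cves or cve in self.cves


def covered_cves(pname: str, version: str, cves: Iterable[str], rules: List[Rule]) -> Set[str]:
    """CVEs of the package that at least one applicable rule whitelists."""
    return {c for c in cves if any(r.applies_to(pname, version) and r.covers(c) for r in rules)}


def report_atomic(pname: str, version: str, cves: Iterable[str], rules: List[Rule]) -> Set[str]:
    """Behaviour the issue complains about: the match is all-or-nothing, so one
    uncovered CVE makes the whole set (already-whitelisted ones included) reappear."""
    cves = set(cves)
    return set() if cves <= covered_cves(pname, version, cves, rules) else cves


def report_per_cve(pname: str, version: str, cves: Iterable[str], rules: List[Rule]) -> Set[str]:
    """Requested behaviour: report only the CVEs that no rule covers."""
    cves = set(cves)
    return cves - covered_cves(pname, version, cves, rules)


# Constructed sample mirroring the exiv2 situation: two CVEs were whitelisted
# in an earlier roundup, a third one is new. The ids are placeholders.
RULES = [Rule("exiv2", cves=frozenset({"CVE-0000-0001", "CVE-0000-0002"}))]
EXIV2_CVES = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}

if __name__ == "__main__":
    print("atomic: ", sorted(report_atomic("exiv2", "0.26", EXIV2_CVES, RULES)))
    print("per-cve:", sorted(report_per_cve("exiv2", "0.26", EXIV2_CVES, RULES)))
```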

ckauhaus commented 6 years ago

Fixed in cce172006af8edcd4ddc53fa442e7c4bc0c18e24