search

nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.
BSD 3-Clause "New" or "Revised" License
475 stars 36 forks source link

Ability to blacklist CPE patterns for specific Nixpkgs packages? #62

Open primeos opened 4 years ago

primeos commented 4 years ago

I've just noticed a few false positives, basically a all duplicates of the following two issues:

Because e.g. cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:* matched for Git (while it's for the Jenkins Git plugin) and cpe:2.3:a:redhat:fuse:*:*:*:*:*:*:*:* matched for fuse (while it's for Red Hat Fuse instead of libfuse).

There will obviously always be some false positive but I was wondering if we could do something about these two cases. Either by changing the matching algorithm or maintaining a blacklist (e.g. jenkins:git != git (there's also gitFull so maybe using pname would actually be better))?

(Note: I'm unfortunately not familiar with the current implementation.)

ckauhaus commented 4 years ago

Interesting idea. Need to think about how to extend vulnix' matching code.

ckauhaus commented 4 years ago

See also NixOS/nixpkgs#75974

ckauhaus commented 4 years ago

See also https://nvd.nist.gov/vuln/detail/CVE-2019-11644 (from NixOS/nixpkgs#88393)

ckauhaus commented 4 years ago

See also https://github.com/NixOS/nixpkgs/issues/88405#issuecomment-631787312

ckauhaus commented 4 years ago

See also https://github.com/NixOS/nixpkgs/issues/88371

ckauhaus commented 4 years ago

Another instance: https://github.com/NixOS/nixpkgs/issues/90831#issuecomment-645984604

ckauhaus commented 4 years ago

And https://github.com/NixOS/nixpkgs/issues/90950

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/90835

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/90838

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/91036

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/90777

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/90953

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/90902

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/91039

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/90944

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/92032

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/92029

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/92062

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/92871

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/92864 - disregard gitlab enterprise edition

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/93270#issuecomment-659482092

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/92068#event-3562527038

ckauhaus commented 4 years ago

Misinterpretation of terraform-provide-aws https://github.com/NixOS/nixpkgs/issues/96829

ckauhaus commented 4 years ago

https://github.com/flyingcircusio/nixpkgs/issues/620

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/88280

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/99825#issuecomment-704364896

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/99819#issuecomment-704343614

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/99812#issuecomment-705679007

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/100319#issuecomment-707029732

ckauhaus commented 4 years ago

https://github.com/NixOS/nixpkgs/issues/100314#issuecomment-707769301

ckauhaus commented 4 years ago

Need to disambiguate between firefox and firefox_esr, e.g. in https://nvd.nist.gov/vuln/detail/CVE-2020-15655

Seen in https://github.com/NixOS/nixpkgs/issues/101152

ckauhaus commented 4 years ago

Jenkins InfluxDB plugin: https://github.com/NixOS/nixpkgs/issues/102795

ckauhaus commented 4 years ago

Jenkins Kanboard plugin: https://github.com/NixOS/nixpkgs/issues/102798

ckauhaus commented 4 years ago

KeystoneJS https://github.com/NixOS/nixpkgs/issues/102800

ckauhaus commented 4 years ago

MySQL component of Oracle SQL: https://github.com/NixOS/nixpkgs/issues/102883

ckauhaus commented 4 years ago

matrix-synapse: https://github.com/NixOS/nixpkgs/issues/102901

ckauhaus commented 4 years ago

Jetbrains Scala project (plugin) https://github.com/NixOS/nixpkgs/issues/100322

ckauhaus commented 4 years ago

Styx: Java reverse proxy (https://github.com/HotelsDotCom/styx) vs static site generator: https://github.com/NixOS/nixpkgs/issues/90985

ckauhaus commented 4 years ago

HP/Aruba airwave vs Airwave media player: https://github.com/NixOS/nixpkgs/issues/99730#issuecomment-721966013

ckauhaus commented 3 years ago

diamond-0.8.36: cryptocurrency vs bioinformatics https://github.com/NixOS/nixpkgs/issues/90781

ckauhaus commented 3 years ago

connect-1.105: proxy vs Adobe product https://github.com/NixOS/nixpkgs/issues/90741

ckauhaus commented 3 years ago

unicode-2.6: nodejs vs Python lib

ckauhaus commented 3 years ago

st-0.8.3: node.js app vs. terminal emulator

ckauhaus commented 3 years ago

gatling-0.15: Jenkins plugin vs webserver

ckauhaus commented 3 years ago

fastjson-0.99.8: Java vs C library

ckauhaus commented 3 years ago

drive-0.3.8.1: Synology app vs Google drive client

ckauhaus commented 3 years ago

drill-0.6.0: Apache drill vs. Rust-based load tester

ckauhaus commented 3 years ago

gogs-0.12.3: Jenkins plugin vs standalone Go app

ckauhaus commented 3 years ago

openssl C library vs Ruby gem: https://github.com/NixOS/nixpkgs/issues/106218#issuecomment-743915799

ckauhaus commented 3 years ago

Aviatrix OpenVPN client vs. openvpn core: https://github.com/NixOS/nixpkgs/issues/106219#event-4082583275