Closed dermetfan closed 6 months ago
Store paths that appear in the closure but are also inputSrcs (from `nix show-derivation`) have no deriver and therefore cause an error. These should be excluded from the scan. I will look into this shortly.
Turns out the `derivation` field in `nix path-info --json` is already present in stable Nix. I previously stated in the description that it was added in Nix 2.4, which is incorrect. That allows us to check whether it is present and skip the path if it is not, so this PR is ready for review now.
@ckauhaus could we get this merged?
@ckauhaus 🙏
Seems @ckauhaus no longer works at Flying Circus. You "recently" committed to this repo, maybe you can have a look @delroth @mrrpdt?
Given the context, I assume that @ckauhaus is no longer active. If anybody is interested, I opened a new issue to nominate yourself as a maintainer.
This PR adds a `--closure` flag that scans the closure of an output path. Currently vulnix scans all dependencies (unless `--no-requisites` is given), so buildtime-only dependencies are included. Depending on the threat model it may be desirable to scan only runtime dependencies to avoid writing a huge whitelist.

Nix has a `deriver` field in the JSON output of `nix path-info` that I hoped we could use. Unfortunately we run into the same problem as #69, so we still have to shell out to Nix every time that path does not exist.
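The deriver check discussed in this thread, as an added example that is not vulnix's own code: it walks `nix path-info --json --recursive` output for a runtime closure and keeps only members that have a deriver, skipping inputSrcs instead of erroring. The store paths in the sample are constructed, and `closure_derivers` is a hypothetical wrapper that needs a working `nix` binary.

```python
import json
import subprocess
from typing import List, Tuple

# Constructed sample of `nix path-info --json --recursive` output.
# The tarball entry models an inputSrc: it is in the closure but has no
# deriver, which is the case that made the original scan fail.
SAMPLE_PATH_INFO = json.dumps([
    {"path": "/nix/store/aaaa-hello-2.12",
     "deriver": "/nix/store/bbbb-hello-2.12.drv", "references": []},
    {"path": "/nix/store/cccc-hello-2.12.tar.gz", "references": []},
    {"path": "/nix/store/dddd-glibc-2.35", "deriver": None, "references": []},
])


def split_closure(raw_json: str) -> Tuple[List[str], List[str]]:
    """Split `nix path-info --json` output into (derivers, skipped_paths).

    A member without a usable `deriver` (key missing, null, empty, or the
    "unknown-deriver" marker that `nix-store --query --deriver` prints) is
    treated as an inputSrc and reported in skipped_paths rather than raising.
    """
    derivers: List[str] = []
    skipped: List[str] = []
    for entry in json.loads(raw_json):
        deriver = entry.get("deriver")
        if not deriver or deriver == "unknown-deriver":
            skipped.append(entry["path"])
            continue
        derivers.append(deriver)
    return derivers, skipped


def closure_derivers(store_path: str) -> Tuple[List[str], List[str]]:
    """Hypothetical helper: ask Nix for the closure of `store_path` and
    return only the members that can be traced back to a .drv."""
    out = subprocess.run(
        ["nix", "path-info", "--json", "--recursive", store_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return split_closure(out)
```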