nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.
BSD 3-Clause "New" or "Revised" License

Scan only runtime dependencies #80

Closed dermetfan closed 6 months ago

dermetfan commented 3 years ago

This PR adds a --closure flag that scans the closure of an output path.

Currently vulnix scans all dependencies (unless --no-requisites is given) so buildtime-only dependencies are included. Depending on the threat model it may be desirable to scan only runtime dependencies to avoid writing a huge whitelist.

Nix has a deriver field in the JSON output of nix path-info that I hoped we could use. Unfortunately we run into the same problem as #69 so we still have to shell out to Nix every time that path does not exist.

dermetfan commented 3 years ago

Store paths that appear in the closure but are also inputSrcs (from nix show-derivation) have no deriver and therefore cause an error. These should be excluded from the scan. I will look into this shortly.

dermetfan commented 3 years ago

Turns out the derivation field in nix path-info --json is already present in stable Nix. I previously stated in the description that it was added in Nix 2.4 which is incorrect. That allows us to check whether it is present and skip the path if it is not, so this PR is ready for review now.
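The closure filtering described in the comments above, as an added illustration and not vulnix's own code: read `nix path-info --json -r` output for an output path's runtime closure, keep the paths that carry a deriver, and skip the inputSrcs entries that have none rather than erroring on them. The sample JSON, the two output shapes handled (list form and dict-keyed-by-path form), and all store-path names are constructed assumptions about the Nix version in use.

```python
import json
import os
import subprocess

# Constructed sample of what `nix path-info --json -r <path>` prints for a
# small closure (list form). Hashes and package names are made up.
SAMPLE_PATH_INFO = json.dumps([
    {"path": "/nix/store/aaaa-hello-2.12",
     "deriver": "/nix/store/aaaa-hello-2.12.drv",
     "references": ["/nix/store/bbbb-glibc-2.37"]},
    {"path": "/nix/store/bbbb-glibc-2.37",
     "deriver": "/nix/store/bbbb-glibc-2.37.drv",
     "references": []},
    # An inputSrcs entry: a plain source file in the closure, no deriver.
    {"path": "/nix/store/cccc-wrapper.sh", "references": []},
])


def path_info_closure_cmd(store_path):
    """Nix invocation that lists the runtime closure of `store_path` as JSON."""
    return ["nix", "path-info", "--json", "-r", store_path]


def derivers_in_closure(path_info_json):
    """Return ({closure path: deriver .drv}, [paths skipped: no deriver]).

    Accepts the list form and the newer dict-keyed-by-path form (assumed).
    Entries without a deriver (inputSrcs) are excluded instead of raising.
    """
    info = json.loads(path_info_json)
    entries = info if isinstance(info, list) else [
        dict(v, path=k) for k, v in info.items()]
    derivers, skipped = {}, []
    for entry in entries:
        deriver = entry.get("deriver")
        if deriver:
            derivers[entry["path"]] = deriver
        else:
            skipped.append(entry["path"])
    return derivers, skipped


def split_by_presence(derivers, exists=os.path.exists):
    """Separate .drv files still in the store from garbage-collected ones,
    which would need another call out to Nix to re-instantiate."""
    present = {p: d for p, d in derivers.items() if exists(d)}
    missing = {p: d for p, d in derivers.items() if not exists(d)}
    return present, missing


def runtime_closure_derivers(store_path, run=subprocess.run):
    """Shell out to Nix for the closure of `store_path` and filter it."""
    proc = run(path_info_closure_cmd(store_path), capture_output=True,
               text=True, check=True)
    return derivers_in_closure(proc.stdout)
```

`split_by_presence` takes an injectable `exists` predicate so the filtering can be exercised without a Nix store on the machine.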

disassembler commented 2 years ago

@ckauhaus could we get this merged?

domenkozar commented 2 years ago

@ckauhaus 🙏

dermetfan commented 1 year ago

Seems @ckauhaus no longer works at Flying Circus. You "recently" committed to this repo, maybe you can have a look @delroth @mrrpdt?

zimbatm commented 6 months ago

Given the context, I assume that @ckauhaus is no longer active. If anybody is interested, I opened a new issue to nominate yourself as a maintainer.