Open 06kellyjac opened 3 years ago
vulnix thinks my drv uses jetbrains hub when the drv holds https://github.com/tektoncd/hub
This is also the case for other dependencies collected by gomod2nix
```
λ vulnix ./result
22 derivations with active advisories
------------------------------------------------------------------------
bash-4.4-p23
/nix/store/ay54nhnk1md3ygj8s877d6n3721l2dyz-bash-4.4-p23.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-18276    7.8
# ...
------------------------------------------------------------------------
hub-0ae1afc
/nix/store/ni50vpsf4kclcbd8d6flk127nh8mx8pb-hub-0ae1afc.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-36209    9.8
https://nvd.nist.gov/vuln/detail/CVE-2020-11691    7.5
https://nvd.nist.gov/vuln/detail/CVE-2021-31901    7.5
https://nvd.nist.gov/vuln/detail/CVE-2019-12847    7.2
https://nvd.nist.gov/vuln/detail/CVE-2021-25759    6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-37540    6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-25757    6.1
https://nvd.nist.gov/vuln/detail/CVE-2021-37541    6.1
https://nvd.nist.gov/vuln/detail/CVE-2019-14955    5.3
https://nvd.nist.gov/vuln/detail/CVE-2019-18360    5.3
https://nvd.nist.gov/vuln/detail/CVE-2021-25760    5.3
# ...
------------------------------------------------------------------------
util-linux-2.36.2
/nix/store/2c9ab725kccddpjlxb5r8s1hxzbrjdqq-util-linux-2.36.2.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-37600    5.5

λ nix why-depends /nix/store/xkfmhy8za4jhlzk0iav0mm52wd2s4lji-vendor-env.drv /nix/store/ni50vpsf4kclcbd8d6flk127nh8mx8pb-hub-0ae1afc.drv
/nix/store/gmsm2cwync8nsnpqnwq6sg3nwfrqfwjl-vendor-env
└───github.com/tektoncd/hub/api -> /nix/store/3qa9ymxypdd5xv0jvxk4f4b9d83mv0py-hub-0ae1afc/api
    → /nix/store/3qa9ymxypdd5xv0jvxk4f4b9d83mv0py-hub-0ae1afc

λ ls -l /nix/store/gmsm2cwync8nsnpqnwq6sg3nwfrqfwjl-vendor-env/github.com/tektoncd/hub
lrwxrwxrwx root root 59 B Thu Jan  1 01:00:01 1970 api ⇒ /nix/store/3qa9ymxypdd5xv0jvxk4f4b9d83mv0py-hub-0ae1afc/api
```
Is there anything vulnix can do, or should gomod2nix just change the drv names? Or both?
I also have a buildGoModule based build; vulnix thinks it uses a vulnerable w3m during build but I can't find it.
```
λ vulnix ./result
16 derivations with active advisories
------------------------------------------------------------------------
bash-4.4-p23
/nix/store/ay54nhnk1md3ygj8s877d6n3721l2dyz-bash-4.4-p23.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-18276    7.8
------------------------------------------------------------------------
binutils-2.35.1
/nix/store/z4sfszir1p0077xw55bki07yjshymcs9-binutils-2.35.1.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-20294    7.8
https://nvd.nist.gov/vuln/detail/CVE-2021-3487     6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-20284    5.5
# ...
------------------------------------------------------------------------
w3m-0.5.3+git20190105
/nix/store/h0j15nrdh0y9yng5ylg3qm1427j9ky1y-w3m-0.5.3+git20190105.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2016-9422     8.8
# ...
https://nvd.nist.gov/vuln/detail/CVE-2016-9633     6.5

λ nix why-depends ./result /nix/store/h0j15nrdh0y9yng5ylg3qm1427j9ky1y-w3m-0.5.3+git20190105.drv
this path will be fetched (0.73 MiB download, 1.69 MiB unpacked):
  /nix/store/hvq53cdwdbmkd26y5qh0lgwgzy3sbqfi-w3m-0.5.3+git20190105
'/nix/store/ly9bhnp0lmc7n76ks0vgarildp49pwy9-tkn-utils-0.0.1' does not depend on '/nix/store/hvq53cdwdbmkd26y5qh0lgwgzy3sbqfi-w3m-0.5.3+git20190105'

# done a manual search too
nix show-derivation ./result -r | bat -l json
```
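The reports above are matched on derivation names, so a package called `hub` collects the advisories of every product named "hub" in the CVE feed. Triage of such a report is a routine task for whoever maintains the build, so here is an added example (not code from vulnix, gomod2nix, or the issue author) that parses the vulnix text report, derives the Nix `pname` from each derivation name the way `parseDrvName` does (the name ends at the first `-` followed by a non-letter), and emits a whitelist for the entries a reviewer has confirmed as name collisions. The sample report is a constructed, trimmed copy of the shape shown above; the whitelist section format (`["name"]` with a `comment` key) is assumed from vulnix's documentation, not taken from this issue.

```python
"""Parse a vulnix text report, group advisories per derivation, and write a
vulnix-style whitelist for confirmed name-collision false positives."""
import re

# Constructed sample: a trimmed report in the layout vulnix prints.
SAMPLE_REPORT = """\
3 derivations with active advisories
------------------------------------------------------------------------
bash-4.4-p23
/nix/store/ay54nhnk1md3ygj8s877d6n3721l2dyz-bash-4.4-p23.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-18276    7.8
------------------------------------------------------------------------
hub-0ae1afc
/nix/store/ni50vpsf4kclcbd8d6flk127nh8mx8pb-hub-0ae1afc.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-36209    9.8
https://nvd.nist.gov/vuln/detail/CVE-2020-11691    7.5
------------------------------------------------------------------------
util-linux-2.36.2
/nix/store/2c9ab725kccddpjlxb5r8s1hxzbrjdqq-util-linux-2.36.2.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-37600    5.5
"""

SECTION_SEPARATOR = re.compile(r"(?m)^-{20,}\s*$")
CVE_LINE = re.compile(
    r"^https://nvd\.nist\.gov/vuln/detail/(CVE-\d{4}-\d+)\s+(\d+(?:\.\d+)?)$"
)


def parse_report(text):
    """Return {derivation_name: {"drv": store_path, "cves": {CVE-id: cvss}}}.

    Each section starts with the derivation name, then the .drv path, then a
    header line and one advisory URL per line with its CVSSv3 score."""
    findings = {}
    for block in SECTION_SEPARATOR.split(text)[1:]:  # [0] is the summary line
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        name, drv = lines[0], lines[1]
        cves = {}
        for line in lines[2:]:
            match = CVE_LINE.match(line)
            if match:
                cves[match.group(1)] = float(match.group(2))
        findings[name] = {"drv": drv, "cves": cves}
    return findings


def pname(drv_name):
    """Strip the version like Nix's parseDrvName: the name ends at the first
    '-' whose next character is not a letter ("util-linux-2.36.2" -> "util-linux")."""
    for i, ch in enumerate(drv_name):
        if ch == "-" and i + 1 < len(drv_name) and not drv_name[i + 1].isalpha():
            return drv_name[:i]
    return drv_name


def build_whitelist(findings, false_positives):
    """Render TOML sections for reviewed false positives.

    false_positives maps a derivation name from the report to the reviewer's
    reason.  The section shape (["name"] plus a comment key) is an assumption
    about vulnix's whitelist format, not something this issue states."""
    out = []
    for name, reason in false_positives.items():
        if name not in findings:
            raise KeyError(f"{name} is not in the report; refusing to whitelist it")
        out.append(f'["{name}"]')
        out.append(f'comment = "{reason} (pname {pname(name)}, '
                   f'{len(findings[name]["cves"])} advisories suppressed)"')
        out.append("")
    return "\n".join(out)


def remaining(findings, false_positives):
    """Findings still needing attention, sorted by highest CVSS first."""
    kept = {n: f for n, f in findings.items() if n not in false_positives}
    return sorted(kept, key=lambda n: -max(kept[n]["cves"].values(), default=0.0))


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    reviewed = {"hub-0ae1afc": "github.com/tektoncd/hub, not JetBrains Hub"}
    print(build_whitelist(report, reviewed))
    for name in remaining(report, reviewed):
        print(name, pname(name), max(report[name]["cves"].values()))
```

Whitelisting by full derivation name rather than by `pname` keeps the suppression pinned to the revision that was actually reviewed, so a bumped `hub` derivation shows up again and gets looked at instead of inheriting an old decision.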
I am indeed encountering similar issues with, e.g., shellcheck being mistaken for the shellcheck unofficial extension for VS Code.