nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.
BSD 3-Clause "New" or "Revised" License

Add `--upgradable` option to Vulnix to show only packages for which an update exists. #82

Open Riscky opened 2 years ago

Riscky commented 2 years ago

arch-audit has an option --upgradable where it doesn't report vulnerabilities where upgrading won't fix it. Something similar would be nice for Vulnix. This would allow users to quickly see actionable upgrades.

To make this work, a user should pass two derivations to Vulnix, one based on the current nixpkgs snapshot and one based on a newer snapshot (nixpkgs-unstable for example). Vulnix should then only report vulnerabilities that appear in the first report but not in the second.

For syntax I would imagine something like vulnix current.drv --upgradable=newer.drv.
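The filtering the issue proposes, as an added example that is not vulnix code or part of the issue: a Python sketch that diffs two report files along the lines of `--upgradable`. It assumes a `vulnix --json`-style list of objects with `pname`, `version` and `affected_by` fields; every version, store path and CVE id below is a constructed placeholder.

```python
import json

# Constructed sample reports in a vulnix --json-like shape. The field names
# "pname", "version", "derivation", "affected_by" are an assumption about the
# format; versions, store paths and CVE ids are placeholders, not real data.
CURRENT_REPORT = json.loads("""[
  {"pname": "openssl", "version": "1.0.0", "derivation": "/nix/store/<hash>-openssl-1.0.0.drv",
   "affected_by": ["CVE-0000-0001", "CVE-0000-0002"], "whitelisted": []},
  {"pname": "libfoo", "version": "2.0", "derivation": "/nix/store/<hash>-libfoo-2.0.drv",
   "affected_by": ["CVE-0000-0003"], "whitelisted": []},
  {"pname": "libbar", "version": "3.1", "derivation": "/nix/store/<hash>-libbar-3.1.drv",
   "affected_by": ["CVE-0000-0004"], "whitelisted": []}
]""")
NEWER_REPORT = json.loads("""[
  {"pname": "openssl", "version": "1.0.1", "derivation": "/nix/store/<hash>-openssl-1.0.1.drv",
   "affected_by": ["CVE-0000-0002"], "whitelisted": []},
  {"pname": "libfoo", "version": "2.0", "derivation": "/nix/store/<hash>-libfoo-2.0.drv",
   "affected_by": ["CVE-0000-0003"], "whitelisted": []}
]""")


def upgradable(current, newer):
    """Keep only findings that the newer snapshot no longer reports.

    Packages are matched by pname rather than by store path or full name,
    because the version (and so the derivation hash) is exactly what changes
    between snapshots. A package missing from the newer report has none of its
    CVEs "in the second report", so all of them are listed, with
    newer_version=None so a caller can tell a fix from a removal or rename.
    """
    newer_by_pname = {e["pname"]: e for e in newer}
    result = []
    for entry in current:
        upstream = newer_by_pname.get(entry["pname"])
        still_open = set(upstream["affected_by"]) if upstream else set()
        fixed = sorted(set(entry["affected_by"]) - still_open)
        if not fixed:
            continue  # upgrading would not help: nothing actionable here
        result.append({
            "pname": entry["pname"],
            "current_version": entry["version"],
            "newer_version": upstream["version"] if upstream else None,
            "fixed": fixed,
            "remaining": sorted(set(entry["affected_by"]) & still_open),
        })
    return result


if __name__ == "__main__":  # with real files: upgradable(json.load(a), json.load(b))
    for row in upgradable(CURRENT_REPORT, NEWER_REPORT):
        print(f"{row['pname']} {row['current_version']} -> {row['newer_version']}: fixes {', '.join(row['fixed'])}")
```

In the sample data, libfoo is dropped because its only CVE is still open in the newer snapshot, which is the case `--upgradable` exists to hide.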