Closed brianmcgee closed 1 year ago
@henrirosten
Few issues I think we need to address before we merge this. I noticed vulnix and nix-visualize are no longer in the $PATH after this change, which makes vulnxscan and nix_outdated fail.
Fixed in https://github.com/tiiuae/sbomnix/pull/92/commits/f61703c4458d593b9153003c4ab09c4799662fce
@henrirosten the nix run issues are resolved in https://github.com/tiiuae/sbomnix/pull/92/commits/fbe307d15908d7e13fbd827c33d6155c6aa469c3.
There were some packages missing in setup.py.
❯ nix run github:brianmcgee/sbomnix/fbe307d15908d7e13fbd827c33d6155c6aa469c3#nix_outdated -- $(nix build --print-out-paths nixpkgs#graphviz)
INFO Checking runtime dependencies referenced by '/nix/store/7v2hwwxhfklcp2plkw23qh7ak8baq9l9-graphviz-7.1.0'
INFO Generating SBOM for target '/nix/store/7v2hwwxhfklcp2plkw23qh7ak8baq9l9-graphviz-7.1.0'
INFO Loading runtime dependencies referenced by '/nix/store/7v2hwwxhfklcp2plkw23qh7ak8baq9l9-graphviz-7.1.0'
INFO Using SBOM '/tmp/nixdeps_91fskes_.cdx.json'
INFO Running repology_cli
INFO Using repology out: '/tmp/repology_8gjhdj5m.csv'
INFO Running nix-visualize
INFO Using nix-visualize out: '/tmp/nix-visualize_ohswb3jc.csv'
INFO Writing console report
INFO Dependencies that need update in nixpkgs (in priority order based on how many other packages depend on the potentially outdated package):
| priority | nix_package | version_local | version_nixpkgs | version_upstream |
|------------+---------------+-----------------+-------------------+--------------------|
| 7 | gcc | 12.2.0 | 12.3.0 | 13.2.0;13.2 |
| 7 | xz | 5.4.3 | 5.4.4 | 5.4.5 |
| 7 | libdeflate | 1.18 | 1.18 | 1.19 |
| 7 | libjpeg-turbo | 2.1.5.1 | 2.1.5.1 | 3.0.1 |
| 6 | libunwind | 1.6.2 | 1.6.2 | 1.7.2 |
| 6 | tiff | 4.5.1 | 4.5.1 | 4.6.0 |
| 5 | openexr | 2.5.8 | 2.5.8 | 3.2.1 |
| 5 | openexr | 2.5.8 | 3.2.0 | 3.2.1 |
| 5 | gperftools | 2.10 | 2.10 | 2.13;2.13.0 |
| 4 | libselinux | 3.3 | 3.3 | 3.5 |
| 3 | glib | 2.76.2 | 2.76.4 | 2.78.1 |
| 3 | libglvnd | 1.6.0 | 1.6.0 | 1.7.0 |
| 3 | dav1d | 1.2.0 | 1.2.1 | 1.3.0 |
| 2 | harfbuzz | 7.2.0 | 7.3.0 | 8.2.2 |
INFO Wrote: nix_outdated.csv
❯ nix run github:brianmcgee/sbomnix/fbe307d15908d7e13fbd827c33d6155c6aa469c3#repology_cli -- --pkg_search 'firef' --repository 'nix_unstable'
INFO GET: https://repology.org/projects/?search=firef&inrepo=nix_unstable
INFO Repology package info, packages:20
| repo | package | version | status | potentially_vulnerable | newest_upstream_release | repo_version_classify |
|--------------+--------------------------------------------------------+-----------------------+-----------+--------------------------+---------------------------+-------------------------|
| nix_unstable | emacs:exwm-firefox-core | 20190812.2110 | newest | 0 | 20190812.2110 | |
| nix_unstable | emacs:exwm-firefox-evil | 20231026.309 | newest | 0 | | |
| nix_unstable | emacs:firefox-javascript-repl | 0.9.5 | newest | 0 | 0.9.5 | |
| nix_unstable | emacs:helm-firefox | 20220420.1346 | untrusted | 0 | 1.3 | |
| nix_unstable | faust2firefox | 2.59.6 | unique | 0 | | |
| nix_unstable | firefly-desktop | 2.1.8 | newest | 0 | 2.1.8 | |
| nix_unstable | firefox | 115-unwrapped-115.4.0 | legacy | 1 | 119.0.1 | |
| nix_unstable | firefox | 115.4.0 | legacy | 1 | 119.0.1 | |
| nix_unstable | firefox | 118.0b9 | outdated | 1 | 119.0.1 | repo_pkg_needs_update |
| nix_unstable | firefox | 119.0 | outdated | 0 | 119.0.1 | repo_pkg_needs_update |
| nix_unstable | firefox | 119.0b6 | outdated | 1 | 119.0.1 | repo_pkg_needs_update |
| nix_unstable | firefox | 119.0b9 | legacy | 1 | 119.0.1 | |
| nix_unstable | firefox | 119.0b9 | outdated | 1 | 119.0.1 | repo_pkg_needs_update |
| nix_unstable | firefox-decrypt | 1.1.0 | newest | 0 | | |
| nix_unstable | gnome:firefox-pip-always-on-top | 4 | unique | 0 | | |
| nix_unstable | haskell:firefly | 0.2.1.0 | newest | 0 | 0.2.1.0 | |
| nix_unstable | haskell:firefly-example | 0.1.0.0 | newest | 0 | 0.1.0.0 | |
| nix_unstable | himitsu-firefox | 0.3 | outdated | 0 | 0.4 | repo_pkg_needs_update |
| nix_unstable | python:fireflyalgorithm | 0.3.4 | outdated | 0 | 0.4.1 | repo_pkg_needs_update |
| nix_unstable | vscode-extension-firefox-devtools-vscode-firefox-debug | 2.9.10 | unique | 0 | | |
For more details, see: https://repology.org/projects/?search=firef&inrepo=nix_unstable
INFO Wrote: repology_report.csv
❯ nix run github:brianmcgee/sbomnix/fbe307d15908d7e13fbd827c33d6155c6aa469c3#repology_cve -- openssl 3.1.0
INFO GET: https://repology.org/project/openssl/cves?version=3.1.0
INFO Repology affected CVE(s)
| package | version | cve |
|-----------+-----------+---------------|
| openssl | 3.1.0 | CVE-2023-0464 |
| openssl | 3.1.0 | CVE-2023-0465 |
| openssl | 3.1.0 | CVE-2023-0466 |
| openssl | 3.1.0 | CVE-2023-1255 |
| openssl | 3.1.0 | CVE-2023-2650 |
| openssl | 3.1.0 | CVE-2023-2975 |
| openssl | 3.1.0 | CVE-2023-3446 |
| openssl | 3.1.0 | CVE-2023-3817 |
| openssl | 3.1.0 | CVE-2023-4807 |
| openssl | 3.1.0 | CVE-2023-5363 |
INFO Wrote: repology_cves.csv
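Added example (not sbomnix's own code): a small triage helper for the nix_outdated console table above. It splits each row into "the newer version is already in nixpkgs, so rebuilding picks it up" versus "nixpkgs itself lags upstream, so a nixpkgs bump is needed"; the rows are constructed from the output shown in this thread.

```python
# Added example, not part of sbomnix: triage rows of the nix_outdated report.
import re

# Constructed sample: a subset of the console table printed above.
SAMPLE_ROWS = """
| 7 | gcc | 12.2.0 | 12.3.0 | 13.2.0;13.2 |
| 7 | libdeflate | 1.18 | 1.18 | 1.19 |
| 7 | libjpeg-turbo | 2.1.5.1 | 2.1.5.1 | 3.0.1 |
| 5 | openexr | 2.5.8 | 3.2.0 | 3.2.1 |
""".strip().splitlines()


def parse_version(text):
    """Turn '12.3.0' into (12, 3, 0); for ';'-separated lists take the highest."""
    best = ()
    for candidate in text.split(";"):
        parts = tuple(int(p) for p in re.findall(r"\d+", candidate))
        best = max(best, parts)
    return best


def classify(local, nixpkgs, upstream):
    """Say where the newer version lives relative to the scanned closure."""
    l, n, u = (parse_version(v) for v in (local, nixpkgs, upstream))
    flags = []
    if n > l:
        flags.append("newer in nixpkgs")       # rebuild against current nixpkgs
    if u > n:
        flags.append("nixpkgs lags upstream")  # needs a version bump in nixpkgs
    return ", ".join(flags) or "current"


def triage(rows):
    """Map nix_package -> (priority, classification) from '|'-separated rows."""
    result = {}
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        priority, pkg, local, nixpkgs, upstream = cells
        result[pkg] = (int(priority), classify(local, nixpkgs, upstream))
    return result


if __name__ == "__main__":
    for pkg, (prio, verdict) in triage(SAMPLE_ROWS).items():
        print(f"{prio} {pkg}: {verdict}")
```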
- `nix fmt` which enables the following: `.nix` files
- `reuse-lint` to check for copyright header issues when running `nix flake check`
- `devShells.default` output
- `.envrc` file for direnv users to automatically drop into the default dev shell when cd'ing into the repo
- `sbomnix` derivation as they shared the same source and dependencies