Checking and dealing with CVEs

Due to another round of OpenSSH fun I looked into the security scanning side of NixOS. Running vulnix reported quite a few CVEs for a recent stable system. Actually so many that I am now wondering how to deal with the situation.

Quite a few packages where I am surprised they are installed (on a server).

What is your process of keeping your systems secure?

$ vulnix --system
47 derivations with active advisories

------------------------------------------------------------------------
ShellCheck-0.10.0

/nix/store/aj58bwfcqjh0gwifmaa7jmhrxxkj0n40-ShellCheck-0.10.0.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-28794    9.8

------------------------------------------------------------------------
async-2.2.5

/nix/store/2qbx9zqliadh0njjrb0xfibfw2p248m5-async-2.2.5.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-43138    7.8

------------------------------------------------------------------------
async-2.2.5-r1.cabal

/nix/store/qn2i9pprsvbq20z8r321b9lch9g818r5-async-2.2.5-r1.cabal.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-43138    7.8

------------------------------------------------------------------------
avahi-0.8

/nix/store/vl55r915cj4frfaxf5d90nxy17xywqn4-avahi-0.8.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-26720    7.8

------------------------------------------------------------------------
bind-9.18.27

/nix/store/lxzrk4yjsipm38jfmkad32nlxzk5ilzc-bind-9.18.27.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-6470     7.5

------------------------------------------------------------------------
busybox-1.36.1

/nix/store/ryjdx5vlh6nv2g8jqd5ifr1n4s47pj4d-busybox-1.36.1.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-42363    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-42364    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-42365    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-42366    5.5

------------------------------------------------------------------------
cereal-0.5.8.3

/nix/store/qpr6wwi2zv6vjkh9ymrpymnh9i9i4kbg-cereal-0.5.8.3.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2020-11105    9.8
https://nvd.nist.gov/vuln/detail/CVE-2020-11104    5.3

------------------------------------------------------------------------
commonmark-0.2.6

/nix/store/bj8wfngdhqnj01621fxmb8sm3pgbkm0l-commonmark-0.2.6.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-10010    6.1

------------------------------------------------------------------------
cups-2.4.8

/nix/store/20y2yzfsms42mwk49z6mik5rj64mn05y-cups-2.4.8.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-26691    6.7

------------------------------------------------------------------------
dbus-1

/nix/store/mc2p5jnr8p463ahp8hym771b2igxk8d7-dbus-1.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-12749    7.1
https://nvd.nist.gov/vuln/detail/CVE-2022-42010    6.5
https://nvd.nist.gov/vuln/detail/CVE-2022-42011    6.5
https://nvd.nist.gov/vuln/detail/CVE-2022-42012    6.5

------------------------------------------------------------------------
flex-2.6.4

/nix/store/zyszm05448dxzazj8iz23q7cdjdvlzix-flex-2.6.4.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-6293     5.5

------------------------------------------------------------------------
fuse-2.9.9

/nix/store/mw5xqzykhxx1if91l97iby0fr116h00v-fuse-2.9.9.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-14860    6.5
https://nvd.nist.gov/vuln/detail/CVE-2019-14900    6.5

------------------------------------------------------------------------
fuse-2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9

/nix/store/ajwfxppx403h691hphpxasn14am3wlmf-fuse-2.9.9-closefrom-glibc-2-34.patch?id=8a970396fca7aca2d5a761b8e7a8242f1eef14c9.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-14860    6.5
https://nvd.nist.gov/vuln/detail/CVE-2019-14900    6.5

------------------------------------------------------------------------
fuse-3.16.2

/nix/store/d40zx2xijjkh5sr6yjq172x512d2k94p-fuse-3.16.2.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-14860    6.5
https://nvd.nist.gov/vuln/detail/CVE-2019-14900    6.5

------------------------------------------------------------------------
gcc-13.2.0

/nix/store/j01i6ixs5n6vg1my63m9rn7q2wsila22-gcc-13.2.0.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-4039     4.8

------------------------------------------------------------------------
git-2.44.1

/nix/store/fsk5v9khc379nnf8h9ghvx6ccnhfbvm3-git-2.44.1.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-36882    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-30947    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-36883    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-38663    6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-21684    6.1
https://nvd.nist.gov/vuln/detail/CVE-2020-2136     5.4
https://nvd.nist.gov/vuln/detail/CVE-2022-36884    5.3
https://nvd.nist.gov/vuln/detail/CVE-2019-1003010  4.3

------------------------------------------------------------------------
go-1.21.0-linux-amd64-bootstrap

/nix/store/iw77rhr8kd2wwhj997d8phbrkw1nxnm1-go-1.21.0-linux-amd64-bootstrap.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-39320    9.8
https://nvd.nist.gov/vuln/detail/CVE-2024-24790    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-39323    8.1
https://nvd.nist.gov/vuln/detail/CVE-2023-39321    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-39322    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-39325    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-44487    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-39318    6.1
https://nvd.nist.gov/vuln/detail/CVE-2023-39319    6.1
https://nvd.nist.gov/vuln/detail/CVE-2024-24789    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-49292    4.8

------------------------------------------------------------------------
go-1.22.4

/nix/store/17r606xxjy6j3dpli04x3d7q4b7qm3hm-go-1.22.4.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-49292    4.8

------------------------------------------------------------------------
hedgehog-1.4

/nix/store/s9r9bw3dgpk7jw7lym6y4y2ajrp4i357-hedgehog-1.4.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-4276     8.8

------------------------------------------------------------------------
hedgehog-1.4-r5.cabal

/nix/store/nf6m71sdfrn5g0j84xkskv647xzgphf7-hedgehog-1.4-r5.cabal.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-4276     8.8

------------------------------------------------------------------------
http-client-0.7.17

/nix/store/l3fn5sf66j3h22a0p7dmyr2glswfajnp-http-client-0.7.17.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2020-11021    7.5

------------------------------------------------------------------------
jbig2dec-0.20

/nix/store/xwdbnf22n4a6794gf9a9vhkg9f9i3q8z-jbig2dec-0.20.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-46361    6.5

------------------------------------------------------------------------
network-3.1.4.0

/nix/store/0fi41mvyn9i3pgx3h4wxr3scv5d2q7w3-network-3.1.4.0.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-35048    9.8
https://nvd.nist.gov/vuln/detail/CVE-2021-35047    8.8
https://nvd.nist.gov/vuln/detail/CVE-2021-35049    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24388    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24389    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24390    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24391    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24392    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24393    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24394    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-0486     7.8
https://nvd.nist.gov/vuln/detail/CVE-2022-0997     7.8
https://nvd.nist.gov/vuln/detail/CVE-2021-35050    7.5

------------------------------------------------------------------------
network-3.1.4.0-r1.cabal

/nix/store/x4ql5grnn2s5inlvsb02bdc21ab3h1rl-network-3.1.4.0-r1.cabal.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-35048    9.8
https://nvd.nist.gov/vuln/detail/CVE-2021-35047    8.8
https://nvd.nist.gov/vuln/detail/CVE-2021-35049    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24388    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24389    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24390    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24391    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24392    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24393    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-24394    8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-0486     7.8
https://nvd.nist.gov/vuln/detail/CVE-2022-0997     7.8
https://nvd.nist.gov/vuln/detail/CVE-2021-35050    7.5

------------------------------------------------------------------------
ninja-1.11.1

/nix/store/za62q0xaqmiy6g5yl2xvjxchbvyww6pr-ninja-1.11.1.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-4336     9.8

------------------------------------------------------------------------
patch-2.7.6

/nix/store/frds4szcmrgzzkvws3dybv96f34hlli5-patch-2.7.6.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2019-20633    5.5

------------------------------------------------------------------------
pip-20.3.4-source

/nix/store/zhkh91w1h1nawbgifsbh3hb98sqs3f80-pip-20.3.4-source.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-3572     5.7
https://nvd.nist.gov/vuln/detail/CVE-2023-5752     3.3

------------------------------------------------------------------------
procps-3.3.17-binlore

/nix/store/y3r751xcflsr9kdg0hc8hvyzdbkvbybh-procps-3.3.17-binlore.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-4016     3.3

------------------------------------------------------------------------
python-2.7.18.8

/nix/store/x559b30yb9khvdd5z24pkzxg9xql80dp-python-2.7.18.8.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-48565    9.8
https://nvd.nist.gov/vuln/detail/CVE-2019-9674     7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-0391     7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-45061    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-48560    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-24329    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-36632    7.5
https://nvd.nist.gov/vuln/detail/CVE-2022-26488    7.0
https://nvd.nist.gov/vuln/detail/CVE-2021-3733     6.5
https://nvd.nist.gov/vuln/detail/CVE-2022-48564    6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-23336    5.9
https://nvd.nist.gov/vuln/detail/CVE-2022-48566    5.9
https://nvd.nist.gov/vuln/detail/CVE-2023-40217    5.3

------------------------------------------------------------------------
quote-1.0.35

/nix/store/m6x27h01f8bfwk4wdybxflizqv8caxb6-quote-1.0.35.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2020-16194    5.3

------------------------------------------------------------------------
rubygems-3.5.9

/nix/store/r4pviwcrcfkz44rfi96fbzi6wnr7avhh-rubygems-3.5.9.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-36073    8.8

------------------------------------------------------------------------
safe-0.3.21

/nix/store/qh3mmpi0mz4ks3jx5d6zlcyr3s0kmi7h-safe-0.3.21.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-28872    8.8
https://nvd.nist.gov/vuln/detail/CVE-2019-11644    7.8
https://nvd.nist.gov/vuln/detail/CVE-2022-38164    6.5
https://nvd.nist.gov/vuln/detail/CVE-2022-47524    5.4
https://nvd.nist.gov/vuln/detail/CVE-2021-44751    5.3
https://nvd.nist.gov/vuln/detail/CVE-2021-40834    4.3
https://nvd.nist.gov/vuln/detail/CVE-2021-40835    4.3
https://nvd.nist.gov/vuln/detail/CVE-2022-28868    4.3
https://nvd.nist.gov/vuln/detail/CVE-2022-28869    4.3
https://nvd.nist.gov/vuln/detail/CVE-2022-28870    4.3
https://nvd.nist.gov/vuln/detail/CVE-2022-28873    4.3
https://nvd.nist.gov/vuln/detail/CVE-2021-33596    4.1
https://nvd.nist.gov/vuln/detail/CVE-2021-33594    3.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33595    3.5
https://nvd.nist.gov/vuln/detail/CVE-2022-38163    3.5

------------------------------------------------------------------------
safe-0.3.21-r1.cabal

/nix/store/czck8x3gxpymkkqyaqsl3xr65aym6xj4-safe-0.3.21-r1.cabal.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-28872    8.8
https://nvd.nist.gov/vuln/detail/CVE-2019-11644    7.8
https://nvd.nist.gov/vuln/detail/CVE-2022-38164    6.5
https://nvd.nist.gov/vuln/detail/CVE-2022-47524    5.4
https://nvd.nist.gov/vuln/detail/CVE-2021-44751    5.3
https://nvd.nist.gov/vuln/detail/CVE-2021-40834    4.3
https://nvd.nist.gov/vuln/detail/CVE-2021-40835    4.3
https://nvd.nist.gov/vuln/detail/CVE-2022-28868    4.3
https://nvd.nist.gov/vuln/detail/CVE-2022-28869    4.3
https://nvd.nist.gov/vuln/detail/CVE-2022-28870    4.3
https://nvd.nist.gov/vuln/detail/CVE-2022-28873    4.3
https://nvd.nist.gov/vuln/detail/CVE-2021-33596    4.1
https://nvd.nist.gov/vuln/detail/CVE-2021-33594    3.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33595    3.5
https://nvd.nist.gov/vuln/detail/CVE-2022-38163    3.5

------------------------------------------------------------------------
sassc-3.6.2

/nix/store/jm82bn4fvdlc65x9rvw5wr0igpkv9r4m-sassc-3.6.2.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-43357    7.5

------------------------------------------------------------------------
setuptools-44.0.0-source

/nix/store/7g2vxzv3hhsp4g8m3hzwbvwi8l0jky5c-setuptools-44.0.0-source.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-40897    5.9

------------------------------------------------------------------------
unzip-6.0

/nix/store/4gp5qp80j5k1vhabmnwa4q3vnnav43ss-unzip-6.0.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-4217     3.3

------------------------------------------------------------------------
vault-0.3.1.5

/nix/store/gpvq91w9jcw74kmqzsra2hflp2j9qrhf-vault-0.3.1.5.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-24999    8.1
https://nvd.nist.gov/vuln/detail/CVE-2020-13223    7.5
https://nvd.nist.gov/vuln/detail/CVE-2021-27400    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-6337     7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-0620     6.7
https://nvd.nist.gov/vuln/detail/CVE-2023-0665     6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-41802    5.4
https://nvd.nist.gov/vuln/detail/CVE-2023-2121     5.4
https://nvd.nist.gov/vuln/detail/CVE-2020-25594    5.3
https://nvd.nist.gov/vuln/detail/CVE-2021-3024     5.3
https://nvd.nist.gov/vuln/detail/CVE-2021-38554    5.3
https://nvd.nist.gov/vuln/detail/CVE-2022-41316    5.3
https://nvd.nist.gov/vuln/detail/CVE-2023-25000    4.7

------------------------------------------------------------------------
vault-0.3.1.5-r6.cabal

/nix/store/zbvzqsv7rb1bz07bmbqq3f2ms0ll9rkd-vault-0.3.1.5-r6.cabal.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-24999    8.1
https://nvd.nist.gov/vuln/detail/CVE-2020-13223    7.5
https://nvd.nist.gov/vuln/detail/CVE-2021-27400    7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-6337     7.5
https://nvd.nist.gov/vuln/detail/CVE-2023-0620     6.7
https://nvd.nist.gov/vuln/detail/CVE-2023-0665     6.5
https://nvd.nist.gov/vuln/detail/CVE-2021-41802    5.4
https://nvd.nist.gov/vuln/detail/CVE-2023-2121     5.4
https://nvd.nist.gov/vuln/detail/CVE-2020-25594    5.3
https://nvd.nist.gov/vuln/detail/CVE-2021-3024     5.3
https://nvd.nist.gov/vuln/detail/CVE-2021-38554    5.3
https://nvd.nist.gov/vuln/detail/CVE-2022-41316    5.3
https://nvd.nist.gov/vuln/detail/CVE-2023-25000    4.7

------------------------------------------------------------------------
warp-3.3.31

/nix/store/ddsv0f5gb36aq34c940jh9zdhvdrihpc-warp-3.3.31.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-3320     9.8
https://nvd.nist.gov/vuln/detail/CVE-2022-3512     8.8
https://nvd.nist.gov/vuln/detail/CVE-2022-4428     8.0
https://nvd.nist.gov/vuln/detail/CVE-2022-2145     7.8
https://nvd.nist.gov/vuln/detail/CVE-2022-2225     7.8
https://nvd.nist.gov/vuln/detail/CVE-2023-0652     7.8
https://nvd.nist.gov/vuln/detail/CVE-2023-1412     7.8
https://nvd.nist.gov/vuln/detail/CVE-2023-1862     7.3
https://nvd.nist.gov/vuln/detail/CVE-2023-2754     6.8
https://nvd.nist.gov/vuln/detail/CVE-2022-4457     5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-0238     5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-0654     3.7

------------------------------------------------------------------------
wheel-0.37.1-source

/nix/store/wyl87p0rzyr5g704in3qrlv6c5lqxs6h-wheel-0.37.1-source.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-40898    7.5

------------------------------------------------------------------------
yaml-0.11.11.2

/nix/store/fda3cmkg6h90g4fim34cyv4q03w1z0j1-yaml-0.11.11.2.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-3064     7.5
https://nvd.nist.gov/vuln/detail/CVE-2021-4235     5.5

------------------------------------------------------------------------
yaml-0.11.11.2-r2.cabal

/nix/store/wbiapj5jlpasvwa5faszmxfcyfzhmpj8-yaml-0.11.11.2-r2.cabal.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-3064     7.5
https://nvd.nist.gov/vuln/detail/CVE-2021-4235     5.5

------------------------------------------------------------------------
yara-4.5.0

/nix/store/6799dc1i8vgginii2dicypjnpki4jjl1-yara-4.5.0.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-45429    5.5

------------------------------------------------------------------------
yasm-1.3.0

/nix/store/5dy6p2pdj9fw2kag5g35hh9cna00z499-yasm-1.3.0.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2021-33454    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33455    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33456    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33457    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33458    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33459    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33460    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33461    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33462    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33463    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33464    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33465    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33466    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33467    5.5
https://nvd.nist.gov/vuln/detail/CVE-2021-33468    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-30402    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-31972    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-31973    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-31974    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-51258    5.5
https://nvd.nist.gov/vuln/detail/CVE-2023-31975    3.3

------------------------------------------------------------------------
zlib-0.6.3.0

/nix/store/g6qkwsmq3y8phcmc19rmmjvmp7iwq29q-zlib-0.6.3.0.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-37434    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-45853    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-6992     5.5

------------------------------------------------------------------------
zlib-0.6.3.0-r4.cabal

/nix/store/zhdh31qvjr8mfhgn6cxa3ylcc7nf9xb2-zlib-0.6.3.0-r4.cabal.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2022-37434    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-45853    9.8
https://nvd.nist.gov/vuln/detail/CVE-2023-6992     5.5

------------------------------------------------------------------------
zlib-1.3.1

/nix/store/j3a72wky3aga4hf51jfqmpzwffgz3zw9-zlib-1.3.1.drv
CVE                                                CVSSv3
https://nvd.nist.gov/vuln/detail/CVE-2023-6992     5.5
3 Likes

Updating your system regularly and potentially reporting vulnerabilities you find upstream to nixpkgs, even updating and backporting them if you’re up for it.

Also limiting my attack surface as much as possible, auditing and ensuring everything is a bit unrealistic, but before introducing new software to my boxes I at least consider whether the software is maintained in a way I consider somewhat trustworthy, and what the impact of them having issues could mean long term.

Looking at some of these, if you’re on latest stable, I’d be surprised if this list would still be as large (but it would be interesting if it was) >_>

Updating your system regularly and potentially reporting vulnerabilities you find upstream to nixpkgs, even updating and backporting them if you’re up for it.

All done manually?

Well, it’s a fresh install of stable from about 3 weeks ago. And updated yesterday.

Unless I am missing something - yes, I am also a little surprised.

Since I remember seeing an update to yara work through a few months ago I’m surprised to see a 2021 CVE still listed and decided to take a look:

The NIST page links to this upstream issue Possible insecure pointer conversion in yr_set_configuration() leading to global-buffer-overflow · Issue #1616 · VirusTotal/yara · GitHub reported on Dec 15 2021 and closed 5 days later by Fix issue #1616 by plusvic · Pull Request #1621 · VirusTotal/yara · GitHub.

The commit it landed in (Fix issue #1616 (#1621) · VirusTotal/yara@a36b497 · GitHub) is listed as being present since 4.2.0.

I’m not super familiar with how CVEs work, but I’m guessing this has to do with the version-matching spec listed under the known affected software configurations section, which doesn’t appear to be well-specified.

Hopefully someone more familiar with how vulnix does this can weigh in, but this one spot-check leaves me a little skeptical re: how many of the older CVEs will still be active/accurate (at least if the project has been cutting releases since they were reported).

3 Likes

I mean I guess, it’s rare that I personally encounter anything vulnerable so it’s not usually that big of a hassle. That said, it seems vulnix gives a lot of false positives, so not sure how useful it is…

3 Likes

fwiw we used it as part of CI pipeline on my previous employer until we eventually gave up on it since there’s a very high amount of actual issues. False-positives include

  • wrongly matched packages(!)
  • platform-dependent stuff (e.g. Windows-only CVEs on stuff we also have packaged).
  • broken or flat out wrong version ranges (I don’t recall an actual standard for that fwiw).

Until a while ago somebody maintained a large list of false-positives: https://github.com/ckauhaus/nixos-vulnerability-roundup/blob/de14c81bfebf6faebd492b989e81db0e33f2843a/whitelists/nixos-21.11.toml

That said, are you actually using ShellCheck in your runtime closure? Wild guess, but perhaps you’re actually checking your build-closure here. I’d argue having async-2.2.5 & .cabal is an indicator for that (and both referencing the same CVE fwiw).

6 Likes
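To make the version-range point from the last two posts concrete, here is an added example (written for this thread, not vulnix's own matching code): it evaluates a package version against NVD-style cpeMatch entries and shows how an entry with no version bounds keeps flagging releases that already contain the fix, and how ignoring the CPE vendor field produces the "wrongly matched packages" case. The cpeMatch entries are constructed samples in NVD's shape, not real advisory data.

```python
"""Evaluate a scanner hit against NVD-style "known affected software
configurations". Example code added for this thread, not vulnix's code.
The cpeMatch entries below are constructed samples in the shape NVD
publishes (a CPE 2.3 'criteria' string plus optional versionStart*/
versionEnd* bounds); they are not real advisory data."""
import re


def parse_version(text):
    """'4.5.0' -> (4, 5, 0); a non-numeric tail such as the '-r1' Hackage
    revision suffix seen in the vulnix listing is ignored."""
    parts = []
    for tok in re.split(r"[.\-]", text):
        m = re.match(r"\d+", tok)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a, b):
    """-1, 0 or 1; tuples are zero-padded so that 4.2 == 4.2.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def split_cpe(criteria):
    """(vendor, product, version) from 'cpe:2.3:a:vendor:product:version:...'."""
    fields = criteria.split(":")
    return fields[3], fields[4], fields[5]


def match_entry(entry, vendor, product, version, strict_vendor=True):
    """Classify one cpeMatch entry against a package version:
    'no'        different product/vendor, or version outside the bounds;
    'bounded'   inside explicit bounds or equal to an exact CPE version,
                i.e. a genuine hit for this version;
    'unbounded' product named with no version constraint, so the entry
                flags every release, fixed ones included (the stale-CVE
                pattern the yara spot-check above ran into)."""
    c_vendor, c_product, c_version = split_cpe(entry["criteria"])
    if c_product != product or (strict_vendor and c_vendor != vendor):
        return "no"
    v = parse_version(version)
    if c_version not in ("*", "-"):          # exact version in the CPE itself
        return "bounded" if compare(v, parse_version(c_version)) == 0 else "no"
    keys = ("versionStartIncluding", "versionStartExcluding",
            "versionEndIncluding", "versionEndExcluding")
    bounds = {k: parse_version(entry[k]) for k in keys if k in entry}
    if not bounds:
        return "unbounded"
    if "versionStartIncluding" in bounds and compare(v, bounds["versionStartIncluding"]) < 0:
        return "no"
    if "versionStartExcluding" in bounds and compare(v, bounds["versionStartExcluding"]) <= 0:
        return "no"
    if "versionEndIncluding" in bounds and compare(v, bounds["versionEndIncluding"]) > 0:
        return "no"
    if "versionEndExcluding" in bounds and compare(v, bounds["versionEndExcluding"]) >= 0:
        return "no"
    return "bounded"


def triage(entries, vendor, product, version, strict_vendor=True):
    """'hit' (version provably in range), 'review' (only unbounded entries
    matched: verify against the fix commit by hand) or 'clear'."""
    verdicts = {match_entry(e, vendor, product, version, strict_vendor)
                for e in entries if e.get("vulnerable", True)}
    if "bounded" in verdicts:
        return "hit"
    if "unbounded" in verdicts:
        return "review"
    return "clear"


# Constructed samples (not real NVD records).
SAMPLES = {
    # bounded: flags only releases before the fixing release
    "fixed_in_4_2_0": [{"vulnerable": True,
                        "criteria": "cpe:2.3:a:virustotal:yara:*:*:*:*:*:*:*:*",
                        "versionEndExcluding": "4.2.0"}],
    # unbounded: would keep flagging 4.5.0 even though it contains the fix
    "no_bounds": [{"vulnerable": True,
                   "criteria": "cpe:2.3:a:virustotal:yara:*:*:*:*:*:*:*:*"}],
    # same product name under a different vendor: different software
    "other_vendor": [{"vulnerable": True,
                      "criteria": "cpe:2.3:a:othervendor:vault:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "1.13.0"}],
}
```

With strict_vendor=False the Haskell vault package "matches" the other vendor's product entry purely by name, which is the false-positive class described above.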

Thanks for digging into that. Maybe it’s really just vulnix at fault here.

But I guess the question remains whether there is another way to know whether a NixOS system has applicable CVEs or not.

I was also quite confused when I saw “ShellCheck” in there. Maybe wrong expectations on my side but I would not expect the build closure when running vulnix --system.

until we eventually gave up on it

Anything else you found useful or are using?

I know this is only a minor issue in this case, but you could check why shellcheck is in the closure with nix why-depends. I’m at least dying to know whether this is an issue with an individual package or something more wide-spread.

3 Likes

I think mostly you just have to trust that your distro maintainers are doing a good job at keeping up‐to‐date here, and apply defence‐in‐depth measures like regular (preferably automatic) updates, sandboxing, firewalls, making sure you only run what you use, and so on. Not every vulnerability even gets a CVE and even knowing that a CVE is on your system doesn’t help you unless you can fix it by updating, disable the relevant software, or help out fixing it upstream. While I wish it weren’t so, vulnerability scanners tend to generate more heat than light unless they’re very carefully designed.

If you do want to help out, then you might want to follow things like the oss-security list (public archive).

4 Likes

Happy to check - but can you help out with nix why-depends?
IIUC it shows the paths between two packages - but I only have one.

https://nix.dev/manual/nix/2.13/command-ref/new-cli/nix3-why-depends

So what I tried is to look at the path from the flake but…

$ nix why-depends .\#nixosConfigurations.foo.config.system.build.toplevel nixpkgs#ShellCheck
error: flake 'flake:nixpkgs' does not provide attribute 'packages.x86_64-linux.ShellCheck', 'legacyPackages.x86_64-linux.ShellCheck' or 'ShellCheck'
       Did you mean shellcheck?

$ nix why-depends .\#nixosConfigurations.foo.config.system.build.toplevel nixpkgs#shellcheck
these 3 paths will be fetched (1.07 MiB download, 7.03 MiB unpacked):
  /nix/store/mf8ydpfnybzr35x0gmfmv89f7xi4xncb-shellcheck-0.10.0-bin
  /nix/store/m640gqq98c672w8f088g3njjaprcs502-shellcheck-0.10.0-doc
  /nix/store/hzag2npzb1xyaiyx9m9zd2hpjz67fh8w-shellcheck-0.10.0-man
error: argument 'flake:nixpkgs#shellcheck' should evaluate to one store path

Leaves me a little puzzled.

Try nixpkgs#shellcheck.bin (or was it ^bin for the flakes UI?); the documentation outputs probably don’t have exploitable vulnerabilities in them.

If that doesn’t work (flake inputs and registry entries don’t per se match), vulnix luckily gives you the exact derivation:

/nix/store/aj58bwfcqjh0gwifmaa7jmhrxxkj0n40-ShellCheck-0.10.0.drv

We need to convert that to the actual package though. I think the command for that is nix derivation show, and then you need to read through that to get the output path.

After that:

nix why-depends /var/run/current-system /nix/store/<path-without-drv>

Frankly I’m usually too lazy to figure out the “correct” way to know the out path. I just grep the contents of /nix/store for the package name and guess which one is the most recent version.

1 Like

$ nix why-depends .\#nixosConfigurations.foo.config.system.build.toplevel nixpkgs#shellcheck.bin
this path will be fetched (1.06 MiB download, 7.00 MiB unpacked):
  /nix/store/mf8ydpfnybzr35x0gmfmv89f7xi4xncb-shellcheck-0.10.0-bin
'git+file:///home/ops/nixcfg#nixosConfigurations.foo.config.system.build.toplevel' does not depend on 'flake:nixpkgs#shellcheck.bin'

and

$ nix why-depends /var/run/current-system /nix/store/walpqgmyr8yk5yvxhpnc584yy9kqalcc-ShellCheck-0.10.0
this path will be fetched (1.06 MiB download, 7.00 MiB unpacked):
  /nix/store/walpqgmyr8yk5yvxhpnc584yy9kqalcc-ShellCheck-0.10.0
'/nix/store/9ws0q2s0zbdpm57zs06xqdscxwwakal3-nixos-system-foo-24.05.20240626.89c4987' does not depend on '/nix/store/walpqgmyr8yk5yvxhpnc584yy9kqalcc-ShellCheck-0.10.0'

Maybe from a previous nix-shell?

Then I think what is going on is this:

I don’t know what you need to do to check your actual system rather than its build dependencies, though.

Edit: That, or nixpkgs# just doesn’t match the version on your system, of course.

The ShellCheck CVE from above is one of these, by the way: “The unofficial ShellCheck extension before 0.13.4 for Visual Studio Code mishandles shellcheck.executablePath”
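One way to answer the open question of whether the running system, rather than its build closure, actually contains a flagged derivation, written as an added example for this thread (it is not part of vulnix or Nix): the helper reads the output paths of the .drv with nix derivation show, checks them against the runtime closure printed by nix-store -qR /run/current-system, and only for outputs that are really in the closure runs the nix why-depends step from the earlier post. The sample JSON and closure listings are constructed, and the PLACEHOLDER hashes are not real store paths.

```python
"""Map a derivation reported by vulnix to its output paths and check whether
any of them is in the runtime closure of the running system.
Example code added for this thread (not part of vulnix or Nix). It relies on
three existing Nix commands: `nix derivation show` (JSON keyed by .drv path,
output paths under "outputs"), `nix-store -qR` (runtime closure of a store
path, one path per line) and `nix why-depends` (dependency chain)."""
import json
import subprocess
import sys


def outputs_from_derivation_show(json_text, drv_path):
    """{'out': '/nix/store/...', 'bin': ...} from `nix derivation show` JSON.
    Falls back to the sole entry if the key differs from drv_path; outputs
    without a fixed path (content-addressed derivations) are skipped."""
    data = json.loads(json_text)
    info = data.get(drv_path)
    if info is None and len(data) == 1:
        info = next(iter(data.values()))
    if info is None:
        raise KeyError(f"{drv_path} not found in derivation show output")
    return {name: spec["path"] for name, spec in info["outputs"].items()
            if spec.get("path")}


def closure_hits(outputs, closure_lines):
    """Names of the outputs whose store path appears in the closure listing."""
    closure = {line.strip() for line in closure_lines if line.strip()}
    return sorted(name for name, path in outputs.items() if path in closure)


def run(cmd):
    """Run a Nix command and return its stdout (requires nix on PATH)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def explain(drv_path, root="/run/current-system"):
    """Show `nix why-depends` chains for every output of drv_path that is in
    root's runtime closure; returns the matching output names. An empty
    result means the derivation is only a build-time dependency."""
    shown = run(["nix", "derivation", "show", drv_path])
    outputs = outputs_from_derivation_show(shown, drv_path)
    hits = closure_hits(outputs, run(["nix-store", "-qR", root]).splitlines())
    if not hits:
        print(f"{drv_path}: no output in the runtime closure of {root}")
    for name in hits:
        print(f"== {drv_path} output '{name}' -> {outputs[name]}")
        subprocess.run(["nix", "why-depends", root, outputs[name]], check=False)
    return hits


# Constructed sample of `nix derivation show` output for the ShellCheck
# derivation from the thread. Only the fields used here are included; the
# 'out' path is the one quoted in the thread, the 'bin' hash is a placeholder.
SAMPLE_DRV = "/nix/store/aj58bwfcqjh0gwifmaa7jmhrxxkj0n40-ShellCheck-0.10.0.drv"
SAMPLE_SHOW = json.dumps({SAMPLE_DRV: {"outputs": {
    "out": {"path": "/nix/store/walpqgmyr8yk5yvxhpnc584yy9kqalcc-ShellCheck-0.10.0"},
    "bin": {"path": "/nix/store/PLACEHOLDERHASH00000000000000000-ShellCheck-0.10.0-bin"},
}}})
# Constructed closure listings: one without ShellCheck (the result the thread
# saw) and one where the bin output has been pulled into the system closure.
CLOSURE_WITHOUT = [
    "/nix/store/9ws0q2s0zbdpm57zs06xqdscxwwakal3-nixos-system-foo-24.05.20240626.89c4987",
    "/nix/store/PLACEHOLDERHASH11111111111111111-bash-5.2",
]
CLOSURE_WITH = CLOSURE_WITHOUT + [
    "/nix/store/PLACEHOLDERHASH00000000000000000-ShellCheck-0.10.0-bin",
]

if __name__ == "__main__":
    # Pass the .drv paths printed by vulnix as arguments (needs nix on PATH).
    for drv in sys.argv[1:]:
        explain(drv)
```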