Repology now has CVE reporting beta now experimentally supports reporting vulnerable packages based on CVE information.

Here’s the list of vulnerable nixpkgs-unstable packages:

and 20.03:



I’ve wondered how well Nixpkgs does on getting CVEs covered. This is on the statistics page (but not the graphs). I only see 7 repositories with more than 4000 packages and <0.4% vulnerable.

  • CPAN, MetaCPAN, Hackage, and CRAN are all at 0% (the largest is CRAN at just shy of 15.6K packages)
  • nixpkgs stable, nixpkgs unstable, and AUR are all between 0.29-0.35%

nixpkgs (is? looks? I guess it’s a little unfair to use % of packages–better metrics might be like, what percent of package installs are vulnerable, or what percent of the system install base has a vulnerable package installed?) really competitive here.

Tangentially–I guess it’s expected for a beta, but I noticed bash 5.0.p16 in the list of vulnerable packages in nixpkgs even though it (appears?) the CVE it is listed for only affected versions up to 5.0.p11.

1 Like

Interesting. I suppose the next step is them wanting to collect also which CVE’s the repositories have accounted for.

In our case, we could look at the patches that are named according to a certain scheme.

I think it would be nice to have a small tool that, given a Nixpkgs version, generates the data that Repology consumes, and then uses the repology API to compare as you would compare any other distro. That way you could check for example the state of the development branches.


You can already get that by doing:

curl -H 'Accept: application/json' | jq .

The format might not be ideal but for the lack of any requirements it
has evolved into what it is right now.

(This should work for any nixos-unstable channel bump, at latest ~12h
after the bump)