Repology now has CVE reporting beta

ryantm · May 17, 2020, 10:46pm

Repology.org now experimentally supports reporting vulnerable packages based on CVE information.

Here’s the list of vulnerable nixpkgs-unstable packages:

https://repology.org/projects/?inrepo=nix_unstable&vulnerable=1

and 20.03:

https://repology.org/projects/?inrepo=nix_stable&vulnerable=1

abathur · May 17, 2020, 11:38pm

Nice.

I’ve wondered how well Nixpkgs does on getting CVEs covered. This is on the statistics page (but not the graphs). I only see 7 repositories with more than 4000 packages and <0.4% vulnerable.

CPAN, MetaCPAN, Hackage, and CRAN are all at 0% (the largest is CRAN at just shy of 15.6K packages)
nixpkgs stable, nixpkgs unstable, and AUR are all between 0.29-0.35%

nixpkgs (is? looks? I guess it’s a little unfair to use % of packages–better metrics might be like, what percent of package installs are vulnerable, or what percent of the system install base has a vulnerable package installed?) really competitive here.

Tangentially–I guess it’s expected for a beta, but I noticed bash 5.0.p16 in the list of vulnerable packages in nixpkgs even though it (appears?) the CVE it is listed for only affected versions up to 5.0.p11.

FRidh · May 18, 2020, 12:14pm

Interesting. I suppose the next step is them wanting to collect also which CVE’s the repositories have accounted for.

github.com/repology/repology-updater

False positive CVEs reports for patched packages

opened 10:03PM - 14 May 20 UTC

AMDmi3

upstream cooperation required question/discussion datasources

**TL;DR:** Some repository has some CVE patched, but Repology shows the package …as vulnerable. This is known, and that's why Repology uses the term "potentially vulnerable". However there's no easy way to fix it right now. - In either case, repositories should provide data on mitigated CVEs in a machine readable format which is not the case for e.g. DSA/GLSA - We need to implement algorithm for each distro specific version comparison to know which internally used versions are not vulnerable. This is too huge work and is not planned right now. - Alternatively, distros should tell us for every CVE which versions are not vulnerable. This is huge work on distros side instead - Discussion is welcome --- Sometimes when software is affected by vulnerability there's no new release in which it is fixed (yet), so distributions have to patch it instead of waiting for a new release. Also there are stable distributions which stick to older versions and patch them for CVEs and bugs instead of updating to a newer versions. In both cases there needs to be a way for distributions to convey that they are unaffected by specific CVEs. Here are examples of existing tools: - [Debian security](https://www.debian.org/security/) - [Gentoo security database](https://glsa.gentoo.org/) - [FreeBSD vuxml](https://svn.freebsd.org/ports/head/security/vuxml/vuln.xml) Unfortunately they all share the same property of relying on distro-specific version comparison algorithm in order to determine whether specific package version is vulnerable and in some cases lacking a machine readable form. For instance: - [Debian](https://www.debian.org/security/2020/dsa-4684): > For the stable distribution (buster), this problem has been fixed in version 3.27-6+deb10u1. - [Gentoo](https://glsa.gentoo.org/glsa/202005-02): > Unaffected versions | >= 4.2.0-r5 - FreeBSD ```xml <vuln vid="88760f4d-8ef7-11ea-a66d-4b2ef158be83"> <topic>mailman -- arbitrary content injection vulnerability via options or private archive login pages</topic> <affects> <package> <name>mailman</name> <range><lt>2.1.30_4</lt></range> <range><ge>2.1.31</ge><lt>2.1.33</lt></range> </package> ``` In all cases specific version algorithms are needed to be implemented in order to match these entries against packages to determine which of them are not affected by mentioned vulnerabilities. Repology supports 70+ repository families and it would be too huge task to implement version comparison algorithms for all of them. Additionally, we would like to encourage community to come with a common machine readable format of publishing information on vulnerability status to allow other (probably more security centric than Repology) tools to be introduced, without the need to reimplement this huge set of version comparison and parsing algorithms. So, although I absolutely expect complaints from (especially stable) distros on false positive CVE linkages to their (patched) package, there's no way to fix it without their cooperation and I encourage a discussion.

In our case, we could look at the patches that are named according to a certain scheme.

I think it would be nice to have a small tool that, given a Nixpkgs version, generates the data that Repology consumes, and then uses the repology API to compare as you would compare any other distro. That way you could check for example the state of the development branches.

andir · May 20, 2020, 10:17am

You can already get that by doing:

curl -H 'Accept: application/json' https://broken.sh/channels/nixos-unstable/0f5ce2fac0c726036ca69a5524c59a49e2973dd | jq .

The format might not be ideal but for the lack of any requirements it
has evolved into what it is right now.

(This should work for any nixos-unstable channel bump, at latest ~12h
after the bump)