I have been working on the task of scanning CVEs and licenses with the Sonatype (Nexus IQ) CLM scan tool. While looking into the Sonatype document below, it seems that Sonatype currently does not support Nix package scanning.
Has any Nix developer ever tried scanning Nix packages with Sonatype CLM scan? If so, can someone please share documents with more details?
I did something similar (scan an application that uses a package manager that is not supported by IQ), and I found IQ to be rather useless for that usage…
It has an API endpoint to ingest SBOMs, but the SBOM needs to provide all the information (including vulnerabilities). So it seemed that one needed to scan their application themselves to be able to import the results into IQ…
Are you a Sonatype customer? If so, please let them know and get them to integrate their tools in the Nix/NixOS CI pipeline.
It should be a very simple integration; however, it will require Nix knowledge and Sonatype knowledge to integrate them successfully.
Lucky for me I have both, and I'd think this would be a fun project…
You didn't mention what company you worked for, or what your project was.
DM me if you're interested in getting this working professionally; just drop me a line.
There is a whole raft of security tools out there. Nix is very suited to those that can do static analysis of source code, and it is also very good for dynamic analysis tools thanks to the way NixOS full integration tests work.
Thanks for your reply. Can you please suggest any CVE & OSS license scanning tool which can successfully scan Nix packages after download on my machine and generate a CVE report?
It would be great if you can provide any Nix user documentation where a Nix user has successfully used a scanning tool to generate a CVE report.
As far as I know, we still have a problem with this. It’s unclear to me where we are at with updating the PURL spec to support Nix. The following thread seems relevant Package URL's (purl) for Nix packages.
Then, on paper, one could use any vulnerability scanner out there (Trivy or Grype were mentioned at NixCon2022 for example). Maybe Vulnix can also fill that gap, as @nixinator pointed out.
from the other thread implies: such a tool will likely have a hard time correlating Nix packages with what they have in their DB:
Say your scanner’s vulnerability database knows about a CVE in package foo. How do you know for sure which package from nixpkgs packages foo? We may even have several of them!
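To make the correlation problem concrete, here is an added example (not code from the thread or from any of the tools named in it) that turns Nix store paths into name/version pairs and matches them against a constructed vulnerability database. The only Nix facts it relies on are the `/nix/store/<hash>-<name>-<version>` layout and the `builtins.parseDrvName` split rule; the advisories, the `NIX_NAME_TO_UPSTREAM` mapping and the sample closure are all made up, and the version ordering is a simplification, not Nix's `compareVersions`.

```python
import re
from collections import namedtuple
STORE_RE = re.compile(r"^/nix/store/[0-9a-z]{32}-(.+)$")
Advisory = namedtuple("Advisory", "cve upstream fixed_in")  # fixed_in: first safe version

def parse_drv_name(drv_name):
    """Split like Nix's builtins.parseDrvName: the version starts at the first
    '-' that is not followed by a letter ("python3.10-foo-1.9" -> two parts)."""
    for i, ch in enumerate(drv_name):
        if ch == "-" and i + 1 < len(drv_name) and not drv_name[i + 1].isalpha():
            return drv_name[:i], drv_name[i + 1:]
    return drv_name, ""

def parse_store_path(path):
    """Drop the /nix/store/<32-char hash>- prefix, then split name and version."""
    m = STORE_RE.match(path)
    if not m:
        raise ValueError(f"not a Nix store path: {path}")
    return parse_drv_name(m.group(1))

def version_key(v):
    """Simplified ordering (not Nix's compareVersions): numeric runs compare as ints."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[a-zA-Z]+", v)]
# Constructed sample data: not real advisories and not real nixpkgs attribute names.
ADVISORIES = [Advisory("CVE-0000-0001", "foo", "2.0"), Advisory("CVE-0000-0002", "bar", "1.3")]
# Several derivation names may wrap one upstream project; a name missing here
# cannot be correlated at all, which is the gap the thread is about.
NIX_NAME_TO_UPSTREAM = {"foo": "foo", "python3.10-foo": "foo", "bar": "bar"}

def correlate(store_paths):
    """Return (findings, unmapped); each finding is (store name, version, cve)."""
    findings, unmapped = [], []
    for path in store_paths:
        name, version = parse_store_path(path)
        upstream = NIX_NAME_TO_UPSTREAM.get(name)
        if upstream is None:
            unmapped.append(name)  # report it, never silently drop it
            continue
        for adv in ADVISORIES:
            if adv.upstream == upstream and version_key(version) < version_key(adv.fixed_in):
                findings.append((name, version, adv.cve))
    return findings, unmapped
SAMPLE_PATHS = [  # constructed closure; the 32-char hashes are placeholders
    "/nix/store/" + "a" * 32 + "-foo-1.5",
    "/nix/store/" + "b" * 32 + "-foo-2.1",
    "/nix/store/" + "c" * 32 + "-python3.10-foo-1.9",
    "/nix/store/" + "d" * 32 + "-bar-1.3",
    "/nix/store/" + "e" * 32 + "-baz-0.9",
]
```

Running `correlate(SAMPLE_PATHS)` flags both `foo-1.5` and `python3.10-foo-1.9` for the same advisory and reports `baz` as uncorrelatable, which is exactly the two-sided problem the quote above describes.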