I have been working on the task of scanning CVE and licenses with Sonatype (Nexus IQ) CLM scan tool. While looking into below sonatype document, it seems that Sonatype currently does not supports Nix packages scanning.
Has any Nix developer ever tried scanning Nix packages with Sonatype CLM scan? if so can someone please share documents with more details.
what do you expect to find?
We would like to scan nix packages and find CVE vulnerabilities & open source license violation (like GPL license).
I did something similar (scan an application that uses a package manager that is not supported by IQ), and I found IQ to be rather useless for that usage…
It has an API endpoint to ingest SBOMs, but the SBOM need to provide all the information (including vulnerabilities). So it seemed that one needed to scan their application themselves to be able to import the results into IQ…
This might be helpful:
@Pamplemousse is correct, nice reply.
Are you a sonatype customer? If so, please let them know and get them to integrate their tools in the Nix/OS CI pipeline.
It should be a very simple integration, however it will require nix knowledge and sonatype knowledge to integrate them successfully.
Lucky for me I have both and i’d think this would be a fun project…
You didn’t mention what company your worked for, or what your project was.
DM if your interested in getting this working professionally just drop me a line.
There are a whole raft of security tools that out there, nix is very suited to those that can do static analysis of source code and it is also very good at dynamic analysis tools thanks to the way nixos full integration tests work.
You got me thinking!!! …
Good luck,
and may the nix be with you…always.
Thanks for your reply. Can you please suggest any CVE & OSS license scanning tool which can scan nix packages successfully after download on my maching and generates CVE report.
It will be great if you can provide any nix user documentation where a nix user has successfully used any scanning tool to generate CVE report.
however i don’t know the current status of this, however it’s part of nix community, and probably needs building into the Base operating system as a first class citizen.
That should get you started.
The idea situation is to a get a integration with a established too, however, that’s beyond the scope of what i can support you with here, however my DM’s are always open.
Could you perhaps tell us your interest in nix, and what you are or intent using it for, just out curiosity…
As far as I can tell, what you are looking for doesn’t exist yet.
Brainstorming around this need happened at NixCon in 2022, you can learn about the status of the effort at the time there:
Now, at least, we have moved forward, and have an SBOM generator.
Identifying packages is hard.
As far as I know, we still have a problem with this. It’s unclear to me where we are at with updating the PURL spec to support Nix. The following thread seems relevant Package URL's (purl) for Nix packages.
Then, on paper, one could use any vulnerability scanner out there (Trivy or Grype were mentioned at NixCon2022 for example). Maybe Vulnix can also fill that gap, as @nixinator pointed out.
Thanks @Pamplemousse for your response. So it seems that currently there is no open source scanner available to scan CVE on nix packages.
Do you know if any nix user ever tried to use any commercial scanner (like sonatype etc.) and was able to successfully integrate it to scan nix packages to scan CVE?
I don’t know for sure.
But, as
Identifying packages is hard.
from the other thread implies: such tool will likely have a hard time correlating nix packages with what they have in their DB:
Say your scanner’s vulnerability database knows about a CVE in package foo. How do you know for sure which package from nixpkgs packages foo? We may even have several of them!