After several weeks without new vulnix results we have the first vulnerability roundup based on the JSON feeds and the new version matching code in vulnix 1.9.x.
The Monster List™ is here: https://github.com/NixOS/nixpkgs/issues?utf8=✓&q=is%3Aissue+is%3Aopen+"Vulnerability+roundup+77"
72 issues. Phew. Quite a lot.
Some people have already started to work on the issues. That’s great! There are also false positives and false negatives. Based on the experiences with the first production run of the new matching code I’ll try to refine matching and weed out bugs.
Some people have already started fixing security stuff without having a new vulnerability roundup in place. Great to see that security is really a concern! Special mention to @risicle here. This means that when you start working on an issue which is part of the vulnerability roundup, please make sure that there is not already some patch/update/… present. We should avoid doing duplicate work.
I’d like to thank everyone who’s doing updates, patches, testing, reviewing, commenting.
Thank you also. These issues are actually really easy to step into because of all the information gathered; it allows you to have a very formulaic approach to solving them. Personally, it feels like often 60%++ of the research I would have done is already there for me to read.
Great to hear! Out of curiosity: What is in the missing 40%? I’d like to evolve the tools in a way that helps the devs best.
Points on the current wishlist are e.g.
- CVSS scores
- Auto-CC maintainers
Auto-CC-Maintainers would help a lot. IMHO, we already should have a bot like this for issues and autolabeling.
Also, are you opening the issues manually?
A great thing we could encourage with the tool is maintainers checking in on CVEs of the packages they maintain. It’d be cool if, with vulnix, I could give it a nixpkgs maintainers attribute and it would scan for vulnerabilities in all those packages. This could be very convenient for maintainers.
Thanks for your suggestions!
- There is a bit of code in Graham’s bot. I’ll check that out. Should be doable.
- No, the tickets are opened automatically. I’ve written quite a bit of tooling around vulnix to prepare the vulnerability roundups.
- This is a bit complicated: vulnix inspects only the .drv files, which do not contain metadata like maintainer.