Govulncheck on nixpkgs

This project runs govulncheck on the source of Go packages in nixpkgs to identify security vulnerabilities not handled downstream (due to missing updates) or upstream (unmaintained or unaware projects).

Scans use a pinned version of nixpkgs and the govulndb so that the results are reproducible. The scan report is tracked as part of this repo. It can be inspected with the report-tool, which gives an overview and allows easy access to the relevant part of the report.

❯ report-tool stats
Packages discovered:   2207
Packages failed:       387 (17%)
Packages scanned:      1820 (82%)
Packages vulnerable:   595 (32% of scanned)
Total vulnerabilities: 1507

Current limitations

  • Primitive package discovery (see isGoPkg)
    • Only package attributes are inspected to identify Go packages
    • Not recursing into nested attribute sets
    • rg -c 'buildGo\d*Module (|rec )\{' | awk -F: '{s+=$2} END {print s}' on nixpkgs gives 2074 findings, so the 2090 packages found by the heuristic should at least be somewhat close
  • Checks run directly on src
    • Patches are not taken into account
    • cgo dependencies are not present (see report-tool failed)
    • srcRoot, subPackages etc. are not taken into account (some failures because go.mod is not found)
    • goModules isn't used by the govulncheck invocation
  • The scan does not run in the sandbox
  • All the limitations of govulncheck
  • Only covers nixpkgs-unstable (support for releases is upcoming)
  • The report lacks a structured format. I couldn't get along with the JSON-lines output of govulncheck; it misses some important info like scan failures, which won't be part of the structured output. The current report can be worked with to some extent using the report-tool. In the future, some kind of website would be nice for presenting the results.

report-tool

Usage: report-tool <command> [args]

Commands:
    stats
        Show statistics about the report.

    discovered
        List packages for which a check was attempted.

    failed
        List packages for which the check failed.

    scanned
        List packages that were successfully scanned.

    vulnerable
        List packages that have vulnerabilities.

    non-vulnerable
        List packages that do not have vulnerabilities.

    report <pkgName>
        Show the report for a specific package.

    findings <pkgName>
        List the found vulnerabilities (URL) for a specific package.

    mark <pkgName>
        Show the vulnerabilities for a specific package in a format that can be
        used to mark the package as vulnerable in the nixpkgs repository.

    fix <pkgName>
        Show the commands to fix the vulnerabilities upstream.