Metadata-Version: 1.1
Name: vulnix
Version: 1.1
Summary: Scans a Nix store for derivations that are affected by vulnerabilities.
Home-page: https://bitbucket.org/flyingcircus/vulnix
Author: Maksim Bronsky
Author-email: mb@flyingcircus.io
License: BSD (2-clause)
Description: Nix(OS) vulnerability scanner
        =============================
        
        This is a utility that validates a Nix store for any packages that are
        reachable from live paths and likely to be affected by vulnerabilities
        listed in the NVD.
        
        It implements a CLI utility to inspect the current status and a
        monitoring integration for Sensu.
        
        Example output::
        
            Security issues for sqlite, libxml2, ... (and 10 more)
        
            sqlite-2.9.3 (inprogress)
                https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2073
                https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8710
        
                See https://plan.flyingcircus.io/issues/18544
        
        
            libxml2-2.9.3
                https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3717
        
        Usage::
        
            $ nix-build
            $ ./result/bin/vulnix
        
        
        Whitelist
        =========
        
        The whitelist file uses a sub-set of the
        `YAML <https://en.wikipedia.org/wiki/YAML>`__ language to define rules
        for matches that shall be ignored, in other words matches that are declared
        to be trusted or in progress, hence the term whitelist. If the match is
        **partial**, e.g. a package is affected by more than one vulnerability
        but only one of them is whitelisted, the match will still be printed,
        except for the declared exception.
        
        Syntax
        ------
        
        Every rule starts with a ``-`` followed by a new-line, declaring a list
        element.
        
        +----------+----------------------------+--------------------------------------------------------------------+
        | Element  | Example value              | Description                                                        |
        +==========+============================+====================================================================+
        | cve      | cve: CVE-2015-2503         | Ignores all matches which are referred to by the CVE               |
        +----------+----------------------------+--------------------------------------------------------------------+
        | comment  | comment: microsoft access, | Comments the rule                                                  |
        |          | accidentally matching the  |                                                                    |
        |          | 'access' derivation        |                                                                    |
        +----------+----------------------------+--------------------------------------------------------------------+
        | name     | name: libxslt              | Refers to the name attribute of a package derivation               |
        +----------+----------------------------+--------------------------------------------------------------------+
        | version  | version: 2.0               | Refers to the version part of the name attribute of a package      |
        |          |                            | derivation                                                         |
        +----------+----------------------------+--------------------------------------------------------------------+
        | vendor   | vendor: microsoft          | Refers to the `NIST <https://nvd.nist.gov/cpe.cfm>`__ term of the  |
        |          |                            | person or organization which created the software                  |
        +----------+----------------------------+--------------------------------------------------------------------+
        | product  | product: access            | Like vendor it is a term coined by NIST and is analogous to what   |
        |          |                            | name means for Nix                                                 |
        +----------+----------------------------+--------------------------------------------------------------------+
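        As an added illustration (not vulnix's own code), the following Python
        applies rules written in the documented YAML subset to a scan finding,
        including the partial-match behaviour described above; the whitelist
        contents and the findings are constructed samples.

```python
# Constructed whitelist in the documented YAML subset: each rule starts
# with "-" on its own line, followed by indented "key: value" elements.
WHITELIST = """\
-
  cve: CVE-2015-8710
  comment: see https://plan.flyingcircus.io/issues/18544, fix in progress
-
  name: libxslt
  version: 2.0
  comment: not reachable from our live paths
-
  vendor: microsoft
  product: access
  comment: microsoft access, accidentally matching the 'access' derivation
"""


def parse_whitelist(text):
    """Parse the documented YAML subset into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped == "-":                 # "-" on its own line opens a new rule
            rules.append({})
            continue
        key, sep, value = stripped.partition(":")
        if not sep or not rules:            # element outside a rule, or no colon
            raise ValueError("malformed whitelist line: %r" % line)
        rules[-1][key.strip()] = value.strip()
    return rules


def rule_matches(rule, name, version, cve, vendor=None, product=None):
    """A rule applies when every element it declares matches the finding;
    'comment' is documentation only and never takes part in matching."""
    finding = {"cve": cve, "name": name, "version": version,
               "vendor": vendor, "product": product}
    return all(finding.get(k) == v for k, v in rule.items() if k != "comment")


def report(rules, name, version, cves, vendor=None, product=None):
    """CVEs still to be printed for a package after applying the whitelist.
    A partial match only hides the whitelisted CVEs; the others are reported."""
    return [c for c in cves
            if not any(rule_matches(r, name, version, c, vendor, product)
                       for r in rules)]
```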
        
        
        Example
        -------
        
        There is an `example <src/vulnix/default_whitelist.yaml>`__ for a
        working whitelist file as part of the unit tests.
        
        
        1.1 (2016-08-11)
        ================
        
        - Scans the whole system (NixOS only), the current user environment, or a
          project-specific path (e.g., ./result). #1
        
        - Allow to specify site-specific whitelists in addition to the builtin default
          whitelist. #4
        
        - Fully repeatable install using default.nix. Thanks to Rok Garbas. #4
        
        - Cache pre-parsed NVD files for improved scanning speed. #2
        
        - Support multiple whitelists (repeat -w option). #3
        
        - Cache NVD files in ``~/.cache/vulnix``. #7
        
        - Document whitelist file format. #10
        
        - Fix Nix build on macOS. #11
        
Keywords: security
Platform: UNKNOWN
Classifier: License :: OSI Approved :: BSD License
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
