Vulnerability Roundup

Issues

Vulnerable packages in Nixpkgs are managed using issues. Currently open ones can be found using the following search:

github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"

Each issue corresponds to a vulnerable version of a package. As a consequence:

  • One issue can contain several CVEs;
  • One CVE can be shared across several issues;
  • A single package can be concerned by several issues.

A "Vulnerability roundup" issue usually respects the following format:

<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub>

<list of related CVEs, their CVSS score, and the impacted NixOS version>

<list of the scanned Nixpkgs versions>

<list of relevant contributors>

Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package.

Triaging and Fixing

Note: An issue can be a "false positive" (i.e. opened automatically, but the package it refers to is not actually vulnerable). If you find such a "false positive", comment on the issue with an explanation of why it falls into this category, linking as much information as necessary to help maintainers double-check.

If you are investigating a "true positive":