Scanning nixpkgs for vulnerabilities in Go packages
ISC License
This project runs govulncheck on the source of the Go packages in nixpkgs to identify known vulnerabilities that have not been handled downstream (the nixpkgs package is missing an update) or upstream (the project is unmaintained or unaware of the issue).
Scans use a pinned version of nixpkgs and a pinned govulndb (the Go vulnerability database) so that the results are reproducible. The scan report is tracked as part of this repo. It can be inspected with `report-tool`, which gives an overview and allows easy access to the relevant part of the report.
❯ report-tool stats
Packages discovered: 2207
Packages failed: 387 (17%)
Packages scanned: 1820 (82%)
Packages vulnerable: 595 (32% of scanned)
Total vulnerabilities: 1507
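The report is produced by govulncheck, whose -json output is a stream of messages (config, progress, osv, finding). One OSV ID appears in several findings, and the first trace frame tells how far the vulnerability was traced: a module-only frame means the vulnerable module is merely required, a package frame means it is imported, and a function frame means the vulnerable symbol is reachable from the scanned code. The Go program below is an added example, not part of this project or of report-tool: it reads such a stream (a constructed sample with placeholder IDs and module paths is embedded) and keeps, per ID, the deepest level seen, so the number of reachable vulnerabilities can be told apart from a raw finding count like the one above. The JSON field names are those of the govulncheck output in golang.org/x/vuln; whether this project's scan uses -json at all is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"sort"
	"strings"
)

// Subset of the govulncheck -json message stream. Only the fields used
// here are declared; "config", "progress" and "osv" messages are skipped.
type message struct {
	Finding *finding `json:"finding,omitempty"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version,omitempty"`
	Trace        []frame `json:"trace"`
}

// trace[0] is the vulnerable frame; later frames lead back to the scanned code.
type frame struct {
	Module   string `json:"module"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
}

// level is how deep govulncheck could follow the vulnerability: a function in
// the top frame means the vulnerable symbol is reachable from the scanned
// code, a package alone means it is only imported, a module alone means it
// is only required in go.mod.
type level int

const (
	levelRequired level = iota
	levelImported
	levelCalled
)

func (l level) String() string { return [...]string{"required", "imported", "called"}[l] }

func classify(f finding) level {
	if len(f.Trace) == 0 || f.Trace[0].Package == "" {
		return levelRequired
	}
	if f.Trace[0].Function == "" {
		return levelImported
	}
	return levelCalled
}

// summary keeps, per OSV ID, the deepest level seen: govulncheck emits one
// finding per module, package and reachable symbol, so an ID repeats.
type summary struct {
	Module, FixedVersion string
	Level                level
	Findings             int
}

func summarize(r io.Reader) (map[string]*summary, error) {
	dec := json.NewDecoder(r)
	out := map[string]*summary{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil {
			continue
		}
		f := *m.Finding
		s, ok := out[f.OSV]
		if !ok {
			s = &summary{FixedVersion: f.FixedVersion}
			out[f.OSV] = s
		}
		if s.Module == "" && len(f.Trace) > 0 {
			s.Module = f.Trace[0].Module
		}
		if lvl := classify(f); lvl > s.Level {
			s.Level = lvl
		}
		s.Findings++
	}
	return out, nil
}

// reachable returns the sorted OSV IDs whose vulnerable symbol is actually
// called; these are the ones worth marking or fixing first.
func reachable(sums map[string]*summary) []string {
	var ids []string
	for id, s := range sums {
		if s.Level == levelCalled {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// sample is a constructed stream; the IDs and module paths are placeholders.
const sample = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 2 packages across 2 dependent modules for known vulnerabilities..."}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/vulnlib"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/vulnlib","package":"example.com/vulnlib/parse"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/vulnlib","package":"example.com/vulnlib/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v0.9.1","trace":[{"module":"example.com/otherlib"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v0.9.1","trace":[{"module":"example.com/otherlib","package":"example.com/otherlib"}]}}
`

func main() {
	sums, err := summarize(strings.NewReader(sample))
	if err != nil {
		log.Fatal(err)
	}
	ids := make([]string, 0, len(sums))
	for id := range sums {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		s := sums[id]
		fmt.Printf("%s %s: %s, %d finding(s), fixed in %s\n", id, s.Module, s.Level, s.Findings, s.FixedVersion)
	}
	fmt.Println("reachable:", reachable(sums))
}
```

To use it on a real package, pipe the output of `govulncheck -json ./...` run inside the unpacked source into `summarize` instead of the embedded sample. Counting IDs at the `called` level is what decides whether a package should be marked; a `required`-only hit is a dependency bump, not an exploitable path.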
Limitations

- Package discovery is heuristic (`isGoPkg`); for comparison, `rg -c 'buildGo\d*Module (|rec )\{' | awk -F: '{s+=$2} END {print s}'` on nixpkgs gives 2074 findings, against the 2207 packages discovered above.
- `src` `patches` are not taken into account (a fix applied through a nixpkgs patch is still reported).
- `cgo` dependencies are not present (see `report-tool failed`).
- `srcRoot`, `subPackages` etc. are not taken into account (some failures are because `go.mod` is not found).
- `goModules`, the dependency derivation built by `buildGoModule`, isn't used by the govulncheck invocation.

report-tool
Usage: report-tool <command> [args]

Commands:
  stats
      Show statistics about the report.
  discovered
      List packages for which a check was attempted.
  failed
      List packages for which the check failed.
  scanned
      List packages that were successfully scanned.
  vulnerable
      List packages that have vulnerabilities.
  non-vulnerable
      List packages that do not have vulnerabilities.
  report <pkgName>
      Show the report for a specific package.
  findings <pkgName>
      List the vulnerabilities found (as URLs) for a specific package.
  mark <pkgName>
      Show the vulnerabilities for a specific package in a format that can be
      used to mark the package as vulnerable in the nixpkgs repository.
  fix <pkgName>
      Show the commands to fix the vulnerabilities upstream.