-
-
Notifications
You must be signed in to change notification settings - Fork 13.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Semantically tag CVE patches #15660
Comments
|
Yes. We were planning on putting them into environment variables that are passed to the builder. |
one interesting note is that we look at the derivation files. those are accidentally parsable as Python (yes, haha) and we're able to introspect that. we could also look into the store paths into nix-support, too. that would actually be much more structured and less hacky than "eval" ing .drv files in Python :) |
If you assume you have the derivation, then in its closure there's also the |
Having the set of applied CVE patches available as a first-order value in the package set seems like overkill to me. Most CVEs are fixed by virtue of a version update, so there's no patch to begin with. And in those cases where a patch does exist, I'd just call the file "cve-2016-xxx.patch" or write the number in a comment behind the patch's file name. |
@peti but once you lose |
For me, personally, the ability to list all CVE-related patches for any given random binary is not particularly important. I've never needed that before. What I need to know is: what is the state of Nixpkgs revision XYZ (because that's what I have installed). Structured comments or file names in Nixpkgs would be good enough for my purposes.
|
Right. That's ultimately two different perspectives on the issue. However, using nix to its full extent does not promise you that you can point to a specific nixpkgs expression. I can also have something in the store that is reachable from an active root that came from a manual nix-build or other thing where we can't automatically determine the source. |
I'd expect that in the cases you care about CVE a lot you typically also want "track" which nixpkgs revisions you use, as the knowledge is useful for other reasons as well. On the other hand, e.g. Debian always installs even a full changelog. |
I think it does and I think you can. I manage a set of machines that's very diverse, ranging from desktops to servers and laptops, yet I have no trouble telling for every package I've installed what its source is. Granted, you can install packages in a way that's not reproducible, but I sure hope security-conscious people don't do that much. |
For me that's not about reproducibility. That's separate from knowing where something came from, right? We're providing a co-managed environment where we support our customers installing custom things in a structured way (yay, nix!). We can't guarantee to follow things in the store back to their expressions, though. |
If we can get deterministic (bit-for-bit) builds and NixOS/nix#709 merged in, we could actually tie all builds back to the source that produced them. That's a decent amount of work though 😄 |
It seems to me like the target group for the extension you're suggesting is Nix users who are (a) security conscious and (b) install things into their system where they have no clue what the source code was. I don't know ... that seems like a small set of people. Just my 2 cents. |
+1 to this, although for
nixpkgs-monitor scanning
patch names would be
enough
|
Heh, let's rephrase, I did mean something different. My point is that technically there will easily be cases where someone did not leave the expression around after something was installed. I don't follow that just because someone is security conscious means that on the system where a package is installed the expression must remain present after it was installed. |
I'd like to summarize observations so far:
I'd like to see examples of this to really address it. Hopefully the upstream issues a new CVE if existing patch doesn't fix it, if not I don't really see a way to avoid this
In multi-user managed machine (remember, Nix promotes this as a feature, everyone can install any nix expression as a user), we currently don't have a way to track back all built derivations to their source. Therefore having |
Inspect the derivation and search for patches named `CVE-YYYY-NNNNN`. vulnix assumes that these CVE have been fixed in the current version. If a single patch fixes several CVEs at once, construct a file name that names all of them. Of course, patches can be removed if a new program version gets released which is not known to be affected according to the current CVE database. So we don't need to keep CVE patches forever. The whole mechanism is only for fixes which don't change the version number. See `unzip` for example. Related to NixOS/nixpkgs#15660
I'd like to pick up the discussion. vulnix is now able to recognize CVE patches if they are named accordingly. I think this presents a practical solution for Domen's first point in the original description. This means:
Comments? |
See #39392 for related discussion. We should probably merge the two issues. |
I'd propose to close this issue. Discussion on NixCon has shown that including CVE names in patches is a workable practice. This will not cover every case, so the points being discussed in #39392 are still relevant. But we should focus discussion there and not here. |
I propose we add
cvePatches
attribute tomkDerivation
.Motivation
Given recent announcement of vulnix, it's clear we need a way to identify if a specific version of software has patches applied. A lot of times we have to patch existing version, for example
unzip
has 7 CVE patches on16.03
.Implementation
patchPhase
. The name of the patch denotes the CVE being patched$out/nix-support/CVE-BLABLA
for each of them. This way CVE scanning software can see what is already appliedThoughts?
cc @peti @copumpkin @ctheune @edolstra
The text was updated successfully, but these errors were encountered: