- Nothing changed yet.
- Expose CVE descriptions in both plain text and JSON output (#78).
- Fix compatibility issue due to pyyaml 6.0 in nixpkgs-unstable (#83).
- Extend -f/--file input. It now also accepts JSON input containing package names and applied patches.
- Wait rather than fail on concurrent invocations (#60).
- Ignore NVD entries without cpe23Uri (#68).
- Add --profile option to scan user environments (#72).
- Wait for lock on concurrent invocations instead of failing (#73).
- Improved tactics to find derivers (#74).
- Correctly handle the case when both an explicit version and version ranges are given in a NVD expression (#77).
- Fix flake8 check (#64).
- Packaging: Improve keywords.
- Add -f option which reads a list of derivations directly from a file.
- Exclude .tgz derivations by default.
- Change default mirror for NIST feeds (#61).
- Python 3.8 compatbility.
- Fix "invalid package selector" bug.
- Print CVSS scores by default.
- Fix reliability problem when migrating from old databases (#58).
- Improve performance by pre-fetching all cached CPE configurations for each candidate vulnerability. This change requires to rebuild the ZODB database, which is done transparently.
- Fix bug that crashed vulnix when trying to extend existing whitelist entries with new CVEs (#57).
- Fix packaging bug.
- Pull NVD feeds from https://nvd.nist.gov/feeds/json/cve/1.1/ as XML feeds have been discontinued (#55).
- Print CVSS v3 base scores for each CVE. Order by descending CVSS score (#53).
- Evaluate version ranges in CPE entries.
- Process package versions containing a hyphen properly (e.g., R versions) (#50).
- Builds with both PyYAML 3.13 and 5.1 (#49).
- Exit code 1 is returned only in conjunction with --show-whitelisted (#45).
- Fix bug in the processing of the 'until' whitelist field (#43).
- Improve error messages when TOML files contain syntax errors.
- Fix install requirements so that they match upstream nixpkgs (NixOS/nixpkgs#43999).
- Selective CVE reporting: Only those CVEs are reported for which no whitelist entry exists (#41).
- Consider all applicable whitelist entries for a given package (pkg-version, pkg, "*") (#42).
- Refine TOML section header check.
- Really fix FC-101294. Now for whitelists containing more than one line :)
- Fail on spaces between package and version in whitelist headers.
- Sort CVEs in JSON output.
- Bugfix: fail clearly if section headers are not quoted (FC-101294).
- Parse derivation files with __structuredAttrs = true (#37).
- Completely reworked whitelisting subsystem. Whitelists can now be written as TOML files and support a more expressive range of options including expiry datedates. The old YAML syntax is still supported (#36).
- Ignore case when guessing CVE identifiers from patch file names (thanks to @adisbladis).
- Add man pages (#29).
- Guesses applied CVE patches out of the patches derivation envVar (see nixpkgs FC-15660).
- Add '--no-requisites' flag which stops vulnix from determining the transitive closure of derivations passed on the command line.
- Provide structured JSON output with --json.
- Remove whitelist from README as it is quite buggy right now.
- Fix return code bug (FC-28741).
- Fix partial whitelisting of products where several vulnerable versions are present on the system at the same time (#24).
- Improve error reporting for incorrectly formed whitelist rules.
- Minor: fix packaging issues.
- Security: Fix arbitrary code execution bug during derivation evaluation.
- .drv files may be specified directly on the command line.
- Updated PyPI dependencies.
- Document system requirements (#12).
- Don't leave large files in /tmp around.
- Remove duplicate CVEs in output (#25).
- Fix bug with reporting less than 3 vulnerabilities (#28).
- Packaging improvements: pin versions in setup.py, include NVDCVE test data in sdist.
- Reduce NVDCVE fixture size. This cuts tests run time by more than 50%.
- Skip /nix/var/nix/gcroots/booted-system during system check.
- Make output a bit easier to read by removing visual clutter.
Improve CPU and memory usage: refactored the way we fetch, parse, store and process data. We now leverage ZODB as the storage for parsed data that is efficient to look up.
On our test systems this caused memory usage to drop from > 1GiB to ~70MiB and a pure evaluation of existing data to around 7-10 seconds.
This change requires a re-retrieval of all historic sources.
Improve unit test coverage with at least a smoke test for our new fetching procedure.
- Keep a reverse index: product name -> vulnerabilities to speed up scan process.
- Mark 'in progress' vulnerabilities with an asterisk
- The '-w' switch accepts URLs, too
- vulnix no longer scans /var/nix/var/gcroots/booted-system
- only cached files are saved (archives are to be deleted)
- added travis build: runs periodically against nixpkgs/master and updates requirements*.nix files in case of success
- Add src to PYTHONPATH so that tests run also on older NixOS versions (tested on 15.09).
- Correct URL, add metadata.
- Add nix to propagatedBuildInputs, as vulnix calls nix-store at runtime.
- Pin the Python version to 3.4 (Nix only)
- Add Nix expressions (Nix/NixOS) to MANIFEST.in
- Add VERSION to MANIFEST.in
- Scans the whole system (NixOS only), the current user environment, or a project-specific path (e.g., ./result). #1
- Allow to specify site-specific whitelists in addition to the builtin default whitelist. #4
- Fully repeatable install using default.nix. Thanks to Rok Garbas. #4
- Cache pre-parsed NVD files for improved scanning speed. #2
- Support multiple whitelists (repeat -w option). #3
- Cache NVD files in ~/.cache/vulnix. #7
- Document whitelist file format. #10
- Fix Nix build on macOS. #11