Freneticks has joined #nixos-security
<Freneticks>
Hello, is there a way to know which fixed-CVE packages are updatable in NixOS?
<tilpner>
I suppose you *could* run vulnix once on your current system, and once on your system built with the current version of the channel
<tilpner>
Then you diff and know what would be fixed
<tilpner>
Of course that defeats the point, because you would have to speculatively build your system with the most recent channel, which I assume you're trying to avoid
<tilpner>
But if there is an API that lets you query CVEs in nixpkgs by revision, this gets more realistic
<gchristensen>
broken.sh does this I think?
<tilpner>
gchristensen: I haven't noticed (or looked particularly in-depth) an API that's queried by nixpkgs revision (or even channel revision)
<flokli>
tilpner: iirc, broken.sh has this information - I just think the API underneath is subject to change.
<andi->
You can just query that with accept: application/json and it will give you json instead of HTML
<andi->
The caveat there is: it must be a channel revision.
<andi->
And I think I stopped re-scanning very old releases (17.09ish) against current CVE databases, because as it stands right now a complete run takes >36h.
<andi->
I have a few things that I can optimise there, but haven't found motivation to work on the security stuff again.
<tilpner>
Do you have any CLI tools built on top of it?
<tilpner>
It's a little awkward to have someone evaluate NixOS, and then tell them "sure, Nix can do what you want. If you build a script that does X and Y..."
<andi->
It used to be a CLI tool. Since it was largely me having a monologue in here for almost a year on that topic, I didn't really continue that route... I just use curl + jq.
<andi->
That being said, it is just a very small SQLite database that I could offer for download, and then someone could run a slightly modified version of the tool against it.