nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.


Ability to blacklist CPE patterns for specific Nixpkgs packages?

primeos opened this issue · comments

I've just noticed a few false positives, basically all duplicates of the following two issues:

Because e.g. cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:* matched for Git (while it's for the Jenkins Git plugin) and cpe:2.3:a:redhat:fuse:*:*:*:*:*:*:*:* matched for fuse (while it's for Red Hat Fuse instead of libfuse).

There will obviously always be some false positive but I was wondering if we could do something about these two cases. Either by changing the matching algorithm or maintaining a blacklist (e.g. jenkins:git != git (there's also gitFull so maybe using pname would actually be better))?

(Note: I'm unfortunately not familiar with the current implementation.)

Interesting idea. Need to think about how to extend vulnix' matching code.

NixOS/nixpkgs#92864 - disregard gitlab enterprise edition

Misinterpretation of terraform-provider-aws NixOS/nixpkgs#96829

Need to disambiguate between firefox and firefox_esr, e.g. in https://nvd.nist.gov/vuln/detail/CVE-2020-15655

Seen in NixOS/nixpkgs#101152

Jenkins InfluxDB plugin: NixOS/nixpkgs#102795

Jenkins Kanboard plugin: NixOS/nixpkgs#102798

MySQL component of Oracle SQL: NixOS/nixpkgs#102883

Jetbrains Scala project (plugin) NixOS/nixpkgs#100322

Styx: Java reverse proxy (https://github.com/HotelsDotCom/styx) vs static site generator: NixOS/nixpkgs#90985

HP/Aruba airwave vs Airwave media player: NixOS/nixpkgs#99730 (comment)

diamond-0.8.36: cryptocurrency vs bioinformatics NixOS/nixpkgs#90781

connect-1.105: proxy vs Adobe product NixOS/nixpkgs#90741

unicode-2.6: nodejs vs Python lib

st-0.8.3: node.js app vs. terminal emulator

gatling-0.15: Jenkins plugin vs webserver

fastjson-0.99.8: Java vs C library

drive-0.3.8.1: Synology app vs Google drive client

drill-0.6.0: Apache drill vs. Rust-based load tester

gogs-0.12.3: Jenkins plugin vs standalone Go app

openssl C library vs Ruby gem: NixOS/nixpkgs#106218 (comment)

Aviatrix OpenVPN client vs. openvpn core: NixOS/nixpkgs#106219 (comment)

built-in php calendar extension vs. PECL calendar extension: NixOS/nixpkgs#106226 (comment)

GNOME Orca vs. Spinnaker Orca: NixOS/nixpkgs#106220 (comment)

HashiCorp Vault vs. TIBCO Managed File Transfer Internet Server: NixOS/nixpkgs#109227 (comment)

A lot of stuff. I've been tinkering with these issues for a while now and my current idea is not to use a blacklist but to include a cpe metadata field directly in the derivation for all cases where an implicit default like cpe:2.3:a:*:${pname}:${version}::::::: doesn't get it. Quite short on time ftm, but things will relax soon.

firefox ESR/regular, Linux/Android: NixOS/nixpkgs#113435 (comment)

Was pondering the same. Have you discussed this possibility with Eelco and/or other Nixpkgs contributors? "Polluting" Nixpkgs might not be the nicest thing, but meta seems to be the best place to set/override some of the CPE attributes.
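Added example (not vulnix's own matching code) showing why the implicit default CPE from the thread produces the jenkins:git / redhat:fuse false positives, and how a meta.cpe override in the derivation would resolve them. The vendor strings git-scm and libfuse, the package versions, and the simplified CPE parser (no escaped-colon handling) are all assumptions made for the demonstration.

```python
"""Minimal CPE 2.3 matcher: implicit pname/version CPE versus an explicit meta.cpe override."""

# Components of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields (escaped colons not handled)."""
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def derivation_cpe(pname: str, version: str, meta: dict = None) -> dict:
    """Implicit default from the thread (cpe:2.3:a:*:${pname}:${version}:...), unless meta.cpe is set."""
    if meta and "cpe" in meta:
        return parse_cpe(meta["cpe"])
    return parse_cpe(f"cpe:2.3:a:*:{pname}:{version}:*:*:*:*:*:*:*")


def _field_matches(candidate: str, advisory: str) -> bool:
    # '*' (ANY) on either side is compatible with anything; otherwise compare case-insensitively.
    if candidate == "*" or advisory == "*":
        return True
    return candidate.lower() == advisory.lower()


def cpe_matches(candidate: dict, advisory: dict) -> bool:
    """True when every field of the advisory CPE is compatible with the package CPE."""
    return all(_field_matches(candidate[f], advisory[f]) for f in CPE_FIELDS)


# Constructed advisory CPEs taken from the two cases quoted in the issue.
JENKINS_GIT_PLUGIN = parse_cpe("cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*")
REDHAT_FUSE = parse_cpe("cpe:2.3:a:redhat:fuse:*:*:*:*:*:*:*:*")

if __name__ == "__main__":
    # The implicit default has vendor '*', so the Jenkins plugin advisory matches plain git.
    print(cpe_matches(derivation_cpe("git", "2.29.2"), JENKINS_GIT_PLUGIN))        # True (false positive)
    # A meta.cpe override with an assumed vendor pins the match to the right product.
    git_meta = {"cpe": "cpe:2.3:a:git-scm:git:2.29.2:*:*:*:*:*:*:*"}
    print(cpe_matches(derivation_cpe("git", "2.29.2", git_meta), JENKINS_GIT_PLUGIN))  # False
    fuse_meta = {"cpe": "cpe:2.3:a:libfuse:fuse:3.10.0:*:*:*:*:*:*:*"}
    print(cpe_matches(derivation_cpe("fuse", "3.10.0", fuse_meta), REDHAT_FUSE))  # False
```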