Use closure flag in vulnix to prevent build-time dependency vulnerabi…

…lity scans
gchq · Apr 16, 2024 · 282f80f · 282f80f
1 parent 9275d44
commit 282f80f
Show file tree

Hide file tree

Showing 7 changed files with 8 additions and 90 deletions.
diff --git a/.github/workflows/build-prod.yaml b/.github/workflows/build-prod.yaml
@@ -41,7 +41,7 @@ jobs:
       - name: Build nix-bootstrap
         run: nix build
       - name: Check for vulnerabilities
-        run: nix run .\#ciPackages.vulnix -- -w vulnerability-whitelist.toml result
+        run: nix run .\#ciPackages.vulnix -- -C -w vulnerability-whitelist.toml result/
       - name: Build release artefact
         run: nix run .\#ciPackages.buildBinaryCache
       - uses: actions/upload-artifact@v3

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -35,4 +35,4 @@ jobs:
       - name: Build nix-bootstrap
         run: nix build
       - name: Check for vulnerabilities
-        run: nix run .\#ciPackages.vulnix -- -w vulnerability-whitelist.toml result
+        run: nix run .\#ciPackages.vulnix -- -C -w vulnerability-whitelist.toml result/
diff --git a/.last-exported-commit b/.last-exported-commit
@@ -1 +1 @@
-Last exported commit from parent repo: 5b1d2424fc8a6aa661fe6298336c1210977cf25e
+Last exported commit from parent repo: bb9bcbbe554afa82da3292140172e898a14ae693
diff --git a/nix-bootstrap.cabal b/nix-bootstrap.cabal
@@ -5,7 +5,7 @@ cabal-version: 2.0
 -- see: https://github.com/sol/hpack
 
 name:           nix-bootstrap
-version:        1.5.7.1
+version:        1.5.7.2
 author:         gchquser
 maintainer:     [email protected]
 copyright:      Crown Copyright

diff --git a/nix/pre-commit-hooks.nix b/nix/pre-commit-hooks.nix
@@ -85,7 +85,7 @@
       entry = "${
         nixpkgs.writeShellScriptBin
         "check-for-vulnerabilities"
-        "${nixpkgs.vulnix}/bin/vulnix -w vulnerability-whitelist.toml result"
+        "${nixpkgs.vulnix}/bin/vulnix -C -w vulnerability-whitelist.toml result/"
       }/bin/check-for-vulnerabilities";
       files = "nix-bootstrap";
       name = "check-for-vulnerabilities";

diff --git a/package.yaml b/package.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 name: nix-bootstrap
-version: 1.5.7.1
+version: 1.5.7.2
 author: gchquser
 maintainer: [email protected]
 copyright: Crown Copyright

diff --git a/vulnerability-whitelist.toml b/vulnerability-whitelist.toml
@@ -12,91 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-["async"]
-cve = ["CVE-2021-43138"]
-comment = "CVE refers to the JavaScript package async, not this haskell package."
-
-["binutils"]
-comment = "binutils is only a build-time dependency so we're not vulnerable to this attack."
-
-["cereal"]
-cve = ["CVE-2020-11104", "CVE-2020-11105"]
-comment = "CVEs refer to the C++ library cereal, not this haskell package."
-
-["coreutils"]
-cve = ["CVE-2024-0684"]
-comment = "Worst case is application crash; risk accepted"
-
-["flex"]
-cve = ["CVE-2019-6293"]
-comment = "Worst case is application crash; risk accepted"
-
-["fuse"]
-cve = ["CVE-2019-14860", "CVE-2019-14900"]
-comment = "CVEs refer to RedHat Fuse, not C libfuse (Filesystem in Userspace) on which we depend."
-
 ["gcc"]
-comment = "gcc is only a build-time dependency so we are not vulnerable to this attack."
-
-["git"]
-comment = """Git is only a build-time dependency of the project; it is the responsibility of users \
-  to ensure their version of git is up-to-date.\
-  """
-
-["hedgehog"]
-cve = ["CVE-2021-4276"]
-comment = "CVE refers to dns-stats/hedgehog, not this package."
-
-["http-client"]
-cve = ["CVE-2020-11021"]
-comment = "CVE refers to the JavaScript package @actions/http-client, not this haskell package."
-
-["lens"]
-cve = ["CVE-2021-23154", "CVE-2021-44458"]
-comment = "CVEs refer to Mirantis Lens, not this haskell package."
-
-["network"]
-cve = ["CVE-2021-35048",
-  "CVE-2021-35047",
-  "CVE-2021-35049",
-  "CVE-2021-35050",
-  "CVE-2022-24388",
-  "CVE-2022-24389",
-  "CVE-2022-24390",
-  "CVE-2022-24391",
-  "CVE-2022-24392",
-  "CVE-2022-24393",
-  "CVE-2022-24394",
-  "CVE-2022-0486",
-  "CVE-2022-0997"]
-comment = "CVEs refer to Fidelis Network, not this haskell package."
-
-["ninja"]
-comment = "ninja is only a build-time dependency so we are not vulnerable to this attack."
-
-["patch"]
-comment = "patch is only a build-time dependency so we are not vulnerable to this attack."
-
-["safe"]
-comment = "CVEs refer to F-Secure SAFE browser, not this haskell package."
-
-["terminal"]
-cve = ["CVE-2022-44702", "CVE-2002-1898"]
-comment = "CVEs refers to microsoft terminal and OSX terminal, not this haskell package."
-
-["unzip"]
-cve = ["CVE-2021-4217"]
-comment = "This vulnerability doesn't affect nix-bootstrap as it doesn't process arbitrary zip files."
-
-["yaml"]
-cve = ["CVE-2022-3064", "CVE-2021-4235", "CVE-2023-2251"]
-comment = "CVEs refer to other things called yaml, not this haskell package."
-
-["zlib-0.6.3.0"]
-comment = "Actual zlib dependency is already on a patched version; this version is a haskell library."
-
-["zlib-0.6.3.0-r4.cabal"]
-comment = "Actual zlib dependency is already on a patched version; this version is a haskell library."
+cve = ["CVE-2023-4039"]
+comment = "Reasonable worst-case is loss of availability; risk acceptable."
 
 ["zlib-1.3.1"]
 cve = ["CVE-2023-6992"]
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		Last exported commit from parent repo: 5b1d2424fc8a6aa661fe6298336c1210977cf25e
		Last exported commit from parent repo: bb9bcbbe554afa82da3292140172e898a14ae693