This repository automates vulnerability scans for the Ghaf Framework. The Ghaf vulnerability reports available on this repository are automatically updated on daily basis for the selected Ghaf branches and targets as specified in the Vulnerability Scan GitHub action workflow.
Key points demonstrated in this repository:
- Running automatic vulnerability scans for nix flake projects, using Ghaf Framework as an example.
- Using vulnxscan as the main vulnerability scanning tool for a Nix flake project.
- Using Nix flake updates to derive potentially missing security fixes for a Nix flake project. See section Theory of Operation for more details.
- Incorporating manual analysis results to the automated vulnerability scans.
This repository makes use of vulnxscan, which allows vulnerability scanning any Nix store paths, including Nix flake outputs.
Since Nix makes it possible to find buildtime dependencies without compiling the target, vulnxscan can also be used to scan any Nix flake outputs without realising (building) the output target. This makes it possible to scan targets that have not been built earlier and still be able to get the scan results relatively quickly.
Projects that make use of the Nix flakes are pinned to a specific Nixpkgs revision. As an example, at the time of writing, the Ghaf main branch is pinned to github:NixOS/nixpkgs/nixos-23.05 revision f6de47bd2ff24bb99459f01d04c324dce335aff9. We label this version of Ghaf as 'current'.
If we update the Ghaf pin by running nix flake lock --update-input nixpkgs, the nixpkgs revision Ghaf is pinned to moves forward to the latest Nixpkgs revision available in the channel Ghaf pins to. This means all Ghaf dependencies are updated to their latest version available in that channel. We label this version of Ghaf as 'lock_updated'.
If we update the Ghaf pin so that instead of pinning it to nix-release (e.g. github:NixOS/nixpkgs/nixos-23.05), we pin it to nix-unstable (github:NixOS/nixpkgs/nixos-unstable), all Ghaf dependencies will be updated to their latest version available in nix-unstable. We label this version of Ghaf as 'nix_unstable'.
We can now find potentially missing Ghaf security fixes by comparing the set of vulnerabilities reported by vulnxscan for the three different versions of Ghaf.
Vulnerabilities that are in 'current' set but not in 'lock_updated', are potentially fixed in nixpkgs channel Ghaf is pinned to, but the fixes have not been included in Ghaf. This set of vulnerabilities would be mitigated by updating the Ghaf flake lock file with nix flake lock --update-input nixpkgs or similar. ghafscan reports this set of vulnerabilities in each target report in section Vulnerabilities Fixed in Ghaf nixpkgs Upstream.
Vulnerabilities that are in 'lock_updated' set but not in 'nix_unstable', are potentially fixed in nixpkgs nix-unstable channel, but the fixes have not been backported to the channel Ghaf is currently pinned to. This set of vulnerabilities potentially requires backporting the fix from nix-unstable to the nixpkgs release branch Ghaf is currently pinned to. ghafscan reports this set of vulnerabilities in each target report in section Vulnerabilities Fixed in nix-unstable.
This repository demonstrates how to run ghafscan from Github actions, but ghafscan can be run locally too.
It requires that common Nix tools are available in $PATH and assumes nix flakes is enabled.
ghafscan can be run as a Nix flake from the tiiuae/ghafscan repository:
# '--' signifies the end of argument list for `nix`.
# '--help' is the first argument to `ghafscan`
$ nix run github:tiiuae/ghafscan#ghafscan -- --helpor from a local repository:
$ git clone https://github.com/tiiuae/ghafscan
$ cd ghafscan
$ nix run .#ghafscan -- --helpSee the full list of supported flake targets by running nix flake show.
To start a local development shell, run:
$ git clone https://github.com/tiiuae/ghafscan
$ cd ghafscan
$ nix developFrom the development shell, run ghafscan as follows:
$ ./src/ghafscan/main.py --helpTo deactivate the Nix development shell, run exit in your shell.
All pull requests, suggestions, and error reports are welcome. To start development, we recommend using Nix flakes development shell.
Run make help in the development shell to see the list of supported make targets.
Prior to sending any pull requests, make sure at least the make pre-push runs without failures.
This project is licensed under the Apache-2.0 license - see the Apache-2.0.txt file for details.