CVE Remediation Guide & Workflow for Flake-based Nix Systems

This guide provides a general workflow for identifying, assessing, and remediating CVEs (Common Vulnerabilities and Exposures) in a Nix flake-based infrastructure, leveraging the tools and scripts provided in this repository.

1. Vulnerability Scanning

  • Run a scan:
    Use the vulnix tool to scan your system's Nix store for known vulnerabilities:

      just vulscan

      # or

      nix run nixpkgs#vulnix -- -j -w whitelist.toml $(nix-store --query --deriver ./result) > vulnix.json

    Here ./result is the output link left by a previous build of the system; nix-store --query --deriver resolves it to the derivation whose closure vulnix scans, -j selects JSON output and -w applies the whitelist. This produces a machine-readable vulnix.json file with all detected CVEs.

  • Generate reports:
    Use the provided script to generate human-readable reports:

      python3 ./scripts/vulnix-report-gen.py vulnix.json -f markdown -o vulnerabilities-report.md
      python3 ./scripts/vulnix-report-gen.py vulnix.json -f terminal -o vulnerabilities-report.txt --no-color
      python3 ./scripts/vulnix-report-gen.py vulnix.json -f json -o vulnerabilities-report.json


2. Review & Prioritize

  • Executive summary:
    Review the summary in the generated reports for counts and severity distribution.
  • Detailed findings:
    Focus on packages with CRITICAL and HIGH CVEs first, then review package names, versions, and associated CVEs.

3. Remediation Workflow

  1. Update Packages:
     • Update the affected package(s) in your flake inputs or overlays.
     • Rebuild the system:

         nix flake update
         just rebuild  # or your preferred rebuild command

  2. Patch or Replace:
     • If no upstream fix is available, consider patching the package or using an alternative.
     • Document any temporary mitigations.
  3. Whitelist (if necessary):
     • If a CVE is a false positive or not applicable, add it to whitelist.toml with justification.

4. Verification

  • Re-scan:
    After remediation, re-run the scan and regenerate reports to confirm resolution.
  • CI Integration:
    Integrate these steps into your CI pipeline to catch regressions early.
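A triage helper covering the prioritization in section 2 and the re-scan check in section 4, written as an added example and not the repository's own vulnix-report-gen.py; the record fields it reads (pname, version, affected_by, whitelisted, cvssv3_basescore) are an assumption about vulnix's -j output, and the two scans are constructed samples with placeholder CVE ids:

```python
"""Rank open vulnix findings by CVSS v3 severity and diff two scans. Added example, not this repo's script."""
import json

def rec(pname, version, scores, whitelisted=()):  # assumed vulnix -j record layout
    return {"pname": pname, "version": version, "affected_by": list(scores),
            "whitelisted": list(whitelisted), "cvssv3_basescore": scores}

BEFORE = json.dumps([  # constructed sample: scan before `nix flake update`
    rec("pkg-a", "1.0", {"CVE-0000-0001": 7.4, "CVE-0000-0002": 5.3}),
    rec("pkg-b", "2.0", {"CVE-0000-0003": 9.1}),
    rec("pkg-c", "3.0", {"CVE-0000-0004": 9.8}, whitelisted=["CVE-0000-0004"]),
])
AFTER = json.dumps([  # constructed sample: re-scan after the rebuild
    rec("pkg-a", "1.1", {"CVE-0000-0002": 5.3}),
    rec("pkg-c", "3.0", {"CVE-0000-0004": 9.8}, whitelisted=["CVE-0000-0004"]),
    rec("pkg-d", "0.9", {"CVE-0000-0005": 7.0}),
])
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

def severity(score):
    """CVSS v3.x qualitative rating; UNKNOWN when vulnix has no score for the CVE."""
    if score is None:
        return "UNKNOWN"
    return "CRITICAL" if score >= 9.0 else "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"

def findings(report_json):
    """One row per (package, CVE); whitelisted CVEs are left to the whitelist audit."""
    rows = []
    for pkg in json.loads(report_json):
        for cve in pkg.get("affected_by", []):
            if cve in pkg.get("whitelisted", []):
                continue  # justified in whitelist.toml, reviewed separately
            score = pkg.get("cvssv3_basescore", {}).get(cve)
            rows.append({"pname": pkg["pname"], "version": pkg["version"],
                         "cve": cve, "score": score, "severity": severity(score)})
    return rows

def prioritize(report_json):
    """CRITICAL first, then HIGH, ...; highest score first inside a bucket."""
    return sorted(findings(report_json),
                  key=lambda r: (RANK[r["severity"]], -(r["score"] or 0.0), r["pname"]))

def diff_scans(before_json, after_json):
    """Keyed on (pname, cve), not version, so a bumped package that still
    carries the CVE is not counted as resolved; CI should fail on 'introduced'."""
    key = lambda r: (r["pname"], r["cve"])
    before = {key(r) for r in findings(before_json)}
    after = {key(r) for r in findings(after_json)}
    return {"resolved": sorted(before - after), "introduced": sorted(after - before)}
```

For real input, pass the contents of vulnix.json from before and after the rebuild; a non-empty `introduced` list is the regression signal a CI job can fail on.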

5. Documentation & Audit

  • Track changes:
    Commit updated reports and remediation notes to version control.
  • Audit trail:
    Use the markdown and JSON reports as artifacts for compliance and audits.

6. Automation

  • Use the just tasks and scripts in this repository to automate scanning, reporting, and basic remediation steps.
  • See justfile and modules/flake/programs/shell.nix for available commands and shells.

References