future-architect/vuls


request: more BOM sources and general CVE scans #1640

mcandre posted on GitHub

I love how vuls supports scanning for CVEs in some common package managers. I would like to see this list extended, in order to catch security problems on more machines.

(If you already include support for some of these, please lemme know which ones!)

  • App Store (macOS)
  • adb (Android)
  • arch-audit (Arch Linux)
  • pkg-audit (FreeBSD, DragonflyBSD, HardenedBSD)
  • pkg_admin audit (NetBSD)
  • pkg for more FreeBSD variants, including DragonflyBSD, HardenedBSD, NetBSD, OpenBSD, etc.
  • pkgin
  • pkgsrc
  • Snap (Linux)
  • Flatpak (Linux)
  • apk (Alpine Linux)
  • apt (Debian Linux family)
  • ipkg (busybox/toybox Linux)
  • opkg (OpenWrt Linux)
  • PPAs (Ubuntu Linux family)
  • urpmi (Mageia Linux)
  • Homebrew (macOS and Linux)
  • Chocolatey (Windows)
  • winget (Windows)
  • various WSL package managers, when vuls is run directly on a Windows host shell outside of WSL
  • Windows Store (Windows)
  • Cygwin / MSYS2 / MinGW / Strawberry Perl (Windows)
  • cpan-audit (Perl programming language)
  • entries registered as Installed Programs (Windows)
  • arbitrary files in "C:\Program Files" and "C:\Program Files (x86)" (Windows)
  • yast (openSUSE)
  • yum (RHEL Linux family)
  • Cargo (Rust programming language, essentially just run cargo audit)
  • pip (Python programming language, essentially just run the third party safety check command)
  • Snyk CLI (many programming languages)
  • RubyGems (Ruby programming language, essentially just run gem audit)
  • NPM (JavaScript programming language family, essentially just run npm audit)
  • Ansible
  • Terraform
  • Salt
  • Chef
  • Puppet ( see the vulnerability module https://forge.puppet.com/modules/enterprisemodules/vulnerability/readme )
  • entries in archives (zip, tar/gz/tgz/tar.gz/bz2/tbz2/tar.bz2/xz/txz/tar.xz, rar, jar, war, lzma, 7z, etc.)
  • Cabal (Haskell programming language)
  • Dub (D programming language)
  • Conan (C/C++ programming languages)
  • vcpkg (C/C++ programming languages)
  • ASDF (the Common Lisp package manager, not the version manager)
  • various Scheme language package managers
  • ShellCheck (POSIX sh family programming languages)
  • ohmyzsh and various other zsh, bash, etc. shell package managers
  • Kubernetes (with KICS, checkov, etc.)
  • go mod (Go programming language, just run snyk test)
  • vendor source trees (various programming languages)
  • git submodules

I think a lot of vulnerabilities hide out in these kinds of alleys, so the more of these we can include in vuls scans, the stronger our security posture will be.
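Several of the items above amount to "just run the ecosystem's own audit command". The wrapper below is an added example, not vuls code and not part of the post: it maps lockfiles and manifests found in a source tree to the audit CLI for that ecosystem, runs the ones whose tool is installed, and reports the rest as skipped so gaps are visible rather than silent. The file-to-command mapping, the function names `plan_audits` and `run_audits`, and the `AUDIT_DIR` variable are this example's assumptions; the commands themselves (`cargo audit`, `npm audit`, `bundle audit check` from bundler-audit, `safety check`, `govulncheck`, `cpan-audit`) are real CLIs but must be installed separately.

```shell
#!/bin/sh
# Added example (not from vuls): per-ecosystem CVE audit dispatcher for one source tree.

# Print "<ecosystem> <audit command>" for every ecosystem marker found in $1.
# The marker-to-command mapping is an assumption of this example; extend it per
# the wishlist above (Conan, vcpkg, Cabal, ...) as audit tooling becomes available.
plan_audits() {
    dir="$1"
    [ -f "$dir/Cargo.lock" ]        && echo "cargo cargo audit"
    [ -f "$dir/package-lock.json" ] && echo "npm npm audit --audit-level=high"
    [ -f "$dir/Gemfile.lock" ]      && echo "rubygems bundle audit check"
    [ -f "$dir/requirements.txt" ]  && echo "pip safety check -r requirements.txt"
    [ -f "$dir/go.sum" ]            && echo "go govulncheck ./..."
    [ -f "$dir/cpanfile.snapshot" ] && echo "perl cpan-audit"
    return 0
}

# Run each planned audit whose tool is on PATH; skip (and say so) otherwise.
# Returns non-zero if any audit that ran reported findings or failed.
run_audits() {
    dir="$1"
    plan="$(plan_audits "$dir")"
    rc=0
    while read -r eco cmd; do
        [ -n "$eco" ] || continue
        tool="${cmd%% *}"                      # first word is the executable
        if command -v "$tool" >/dev/null 2>&1; then
            echo "== $eco: $cmd"
            (cd "$dir" && sh -c "$cmd") || rc=1
        else
            echo "== $eco: SKIPPED ($tool not installed; ecosystem not covered)"
        fi
    done <<EOF
$plan
EOF
    return "$rc"
}

# Usage: AUDIT_DIR=/path/to/checkout sh audit_tree.sh
if [ -n "${AUDIT_DIR:-}" ]; then
    run_audits "$AUDIT_DIR"
fi
```

The skip branch is the point: an aggregator that silently ignores an ecosystem it has no scanner for looks the same as one that found nothing, so the wrapper names every uncovered ecosystem it detected.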


It may be more valuable to summarize the availability of security advisories than to do so on a per-package-manager basis.

posted by MaineK00n almost 2 years ago

Please refer to the following for the status of Vuls support.

posted by MaineK00n almost 2 years ago
