
request: more BOM sources and general CVE scans #1640

Open
mcandre opened this issue Apr 12, 2023 · 2 comments

Comments

mcandre commented Apr 12, 2023

I love how vuls supports scanning for CVEs in some common package managers. I would like to see this list extended, in order to catch security problems on more machines.

(If you already include support for some of these, please lemme know which ones!)

  • App Store (macOS)
  • adb (Android)
  • arch-audit (Arch Linux)
  • pkg-audit (FreeBSD, DragonflyBSD, HardenedBSD)
  • pkg_admin audit (NetBSD)
  • pkg for more FreeBSD variants, including DragonflyBSD, HardenedBSD, NetBSD, OpenBSD, etc.
  • pkgin
  • pkgsrc
  • Snap (Linux)
  • Flatpak (Linux)
  • apk (Alpine Linux)
  • apt (Debian Linux family)
  • ipkg (busybox/toybox Linux)
  • opkg (OpenWrt Linux)
  • PPAs (Ubuntu Linux family)
  • urpmi (Mageia Linux)
  • Homebrew (macOS and Linux)
  • Chocolatey (Windows)
  • winget (Windows)
  • various WSL package managers, when vuls is run directly on a Windows host shell outside of WSL
  • Windows Store (Windows)
  • Cygwin / MSYS2 / MinGW / Strawberry Perl (Windows)
  • cpan-audit (Perl programming language)
  • entries registered as Installed Programs (Windows)
  • arbitrary files in "C:\Program Files" and "C:\Program Files (x86)" (Windows)
  • yast (openSUSE)
  • yum (RHEL Linux family)
  • Cargo (Rust programming language, essentially just run cargo audit)
  • pip (Python programming language, essentially just run the third party safety check command)
  • Snyk CLI (many programming languages)
  • RubyGems (Ruby programming language, essentially just run gem audit)
  • NPM (JavaScript programming language family, essentially just run npm audit)
  • Ansible
  • Terraform
  • Salt
  • Chef
  • Puppet (see the vulnerability module: https://forge.puppet.com/modules/enterprisemodules/vulnerability/readme)
  • entries in archives (zip, tar/gz/tgz/tar.gz/bz2/tbz2/tar.bz2/xz/txz/tar.xz, rar, jar, war, lzma, 7z, etc.)
  • Cabal (Haskell programming language)
  • Dub (D programming language)
  • Conan (C/C++ programming languages)
  • vcpkg (C/C++ programming languages)
  • ASDF (the Common Lisp package manager, not the version manager)
  • various Scheme language package managers
  • ShellCheck (POSIX sh family programming languages)
  • ohmyzsh and various other zsh, bash, etc. shell package managers
  • Kubernetes (with KICS, checkov, etc.)
  • go mod (Go programming language, just run snyk test)
  • vendor source trees (various programming languages)
  • git submodules

I think a lot of vulnerabilities hide out in these kinds of alleys, so the more of these we can include in vuls scans, the stronger our security posture will be.

@mcandre mcandre changed the title request: more BOM sources request: more BOM sources and general CVE scans Apr 12, 2023
@MaineK00n
Collaborator

It may be more valuable to summarize the availability of security advisories than on a per-package-manager basis.

@MaineK00n
Collaborator

Please refer to the following for the status of Vuls support.
