request: more BOM sources and general CVE scans #1640

Open
mcandre opened this issue Apr 12, 2023 · 2 comments

Comments


mcandre commented Apr 12, 2023

I love how vuls supports scanning for CVEs in some common package managers. I would like to see this list extended, in order to catch security problems on more machines.

(If you already include support for some of these, please lemme know which ones!)

  • App Store (macOS)
  • adb (Android)
  • arch-audit (Arch Linux)
  • pkg-audit (FreeBSD, DragonflyBSD, HardenedBSD)
  • pkg_admin audit (NetBSD)
  • pkg for more FreeBSD variants, including DragonflyBSD, HardenedBSD, NetBSD, OpenBSD, etc.
  • pkgin
  • pkgsrc
  • Snap (Linux)
  • Flatpak (Linux)
  • apk (Alpine Linux)
  • apt (Debian Linux family)
  • ipkg (busybox/toybox Linux)
  • opkg (OpenWrt Linux)
  • PPAs (Ubuntu Linux family)
  • urpmi (Mageia Linux)
  • Homebrew (macOS and Linux)
  • Chocolatey (Windows)
  • winget (Windows)
  • various WSL package managers, when vuls is run directly on a Windows host shell outside of WSL
  • Windows Store (Windows)
  • Cygwin / MSYS2 / MinGW / Strawberry Perl (Windows)
  • cpan-audit (Perl programming language)
  • entries registered as Installed Programs (Windows)
  • arbitrary files in "C:\Program Files" and "C:\Program Files (x86)" (Windows)
  • yast (OpenSuSE)
  • yum (RHEL Linux family)
  • Cargo (Rust programming language, essentially just run cargo audit)
  • pip (Python programming language, essentially just run the third party safety check command)
  • Snyk CLI (many programming languages)
  • RubyGems (Ruby programming language, essentially just run gem audit)
  • NPM (JavaScript programming language family, essentially just run npm audit)
  • Ansible
  • Terraform
  • Salt
  • Chef
  • Puppet (see the vulnerability module https://forge.puppet.com/modules/enterprisemodules/vulnerability/readme)
  • entries in archives (zip, tar/gz/tgz/tar.gz/bz2/tbz2/tar.bz2/xz/txz/tar.xz, rar, jar, war, lzma, 7z, etc.)
  • Cabal (Haskell programming language)
  • Dub (D programming language)
  • Conan (C/C++ programming languages)
  • vcpkg (C/C++ programming languages)
  • ASDF (the Common Lisp package manager, not the version manager)
  • various Scheme language package managers
  • ShellCheck (POSIX sh family programming languages)
  • ohmyzsh and various other zsh, bash, etc. shell package managers
  • Kubernetes (with KICS, checkov, etc.)
  • go mod (Go programming language, just run snyk test)
  • vendor source trees (various programming languages)
  • git submodules

I think a lot of vulnerabilities hide out in these kinds of alleys, so the more of these we can include in vuls scans, the stronger our security posture will be.

mcandre changed the title from "request: more BOM sources" to "request: more BOM sources and general CVE scans" on Apr 12, 2023
MaineK00n (Collaborator) commented

It may be more valuable to summarize the availability of security advisories than on a per-package manager basis.

MaineK00n (Collaborator) commented

Please refer to the following for the status of Vuls support.
