Merge branch 'new-vulnix' into 'develop'

Use a version of vulnix that doesn't collapse derivations with different sets of patches. See merge request !196

Merge branch 'new-vulnix' into 'develop'
49d9c194 · Jean-Paul Calderone · 3475e697 · c5d5119a · 49d9c194
Commit 49d9c194 authored 3 years ago by Jean-Paul Calderone
--- a/ci-tools/vulnerability-scan
+++ b/ci-tools/vulnerability-scan
@@ -32,6 +32,12 @@ else
 fi
 '

+# The version (1.9.6) of vulnix in nixos-21.05 incorrectly collapses
+# derivations with the same name+version, but different sets of patches
+# applied. Therefore, we use a recent nixos-unstable version that has a newer
+# version of vulnix included.
+export NIX_PATH=nixpkgs=https://api.github.com/repos/NixOS/nixpkgs/tarball/ee084c02040e864eeeb4cf4f8538d92f7c675671
+
 # vulnix exits with an error status if there are vulnerabilities.  We told
 # GitLab to allow this by setting `allow_failure` to true in the GitLab CI
 # config.  vulnix exit status indicates what vulnix thinks happened.  If we