Improve our tracking of vulnerabilities and CVEs.
We currently use vulnix to report on the number of vulnerabilities in our stack.
However, it has several issues:
- It picks up vulnerabilities in build dependencies:
  - e.g. openexr/openjpeg via sphinx+imagemagick via qemu via qemu-utils via cloud-utils, which is used in the initrd. However, qemu-utils is not used by the output (guest) of cloud-utils used by the initrd.
  - e.g. c-ares, which is a dependency of the binaries built by nghttp2, but curl only pulls in the library, which doesn't depend on c-ares.
- False positives:
  - The vulnerability for morph refers to some sort of bitcoin thing.
  - The vulnerability for dbus-1 is picking up the derivation that has configuration (which typically goes in /etc/dbus-1 or /usr/share/dbus-1).
  - The vulnerability for fuse is referring to something related to jboss: https://www.redhat.com/en/technologies/jboss-middleware/fuse-online