Use a version of vulnix that doesn't collapse derivations with different sets of patches. (!196) · Merge requests · PrivateStorage / PrivateStorageio

Tom Prince requested to merge tomprince/PrivateStorageio:new-vulnix into develop Oct 09, 2021

As described in https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/issues/93#note_16389, the version of vulnix in nixos-21.05 incorrectly combines leading to potentially masking a vulnerability, if we have two derivations for the same package, with different sets of patches applied.

I noticed this while preparing !195 (merged), where before, we had two versions of binutils-2.31.1 (one from our nixpkgs fork based on nixos-20.09, and one from haskell.nix's pinned nixos-20.09 version). It appears the latter had more patches fixing CVE's applied, so removing it caused old version of vulnix to start reporting new vulnerabilities.

Use a version of vulnix that doesn't collapse derivations with different sets of patches.

Merge request reports