vulnix integration

2026-03-09 20:31:10 +00:00 · 2025-05-09 15:27:22 +03:00 · 2025-05-09 15:27:22 +03:00 · 436855d8c1
commit 436855d8c1
parent 758438382d
11 changed files with 172 additions and 2 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -9,6 +9,7 @@ package:

 let
  tempSensorOptions = (import ./submodules/tempSensorOptions.nix) { inherit lib; };
+  vulnixWhitelistRule = (import ./submodules/vulnixWhitelistRule.nix) { inherit lib; };
 in
 {
  options.services.lego-monitoring = {
@ -19,6 +20,7 @@ in
        "start"
        "stop"
        "temp"
+        "vulnix"
      ]);
      default = [ ];
      description = "List of enabled check sets. Each check set is a module which checks something and generates alerts based on check results.";
@ -63,12 +65,40 @@ in
          '';
        };
      };
+
+      vulnix = {
+        whitelist = lib.mkOption {
+          type = lib.types.attrsOf (lib.types.submodule vulnixWhitelistRule);
+          default = { };
+          description = "Whitelist rules for vulnix. Attr name is package with version, package name, or `*`.";
+          example = lib.literalExpression ''{
+            "ffmpeg-3.4.2" = {
+              cve = [ "CVE-2018-6912" "CVE-2018-7557" ];
+              until = "2018-05-01";
+              issueUrl = "https://issues.example.com/29952";
+            };
+          }'';
+        };
+      };
    };
  };

  config = let
    cfg = config.services.lego-monitoring;
    json = pkgs.formats.json {};
+    toml = pkgs.formats.toml {};
+
+    # This monstrous incantation has the effect of converting the options to snake_case
+    # and removing those that are null (because TOML does not support null values)
+    vulnixWhitelistFile = toml.generate "vulnix-whitelist.toml" (lib.attrsets.filterAttrsRecursive (
+      k: v: v != null
+    ) (
+      lib.mapAttrs (_: rule: {
+        inherit (rule) cve until;
+        issue_url = rule.issueUrl;
+      }) cfg.checks.vulnix.whitelist
+    ));
+
    serviceConfigFile = json.generate "config.json" {
      enabled_check_sets = cfg.enabledCheckSets;
      telegram = with cfg.telegram; {
@ -88,6 +118,8 @@ in
          }) sensorCfg.readings;

        }) cfg.checks.temp.sensors;
+
+        vulnix.whitelist_path = vulnixWhitelistFile;
      };
    };
  in lib.mkIf cfg.enable {
--- a/modules/submodules/vulnixWhitelistRule.nix
+++ b/modules/submodules/vulnixWhitelistRule.nix
@ -0,0 +1,27 @@
+{
+  lib,
+}:
+
+{
+  options = {
+    cve = lib.mkOption {
+      type = lib.types.nullOr (lib.types.listOf lib.types.str);
+      default = null;
+      description = ''
+        List of CVE identifiers to match. The whitelist rule is valid as long as the detected CVEs are a subset of the CVEs listed here.
+        If additional CVEs are detected, this whitelist rule is not effective anymore. If null, all CVEs are matched.'';
+    };
+    until = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = ''
+        Date in the form "YYYY-MM-DD" which confines this rule's lifetime. Null means forever.
+        On the specified date and later, this whitelist rule is not effective anymore.'';
+    };
+    issueUrl = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "URL or list of URLs that point to any issue tracker. Informational only.";
+    };
+  };
+}