Open
Description
I love how vuls supports scanning for CVE's in some common package managers. I would like to see this list extended, in order to catch security problems on more machines.
(If you already include support for some of these, please lemme know which ones!)
- App Store (macOS)
- adb (Android)
- arch-audit (Arch Linux)
- pkg-audit (FreeBSD, DragonflyBSD, HardenedBSD)
pkg_admin audit(NetBSD)- pkg for more FreeBSD variants, including DragonflyBSD, HardenedBSD, NetBSD, OpenBSD, etc.
- pkgin
- pkgsrc
- Snap (Linux)
- Flatpak (Linux)
- apk (Alpine Linux)
- apt (Debian Linux family)
- ipkg (busybox/toybox Linux)
- opkg (OpenWrt Linux)
- PPA's (Ubuntu Linux family)
- urpmi (Mageia Linux)
- Homebrew (macOS and Linux)
- Chocolatey (Windows)
- winget (Windows)
- various WSL package managers, when vuls is run directly on a Windows host shell outside of WSL
- Windows Store (Windows)
- Cygwin / MSYS2 / MinGW / Strawberry Perl (Windows)
- cpan-audit (Perl programming language)
- entries registered as Installed Programs (Windows)
- arbitrary files in "C:\Program Files" and "C:\Program Files (x86)" (Windows)
- yast (OpenSuSE)
- yum (RHEL Linux family)
- Cargo (Rust programming language, essentially just run
cargo audit) - pip (Python programming language, essentially just run the third party
safety checkcommand) - Snyk CLI (many programming languages)
- RubyGems (Ruby programming language, essentially just run
gem audit) - NPM (JavaScript programming language family, essentially just run
npm audit) - Ansible
- Terraform
- Salt
- Chef
- Puppet ( see the
vulnerabilitymodule https://forge.puppet.com/modules/enterprisemodules/vulnerability/readme ) - entries in archives (zip, tar/gz/tgz/tar.gz/bz2/tbz2/tar.bz2/xz/txz/tar.xz, rar, jar, war, lzma, 7z, etc.)
- Cabal (Haskell programming language)
- Dub (D programming language)
- Conan (C/C++ programming languages)
- vcpkg (C/C++ programming languages)
- ASDF (the Common Lisp package manager, not the version manager)
- various Scheme language package managers
- ShellCheck (POSIX sh family programming languages)
- ohmyzsh and various other zsh, bash, etc. shell package managers
- Kubernetes (with KICS, checkov, etc.)
go mod(Go programming language, just runsnyk test)vendorsource trees (various programming languages)- git submodules
I think a lot of vulnerabilities hide out in these kinds of alleys, so the more of these we can include in vuls scans, the stronger our security posture will be.