Vulnerability database in OSV format

[lubo]

GitHub Dependabot has just added support for Nix flakes (dependabot/dependabot-core#7340). However, it's unable to provide security updates for NixOS packages due to the fact that there's no database in OSV format that maps CVEs to affected NixOS packages (dependabot/dependabot-core#7340 (comment)). Several distributions like Alpine Linux, Debian, RHEL, etc. do provide such databases.

I'm unsure whether https://tracker.security.nixos.org/api/v1/issues/ is meant to serve the same purpose, but it currently:

• Crashes with HTTP status code 500.
• Doesn't provide all necessary information in the standardized OSV format, according to https://github.com/NixOS/nix-security-tracker/blob/6f3b2690c23673db55b703bf85e78dcd1b3d5f14/src/shared/views.py.

This is the only thing that precludes me from using Nix flakes in all my projects, personal and business ones.

[LeSuisse]

I have a (crappy, you have been warned 😅 ) proof of concept here: https://github.com/LeSuisse/nixpkgs-security-advisory-osv

ATM we are missing a way to determine when (i.e. the commit or at least the commit of the evaluation has an approximation) a specific issue on the security tracker has been fixed to make it useful for downstream consumers.

[fricklerhandwerk]

Yes we should do this natively. Can't promise it will be fast though, the backlog is substantial.