Add --memory option

chkno · chkno · commit 730ba5bb1f55 · 2021-05-20T16:52:45.000-07:00
diff --git a/doc/vulnix.1.md b/doc/vulnix.1.md
@@ -31,6 +31,9 @@ should not be reported.
   Scans the current system defined as transitive closure of
   _/run/current-system_.
 
+* `-M`, `--memory`:
+  Scans currently-running processes.
+
 * `-G`, `--gc-roots`:
   Scans all active garbage collection roots. This option is of limited use since
   the scan will include all old system generations.
diff --git a/src/vulnix/main.py b/src/vulnix/main.py
@@ -50,10 +50,12 @@ def init_logging(verbose):
         logging.basicConfig(level=logging.WARNING)
 
 
-def populate_store(store, gc_roots, paths, requisites=True):
+def populate_store(store, gc_roots, memory, paths, requisites=True):
     """Load derivations from nix store depending on cmdline invocation."""
     if gc_roots:
         store.add_gc_roots()
+    if memory:
+        store.add_memory_roots()
     for path in paths:
         store.add_path(path)
     return store
@@ -74,6 +76,8 @@ def run(nvd, store):
 # what to scan
 @click.option('-S', '--system', is_flag=True,
               help='Scan the current system.')
+@click.option('-M', '--memory', is_flag=True,
+              help='Scan currently-running process.')
 @click.option('-G', '--gc-roots', is_flag=True,
               help='Scan all active GC roots (including old ones).')
 @click.option('-f', '--from-file', type=click.File(mode='r'),
@@ -108,14 +112,14 @@ def run(nvd, store):
               help='(obsolete; kept for compatibility reasons)')
 @click.option('-F', '--notfixed', is_flag=True,
               help='(obsolete; kept for compatibility reasons)')
-def main(verbose, gc_roots, system, from_file, path, mirror, cache_dir,
+def main(verbose, gc_roots, memory, system, from_file, path, mirror, cache_dir,
          requisites, whitelist, write_whitelist, version, json,
          show_whitelisted, default_whitelist, notfixed):
     if version:
         print('vulnix ' + pkg_resources.get_distribution('vulnix').version)
         sys.exit(0)
 
-    if not (gc_roots or system or path or from_file):
+    if not (gc_roots or memory or system or path or from_file):
         howto()
         sys.exit(3)
 
@@ -141,7 +145,7 @@ def main(verbose, gc_roots, system, from_file, path, mirror, cache_dir,
                     for drv in from_file.readlines():
                         paths.append(drv.strip())
             if paths:
-                populate_store(store, gc_roots, paths, requisites)
+                populate_store(store, gc_roots, memory, paths, requisites)
         with NVD(mirror, cache_dir) as nvd:
             with Timer('Update NVD data'):
                 nvd.update()
diff --git a/src/vulnix/nix.py b/src/vulnix/nix.py
@@ -22,6 +22,15 @@ def add_gc_roots(self):
         for d in call(['nix-store', '--gc', '--print-live']).splitlines():
             self.update(d)
 
+    def add_memory_roots(self):
+        """Add derivations found in currently-running processes."""
+        _log.debug('loading derivations from currently-running processes')
+        for line in call(['nix-store', '--gc', '--print-roots']).splitlines():
+            source, path = line.split(' -> ', 1)
+            if (source.startswith('/proc/') or source.startswith('{temp:')
+                    or source == '{lsof}' or source == '{censored}'):
+                self.add_path(path)
+
     def add_path(self, path):
         """Add the closure of all derivations referenced by a store path."""
         if not p.exists(path):
