SpackNVD: A Vulnerability Audit Tool for Spack Packages

Tre' R. Jeter, Matthew J. Bobbitt, Barry L. Rountree

2022 IEEE/ACM First International Workshop on Cyber Security in High Performance Computing (S-HPC), 2022

Abstract
Security models for Linux distro package security and interoperability have traditionally emphasized the use of more recent (more secure) versions at the occasional expense of execution reproducibility. A complementary approach (e.g., Lmod) allows access to multiple sysadmin-approved package versions. Another approach (e.g., Spack) enables a purely user space process for package selection without system administrator oversight. While maximizing reproducibility, there is no user feedback regarding potential security vulnerabilities. We introduce a general security model for package management and our implementation of SpackNVD, a security auditing tool for Spack. Users may query reported vulnerabilities for specific package versions and can prevent installation where the severity score exceeds a threshold. We emphasize this is a tool, not a solution: Spack users are not expected to be security professionals. However, this information may influence Spack concretizer decisions, and enable users to ask support staff about whether specific package versions are appropriate for use.
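As an added illustration (not the paper's SpackNVD code), the audit-and-gate behaviour described above in Python: a package name and version are matched against NVD-style vulnerable-version ranges, and installation is refused when the highest matching severity score exceeds a threshold. The record layout, product names, version ranges, scores and CVE identifiers are constructed for the example, and versions are assumed to be dotted-numeric.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CveRecord:
    cve_id: str                 # placeholder identifier, not a real CVE number
    product: str                # CPE-style product name, e.g. "zlib"
    start_incl: Optional[str]   # lowest affected version (inclusive); None = no lower bound
    end_excl: Optional[str]     # first fixed version (exclusive); None = no upper bound
    cvss: float                 # CVSS base score attached to the record


# Constructed sample records shaped like NVD "affected version range" entries.
SAMPLE_RECORDS: List[CveRecord] = [
    CveRecord("CVE-0000-0001", "zlib", "1.2.0", "1.2.12", 9.8),
    CveRecord("CVE-0000-0002", "zlib", None, "1.2.9", 5.5),
    CveRecord("CVE-0000-0003", "curl", "7.0.0", "7.80.0", 6.1),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Assumption: versions are dotted integers ('1.2.11'), so tuples compare correctly."""
    return tuple(int(part) for part in text.split("."))


def is_affected(rec: CveRecord, product: str, version: str) -> bool:
    """True when the record names this product and its range contains this version."""
    if rec.product != product:
        return False
    v = parse_version(version)
    if rec.start_incl is not None and v < parse_version(rec.start_incl):
        return False
    if rec.end_excl is not None and v >= parse_version(rec.end_excl):
        return False
    return True


def audit(product: str, version: str, records: List[CveRecord] = SAMPLE_RECORDS) -> List[CveRecord]:
    """Query step: every record whose affected range covers this exact package version."""
    return [r for r in records if is_affected(r, product, version)]


def install_allowed(product: str, version: str, threshold: float,
                    records: List[CveRecord] = SAMPLE_RECORDS) -> Tuple[bool, float]:
    """Gate step: block when the worst matching score exceeds the threshold.
    Returns (allowed, worst_score); worst_score is 0.0 when nothing matched."""
    worst = max((r.cvss for r in audit(product, version, records)), default=0.0)
    return worst <= threshold, worst
```

Two different records can cover the same version, so the gate always takes the maximum score rather than the first hit.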
Keywords
Common Platform Enumeration, Common Vulnerabilities and Exposures, Common Vulnerability Scoring System, High-Performance Computing, National Vulnerability Database, Package Manager, Security, Spack