way to check the system for known CVEs
how do you usually check, what tools you use?
can you recommend a good FLOSS scanner + antivirus, with the fastest regular crowd-contributed updates?
antivirus alone doesn't fix or protect from arbitrary code exploiting a CVE.
ClamAV, even with recent signatures, doesn't detect unix (or cross-platform) badware.
----------------
2c
1 in nixpkgs you're supposed to read and audit the code yourself, trust the build instructions; the hash demonstrates build reproducibility. But there are other specific designated tools out there for reproducible builds other than nix.
2 in theory nothing prevents you from running an offline customized CVE scan script: just get and compare installed versions vs vulnerable ones. + optional exploit check via nix-env .
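What the "compare installed versions vs vulnerable" step in point 2 looks like in practice, as an added example that is not code from this thread or from any real scanner. The inventory is in the `name-version` shape that `nix-env -q` prints; the advisory records (package, introduced, fixed) and their CVE ids are constructed placeholders, not real advisories, and their schema is an assumption rather than any real feed's format. The part worth getting right is the version comparison: comparing version strings as plain text would say 1.2.9 > 1.2.13 and miss or invent findings.

```python
"""Offline CVE check for an installed-package inventory.

Added example for this thread, not code from the original post. Everything
below is constructed: the inventory, the advisory list and the CVE ids
(placeholders, not real identifiers). The shape of the advisory records
(package, introduced, fixed) is an assumption, not any real feed's schema.
"""
import re

# Constructed inventory, one `name-version` entry per line, the same shape
# that `nix-env -q` prints for installed derivations.
INSTALLED = """\
openssl-3.0.7
curl-8.1.2
zlib-1.2.13
bash-5.2-p15
"""

# Constructed advisories with placeholder ids. A range means "affected if
# introduced <= installed < fixed"; a `fixed` of None means no fix yet.
ADVISORIES = [
    {"id": "CVE-XXXX-0001 (placeholder)", "package": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.8"},
    {"id": "CVE-XXXX-0002 (placeholder)", "package": "curl",
     "introduced": "7.0.0", "fixed": "8.1.0"},
    {"id": "CVE-XXXX-0003 (placeholder)", "package": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.13"},
]


def parse_version(version):
    """Turn '1.2.13' or '5.2-p15' into a tuple that compares the way humans
    expect: numeric components compare as integers, not as strings, so
    1.2.13 > 1.2.9. Non-numeric components sort after numeric ones."""
    key = []
    for part in re.split(r"[.\-]", version):
        m = re.match(r"(\d+)(.*)$", part)
        if m:
            key.append((0, int(m.group(1)), m.group(2)))
        else:
            key.append((1, 0, part))
    return tuple(key)


def parse_installed(text):
    """Split 'name-version' lines at the first dash that is followed by a
    digit, so multi-dash names like gcc-wrapper-12.3.0 still split right."""
    packages = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)-(\d.*)$", line.strip())
        if m:
            packages[m.group(1)] = m.group(2)
    return packages


def is_affected(installed, introduced, fixed):
    """introduced <= installed < fixed (or no fixed version at all)."""
    v = parse_version(installed)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(packages, advisories):
    """Return (package, installed_version, advisory_id) for every match."""
    findings = []
    for adv in advisories:
        installed = packages.get(adv["package"])
        if installed is None:
            continue
        if is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append((adv["package"], installed, adv["id"]))
    return findings


if __name__ == "__main__":
    for pkg, ver, cve in find_vulnerable(parse_installed(INSTALLED), ADVISORIES):
        print(f"{pkg}-{ver}: affected by {cve}")
```

With the constructed data only openssl-3.0.7 is reported: curl is past its fixed version and zlib sits exactly on it, which is the boundary the half-open range is there to get right. Treat the output as candidates rather than verdicts: matching is by exact package name, and a distro or nixpkgs overlay may carry a backported fix under a version string that upstream still lists as affected, so each hit still needs a look at the packager's own advisory or patch list.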