From: Ludovic Courtès <ludo@gnu.org>
Subject: ‘guix lint’ CVE checker
Date: Thu, 26 Nov 2015 23:42:00 +0100
Message-ID: <87d1uwgz7r.fsf@gnu.org>
To: guix-devel

Hi!

Commit 5432734 adds a ‘cve’ checker for ‘guix lint’.
It fetches the CVE database from NIST, matches package names/versions
against those found in CVEs, and reports CVE IDs:

--8<---------------cut here---------------start------------->8---
$ time GUIX_PACKAGE_PATH= ./pre-inst-env guix lint -c cve
gnu/packages/gcc.scm:324:2: gcc-4.9.3: probably vulnerable to CVE-2015-5276
gnu/packages/image.scm:708:2: jasper-1.900.1: probably vulnerable to CVE-2008-3522
gnu/packages/pulseaudio.scm:44:2: libsndfile-1.0.25: probably vulnerable to CVE-2015-7805
gnu/packages/xml.scm:64:2: libxml2-2.9.2: probably vulnerable to CVE-2015-7941, CVE-2015-7942
gnu/packages/xml.scm:144:2: libxslt-1.1.28: probably vulnerable to CVE-2015-7995

real 0m2.669s
user 0m2.248s
sys 0m0.120s
--8<---------------cut here---------------end--------------->8---

The libxml2/libxslt issues are actually patched, but since we didn’t
change the version number, the tool assumes that our packages are
vulnerable. We should change version numbers in the future when
patching vulnerabilities.

One limitation is that package names may differ between CVEs and what
we have. There’s a tentative ‘package-name->cpe-name’ conversion
procedure that currently handles one case, but we should augment it as
we notice new cases.

Thoughts?

Ludo’.
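The matching the mail describes, as an added stand-alone illustration (not Guix's own (guix scripts lint) code): a CVE feed is inverted into a (product, version) index, each package's name is run through a name-to-CPE translation before lookup, and the two remedies the mail discusses for the libxml2/libxslt false positive are shown side by side. The feed records, the package list, the `PACKAGE_NAME_TO_CPE` table, the `patched_cves` field and the `-patched1` version suffix are constructed for the example; the CVE ids for gcc, jasper, libxml2, libxslt and libsndfile are the ones the lint run above reported, and CVE-EXAMPLE-0001 is a placeholder.

```python
"""Stand-alone illustration of the name/version matching a 'cve' lint checker
performs.  Added example, not Guix's own code; all data below is constructed."""
from dataclasses import dataclass

# Constructed stand-in for the NIST feed: CVE id -> vulnerable (product, version)
# pairs, as they would appear in a CVE's CPE list.  CVE-EXAMPLE-0001 is a
# placeholder id; the others are the ids from the lint run in the mail.
SAMPLE_CVES = {
    "CVE-2015-5276": [("gcc", "4.9.3")],
    "CVE-2008-3522": [("jasper", "1.900.1")],
    "CVE-2015-7941": [("libxml2", "2.9.2"), ("libxml2", "2.9.1")],
    "CVE-2015-7942": [("libxml2", "2.9.2")],
    "CVE-2015-7995": [("libxslt", "1.1.28")],
    "CVE-2015-7805": [("libsndfile", "1.0.25")],
    "CVE-EXAMPLE-0001": [("python", "2.7.10")],
}

# Hypothetical package-name -> CPE product-name table, playing the role of the
# mail's 'package-name->cpe-name' procedure.  The single entry is constructed.
PACKAGE_NAME_TO_CPE = {"python2": "python"}


def package_name_to_cpe_name(name):
    """Map a distro package name to the product name CVEs use (default: unchanged)."""
    return PACKAGE_NAME_TO_CPE.get(name, name)


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    # Hypothetical field: CVE ids already fixed by local patches, so the checker
    # can suppress them although the upstream version string is unchanged.
    patched_cves: frozenset = frozenset()


def build_index(cves):
    """Invert the feed into (product, version) -> {CVE ids} for direct lookup."""
    index = {}
    for cve_id, products in cves.items():
        for product, version in products:
            index.setdefault((product, version), set()).add(cve_id)
    return index


def vulnerable_cves(package, index):
    """CVE ids whose CPE list names this package's product at exactly this
    version, minus any the package records as locally patched."""
    key = (package_name_to_cpe_name(package.name), package.version)
    return sorted(index.get(key, set()) - package.patched_cves)


def lint_report(packages, index):
    """One line per flagged package, in the style of 'guix lint -c cve'."""
    lines = []
    for pkg in packages:
        cves = vulnerable_cves(pkg, index)
        if cves:
            lines.append(f"{pkg.name}-{pkg.version}: probably vulnerable to "
                         + ", ".join(cves))
    return lines


SAMPLE_PACKAGES = [
    Package("gcc", "4.9.3"),
    Package("jasper", "1.900.1"),
    # Patched locally, version unchanged, nothing recorded: the false positive
    # the mail describes, still flagged.
    Package("libxml2", "2.9.2"),
    # Same situation, but the fix is recorded, so the checker stays quiet.
    Package("libxslt", "1.1.28", frozenset({"CVE-2015-7995"})),
    # The remedy the mail proposes: a distinct version string (hypothetical
    # suffix) no longer matches the feed's "1.0.25" entry.
    Package("libsndfile", "1.0.25-patched1"),
    # Matches only after the package-name -> CPE-name translation.
    Package("python2", "2.7.10"),
    Package("bash", "4.3"),  # nothing in the feed for it
]

if __name__ == "__main__":
    for line in lint_report(SAMPLE_PACKAGES, build_index(SAMPLE_CVES)):
        print(line)
```

Note that the match is on the exact version string, which is why a patched package whose version is unchanged is reported and one whose version was bumped is not; recording the patched ids on the package is the alternative that keeps the upstream version intact.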