From: "Ludovic Courtès" <ludo@gnu.org>
To: 37838@debbugs.gnu.org
Cc: "Ludovic Courtès" <ludo@gnu.org>
Subject: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
Date: Sun, 20 Oct 2019 22:34:51 +0200
Message-ID: <20191020203451.1912-1-ludo@gnu.org>

Hello!

Last Thursday I was surprised to see that ‘guix lint -c cve’
would be redirected to:

  https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3

… leading to a failure.

And indeed, the XML CVE feed has now been replaced by a JSON feed
(let’s hope they don’t switch to YAML next year :-)).  The JSON feed
seems to be nicer in some ways; for instance, it can specify ranges
of versions to which a given CVE applies.

The patch that follows rewrites (guix cve) so it gets info from the
JSON feed.  It does so by providing a one-to-one mapping between data
structures in JSON and Scheme records, and then converting those to
the higher-level <vulnerability> records that were already there before.

If you look at the JSON-mapped record types, there are lots of
low-hanging fruits; for instance, we could grab severity info from
the JSON feeds and use them somehow.  I’m not sure if ‘guix lint’
is the best place to display detailed CVE info, but we could/should
use that info somehow.

Feedback welcome!

Ludo’.

Ludovic Courtès (2):
  cve: Rewrite to read the JSON feed instead of the XML feed.
  lint: Re-enable CVE checker.

 Makefile.am           |    2 +-
 doc/guix.texi         |    4 +-
 guix/cve.scm          |  376 ++++++++----
 guix/lint.scm         |   16 +-
 tests/cve-sample.json | 1279 +++++++++++++++++++++++++++++++++++++++++
 tests/cve-sample.xml  |  616 --------------------
 tests/cve.scm         |   83 ++-
 7 files changed, 1610 insertions(+), 766 deletions(-)
 create mode 100644 tests/cve-sample.json
 delete mode 100644 tests/cve-sample.xml

-- 
2.23.0

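As an added illustration of the approach the cover letter describes (JSON-level fields mapped onto records, then reduced to a higher-level vulnerability record with version ranges that a lint checker can query), here is a small Python sketch. It is not the Scheme code from the patch; the field names follow the NVD JSON 1.1 feed format as I know it, the sample entry is constructed, and the CVE id, vendor, product and version numbers are placeholders.

```python
import json
from dataclasses import dataclass
# Constructed sample shaped like one entry of an NVD JSON 1.1 feed (field names
# follow that feed format; the CVE id, vendor, product and versions are made up).
SAMPLE_FEED = """{"CVE_Items": [{
  "cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
  "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.7"},
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:example:libfoo:2.0.0:*:*:*:*:*:*:*"}
  ]}]}}]}"""
# Range keys the feed may attach to a cpe_match entry, each with its test.
BOUNDS = {"versionStartIncluding": lambda v, b: v >= b,
          "versionStartExcluding": lambda v, b: v > b,
          "versionEndIncluding": lambda v, b: v <= b,
          "versionEndExcluding": lambda v, b: v < b}
@dataclass
class Vulnerability:   # the higher-level record a lint checker consumes
    cve_id: str
    package: str       # CPE product name
    exact: str         # single version from the CPE, or None when it is "*"
    bounds: dict       # subset of BOUNDS keys -> version string
def vkey(version):
    # Dotted numeric versions only; a real checker needs the project's version ordering.
    return tuple(int(p) for p in version.split("."))
def parse_feed(text):
    # One Vulnerability per vulnerable application CPE.  Nested AND nodes
    # ("children") are ignored, which suffices for OR-only nodes like the sample.
    vulns = []
    for item in json.loads(text)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        for node in item.get("configurations", {}).get("nodes", []):
            for m in node.get("cpe_match", []):
                parts = m["cpe23Uri"].split(":")
                if not m.get("vulnerable") or parts[2] != "a":
                    continue   # skip non-vulnerable entries and OS/hardware CPEs
                vulns.append(Vulnerability(cve_id, parts[4], None if parts[5] == "*" else parts[5],
                                           {k: m[k] for k in BOUNDS if k in m}))
    return vulns

def affected(vuln, version):
    v = vkey(version)
    if vuln.exact is not None:
        return v == vkey(vuln.exact)
    return all(ok(v, vkey(vuln.bounds[k])) for k, ok in BOUNDS.items() if k in vuln.bounds)

def lint(package, version, vulns):
    return sorted({v.cve_id for v in vulns if v.package == package and affected(v, version)})
```

`lint` answers the question a `guix lint -c cve` run asks for one package: which CVE ids in the feed apply to this package at this version.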
2019-10-20 20:34 Ludovic Courtès [this message]
2019-10-20 21:20 ` [bug#37838] [PATCH 1/2] cve: Rewrite to read the JSON feed instead of the XML feed Ludovic Courtès
2019-10-20 21:20   ` [bug#37838] [PATCH 2/2] lint: Re-enable CVE checker Ludovic Courtès
2019-10-23 14:48 ` bug#37838: [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed Ludovic Courtès
2019-10-23 16:46   ` [bug#37838] " Efraim Flashner
2019-10-23 17:35   ` Marius Bakke
2019-10-25 16:18     ` Ludovic Courtès
2019-11-03 17:29       ` Marius Bakke
2019-11-04 17:32         ` Ludovic Courtès
