From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:55030) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fHzhn-0003oV-SX for guix-patches@gnu.org; Sun, 13 May 2018 18:43:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fHzhm-0004ys-N0 for guix-patches@gnu.org; Sun, 13 May 2018 18:43:03 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:53202) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fHzhm-0004yk-JM for guix-patches@gnu.org; Sun, 13 May 2018 18:43:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1fHzhm-0008Ty-Co for guix-patches@gnu.org; Sun, 13 May 2018 18:43:02 -0400 Subject: [bug#31444] 'guix health': a tool to report vulnerable packages Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:54897) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fHzhV-0004K4-D3 for guix-patches@gnu.org; Sun, 13 May 2018 18:42:46 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fHzHL-0001s5-Hr for guix-patches@gnu.org; Sun, 13 May 2018 18:15:44 -0400 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:52386) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fHzHL-0001s1-Ct for guix-patches@gnu.org; Sun, 13 May 2018 18:15:43 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=50500 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1fHzHK-0003b1-Un for guix-patches@gnu.org; Sun, 13 May 2018 18:15:43 -0400 From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) Date: Mon, 14 May 2018 00:15:41 +0200 Message-ID: <87fu2vjj76.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 31444@debbugs.gnu.org Hello Guix! On IRC davidl shared a shell script that checks the output of =E2=80=98guix= lint -c cve=E2=80=99 and uses that to determine vulnerable packages in a profile. That reminds me of the plan for =E2=80=98guix health=E2=80=99 (a tool to do= just that), so I went ahead and tried to make it a reality at last. This =E2=80=98guix health=E2=80=99 reports information about =E2=80=9Cleaf= =E2=80=9D packages in a profile, but not about their dependencies: --8<---------------cut here---------------start------------->8--- $ ./pre-inst-env guix health -p /run/current-system/profile/ guix health: warning: util-linux@2.31.1 may be vulnerable to CVE-2018-7738 guix health: warning: util-linux@2.31.1 is available but does not fix any o= f these hint: Run `guix pull' and then re-run `guix health' to see if fixes are ava= ilable. If none are available, please consider submitting a patch for the package defi= nition of 'util-linux'. guix health: warning: shadow@4.5 may be vulnerable to CVE-2018-7169 guix health: warning: shadow@4.6 is available and fixes CVE-2018-7169, cons= ider ugprading guix health: warning: tar@1.29 may be vulnerable to CVE-2016-6321 guix health: warning: tar@1.29 is available but does not fix any of these hint: Run `guix pull' and then re-run `guix health' to see if fixes are ava= ilable. If none are available, please consider submitting a patch for the package defi= nition of 'tar'. --8<---------------cut here---------------end--------------->8--- The difficulty here is that we need to know a package=E2=80=99s CPE name be= fore we can check the CVE database, and we also need to know whether the package already includes fixes for known CVEs. This patch set attaches this information to manifest entries, so that =E2=80=98guix health=E2=80=99= can then rely on it. Fundamentally, that means we cannot reliably tell much about dependencies: in cases where the CPE name differs from the Guix name, we won=E2=80=99t have any match, and more generally, we cannot know what CVE a= re patched in the package; we could infer part of this by looking at the same-named package in the current Guix, but that=E2=80=99s hacky. I think that longer-term we probably need to attach this kind of meta-data to packages themselves, by adding a bunch of files in each package, say under PREFIX/guix. We could do that for search paths as well. Should we satisfy ourselves with the current approach in the meantime? Thoughts? Besides, support for properties in manifest entries seems useful to me, so we may want to keep it regardless of whether we take =E2=80=98guix healt= h=E2=80=99 as-is. Ludo=E2=80=99. Ludovic Court=C3=A8s (5): profiles: Add '%current-profile', 'user-friendly-profile', & co. packages: Add 'package-patched-vulnerabilities'. profiles: Add 'properties' field to manifest entries. profiles: Record fixed vulnerabilities as properties of entries. DRAFT Add 'guix health'. Makefile.am | 1 + guix/packages.scm | 28 +++++++ guix/profiles.scm | 91 ++++++++++++++++++++-- guix/scripts/health.scm | 158 +++++++++++++++++++++++++++++++++++++++ guix/scripts/lint.scm | 23 +----- guix/scripts/package.scm | 40 ---------- po/guix/POTFILES.in | 1 + tests/packages.scm | 15 ++++ tests/profiles.scm | 22 ++++++ 9 files changed, 312 insertions(+), 67 deletions(-) create mode 100644 guix/scripts/health.scm --=20 2.17.0