[bug#47193] Fancify guix lint -c cve output

["Ludovic Courtès" <ludo@gnu.org>]

Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> * guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
> (impact-data->cve-cvss3-base-severity): New procedure.
> <vulnerability>[severity]: New field.
> (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
> (write-cache): Bump the format version to 2.
> (vulnerabilities->lookup-proc): Adjust accordingly.
> * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
> to the output port's terminal capabilities.

I would move the lint.scm bit to a separate patch.

Please also add a short test for ‘vulnerability-severity’ in
tests/cve.scm.

[...]

> +  (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
> +                        "impact" impact-data->cve-cvssv3-base-severity)
> +  (published-date       cve-item-published-date
> +                        "publishedDate" string->date*)
> +  (last-modified-date   cve-item-last-modified-date
> +                        "lastModifiedDate" string->date*))
>  
>  (define-json-mapping <cve> cve cve?
>    json->cve
> @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
>    (let ((nodes (vector->list (assoc-ref alist "nodes"))))
>      (filter-map node->configuration nodes)))
>  
> +(define (impact-data->cve-cvssv3-base-severity alist)
> +  "Given ALIST, a JSON dictionary for the \"impact\" element found in
> +CVEs, return a string indicating its CVSSv3 severity.  This should be
> +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
> +return whatever we find, or #F if the severity cannot be determined."
> +  (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
> +         (cvss-v3        (assoc-ref base-metric-v3 "cvssV3")))
> +    (assoc-ref cvss-v3 "baseSeverity")))

I would pass the result through (string->symbol (string-downcase …)).

For clarity, perhaps we can do:

  (define-json-mapping <cvss> cvss cvss?
    json->cvss
    (vector-string  cvss-vector-string “vector_String")
    (base-severity  cvss-severity "base_Severity"
                    (compose string->symbol string-downcase)))

… and use that instead of the last ‘assoc-ref’ call above.

The rest LGTM.

Thanks for this pleasant improvement!

Ludo’.