From: "Ludovic Courtès" <ludo@gnu.org>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: 47193@debbugs.gnu.org
Subject: [bug#47193] Fancify guix lint -c cve output
Date: Wed, 31 Mar 2021 15:03:42 +0200
Message-ID: <87h7kra30x.fsf_-_@gnu.org>
In-Reply-To: <20210316160653.9891-2-me@tobias.gr> (Tobias Geerinckx-Rice's message of "Tue, 16 Mar 2021 17:06:53 +0100")
Hi,
Tobias Geerinckx-Rice <me@tobias.gr> skribis:
> * guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
> (impact-data->cve-cvss3-base-severity): New procedure.
> <vulnerability>[severity]: New field.
> (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
> (write-cache): Bump the format version to 2.
> (vulnerabilities->lookup-proc): Adjust accordingly.
> * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
> to the output port's terminal capabilities.
I would move the lint.scm bit to a separate patch.
Please also add a short test for ‘vulnerability-severity’ in
tests/cve.scm.
[...]
> + (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
> + "impact" impact-data->cve-cvssv3-base-severity)
> + (published-date cve-item-published-date
> + "publishedDate" string->date*)
> + (last-modified-date cve-item-last-modified-date
> + "lastModifiedDate" string->date*))
>
> (define-json-mapping <cve> cve cve?
> json->cve
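Review bot: the names in this hunk and in the commit message disagree: the new field and converter here are `cve-item-cvssv3-base-severity` and `impact-data->cve-cvssv3-base-severity`, while the commit message lists `cvss3-base-severity` and `impact-data->cve-cvss3-base-severity`; pick one spelling and use it in both. The `;string` comment on the new field is also incomplete, since the converter's docstring says it returns #f when the severity cannot be determined, so something like `;string | #f` would describe the field accurately.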
> @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
> (let ((nodes (vector->list (assoc-ref alist "nodes"))))
> (filter-map node->configuration nodes)))
>
> +(define (impact-data->cve-cvssv3-base-severity alist)
> + "Given ALIST, a JSON dictionary for the \"impact\" element found in
> +CVEs, return a string indicating its CVSSv3 severity. This should be
> +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
> +return whatever we find, or #F if the severity cannot be determined."
> + (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
> + (cvss-v3 (assoc-ref base-metric-v3 "cvssV3")))
> + (assoc-ref cvss-v3 "baseSeverity")))
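Review bot: the fallback documented in the docstring ("or #F if the severity cannot be determined") is only reached implicitly: when a CVE entry carries no "baseMetricV3" (entries scored only under CVSSv2), `base-metric-v3` is #f and the result depends on `assoc-ref` tolerating a non-list argument. Make that case explicit, for example with `(and=> (assoc-ref alist "baseMetricV3") (lambda (m) (assoc-ref m "cvssV3")))` or a short comment, so a reader does not take the nested `assoc-ref` chain for an oversight, and cover the missing-"baseMetricV3" case in the tests/cve.scm test requested above.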
I would pass the result through (string->symbol (string-downcase …)).
For clarity, perhaps we can do:
(define-json-mapping <cvss> cvss cvss?
  json->cvss
  (vector-string cvss-vector-string "vectorString")
  (base-severity cvss-severity "baseSeverity"
                 (compose string->symbol string-downcase)))
… and use that instead of the last ‘assoc-ref’ call above.
The rest LGTM.
Thanks for this pleasant improvement!
Ludo’.