unofficial mirror of guix-patches@gnu.org 
From: "Léo Le Bouter via Guix-patches via" <guix-patches@gnu.org>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: 47193@debbugs.gnu.org
Subject: [bug#47193] Fancify guix lint -c cve output
Date: Wed, 17 Mar 2021 09:13:36 +0100
Message-ID: <f6dba3fcf4f524d85800b6c2c10b5dc88fd3c555.camel@zaclys.net>
In-Reply-To: <87a6r2n6pd.fsf@nckx>

On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote:
> Léo!

Tobias! :-)

> Léo Le Bouter via Guix-patches via writes:
> > guix/cve.scm:328:18: warning: possibly unbound variable `cve-item-base-severity'
> 
> One dark and stormy night I turned away an old woman at my doors, 
> and ever since I have been cursed to include at least one stupid 
> typo in each patch I send.  True story.
> 
> Thanks for testing.  Fixed but it should not affect running guix 
> lint.

I tried fixing it as well,

$ git diff
diff --git a/guix/cve.scm b/guix/cve.scm
index 3809e4493f..d52ea05117 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -325,7 +325,7 @@ versions."
 return #f if ITEM does not list any configuration or if it does not
list
 any \"a\" (application) configuration."
   (let ((id (cve-id (cve-item-cve item)))
-        (severity (cve-item-base-severity item)))
+        (severity (cve-item-cvssv3-base-severity item)))
     (match (cve-item-configurations item)
       (()                                         ;no configurations
        #f)
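
Review bot: at the `severity` binding, the new accessor `cve-item-cvssv3-base-severity` is called unconditionally on ITEM before the `match` on its configurations, and nothing in this hunk shows the accessor being defined or what it yields for an item with no CVSS v3 data; confirm it is defined in guix/cve.scm and returns #f rather than raising in that case. The docstring in the context lines still documents only the #f-on-no-configuration behaviour, so it should mention severity if that is now part of the result. Renaming the accessor also only addresses the unbound-variable warning: the run with this fix, shown further down, stops at a `match-error` on a `(vulnerabilities 2 ...)` form, which points at a reader clause outside this hunk.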

Look right?

> Hmm.  I bet ‘rm -rf ~/.cache/guix/http’ will make this go 
> conveniently away, just like lady stormypants.

I tried that (without the fix above) and:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7fd1e5545520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7fd1e5548c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7fd1e1f0ee40 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7fd1e1f0b000 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7fd1d2f805d0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities _ _)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7fd1e227dab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
error: cve-item-base-severity: unbound variable

Then *with* the fix:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7f4a634a5520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7f4a634a8c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7f4a5fe6c8d0 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7f4a5fe6ec20 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7f4a50f5a0f0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities _ _)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7f4a601ddab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern"
(vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM" (("contrail_networking"
(< "1911.31")))) (v "CVE-2021-0220" "MEDIUM" (("junos_space" (or "19.1"
(or "18.4" (or "18.3" (or "18.2" (or "18.1r1" (or "18.1" (or "17.21.4"
(or "17.2" (or "17.1" (or "16.1" (or "15.2" (or "15.14" (or "15.12" (or
"15.1" (or "14.1" (or "13.33" (or "13.11.8" (or "13.1" (or "12.3" (or
"12.2" (or "12.1" (or "11.4" (or "11.3" (or "11.2" (or "11.1" (or "2.0"
(or "1.4" (or "1.3" (or "1.2" (or "1.1"
"1.0"))))))))))))))))))))))))))))))))) (v "CVE-2021-1051" "HIGH"
(("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>= "450") (<
"452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (<
"392.63")))))))) (v "CVE-2021-1052" "HIGH" (("gpu_driver" (or (or (and
(>= "460") (< "460.32.03")) (or (and (>= "450") (< "450.102.04")) (and
(>= "390") (< "390.141")))) (or (and (>= "460") (< "461.09")) (or (and
(>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>=
"390") (< "392.63"))))))))) (v "CVE-2021-1053" "MEDIUM" (("gpu_driver"
(or (or (and (>= "460") (< "460.32.03")) (or (and (>= "450") (<
"450.102.04")) (and (>= "390") (< "390.141")))) (or (and (>= "460") (<
"461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (<
"427.11")) (and (>= "390") (< "392.63"))))))))) (v "CVE-2021-1054"
"MEDIUM" (("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>=
"450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390")
(< "392.63")))))))) (v "CVE-2021-1055" "MEDIUM" (("gpu_driver" (or (and
(>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>=
"
[...]

I ran "$ rm -rf ~/.cache/guix/http" between each and every one of these
attempts. The cache is clear, I also did make clean and recompiled (so
no leftover .go files).

> 
> > (v "CVE-2021-0212" (("contrail_networking" ...
> 
> This is a stale cache file lacking the newly added ‘severity’ 
> field:
> 
> (v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ...
> 
> I bumped the format version to 2 in (guix cve) to signal this 
> incompatible change, but it appears this field may exist merely as 
> a friendly reminder to actually add version handling some day...?
> 
> I guess today is that day.
> 
> Bah,

Don't know! I think there's some other issue here, or maybe you
modified the patch a little more on your side.

PS: I looked at the image you initially posted and the output looks
really nice and helpful!!

> 
> T G-R

Thank you :-D

Léo
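
The version handling discussed in the quoted exchange above, as an added example that is not part of the original message and is not Guix code: a cache reader that returns #f for a cache written in another format version instead of letting `match` fail, so the caller can regenerate it. The procedure names, the sample strings and the old version number 1 are assumptions.

```scheme
;; Added example, not Guix code.  Procedure names and sample data are
;; hypothetical; the two entry shapes are the ones quoted in the thread.
(use-modules (ice-9 match)
             (srfi srfi-1))

(define %cache-format-version 2)          ;version that carries severity

(define (current-version? n)
  (eqv? n %cache-format-version))

(define (sexp->entry sexp)
  "Return (ID SEVERITY PACKAGES) for a version-2 entry, #f otherwise."
  (match sexp
    (('v (? string? id) (? string? severity) (? list? packages))
     (list id severity packages))
    (_ #f)))

(define (read-cache port)
  "Return the list of entries read from PORT, or #f when the cache is from
another format version or is malformed, so the caller can regenerate it."
  (match (false-if-exception (read port))
    (('vulnerabilities (? current-version?) (entries ...))
     (let ((parsed (map sexp->entry entries)))
       (and (every identity parsed) parsed)))
    (_ #f)))

(define (load-or-regenerate cache-text regenerate)
  "Use CACHE-TEXT if it is current; otherwise call the thunk REGENERATE."
  (or (call-with-input-string cache-text read-cache)
      (regenerate)))

;; Constructed samples: an old cache without severity (version 1 is an
;; assumption) and a current one with the severity string.
(define stale
  "(vulnerabilities 1 ((v \"CVE-2021-0212\" ((\"contrail_networking\" (< \"1911.31\"))))))")
(define fresh
  "(vulnerabilities 2 ((v \"CVE-2021-0212\" \"MEDIUM\" ((\"contrail_networking\" (< \"1911.31\"))))))")

(define (refetch)                         ;stand-in for a real download
  (display "stale cache, regenerating\n")
  '())

(write (load-or-regenerate stale refetch)) (newline)
(write (load-or-regenerate fresh refetch)) (newline)
```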
