On Thu, Jul 11, 2019 at 10:34:00PM +0200, Ludovic Courtès wrote:
> Hello,
>
> Efraim Flashner skribis:
>
> > currently we have:
> > (cpe-name . "firefox_esr")
> > (cpe-version . ,(first (string-split version #\-)))
> >
> > and it should be:
> > (cpe-name . "firefox")
> > (cpe-version . ,(first (string-split version #\.)))
> >
> > however, this returns results for firefox@60, which I'm pretty sure
> > doesn't take into account that we're not running 60.0.0 but 60.8.0. With
> > the change 'guix lint -c cve icecat' returns:
> > icecat@60.8.0-guix1: probably vulnerable to CVE-2019-9788, CVE-2019-9789, […]
>
> Indeed, something seems to be wrong.
>
> --8<---------------cut here---------------start------------->8---
> scheme@(guile-user)> ,use(guix cve)
> scheme@(guile-user)> (vulnerabilities->lookup-proc (current-vulnerabilities))
> fetching CVE database for 2019...
> fetching CVE database for 2018...
> scheme@(guile-user)> $2
> $3 = #
> scheme@(guile-user)> (length ($2 "firefox" "60"))
> $4 = 107
> scheme@(guile-user)> (length ($2 "firefox" "60.8"))
> $5 = 0
> scheme@(guile-user)> (length ($2 "firefox" "60.5"))
> $6 = 0
> --8<---------------cut here---------------end--------------->8---
>
> Actually, the procedure returned by ‘vulnerabilities->lookup-proc’
> performs exact matches on version string.  So “60” is _not_ equivalent
> to “60 or any 60.x version”.
>
> Here are the versions we see for one of these CVEs:
>
> --8<---------------cut here---------------start------------->8---
> scheme@(guile-user)> ,use(srfi srfi-1)
> scheme@(guile-user)> (find (lambda (vuln)
>                              (string=? (vulnerability-id vuln)
>                                        "CVE-2019-9788"))
>                            (current-vulnerabilities))
> $9 = #< id: "CVE-2019-9788" packages: (("thunderbird" …) ("firefox_esr" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.0" "60.1.0" "60.0" "53.0.0" "52.9.0" …) ("firefox" "9.0.1" "9.0" "8.0.1" "8.0" "7.0.1" "7.0" "65.0" "64.0.2" "64.0" "63.0.3" "63.0.1" "63.0" "62.0.3" "62.0.2" "62.0" "61.0.2" "61.0.1" "61.0" "60.6.1" "60.5.0" "60.4.0" "60.3.0" "60.2.2" "60.2.1" "60.2.0" "60.1.0" …)>
> --8<---------------cut here---------------end--------------->8---
>
> So IceCat probably corresponds to “firefox_esr”, but we got the CPE
> version string wrong: we should just strip the “-gnu*” suffix, nothing
> more.
>
> WDYT?

I was about to go and make the change but it seems that this is already
what we have: 'firefox_esr' and '(first (string-split version #\-))'. So
it looks like the vulnerability list just hasn't caught up with the
version we have now.

Closing as 'everything works as expected'.

--
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
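The exact-match behaviour Ludovic describes above (a lookup keyed on the CPE product and the full version string, so "60" and "60.8.0" are unrelated keys) is easy to reproduce outside Guix. The following is an added example written for this page; it is not code from the thread or from Guix's (guix cve) module. It assumes a constructed set of CPE 2.3 formatted strings (the "cpe23Uri" shape used by the NVD JSON feeds) in place of the real feed, and it derives the CPE version from a Guix package version the way the thread's `(first (string-split version #\-))` does, by dropping everything after the first "-":

```python
"""Added example: CPE 2.3 parsing plus an exact-match CVE lookup.

Not Guix's own code.  The CVE table below is CONSTRUCTED for illustration
and is not an NVD excerpt; the product/version pairs were chosen to mirror
the thread's discussion of firefox_esr 60.x.
"""
import re
from collections import defaultdict

# Constructed sample (assumption): two CVE ids with CPE 2.3 strings, as the
# NVD feeds present them.  The "o" (operating system) entry is only there to
# show that non-application CPEs are ignored by the index.
SAMPLE_CVES = {
    "CVE-2019-9788": [
        "cpe:2.3:a:mozilla:firefox_esr:60.5.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:mozilla:firefox_esr:60.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:mozilla:firefox:60.6.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:mozilla:firefox:65.0:*:*:*:*:*:*:*",
    ],
    "CVE-2019-9789": [
        "cpe:2.3:a:mozilla:firefox:60.6.1:*:*:*:*:*:*:*",
        "cpe:2.3:o:example:not_an_application:1.0:*:*:*:*:*:*:*",
    ],
}

# The eleven components that follow the "cpe:2.3" prefix, in order.
CPE_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict of its components.

    Colons inside a component are backslash-escaped in the format, so the
    split only happens on colons that are not preceded by a backslash, and
    the escape is removed afterwards.  Anything that is not exactly
    "cpe:2.3" plus eleven components is rejected.
    """
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    values = (p.replace("\\:", ":") for p in parts[2:])
    return dict(zip(CPE_FIELDS, values))


def cpe_version(package_version):
    """Derive the CPE version from a distribution package version.

    Mirrors the thread's (first (string-split version #\\-)): the suffix
    after the first "-" (e.g. "-guix1", "-gnu1") is dropped, nothing else.
    """
    return package_version.split("-", 1)[0]


def build_lookup(cves):
    """Return lookup(product, version) -> sorted list of CVE ids.

    The index is keyed on the literal (product, version) pair, so this has
    the same exact-match semantics the thread describes: "60" does not
    cover "60.5.0", and a version the feed has not seen yet matches nothing.
    """
    index = defaultdict(set)
    for cve_id, cpe_strings in cves.items():
        for cpe in cpe_strings:
            c = parse_cpe23(cpe)
            if c["part"] != "a":          # applications only
                continue
            index[(c["product"], c["version"])].add(cve_id)

    def lookup(product, version):
        return sorted(index.get((product, version), ()))

    return lookup


def check_package(lookup, cpe_name, package_version):
    """What a lint check keyed on (cpe-name, cpe-version) would report."""
    return lookup(cpe_name, cpe_version(package_version))


if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_CVES)
    for version in ("60.5.0-guix1", "60.8.0-guix1"):
        found = check_package(lookup, "firefox_esr", version)
        print(f"icecat@{version}: {found or 'no exact match in sample table'}")
```

The second run in the `__main__` block shows the situation from the thread: a package version the table does not list yet simply yields no hits, which is indistinguishable, from the checker's point of view, from the package being unaffected. Note also that `cpe_version("60.8.0-guix1")` returns "60.8.0", not "60", so querying the series prefix is a different key from querying the release.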