From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id 8MKuG/JSLmcvsAAAqHPOHw:P1 (envelope-from ) for ; Fri, 08 Nov 2024 18:05:38 +0000 Received: from aspmx1.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id 8MKuG/JSLmcvsAAAqHPOHw (envelope-from ) for ; Fri, 08 Nov 2024 19:05:38 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("body hash did not verify") header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b=KBmwNKDF; dkim=fail ("body hash did not verify") header.d=ngraves.fr header.s=ovhmo4487190-selector1 header.b="R95kfT/W"; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" ARC-Seal: i=1; s=key1; d=yhetil.org; t=1731089138; a=rsa-sha256; cv=none; b=p6NYPLliwsuJuNf04Drlgg8AzDMz+flYSrDnaGG60hhlKk/qC8ccCBhMUFXUD5hdFmUBGP XvkQ5t5eTfuqo2zkJ5NQMIi6alaJrfxM6fYGy7Dvt5SIgtslgIhFHE+vd56ke2e+Ttd9Aw 2jGsaxeA+/+EDWlmkNcHmLnabQCKDIVv18F1FsqGO65OOBfK0A1jE0Kb1xC8+g71wOKryo GDSXCY3OrB445gTBywuIIN7+iJ9h7lgNXJCMBfu8+rB4PlkLTyXCT/G+kw6L8Adt0UPu/C d+Fb90ysa8615lJDXFj1nFxejAVwF4hdfO+XCMdxJj6BtPTMXTGW+fMVtVwF3Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("body hash did not verify") header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b=KBmwNKDF; dkim=fail ("body hash did not verify") header.d=ngraves.fr header.s=ovhmo4487190-selector1 header.b="R95kfT/W"; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1731089138; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=xIdptOYpMNH/0Umn+85OaXn4EzDMA14BHTKwJBrRXrM=; b=scLc/hsaop7T+TclfFy/OYdoUPqYxFY7cVuA4s/rclviRbGCALExZpPf9v7TcOsnuBSCxZ 8DBOQNckCYr6YwJeveaJaHHdp7msfoeB+Ma4pyrzEBkLyYYJMMSQrObGG2GjE9OH0ZPE8w 6EQF+VTAYOhjI+/xmvi3JnY6rixuUSy3zqDY61sZfUV91DvrA1T/TiYaS4KfvREdSYzPbZ rnCbO2Q5AyUF6kXEdJzKgIoirdKyLBTPAq3mBrScb0IeRriEqv4PIh6+YxkIVS5ivFhyjX H69q20wcC80ZDXNG2u02CbWLt6zP9AJsreSTqBtt7oP6KaB4trg2W7IIHd7L8Q== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 115981A51E for ; Fri, 08 Nov 2024 19:05:38 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1t9TLF-0006EH-Lt; Fri, 08 Nov 2024 13:04:17 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t9TL1-0005ej-O6 for guix-patches@gnu.org; Fri, 08 Nov 2024 13:04:05 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1t9TL0-0002HV-9H for guix-patches@gnu.org; Fri, 08 Nov 2024 13:04:02 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:In-Reply-To:References:Subject; bh=NkGfgMjz8aoxRF7cXRF4womUqEdgDb6UpL8lCWYjrNE=; b=KBmwNKDFStiKSZNG06lQXkeYkj1t0hSYGaMLG3Mltt56679XySGZKygGGG1O9Wz48kxpvDDZ2lmxc0kME4WqkJBKYYrd1kNWEqtvQGqSSmYEz0A4mQKfupg1mFvHDkdTvnwW42eHB1nl5AggLqROGg0aYJQ7OB8rf9hUaxFQF7eOtr3La27MkmjQxy2M+Fyyg5SekZmu9WRxmKtkuLymink3tdFrlfB0vkVyUleI+lBszlZ9ALvwSn2ISWUbMxSTeoPcG7yQnBc7PMEayrUDjppeu2GxZp2if2PBHsixbkXZaKNIy27Dlj1qzlXb38vJeqSfhfUGR4ZACLq7H0h2lg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1t9TKz-0002MY-PL for guix-patches@gnu.org; Fri, 08 Nov 2024 13:04:01 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#74034] [PATCH v3 01/17] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties. References: <20241026222934.25890-1-ngraves@ngraves.fr> In-Reply-To: <20241026222934.25890-1-ngraves@ngraves.fr> Resent-From: Nicolas Graves Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 08 Nov 2024 18:04:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74034 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 74034@debbugs.gnu.org Cc: Nicolas Graves Received: via spool by 74034-submit@debbugs.gnu.org id=B74034.17310890248952 (code B ref 74034); Fri, 08 Nov 2024 18:04:01 +0000 Received: (at 74034) by debbugs.gnu.org; 8 Nov 2024 18:03:44 +0000 Received: from localhost ([127.0.0.1]:51991 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t9TKh-0002K8-4K for submit@debbugs.gnu.org; Fri, 08 Nov 2024 13:03:44 -0500 Received: from 3.mo576.mail-out.ovh.net ([188.165.52.203]:40251) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t9TKd-0002Jr-DA for 74034@debbugs.gnu.org; Fri, 08 Nov 2024 13:03:42 -0500 Received: from director3.ghost.mail-out.ovh.net (unknown [10.108.17.23]) by mo576.mail-out.ovh.net (Postfix) with ESMTP id 4XlRdP3YrFz1r8d for <74034@debbugs.gnu.org>; Fri, 8 Nov 2024 18:03:37 +0000 (UTC) Received: from ghost-submission-5b5ff79f4f-sjpm4 (unknown [10.110.113.85]) by director3.ghost.mail-out.ovh.net (Postfix) with ESMTPS id A74721FDD6; Fri, 8 Nov 2024 18:03:36 +0000 (UTC) Received: from ngraves.fr ([37.59.142.102]) by ghost-submission-5b5ff79f4f-sjpm4 with ESMTPSA id gPhhB3hSLmcwlgMA2BQawg (envelope-from ); Fri, 08 Nov 2024 18:03:36 +0000 X-OVh-ClientIp: 80.215.133.26 Date: Fri, 8 Nov 2024 19:02:24 +0100 Message-ID: <20241108180330.18126-1-ngraves@ngraves.fr> X-Mailer: git-send-email 2.46.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Ovh-Tracer-Id: 5942781186244207330 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeefuddrtdeigddutdegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucenucfjughrpefhvfevufffkffoggfgsedtkeertdertddtnecuhfhrohhmpefpihgtohhlrghsucfirhgrvhgvshcuoehnghhrrghvvghssehnghhrrghvvghsrdhfrheqnecuggftrfgrthhtvghrnhepkeffgeetfffgffejgeejvdffgfdtvdeuueetgfefuedvjeegvdegjeejveeuueevnecukfhppeduvdejrddtrddtrddupdektddrvdduhedrudeffedrvdeipdefjedrheelrddugedvrddutddvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepuddvjedrtddrtddruddpmhgrihhlfhhrohhmpehnghhrrghvvghssehnghhrrghvvghsrdhfrhdpnhgspghrtghpthhtohepuddprhgtphhtthhopeejgedtfeegseguvggssghughhsrdhgnhhurdhorhhgpdfovfetjfhoshhtpehmohehjeeimgdpmhhouggvpehsmhhtphhouhht DKIM-Signature: a=rsa-sha256; bh=NkGfgMjz8aoxRF7cXRF4womUqEdgDb6UpL8lCWYjrNE=; c=relaxed/relaxed; d=ngraves.fr; h=From; s=ovhmo4487190-selector1; t=1731089017; v=1; b=R95kfT/WW6QocpMuwIndGafQI8Sh4TXiJJenpGSoD4sRhRqMC0GIa0SpHkY7KxdY/RwSPzAI ADS/0g69CLcqZH78vO55gASOJkXkeqg64ERGsyyZKY5Y+w1PTx5Z2l0oxmkaf/6G+j7gqr07X+N oTUNv0kUaFvUAv5YnfVk6hzfHpAoNeH3grXetzfFMXO51QoxVJzibs/6+bTdTPPVFrK8UhBisni l814F7a4sOidLqLAMZSveWb1p4vBX1QEHaDqbekUxhK64zszgB2cx4xdkLzrHtVyoyBdW1UyVR/ y+c41B5wSGvgTwrXQOSow3rKRlBzsamGQb+/J7ctN6H1Q== X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Nicolas Graves X-ACL-Warn: , Nicolas Graves via Guix-patches From: Nicolas Graves via Guix-patches via Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -1.38 X-Spam-Score: -1.38 X-Migadu-Queue-Id: 115981A51E X-Migadu-Scanner: mx10.migadu.com X-TUID: 375bEwMUpj5o * guix/cve.scm: Exploit cpe vendors information. (cpe->package-name): Rename to... (cpe->package-identifier): Renamed from cpe->package-name. Use cpe_vendor:cpe_name in place or cpe_name. (vulnerabily-matches?): Add helper function. (vulnerabilities->lookup-proc): Extract cpe_name for table hashes. Add vendor and hidden-vendor arguments. Adapt condition to pass vulnerabilities to result in the fold. * guix/lint.scm (package-vulnerabilities): Use additional arguments from vulnerabilities->lookup-proc. * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes in guix/cve.scm. --- guix/cve.scm | 69 ++++++++++++++++++++++++++++++++------------------- guix/lint.scm | 10 ++++++-- tests/cve.scm | 14 +++++------ 3 files changed, 59 insertions(+), 34 deletions(-) diff --git a/guix/cve.scm b/guix/cve.scm index 9e1cf5b587..f7984be0ad 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -106,22 +106,22 @@ (define (reference-data->cve-references alist) (define %cpe-package-rx ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". - (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):")) + (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):")) -(define (cpe->package-name cpe) +(define (cpe->package-identifier cpe) "Converts the Common Platform Enumeration (CPE) string CPE to a package -name, in a very naive way. Return two values: the package name, and its -version string. Return #f and #f if CPE does not look like an application CPE -string." +identifier, in a very naive way. Return two values: the package identifier +(composed from the CPE vendor and the package name), and its version string. +Return #f and #f if CPE does not look like an application CPE string." (cond ((regexp-exec %cpe-package-rx cpe) => (lambda (matches) - (values (match:substring matches 2) - (match (match:substring matches 3) + (values (match:substring matches 1) + (match (match:substring matches 2) ("*" '_) (version (string-append version - (match (match:substring matches 4) + (match (match:substring matches 3) ("" "") (patch-level ;; Drop the colon from things like @@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist) ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534 ;; has a configuration that lacks it. (and cpe - (let-values (((package version) (cpe->package-name cpe))) + (let-values (((package version) (cpe->package-identifier cpe))) (and package `(,package ,(cond ((and (or starti starte) (or endi ende)) @@ -228,6 +228,24 @@ (define (version-matches? version sexp) (('>= min) (version>=? version min)))) +(define (vulnerability-matches? vuln vendor hidden-vendors) + "Checks if a VENDOR matches at least one of VULN +packages. When VENDOR is #f, ignore packages that have a vendor among +HIDDEN-VENDORS." + (define (vendor-matches? vendor+name) + (if vendor + (string-prefix? (string-append vendor ":") vendor+name) + (or (null? hidden-vendors) + (not (any (cut string-prefix? (string-append <> ":") vendor+name) + hidden-vendors))))) + + (match vuln + (($ id packages) + (any (match-lambda + (((? vendor-matches? vendor+name) . _) #t) + (_ #f)) + packages)))) + ;;; ;;; High-level interface. @@ -404,28 +422,29 @@ (define table (($ id packages) (fold (lambda (package table) (match package - ((name . versions) - (vhash-cons name (cons vuln versions) + ((vendor+name . versions) + (vhash-cons (match (string-split vendor+name #\:) + ((vendor name) name) + ((name) name)) + (cons vuln versions) table)))) table packages)))) vlist-null vulnerabilities)) - (lambda* (package #:optional version) - (vhash-fold* (if version - (lambda (pair result) - (match pair - ((vuln sexp) - (if (version-matches? version sexp) - (cons vuln result) - result)))) - (lambda (pair result) - (match pair - ((vuln . _) - (cons vuln result))))) - '() - package table))) + (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '())) + (vhash-fold* + (lambda (pair result) + (match pair + ((vuln sexp) + (if (and (or (and (not vendor) (null? hidden-vendors)) + (vulnerability-matches? vuln vendor hidden-vendors)) + (or (not version) (version-matches? version sexp))) + (cons vuln result) + result)))) + '() + package table))) ;;; cve.scm ends here diff --git a/guix/lint.scm b/guix/lint.scm index 8c6c20c723..bea6d0a194 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -1551,8 +1551,14 @@ (define package-vulnerabilities (package-name package))) (version (or (assoc-ref (package-properties package) 'cpe-version) - (package-version package)))) - ((force lookup) name version))))) + (package-version package))) + (vendor (assoc-ref (package-properties package) + 'cpe-vendor)) + (hidden-vendors (assoc-ref (package-properties package) + 'lint-hidden-cpe-vendors))) + ((force lookup) name version + #:vendor vendor + #:hidden-vendors hidden-vendors))))) ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests. (set! package-vulnerabilities package-vulnerabilities) diff --git a/tests/cve.scm b/tests/cve.scm index b69da0e120..6567d73c69 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -34,19 +34,19 @@ (define %expected-vulnerabilities (vulnerability "CVE-2019-0001" ;; Only the "a" CPE configurations are kept; the "o" ;; configurations are discarded. - '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) + '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) (vulnerability "CVE-2019-0005" - '(("junos" (or "18.11" "18.1")))) + '(("juniper:junos" (or "18.11" "18.1")))) ;; CVE-2019-0005 has no "a" configurations. (vulnerability "CVE-2019-14811" - '(("ghostscript" (< "9.28")))) + '(("artifex:ghostscript" (< "9.28")))) (vulnerability "CVE-2019-17365" - '(("nix" (<= "2.3")))) + '(("nixos:nix" (<= "2.3")))) (vulnerability "CVE-2019-1010180" - '(("gdb" _))) ;any version + '(("gnu:gdb" _))) ;any version (vulnerability "CVE-2019-1010204" - '(("binutils" (and (>= "2.21") (<= "2.31.1"))) - ("binutils_gold" (and (>= "1.11") (<= "1.16"))))) + '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1"))) + ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16"))))) ;; CVE-2019-18192 has no associated configurations. )) -- 2.46.0