From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id +EmjH/KJQ2dBLgEAe85BDQ:P1 (envelope-from ) for ; Sun, 24 Nov 2024 20:17:54 +0000 Received: from aspmx1.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2.migadu.com with LMTPS id +EmjH/KJQ2dBLgEAe85BDQ (envelope-from ) for ; Sun, 24 Nov 2024 21:17:54 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=fail ("body hash did not verify") header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b=vybI3Aml; dkim=fail ("body hash did not verify") header.d=ngraves.fr header.s=ovhmo4487190-selector1 header.b=UOepi9VL; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" ARC-Seal: i=1; s=key1; d=yhetil.org; t=1732479473; a=rsa-sha256; cv=none; b=RrF4g8MkLsALzvP2YovqWATHnxYnmUWPSp/fvyejns87Oc5uJxAPxBwd3ogxMDkyZv3WzL 3zQ3z/KbUK4tAA9N/XPF0bdrSzgJXegReMMJ63s4L2bIfJHTJfJmh1w6uM8SbuHYp3dgiX OrjTFIOZ6E6aQgCQ7q5hkmRfp7gj/YT3Xc43gAgZ484A8OT6UoNE2LhyelxSrPJEvytVvR ssYHpApMmQAkpBU3oew0+B71LPXhJn4zIbXUiLWzi1FlD2g8/AzINwaSBR8GItCQS2rGZS Xuh7qlU0b0UrkPmuwH6iAohk+/pBVwPdgr04h6lQmUDswZwzmLR9sIzVyfaqKg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("body hash did not verify") header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b=vybI3Aml; dkim=fail ("body hash did not verify") header.d=ngraves.fr header.s=ovhmo4487190-selector1 header.b=UOepi9VL; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1732479473; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=My2CN1dx1+qXcExWHT7CHNT94mnBzuxjZ8BeiToQFaE=; b=egUTTeVEzLu+GxdgvNEAqDZcLLTT4eyXzo3IvUH0S3N0RUOXvPy3Mx7CFpmPF4Wf+ho9RA 3uLsBVf2xbv67L78PXczHDr0Y5L9XRIJTe3+eoVGdtrGs5xVOmCGSEwcG8doWdLfQwpxeU wTx746HGhhBUpw3D5puCCYYK7hLBoAlC0USFQTnRCDmUbW3acUWee0iTl5ZavxeoHC/IIg oTJTYWWjZkY8NMCSCHkr/gauXu+uicxiFtAuB5Bx/aHX+y9FyRso/bRWlz0C8X2ktbDhtR vnDhBrP5qeeDMcmejbs3St6P/iQjkAbYKLiguXcToVgGOCRaYaaH9JO6QUmWyg== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 3AAA070E42 for ; Sun, 24 Nov 2024 21:17:53 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tFJ2i-0001oV-Q1; Sun, 24 Nov 2024 15:17:16 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tFJ2V-0001ma-2y for guix-patches@gnu.org; Sun, 24 Nov 2024 15:17:03 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tFJ2U-0008Ms-NR for guix-patches@gnu.org; Sun, 24 Nov 2024 15:17:02 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:In-Reply-To:References:Subject; bh=KV2vvSnbUtpFYvireUCz7Zz14g//6xFlaisGyrp/Vqc=; b=vybI3AmlrVY1k9BUR2nTl6YZNhSbR+ovTiAhOcHcAPZAg/5adNXFtGtj9MtBNxyYc6OCmDlydo6BBsk4EgDPrdp0h+gjGFGQkDfiDFiD/lzbum4qGkugtoOTkxMekdaeRYZYtu/QrmD3LBPB1GFgPdeuZ8MHuEvOBOKVp9JU16ojfn2+OAvMuMMKzFIeyGWswXRp8S86Jz/yLwIBVkFoqqecihFBoSOrkqDZ/Mv3SEJdYx/vcGjy16elV92QMDp+yhiG/lcOVwOSBDxTezqETHuLu/aLHC3+qUvp9bfZv5gM3PONm7+MF8SpQXrJLNxwlJoUZCEUnq9nHNojTUo1oA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tFJ2U-0000rt-Ga for guix-patches@gnu.org; Sun, 24 Nov 2024 15:17:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties. References: <20241026222934.25890-1-ngraves@ngraves.fr> In-Reply-To: <20241026222934.25890-1-ngraves@ngraves.fr> Resent-From: Nicolas Graves Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 24 Nov 2024 20:17:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74034 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 74034@debbugs.gnu.org Cc: ludo@gnu.org, Nicolas Graves Received: via spool by 74034-submit@debbugs.gnu.org id=B74034.17324794113226 (code B ref 74034); Sun, 24 Nov 2024 20:17:02 +0000 Received: (at 74034) by debbugs.gnu.org; 24 Nov 2024 20:16:51 +0000 Received: from localhost ([127.0.0.1]:36147 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tFJ2I-0000pr-ER for submit@debbugs.gnu.org; Sun, 24 Nov 2024 15:16:51 -0500 Received: from 3.mo561.mail-out.ovh.net ([46.105.44.175]:55543) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tFJ2D-0000pS-MN for 74034@debbugs.gnu.org; Sun, 24 Nov 2024 15:16:48 -0500 Received: from director4.ghost.mail-out.ovh.net (unknown [10.109.140.34]) by mo561.mail-out.ovh.net (Postfix) with ESMTP id 4XxKqc0qGrz1JMx for <74034@debbugs.gnu.org>; Sun, 24 Nov 2024 20:16:43 +0000 (UTC) Received: from ghost-submission-5b5ff79f4f-8xtvc (unknown [10.110.118.7]) by director4.ghost.mail-out.ovh.net (Postfix) with ESMTPS id 216841FE5E; Sun, 24 Nov 2024 20:16:42 +0000 (UTC) Received: from ngraves.fr ([37.59.142.99]) by ghost-submission-5b5ff79f4f-8xtvc with ESMTPSA id jTAgI6qJQ2dr7wgAeCPQ7Q (envelope-from ); Sun, 24 Nov 2024 20:16:42 +0000 X-OVh-ClientIp: 90.92.117.144 Date: Sun, 24 Nov 2024 21:16:19 +0100 Message-ID: <20241124201638.10098-1-ngraves@ngraves.fr> X-Mailer: git-send-email 2.46.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Ovh-Tracer-Id: 9920022607270699746 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeefuddrgeefgddufeefucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucenucfjughrpefhvfevufffkffoggfgsedtkeertdertddtnecuhfhrohhmpefpihgtohhlrghsucfirhgrvhgvshcuoehnghhrrghvvghssehnghhrrghvvghsrdhfrheqnecuggftrfgrthhtvghrnhepkeffgeetfffgffejgeejvdffgfdtvdeuueetgfefuedvjeegvdegjeejveeuueevnecukfhppeduvdejrddtrddtrddupdeltddrledvrdduudejrddugeegpdefjedrheelrddugedvrdelleenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeduvdejrddtrddtrddupdhmrghilhhfrhhomhepnhhgrhgrvhgvshesnhhgrhgrvhgvshdrfhhrpdhnsggprhgtphhtthhopedupdhrtghpthhtohepjeegtdefgeesuggvsggsuhhgshdrghhnuhdrohhrghdpoffvtefjohhsthepmhhoheeiudgmpdhmohguvgepshhmthhpohhuth DKIM-Signature: a=rsa-sha256; bh=KV2vvSnbUtpFYvireUCz7Zz14g//6xFlaisGyrp/Vqc=; c=relaxed/relaxed; d=ngraves.fr; h=From; s=ovhmo4487190-selector1; t=1732479404; v=1; b=UOepi9VLe5XsF9AD4FaLygSy/Qnp3QLKrhgzPXh9ItEP21x7SccDvuL5o3L6Iw76OOcG/Fcc dCQJmhVORmqOcv4A0jE4THtkyczQUoZysREMRCTg0mKB81OgxvfjChxvphpn1rWUVLaBr2dmgNm dJNqxW+/cjVisdn3fBJilHFgMLiXPoKp1MzO0pG9msfETJRTHdVUBXl+TZ9kcDxufRKax/824U6 a05FuiGQVnVfHlbrq2fr0s9HFcYNlHfS57hzTN7n8sZkBUpmdUJli4NXEVQz6WgBzRFQACzt3BH fPW3EFr4o8bTn5s+GUlTldelzQCppkQmkzqaFrW9N85hA== X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Nicolas Graves X-ACL-Warn: , Nicolas Graves via Guix-patches From: Nicolas Graves via Guix-patches via Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -2.88 X-Spam-Score: -2.88 X-Migadu-Queue-Id: 3AAA070E42 X-Migadu-Scanner: mx10.migadu.com X-TUID: mFE+mnJh8Gnf * guix/cve.scm: Exploit cpe vendors information. (cpe->package-name): Rename to... (cpe->package-identifier): Renamed from cpe->package-name. Use cpe_vendor:cpe_name in place or cpe_name. (vulnerabily-matches?): Add helper function. (vulnerabilities->lookup-proc): Extract cpe_name for table hashes. Add vendor and hidden-vendor arguments. Adapt condition to pass vulnerabilities to result in the fold. (write-cache, fetch-vulnerabilities): Update the format version. * guix/lint.scm (package-vulnerabilities): Use additional arguments from vulnerabilities->lookup-proc. * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes in guix/cve.scm. --- guix/cve.scm | 153 +++++++++++++++++++++++++++++--------------------- guix/lint.scm | 10 +++- tests/cve.scm | 14 ++--- 3 files changed, 105 insertions(+), 72 deletions(-) diff --git a/guix/cve.scm b/guix/cve.scm index 9e1cf5b587..098fdf0a05 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -25,11 +25,11 @@ (define-module (guix cve) #:use-module (web uri) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) - #:use-module (srfi srfi-11) #:use-module (srfi srfi-19) #:use-module (srfi srfi-26) #:use-module (srfi srfi-34) #:use-module (srfi srfi-35) + #:use-module (srfi srfi-71) #:use-module (ice-9 match) #:use-module (ice-9 regex) #:use-module (ice-9 vlist) @@ -108,15 +108,16 @@ (define %cpe-package-rx ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):")) -(define (cpe->package-name cpe) +(define (cpe->package-identifier cpe) "Converts the Common Platform Enumeration (CPE) string CPE to a package -name, in a very naive way. Return two values: the package name, and its -version string. Return #f and #f if CPE does not look like an application CPE -string." +identifier, in a very naive way. Return three values: the CPE vendor, the +package name, and its version string. +Return three #f values if CPE does not look like an application CPE string." (cond ((regexp-exec %cpe-package-rx cpe) => (lambda (matches) - (values (match:substring matches 2) + (values (match:substring matches 1) + (match:substring matches 2) (match (match:substring matches 3) ("*" '_) (version @@ -128,7 +129,7 @@ (define (cpe->package-name cpe) ;; "cpe:2.3:a:openbsd:openssh:6.8:p1". (string-drop patch-level 1))))))))) (else - (values #f #f)))) + (values #f #f #f)))) (define (cpe-match->cve-configuration alist) "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package @@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist) ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534 ;; has a configuration that lacks it. (and cpe - (let-values (((package version) (cpe->package-name cpe))) + (let ((vendor package version (cpe->package-identifier cpe))) (and package - `(,package - ,(cond ((and (or starti starte) (or endi ende)) - `(and ,(if starti `(>= ,starti) `(> ,starte)) - ,(if endi `(<= ,endi) `(< ,ende)))) - (starti `(>= ,starti)) - (starte `(> ,starte)) - (endi `(<= ,endi)) - (ende `(< ,ende)) - (else version)))))))) + `(,vendor + ,package + ,(cond ((and (or starti starte) (or endi ende)) + `(and ,(if starti `(>= ,starti) `(> ,starte)) + ,(if endi `(<= ,endi) `(< ,ende)))) + (starti `(>= ,starti)) + (starte `(> ,starte)) + (endi `(<= ,endi)) + (ende `(< ,ende)) + (else version)))))))) (define (configuration-data->cve-configurations alist) "Given ALIST, a JSON dictionary for the baroque \"configurations\" @@ -228,6 +230,23 @@ (define (version-matches? version sexp) (('>= min) (version>=? version min)))) +(define (vulnerability-matches? vuln vendor hidden-vendors) + "Checks if a VENDOR matches at least one of VULN +packages. When VENDOR is #f, ignore packages that have a vendor among +HIDDEN-VENDORS." + (define hidden-vendor? + (if (list? hidden-vendors) + (cut member <> hidden-vendors) + (const #f))) + + (match vuln + (($ id packages) + (any (match-lambda + ((? (cut string=? <> vendor)) #t) + ((? hidden-vendor?) #f) + (otherwise (not vendor))) + (map car packages))))) ;candidate vendors + ;;; ;;; High-level interface. @@ -259,7 +278,7 @@ (define-record-type (vulnerability id packages) vulnerability? (id vulnerability-id) ;string - (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...) + (packages vulnerability-packages)) ;((v1 p1 sexp1) (v2 p2 sexp2) ...) (define vulnerability->sexp (match-lambda @@ -272,39 +291,47 @@ (define sexp->vulnerability (vulnerability id packages)))) (define (cve-configuration->package-list config) - "Parse CONFIG, a config sexp, and return a list of the form (P SEXP) -where P is a package name and SEXP expresses constraints on the matching -versions." + "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP) +where V is a CPE vendor, P is a package name and SEXP expresses constraints on +the matching versions." (let loop ((config config) - (packages '())) + (results '())) (match config (('or configs ...) - (fold loop packages configs)) - (('and config _ ...) ;XXX - (loop config packages)) - (((? string? package) '_) ;any version - (cons `(,package _) - (alist-delete package packages))) - (((? string? package) sexp) - (let ((previous (assoc-ref packages package))) - (if previous - (cons `(,package (or ,sexp ,@previous)) - (alist-delete package packages)) - (cons `(,package ,sexp) packages))))))) + (fold loop results configs)) + (('and config _ ...) ;XXX + (loop config results)) + (((? string? vendor) (? string? package) sexp) + (let ((pruned-results (remove (match-lambda + ((vendor package _) #t) + (otherwise #f)) + results))) + (match sexp + ('_ ;any version + (cons `(,vendor ,package _) pruned-results)) + (_ + (match (assoc-ref (assoc-ref results vendor) package) + ((previous) + (cons `(,vendor ,package (or ,sexp ,previous)) pruned-results)) + (_ + (cons `(,vendor ,package ,sexp) results)))))))))) (define (merge-package-lists lst) - "Merge the list in LST, each of which has the form (p sexp), where P -is the name of a package and SEXP is an sexp that constrains matching -versions." + "Merge the list in LST, each of which has the form (V P SEXP), where V is a +CPE vendor, P is the name of a package and SEXP is an sexp that constrains +matching versions." (fold (lambda (plist result) ;XXX: quadratic (fold (match-lambda* - (((package version) result) - (match (assoc-ref result package) - (#f - (cons `(,package ,version) result)) - ((previous) - (cons `(,package (or ,version ,previous)) - (alist-delete package result)))))) + (((vendor package version) result) + (match (assoc-ref result vendor) + (((? (cut string=? package <>)) previous) + (cons `(,vendor ,package (or ,version ,previous)) + (remove (match-lambda + ((vendor package _) #t) + (otherwise #f)) + result))) + (_ + (cons `(,vendor ,package ,version) result))))) result plist)) '() @@ -337,7 +364,7 @@ (define vulns (json->vulnerabilities input)) (write `(vulnerabilities - 1 ;format version + 2 ;format version ,(map vulnerability->sexp vulns)) cache)))) @@ -371,8 +398,10 @@ (define (read* port) (sexp (read* port))) (close-port port) (match sexp - (('vulnerabilities 1 vulns) - (map sexp->vulnerability vulns))))) + (('vulnerabilities 2 vulns) + (map sexp->vulnerability vulns)) + (('vulnerabilities 1 vulns) ;old format, lacks vendor info + (map sexp-v1->vulnerability vulns))))) (define* (current-vulnerabilities #:key (timeout 10)) "Return the current list of Common Vulnerabilities and Exposures (CVE) as @@ -404,28 +433,26 @@ (define table (($ id packages) (fold (lambda (package table) (match package - ((name . versions) - (vhash-cons name (cons vuln versions) + ((vendor name versions) + (vhash-cons name (cons vuln `(,versions)) table)))) table packages)))) vlist-null vulnerabilities)) - (lambda* (package #:optional version) - (vhash-fold* (if version - (lambda (pair result) - (match pair - ((vuln sexp) - (if (version-matches? version sexp) - (cons vuln result) - result)))) - (lambda (pair result) - (match pair - ((vuln . _) - (cons vuln result))))) - '() - package table))) + (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '())) + (vhash-fold* + (lambda (pair result) + (match pair + ((vuln sexp) + (if (and (or (and (not vendor) (null? hidden-vendors)) + (vulnerability-matches? vuln vendor hidden-vendors)) + (or (not version) (version-matches? version sexp))) + (cons vuln result) + result)))) + '() + package table))) ;;; cve.scm ends here diff --git a/guix/lint.scm b/guix/lint.scm index 8c6c20c723..bea6d0a194 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -1551,8 +1551,14 @@ (define package-vulnerabilities (package-name package))) (version (or (assoc-ref (package-properties package) 'cpe-version) - (package-version package)))) - ((force lookup) name version))))) + (package-version package))) + (vendor (assoc-ref (package-properties package) + 'cpe-vendor)) + (hidden-vendors (assoc-ref (package-properties package) + 'lint-hidden-cpe-vendors))) + ((force lookup) name version + #:vendor vendor + #:hidden-vendors hidden-vendors))))) ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests. (set! package-vulnerabilities package-vulnerabilities) diff --git a/tests/cve.scm b/tests/cve.scm index b69da0e120..90ada2b647 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -34,19 +34,19 @@ (define %expected-vulnerabilities (vulnerability "CVE-2019-0001" ;; Only the "a" CPE configurations are kept; the "o" ;; configurations are discarded. - '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) + '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4"))))) (vulnerability "CVE-2019-0005" - '(("junos" (or "18.11" "18.1")))) + '(("juniper" "junos" (or "18.1" "18.11")))) ;; CVE-2019-0005 has no "a" configurations. (vulnerability "CVE-2019-14811" - '(("ghostscript" (< "9.28")))) + '(("artifex" "ghostscript" (< "9.28")))) (vulnerability "CVE-2019-17365" - '(("nix" (<= "2.3")))) + '(("nixos" "nix" (<= "2.3")))) (vulnerability "CVE-2019-1010180" - '(("gdb" _))) ;any version + '(("gnu" "gdb" _))) ;any version (vulnerability "CVE-2019-1010204" - '(("binutils" (and (>= "2.21") (<= "2.31.1"))) - ("binutils_gold" (and (>= "1.11") (<= "1.16"))))) + '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1"))) + ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16"))))) ;; CVE-2019-18192 has no associated configurations. )) -- 2.46.0