* [bug#47193] Fancify guix lint -c cve output @ 2021-03-16 16:00 Tobias Geerinckx-Rice via Guix-patches via 2021-03-16 16:06 ` [bug#47193] [PATCH 1/2] lint: Sort possible vulnerabilities Tobias Geerinckx-Rice via Guix-patches via 2021-03-16 18:19 ` Léo Le Bouter via Guix-patches via 0 siblings, 2 replies; 12+ messages in thread From: Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-16 16:00 UTC (permalink / raw) To: 47193 [-- Attachment #1: Type: text/plain, Size: 446 bytes --] Guix, A quick hack requested by lle-bout: indicate CVE severity with pretty/scary colours[0]. It's deliberately simple: no scoring, no versioning, no importing (guix colors) from (guix cve), ... Another patch adds order to the rainbow. Sort CVEs by ID, so roughly chronological. In combination with the other patch, I prefer this to more complex ordering and/or grouping by severity. Kind regards, T G-R [0]: https://tobias.gr/tmp.png [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 247 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#47193] [PATCH 1/2] lint: Sort possible vulnerabilities. 2021-03-16 16:00 [bug#47193] Fancify guix lint -c cve output Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-16 16:06 ` Tobias Geerinckx-Rice via Guix-patches via 2021-03-16 16:06 ` [bug#47193] [PATCH 2/2] lint: Indicate CVE severity Tobias Geerinckx-Rice via Guix-patches via 2021-03-31 12:53 ` Ludovic Courtès 2021-03-16 18:19 ` Léo Le Bouter via Guix-patches via 1 sibling, 2 replies; 12+ messages in thread From: Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-16 16:06 UTC (permalink / raw) To: 47193 * guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities by ID. --- guix/lint.scm | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/guix/lint.scm b/guix/lint.scm index 5144fa139d..ed57e19fe2 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -1164,6 +1164,23 @@ the NIST server non-fatal." package-vulnerabilities)) "Check for known vulnerabilities for PACKAGE. Obtain the list of vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES." + + (define (vulnerability< v1 v2) + (define (string-list< list1 list2) + (match list1 + ((head1 tail1 ...) + (match list2 + ((head2 tail2 ...) + (if (string=? head1 head2) + (string-list< tail1 tail2) + (string<? head1 head2))) + (_ #f))) + (_ #f))) + + (let ((separators (char-set-complement char-set:letter+digit))) + (string-list< (string-split (vulnerability-id v1) separators) + (string-split (vulnerability-id v2) separators)))) + (let ((package (or (package-replacement package) package))) (match (package-vulnerabilities package) (() @@ -1184,7 +1201,8 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES." (make-warning package (G_ "probably vulnerable to ~a") - (list (string-join (map vulnerability-id unpatched) + (list (string-join (map vulnerability-id + (sort unpatched vulnerability<)) ", ")))))))))) (define (check-for-updates package) -- 2.30.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [bug#47193] [PATCH 2/2] lint: Indicate CVE severity. 2021-03-16 16:06 ` [bug#47193] [PATCH 1/2] lint: Sort possible vulnerabilities Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-16 16:06 ` Tobias Geerinckx-Rice via Guix-patches via 2021-03-31 13:03 ` [bug#47193] Fancify guix lint -c cve output Ludovic Courtès 2021-03-31 12:53 ` Ludovic Courtès 1 sibling, 1 reply; 12+ messages in thread From: Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-16 16:06 UTC (permalink / raw) To: 47193 * guix/cve.scm <cve-item>[cvss3-base-severity]: New field. (impact-data->cve-cvss3-base-severity): New procedure. <vulnerability>[severity]: New field. (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability) (write-cache): Bump the format version to 2. (vulnerabilities->lookup-proc): Adjust accordingly. * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according to the output port's terminal capabilities. --- guix/cve.scm | 48 ++++++++++++++++++++++++++++++++---------------- guix/lint.scm | 32 +++++++++++++++++++++++++++++++- 2 files changed, 63 insertions(+), 17 deletions(-) diff --git a/guix/cve.scm b/guix/cve.scm index b3a8b13a06..3809e4493f 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2021 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;; @@ -38,6 +39,7 @@ cve-item? cve-item-cve cve-item-configurations + cve-item-cvssv3-base-severity cve-item-published-date cve-item-last-modified-date @@ -53,6 +55,7 @@ vulnerability? vulnerability-id + vulnerability-severity vulnerability-packages json->vulnerabilities @@ -72,13 +75,15 @@ (define-json-mapping <cve-item> cve-item cve-item? json->cve-item - (cve cve-item-cve "cve" json->cve) ;<cve> - (configurations cve-item-configurations ;list of sexps - "configurations" configuration-data->cve-configurations) - (published-date cve-item-published-date - "publishedDate" string->date*) - (last-modified-date cve-item-last-modified-date - "lastModifiedDate" string->date*)) + (cve cve-item-cve "cve" json->cve) ;<cve> + (configurations cve-item-configurations ;list of sexps + "configurations" configuration-data->cve-configurations) + (cvssv3-base-severity cve-item-cvssv3-base-severity ;string + "impact" impact-data->cve-cvssv3-base-severity) + (published-date cve-item-published-date + "publishedDate" string->date*) + (last-modified-date cve-item-last-modified-date + "lastModifiedDate" string->date*)) (define-json-mapping <cve> cve cve? json->cve @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (< (let ((nodes (vector->list (assoc-ref alist "nodes")))) (filter-map node->configuration nodes))) +(define (impact-data->cve-cvssv3-base-severity alist) + "Given ALIST, a JSON dictionary for the \"impact\" element found in +CVEs, return a string indicating its CVSSv3 severity. This should be +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we +return whatever we find, or #F if the severity cannot be determined." + (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3")) + (cvss-v3 (assoc-ref base-metric-v3 "cvssV3"))) + (assoc-ref cvss-v3 "baseSeverity"))) + (define (json->cve-items json) "Parse JSON, an input port or a string, and return a list of <cve-item> records." @@ -251,20 +265,21 @@ records." (* 3600 24 (date-month %now))) (define-record-type <vulnerability> - (vulnerability id packages) + (vulnerability id severity packages) vulnerability? (id vulnerability-id) ;string + (severity vulnerability-severity) ;string (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...) (define vulnerability->sexp (match-lambda - (($ <vulnerability> id packages) - `(v ,id ,packages)))) + (($ <vulnerability> id severity packages) + `(v ,id ,severity ,packages)))) (define sexp->vulnerability (match-lambda - (('v id (packages ...)) - (vulnerability id packages)))) + (('v id severity (packages ...)) + (vulnerability id severity packages)))) (define (cve-configuration->package-list config) "Parse CONFIG, a config sexp, and return a list of the form (P SEXP) @@ -309,12 +324,13 @@ versions." "Return a <vulnerability> corresponding to ITEM, a <cve-item> record; return #f if ITEM does not list any configuration or if it does not list any \"a\" (application) configuration." - (let ((id (cve-id (cve-item-cve item)))) + (let ((id (cve-id (cve-item-cve item))) + (severity (cve-item-base-severity item))) (match (cve-item-configurations item) (() ;no configurations #f) ((configs ...) - (vulnerability id + (vulnerability id severity (merge-package-lists (map cve-configuration->package-list configs))))))) @@ -332,7 +348,7 @@ sexp to CACHE." (json->vulnerabilities input)) (write `(vulnerabilities - 1 ;format version + 2 ;format version ,(map vulnerability->sexp vulns)) cache)))) @@ -396,7 +412,7 @@ vulnerabilities affecting the given package version." ;; Map package names to lists of version/vulnerability pairs. (fold (lambda (vuln table) (match vuln - (($ <vulnerability> id packages) + (($ <vulnerability> id severity packages) (fold (lambda (package table) (match package ((name . versions) diff --git a/guix/lint.scm b/guix/lint.scm index ed57e19fe2..f3c4e13052 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -48,6 +48,7 @@ #:use-module (guix monads) #:use-module (guix scripts) #:use-module ((guix ui) #:select (texi->plain-text fill-paragraph)) + #:use-module (guix colors) #:use-module (guix gnu-maintenance) #:use-module (guix cve) #:use-module ((guix swh) #:hide (origin?)) @@ -1165,6 +1166,35 @@ the NIST server non-fatal." "Check for known vulnerabilities for PACKAGE. Obtain the list of vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES." + (define severity->color + ;; A standard CVE colour gradient is red > orange > yellow > green > none. + ;; However, ANSI non-bold YELLOW is actually orange whilst BOLD YELLOW + ;; is actual yellow, so BOLD would confusingly be less serious. Skip it. + (match-lambda + ("CRITICAL" (color BOLD RED)) + ("HIGH" (color RED)) + ("MEDIUM" (color YELLOW)) + ("LOW" (color GREEN)) + (_ (color)))) + + (define (colorize-vulnerability vulnerability) + ;; If the terminal supports ANSI colours, use them to indicate severity. + (colorize-string (vulnerability-id vulnerability) + (severity->color (vulnerability-severity + vulnerability)))) + + (define (simple-format-vulnerability vulnerability) + ;; Otherwise, omit colour coding and explicitly append the severity string. + (simple-format #f "~a (~a)" + (vulnerability-id vulnerability) + (string-downcase (vulnerability-severity vulnerability)))) + + (define format-vulnerability + ;; Check once which of the above to use for all PACKAGE vulnerabilities. + (if (color-output? (current-output-port)) + colorize-vulnerability + simple-format-vulnerability)) + (define (vulnerability< v1 v2) (define (string-list< list1 list2) (match list1 @@ -1201,7 +1231,7 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES." (make-warning package (G_ "probably vulnerable to ~a") - (list (string-join (map vulnerability-id + (list (string-join (map format-vulnerability (sort unpatched vulnerability<)) ", ")))))))))) -- 2.30.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-16 16:06 ` [bug#47193] [PATCH 2/2] lint: Indicate CVE severity Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-31 13:03 ` Ludovic Courtès 2021-03-31 13:06 ` Léo Le Bouter via Guix-patches via 0 siblings, 1 reply; 12+ messages in thread From: Ludovic Courtès @ 2021-03-31 13:03 UTC (permalink / raw) To: Tobias Geerinckx-Rice; +Cc: 47193 Hi, Tobias Geerinckx-Rice <me@tobias.gr> skribis: > * guix/cve.scm <cve-item>[cvss3-base-severity]: New field. > (impact-data->cve-cvss3-base-severity): New procedure. > <vulnerability>[severity]: New field. > (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability) > (write-cache): Bump the format version to 2. > (vulnerabilities->lookup-proc): Adjust accordingly. > * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according > to the output port's terminal capabilities. I would move the lint.scm bit to a separate patch. Please also add a short test for ‘vulnerability-severity’ in tests/cve.scm. [...] > + (cvssv3-base-severity cve-item-cvssv3-base-severity ;string > + "impact" impact-data->cve-cvssv3-base-severity) > + (published-date cve-item-published-date > + "publishedDate" string->date*) > + (last-modified-date cve-item-last-modified-date > + "lastModifiedDate" string->date*)) > > (define-json-mapping <cve> cve cve? > json->cve > @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (< > (let ((nodes (vector->list (assoc-ref alist "nodes")))) > (filter-map node->configuration nodes))) > > +(define (impact-data->cve-cvssv3-base-severity alist) > + "Given ALIST, a JSON dictionary for the \"impact\" element found in > +CVEs, return a string indicating its CVSSv3 severity. This should be > +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we > +return whatever we find, or #F if the severity cannot be determined." > + (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3")) > + (cvss-v3 (assoc-ref base-metric-v3 "cvssV3"))) > + (assoc-ref cvss-v3 "baseSeverity"))) I would pass the result through (string->symbol (string-downcase …)). For clarity, perhaps we can do: (define-json-mapping <cvss> cvss cvss? json->cvss (vector-string cvss-vector-string “vector_String") (base-severity cvss-severity "base_Severity" (compose string->symbol string-downcase))) … and use that instead of the last ‘assoc-ref’ call above. The rest LGTM. Thanks for this pleasant improvement! Ludo’. ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-31 13:03 ` [bug#47193] Fancify guix lint -c cve output Ludovic Courtès @ 2021-03-31 13:06 ` Léo Le Bouter via Guix-patches via 2021-03-31 20:57 ` Ludovic Courtès 0 siblings, 1 reply; 12+ messages in thread From: Léo Le Bouter via Guix-patches via @ 2021-03-31 13:06 UTC (permalink / raw) To: Ludovic Courtès, Tobias Geerinckx-Rice; +Cc: 47193 [-- Attachment #1: Type: text/plain, Size: 216 bytes --] On Wed, 2021-03-31 at 15:03 +0200, Ludovic Courtès wrote: [...] > The rest LGTM. > > Thanks for this pleasant improvement! > > Ludo’. > Hello Ludo! Did you get it to work on your end? Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-31 13:06 ` Léo Le Bouter via Guix-patches via @ 2021-03-31 20:57 ` Ludovic Courtès 2021-04-01 23:36 ` Léo Le Bouter via Guix-patches via 0 siblings, 1 reply; 12+ messages in thread From: Ludovic Courtès @ 2021-03-31 20:57 UTC (permalink / raw) To: Léo Le Bouter; +Cc: Tobias Geerinckx-Rice, 47193 Léo Le Bouter <lle-bout@zaclys.net> skribis: > Did you get it to work on your end? I didn’t try, but I’m confident Tobias will do the right thing! Ludo’. ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-31 20:57 ` Ludovic Courtès @ 2021-04-01 23:36 ` Léo Le Bouter via Guix-patches via 0 siblings, 0 replies; 12+ messages in thread From: Léo Le Bouter via Guix-patches via @ 2021-04-01 23:36 UTC (permalink / raw) To: Ludovic Courtès; +Cc: Tobias Geerinckx-Rice, 47193 [-- Attachment #1: Type: text/plain, Size: 413 bytes --] On Wed, 2021-03-31 at 22:57 +0200, Ludovic Courtès wrote: > Léo Le Bouter <lle-bout@zaclys.net> skribis: > > > Did you get it to work on your end? > > I didn’t try, but I’m confident Tobias will do the right thing! > > Ludo’. I see, thanks, I was looking to get it to work for me since Tobias seems busy maybe you had some elements I could use, I don't doubt they will do the right thing! [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-16 16:06 ` [bug#47193] [PATCH 1/2] lint: Sort possible vulnerabilities Tobias Geerinckx-Rice via Guix-patches via 2021-03-16 16:06 ` [bug#47193] [PATCH 2/2] lint: Indicate CVE severity Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-31 12:53 ` Ludovic Courtès 1 sibling, 0 replies; 12+ messages in thread From: Ludovic Courtès @ 2021-03-31 12:53 UTC (permalink / raw) To: Tobias Geerinckx-Rice; +Cc: 47193 Hi! Tobias Geerinckx-Rice <me@tobias.gr> skribis: > * guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities > by ID. [...] > (make-warning > package > (G_ "probably vulnerable to ~a") > - (list (string-join (map vulnerability-id unpatched) > + (list (string-join (map vulnerability-id > + (sort unpatched vulnerability<)) > ", ")))))))))) Nitpick: it might be a bit clearer done the other way around: (sort (map vulnerability-id unpatched) cve-id<?) … where ‘cve-id<?’ is like ‘vulnerability<’ but takes a CVE ID (a string). Otherwise LGTM! Ludo’. ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-16 16:00 [bug#47193] Fancify guix lint -c cve output Tobias Geerinckx-Rice via Guix-patches via 2021-03-16 16:06 ` [bug#47193] [PATCH 1/2] lint: Sort possible vulnerabilities Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-16 18:19 ` Léo Le Bouter via Guix-patches via 2021-03-16 21:12 ` Tobias Geerinckx-Rice via Guix-patches via 1 sibling, 1 reply; 12+ messages in thread From: Léo Le Bouter via Guix-patches via @ 2021-03-16 18:19 UTC (permalink / raw) To: 47193 [-- Attachment #1: Type: text/plain, Size: 1880 bytes --] Hello! Thanks a lot for working on this!! :-D I get a warning during compilation: guix/cve.scm:328:18: warning: possibly unbound variable `cve-item-base- severity' I also just tried it on patch package and it fails: $ ./pre-inst-env guix lint -c cve patch Backtrace:atch@2.7.6 [cve]... In ice-9/boot-9.scm: 1736:10 18 (with-exception-handler _ _ #:unwind? _ # _) In unknown file: 17 (apply-smob/0 #<thunk 7f5c56304520>) In ice-9/boot-9.scm: 718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>) In ice-9/eval.scm: 619:8 15 (_ #(#(#<directory (guile-user) 7f5c56307c80>))) In guix/ui.scm: 2164:12 14 (run-guix-command _ . _) In ice-9/boot-9.scm: 1736:10 13 (with-exception-handler _ _ #:unwind? _ # _) 1731:15 12 (with-exception-handler #<procedure 7f5c52ccde40 at ic…> …) In srfi/srfi-1.scm: 634:9 11 (for-each #<procedure 7f5c52ccb620 at guix/scripts/lin…> …) In guix/scripts/lint.scm: 65:4 10 (run-checkers #<package patch@2.7.6 gnu/packages/base.…> …) In srfi/srfi-1.scm: 634:9 9 (for-each #<procedure 7f5c43b5df30 at guix/scripts/lin…> …) In guix/scripts/lint.scm: 74:21 8 (_ _) In guix/lint.scm: 1205:4 7 (check-vulnerabilities #<package patch@2.7.6 gnu/packa…> …) 1151:9 6 (_ _) In unknown file: 5 (force #<promise #<procedure 7f5c5303cab8 at guix/lint.…>) In guix/lint.scm: 1134:2 4 (_) 1093:2 3 (call-with-networking-fail-safe _ _ _) In ice-9/boot-9.scm: 1736:10 2 (with-exception-handler _ _ #:unwind? _ # _) 1669:16 1 (raise-exception _ #:continuable? _) 1667:16 0 (raise-exception _ #:continuable? _) ice-9/boot-9.scm:1667:16: In procedure raise-exception: Throw to key `match-error' with args `("match" "no matching pattern" (v "CVE-2021-0212" (("contrail_networking" (< "1911.31")))))'. [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-16 18:19 ` Léo Le Bouter via Guix-patches via @ 2021-03-16 21:12 ` Tobias Geerinckx-Rice via Guix-patches via 2021-03-17 8:13 ` Léo Le Bouter via Guix-patches via 0 siblings, 1 reply; 12+ messages in thread From: Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-16 21:12 UTC (permalink / raw) To: Léo Le Bouter; +Cc: 47193 [-- Attachment #1: Type: text/plain, Size: 1011 bytes --] Léo! Léo Le Bouter via Guix-patches via 写道: > guix/cve.scm:328:18: warning: possibly unbound variable > `cve-item-base- > severity' One dark and stormy night I turned away an old woman at my doors, and ever since I have been cursed to include at least one stupid typo in each patch I send. True story. Thanks for testing. Fixed but it should not affect running guix lint. > I also just tried it on patch package and it fails: Hmm. I bet ‘rm -rf ~/.cache/guix/http’ will make this go conveniently away, just like lady stormypants. > (v "CVE-2021-0212" (("contrail_networking" ... This is a stale cache file lacking the newly added ‘severity’ field: (v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ... I bumped the format version to 2 in (guix cve) to signal this incompatible change, but it appears this field may exist merely as a friendly reminder to actually add version handling some day...? I guess today is that day. Bah, T G-R [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 247 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-16 21:12 ` Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-17 8:13 ` Léo Le Bouter via Guix-patches via 2021-03-17 19:32 ` Tobias Geerinckx-Rice via Guix-patches via 0 siblings, 1 reply; 12+ messages in thread From: Léo Le Bouter via Guix-patches via @ 2021-03-17 8:13 UTC (permalink / raw) To: Tobias Geerinckx-Rice; +Cc: 47193 [-- Attachment #1: Type: text/plain, Size: 6836 bytes --] On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote: > Léo! Tobias! :-) > Léo Le Bouter via Guix-patches via 写道: > > guix/cve.scm:328:18: warning: possibly unbound variable > > `cve-item-base- > > severity' > > One dark and stormy night I turned away an old woman at my doors, > and ever since I have been cursed to include at least one stupid > typo in each patch I send. True story. > > Thanks for testing. Fixed but it should not affect running guix > lint. I tried fixing it as well, $ git diff diff --git a/guix/cve.scm b/guix/cve.scm index 3809e4493f..d52ea05117 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -325,7 +325,7 @@ versions." return #f if ITEM does not list any configuration or if it does not list any \"a\" (application) configuration." (let ((id (cve-id (cve-item-cve item))) - (severity (cve-item-base-severity item))) + (severity (cve-item-cvssv3-base-severity item))) (match (cve-item-configurations item) (() ;no configurations #f) Look right? > Hmm. I bet ‘rm -rf ~/.cache/guix/http’ will make this go > conveniently away, just like lady stormypants. I tried that (without the fix above) and: $ ./pre-inst-env guix lint -c cve patch fetching CVE database for 2021... Backtrace: In ice-9/boot-9.scm: 1736:10 18 (with-exception-handler _ _ #:unwind? _ # _) In unknown file: 17 (apply-smob/0 #<thunk 7fd1e5545520>) In ice-9/boot-9.scm: 718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>) In ice-9/eval.scm: 619:8 15 (_ #(#(#<directory (guile-user) 7fd1e5548c80>))) In guix/ui.scm: 2164:12 14 (run-guix-command _ . _) In ice-9/boot-9.scm: 1736:10 13 (with-exception-handler _ _ #:unwind? _ # _) 1731:15 12 (with-exception-handler #<procedure 7fd1e1f0ee40 at ic…> …) In srfi/srfi-1.scm: 634:9 11 (for-each #<procedure 7fd1e1f0b000 at guix/scripts/lin…> …) In guix/scripts/lint.scm: 65:4 10 (run-checkers _ _ #:store _) In srfi/srfi-1.scm: 634:9 9 (for-each #<procedure 7fd1d2f805d0 at guix/scripts/lin…> …) In guix/scripts/lint.scm: 74:21 8 (_ _) In guix/lint.scm: 1205:4 7 (check-vulnerabilities _ _) 1151:9 6 (_ _) In unknown file: 5 (force #<promise #<procedure 7fd1e227dab8 at guix/lint.…>) In guix/lint.scm: 1134:2 4 (_) 1093:2 3 (call-with-networking-fail-safe _ _ _) In ice-9/boot-9.scm: 1736:10 2 (with-exception-handler _ _ #:unwind? _ # _) 1669:16 1 (raise-exception _ #:continuable? _) 1667:16 0 (raise-exception _ #:continuable? _) ice-9/boot-9.scm:1667:16: In procedure raise-exception: error: cve-item-base-severity: unbound variable Then *with* the fix: $ ./pre-inst-env guix lint -c cve patch fetching CVE database for 2021... Backtrace: In ice-9/boot-9.scm: 1736:10 18 (with-exception-handler _ _ #:unwind? _ # _) In unknown file: 17 (apply-smob/0 #<thunk 7f4a634a5520>) In ice-9/boot-9.scm: 718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>) In ice-9/eval.scm: 619:8 15 (_ #(#(#<directory (guile-user) 7f4a634a8c80>))) In guix/ui.scm: 2164:12 14 (run-guix-command _ . _) In ice-9/boot-9.scm: 1736:10 13 (with-exception-handler _ _ #:unwind? _ # _) 1731:15 12 (with-exception-handler #<procedure 7f4a5fe6c8d0 at ic…> …) In srfi/srfi-1.scm: 634:9 11 (for-each #<procedure 7f4a5fe6ec20 at guix/scripts/lin…> …) In guix/scripts/lint.scm: 65:4 10 (run-checkers _ _ #:store _) In srfi/srfi-1.scm: 634:9 9 (for-each #<procedure 7f4a50f5a0f0 at guix/scripts/lin…> …) In guix/scripts/lint.scm: 74:21 8 (_ _) In guix/lint.scm: 1205:4 7 (check-vulnerabilities _ _) 1151:9 6 (_ _) In unknown file: 5 (force #<promise #<procedure 7f4a601ddab8 at guix/lint.…>) In guix/lint.scm: 1134:2 4 (_) 1093:2 3 (call-with-networking-fail-safe _ _ _) In ice-9/boot-9.scm: 1736:10 2 (with-exception-handler _ _ #:unwind? _ # _) 1669:16 1 (raise-exception _ #:continuable? _) 1667:16 0 (raise-exception _ #:continuable? _) ice-9/boot-9.scm:1667:16: In procedure raise-exception: Throw to key `match-error' with args `("match" "no matching pattern" (vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM" (("contrail_networking" (< "1911.31")))) (v "CVE-2021-0220" "MEDIUM" (("junos_space" (or "19.1" (or "18.4" (or "18.3" (or "18.2" (or "18.1r1" (or "18.1" (or "17.21.4" (or "17.2" (or "17.1" (or "16.1" (or "15.2" (or "15.14" (or "15.12" (or "15.1" (or "14.1" (or "13.33" (or "13.11.8" (or "13.1" (or "12.3" (or "12.2" (or "12.1" (or "11.4" (or "11.3" (or "11.2" (or "11.1" (or "2.0" (or "1.4" (or "1.3" (or "1.2" (or "1.1" "1.0"))))))))))))))))))))))))))))))))) (v "CVE-2021-1051" "HIGH" (("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (< "392.63")))))))) (v "CVE-2021-1052" "HIGH" (("gpu_driver" (or (or (and (>= "460") (< "460.32.03")) (or (and (>= "450") (< "450.102.04")) (and (>= "390") (< "390.141")))) (or (and (>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (< "392.63"))))))))) (v "CVE-2021-1053" "MEDIUM" (("gpu_driver" (or (or (and (>= "460") (< "460.32.03")) (or (and (>= "450") (< "450.102.04")) (and (>= "390") (< "390.141")))) (or (and (>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (< "392.63"))))))))) (v "CVE-2021-1054" "MEDIUM" (("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (< "392.63")))))))) (v "CVE-2021-1055" "MEDIUM" (("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= " [...] I ran "$ rm -rf ~/.cache/guix/http" between each and every of these attempts. The cache is clear, I also did make clean and recompiled (so no left around .go file). > > > (v "CVE-2021-0212" (("contrail_networking" ... > > This is a stale cache file lacking the newly added ‘severity’ > field: > > (v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ... > > I bumped the format version to 2 in (guix cve) to signal this > incompatible change, but it appears this field may exist merely as > a friendly reminder to actually add version handling some day...? > > I guess today is that day. > > Bah, Don't know! I think there's some other issue here, or maybe you modified the patch a little more on your side. PS: I looked at the image you initially posted and the output looks really nice and helpful!! > > T G-R Thank you :-D Léo [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [bug#47193] Fancify guix lint -c cve output 2021-03-17 8:13 ` Léo Le Bouter via Guix-patches via @ 2021-03-17 19:32 ` Tobias Geerinckx-Rice via Guix-patches via 0 siblings, 0 replies; 12+ messages in thread From: Tobias Geerinckx-Rice via Guix-patches via @ 2021-03-17 19:32 UTC (permalink / raw) To: Léo Le Bouter; +Cc: 47193 [-- Attachment #1: Type: text/plain, Size: 1027 bytes --] Léo Le Bouter 写道: > On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote: >> Léo! > > Tobias! :-) Yes! > ice-9/boot-9.scm:1667:16: In procedure raise-exception: > Throw to key `match-error' with args `("match" "no matching > pattern" > (vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM" > (("contrail_networking" Thanks for including the full error message. Now the cached data's as expected but the code chokes on it anyway. Sure, why not. > Don't know! I think there's some other issue here, or maybe you > modified the patch a little more on your side. I haven't, and like you've I (regularly) remove stale .go files and delete ~/.cache/guix. Works like a screenshotted charm. I'm not in the mood for spooks; time to bust out the flamethrower that is a fresh git clone. > PS: I looked at the image you initially posted and the output > looks > really nice and helpful!! Oh, good to know that is what you had in mind. I wasn't sure. Kind regards, T G-R [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 247 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2021-04-01 23:37 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-03-16 16:00 [bug#47193] Fancify guix lint -c cve output Tobias Geerinckx-Rice via Guix-patches via 2021-03-16 16:06 ` [bug#47193] [PATCH 1/2] lint: Sort possible vulnerabilities Tobias Geerinckx-Rice via Guix-patches via 2021-03-16 16:06 ` [bug#47193] [PATCH 2/2] lint: Indicate CVE severity Tobias Geerinckx-Rice via Guix-patches via 2021-03-31 13:03 ` [bug#47193] Fancify guix lint -c cve output Ludovic Courtès 2021-03-31 13:06 ` Léo Le Bouter via Guix-patches via 2021-03-31 20:57 ` Ludovic Courtès 2021-04-01 23:36 ` Léo Le Bouter via Guix-patches via 2021-03-31 12:53 ` Ludovic Courtès 2021-03-16 18:19 ` Léo Le Bouter via Guix-patches via 2021-03-16 21:12 ` Tobias Geerinckx-Rice via Guix-patches via 2021-03-17 8:13 ` Léo Le Bouter via Guix-patches via 2021-03-17 19:32 ` Tobias Geerinckx-Rice via Guix-patches via
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.