From: Efraim Flashner <efraim@flashner.co.il>
To: 53721@debbugs.gnu.org
Cc: Efraim Flashner <efraim@flashner.co.il>
Subject: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
Date: Wed, 2 Feb 2022 16:15:20 +0200
Message-ID: <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@flashner.co.il>
* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---
When I checked for cpe-name in the Guix repo there weren't a lot of
hits. Clearly just stripping off the leading 'python2-' or whatever
isn't completely the correct answer, python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs
easily discovered for any of our language library packages.
guix/lint.scm | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/guix/lint.scm b/guix/lint.scm
index 3ca7a0b608..7f08d6af5e 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -7,7 +7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2020 Timothy Sample <samplet@ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
"Return a list of vulnerabilities affecting PACKAGE."
;; First we retrieve the Common Platform Enumeration (CPE) name and
;; version for PACKAGE, then we can pass them to LOOKUP.
- (let ((name (or (assoc-ref (package-properties package)
- 'cpe-name)
- (package-name package)))
- (version (or (assoc-ref (package-properties package)
- 'cpe-version)
- (package-version package))))
+ (let* ((pkg-name (package-name package))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package)))
+ (name
+ (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (false-if-exception
+ (first
+ (filter string?
+ (map (lambda (prefix)
+ (when (string-prefix? prefix pkg-name)
+ (string-drop pkg-name (string-length prefix))))
+ '("java-" "perl-" "python-" "python2-" "ruby-")))))
+ pkg-name)))
((force lookup) name version)))))
(define* (check-vulnerabilities package
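Review bot: the `(false-if-exception (first (filter string? (map ...))))` chain in the new `name` binding is hard to follow and leans on `first` raising an error on the empty list to produce #f when no prefix matches (the `filter string?` is only there because `when` returns an unspecified value rather than #f on a non-match). SRFI-1 `any` says the same thing directly, stops at the first match and returns #f without an exception to swallow: `(any (lambda (prefix) (and (string-prefix? prefix pkg-name) (string-drop pkg-name (string-length prefix)))) '("java-" "perl-" "python-" "python2-" "ruby-"))`. Separately, because the stripped name comes before `pkg-name` in the `or`, a package carrying one of these prefixes and no `cpe-name` property is now never looked up under its own name at all: the lookup yields only the unprefixed name's CVEs (the python-redis versus redis mismatch the cover letter already acknowledges) and any CVE actually filed against the full name is lost. Consider querying both names, or falling back to the stripped name only when the full name returns nothing, and update the docstring and the `;; First we retrieve the Common Platform Enumeration (CPE) name` comment to state that the CPE name is guessed by prefix stripping when no `cpe-name` property is set.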
base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c
--
2.34.0
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-02 14:15 Efraim Flashner [this message]
2022-02-02 14:54 ` [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker Maxime Devos
2022-02-02 15:13 ` Efraim Flashner
2022-02-04 21:56 ` Ludovic Courtès