From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id +I/xF6uY+mEBcgAAgWs5BA (envelope-from ) for ; Wed, 02 Feb 2022 15:43:55 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id MHQUFauY+mE+VAEA9RJhRA (envelope-from ) for ; Wed, 02 Feb 2022 15:43:55 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id CDF5D36ED3 for ; Wed, 2 Feb 2022 15:43:54 +0100 (CET) Received: from localhost ([::1]:45946 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nFGrR-0000UH-Mg for larch@yhetil.org; Wed, 02 Feb 2022 09:43:53 -0500 Received: from eggs.gnu.org ([209.51.188.92]:54412) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nFGRY-0000pk-El for guix-patches@gnu.org; Wed, 02 Feb 2022 09:17:08 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:58000) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nFGRS-00070C-Ot for guix-patches@gnu.org; Wed, 02 Feb 2022 09:17:08 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1nFGRS-0000z0-Ix for guix-patches@gnu.org; Wed, 02 Feb 2022 09:17:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker. Resent-From: Efraim Flashner Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 02 Feb 2022 14:17:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 53721 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 53721@debbugs.gnu.org Cc: Efraim Flashner X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.16438113673689 (code B ref -1); Wed, 02 Feb 2022 14:17:02 +0000 Received: (at submit) by debbugs.gnu.org; 2 Feb 2022 14:16:07 +0000 Received: from localhost ([127.0.0.1]:51894 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nFGQV-0000xE-06 for submit@debbugs.gnu.org; Wed, 02 Feb 2022 09:16:07 -0500 Received: from lists.gnu.org ([209.51.188.17]:55270) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nFGQS-0000wh-6v for submit@debbugs.gnu.org; Wed, 02 Feb 2022 09:16:01 -0500 Received: from eggs.gnu.org ([209.51.188.92]:53940) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nFGQS-0000LO-0b for guix-patches@gnu.org; Wed, 02 Feb 2022 09:16:00 -0500 Received: from flashner.co.il ([178.62.234.194]:60830) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nFGQP-0006hN-BS for guix-patches@gnu.org; Wed, 02 Feb 2022 09:15:59 -0500 Received: from localhost (unknown [31.210.177.79]) by flashner.co.il (Postfix) with ESMTPSA id CA5EA40043; Wed, 2 Feb 2022 14:15:55 +0000 (UTC) From: Efraim Flashner Date: Wed, 2 Feb 2022 16:15:20 +0200 Message-Id: <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@flashner.co.il> X-Mailer: git-send-email 2.34.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=178.62.234.194; envelope-from=efraim@flashner.co.il; helo=flashner.co.il X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1643813035; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=3xPahNrMClX/7PvysU7aZT+EKAOtPa+CMd4hnnAtK3s=; b=Tpx78aCCYktw12t8bNQUrwBYuQw+4UmztguxrsyG8M+HhPHYdOW19bkg+pdDyQbwctt217 zoYjy7KqDhITKypDIwTwTxOKjU3c0WXp0fGzqeBCw5j/jwZU5bXxmC7q81s8wuXF6dkkCQ oIP4P0vBGMPy9kZtbbbKzye5Artuh/CSwst+8B4khgRCUYV8FjsT/CU+bnl+iTHegQisEx aQOAjFrdQosa1VtmA6vArGYKTXxVFAIcIYIAQo1l8HkFCOgFEH+rF+I1l1Y0yoT1B8J8Dg 6AqkMtJUoeu3kuUvycFgkzk7EIMsM57ucgPQEKwogK7Nas8wwZP5wzL9/ch0eg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1643813035; a=rsa-sha256; cv=none; b=dSy3QIvZL2blzzuOdS6sshVAEhonxczHLT8pLz/bAVL+UaT5B/TZBd+uIMA3/qO+FlIhu7 XhaLwECMY/xFw9b2hHgH0AVu3n5p8DX7RXvbT9N1jhotGEKakVmrILOyYzLUBqeZ4v+upR gWAHDAuyLd5LhZQAUX3fmilpoGOV0V3lXbNl+808X5aCri7A5EDGucHHMQ8uy12n2I1Prn k9uzwGvq/OkhyH19woa3RLvZG7XYvEaT4QVamwGkWcEUOWMcFkXiYKohaB8c6BPk/211yX UvoUARX3NFqXIbL4szn8IR3O99SYLjP7T0L6cCrDrh3aWERBUUsm/dD0dMdpUw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -4.43 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: CDF5D36ED3 X-Spam-Score: -4.43 X-Migadu-Scanner: scn0.migadu.com X-TUID: u6hJWNie3kXo * guix/lint.scm (package-vulnerabilities): Also allow the name in the CVE database to have the package name's prefix stripped off when checking for CVEs. --- When I checked for cpe-name in the Guix repo there weren't a lot of hits. Clearly just stripping off the leading 'python2-' or whatever isn't completely the correct answer, python-redis@3.5.3 isn't likely vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs easily discovered for any of our language library packages. guix/lint.scm | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/guix/lint.scm b/guix/lint.scm index 3ca7a0b608..7f08d6af5e 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -7,7 +7,7 @@ ;;; Copyright © 2016 Hartmut Goebel ;;; Copyright © 2017 Alex Kost ;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice -;;; Copyright © 2017, 2018, 2020 Efraim Flashner +;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner ;;; Copyright © 2018, 2019 Arun Isaac ;;; Copyright © 2020 Chris Marusich ;;; Copyright © 2020 Timothy Sample @@ -1416,12 +1416,21 @@ (define package-vulnerabilities "Return a list of vulnerabilities affecting PACKAGE." ;; First we retrieve the Common Platform Enumeration (CPE) name and ;; version for PACKAGE, then we can pass them to LOOKUP. - (let ((name (or (assoc-ref (package-properties package) - 'cpe-name) - (package-name package))) - (version (or (assoc-ref (package-properties package) - 'cpe-version) - (package-version package)))) + (let* ((pkg-name (package-name package)) + (version (or (assoc-ref (package-properties package) + 'cpe-version) + (package-version package))) + (name + (or (assoc-ref (package-properties package) + 'cpe-name) + (false-if-exception + (first + (filter string? + (map (lambda (prefix) + (when (string-prefix? prefix pkg-name) + (string-drop pkg-name (string-length prefix)))) + '("java-" "perl-" "python-" "python2-" "ruby-"))))) + pkg-name))) ((force lookup) name version))))) (define* (check-vulnerabilities package base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c -- 2.34.0