From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id uBmeCDRVU2A+LgAA0tVLHw (envelope-from ) for ; Thu, 18 Mar 2021 13:27:16 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id eOZlBDRVU2BkfAAAB5/wlQ (envelope-from ) for ; Thu, 18 Mar 2021 13:27:16 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5B10327CA0 for ; Thu, 18 Mar 2021 14:27:15 +0100 (CET) Received: from localhost ([::1]:32882 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lMsgE-0000Wd-JF for larch@yhetil.org; Thu, 18 Mar 2021 09:27:14 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:42200) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lMsg2-0000PB-NN for bug-guix@gnu.org; Thu, 18 Mar 2021 09:27:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:33814) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lMsg2-0001Zf-Fi for bug-guix@gnu.org; Thu, 18 Mar 2021 09:27:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lMsg2-0007sP-Cn for bug-guix@gnu.org; Thu, 18 Mar 2021 09:27:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-, python-, go-, ..) Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 18 Mar 2021 13:27:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47188 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: =?UTF-8?Q?L=C3=A9o?= Le Bouter Received: via spool by 47188-submit@debbugs.gnu.org id=B47188.161607399130217 (code B ref 47188); Thu, 18 Mar 2021 13:27:02 +0000 Received: (at 47188) by debbugs.gnu.org; 18 Mar 2021 13:26:31 +0000 Received: from localhost ([127.0.0.1]:45357 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMsfW-0007rJ-HN for submit@debbugs.gnu.org; Thu, 18 Mar 2021 09:26:30 -0400 Received: from eggs.gnu.org ([209.51.188.92]:49102) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMsfT-0007r0-RY for 47188@debbugs.gnu.org; Thu, 18 Mar 2021 09:26:28 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:54827) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lMsfO-0001Aa-Ci; Thu, 18 Mar 2021 09:26:22 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=53148 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lMsfM-0002yH-To; Thu, 18 Mar 2021 09:26:21 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <706d51950b7545eefd43a54f738bc82df0d7f36c.camel@zaclys.net> Date: Thu, 18 Mar 2021 14:26:18 +0100 In-Reply-To: <706d51950b7545eefd43a54f738bc82df0d7f36c.camel@zaclys.net> ("=?UTF-8?Q?L=C3=A9o?= Le Bouter"'s message of "Tue, 16 Mar 2021 10:29:43 +0100") Message-ID: <87a6r0r3t1.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: 47188@debbugs.gnu.org Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616074035; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=+mnQ0vNjmzYAAW3q0AMiaDJJpVlovpVd9T2y8Ok4Eio=; b=HLtEzBfrOTo9j17f8CoMObOt3tZM/GAFBHS2aPI4xtpxLDyTTAI1s/sI7NLvdocBYMCuJc a/gT8e6J38EcDqk2CPFdFgnFMXotO4qeOI9mKoJBuTg9k9vGWVi/JlSR3bWapkg8AieiLU QF3uYZvDxodige6+Czp8beZX7i+YtW7H+8cD/rrkQIvYf/R97J0vqZSK1Q6F8JHxVoMr+Q sAmaS/Y/xQC2sVssJgn2FwEF45J58pyxGoYrMU+9gu10wRLXjj4L7NAyTXB2MpToshFDuK L1aM/inGRktgPa7JrQGJZXPvgPbuzcA2bo/9ejGY4jCEv0myoRwrG2Tckr3OXA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616074035; a=rsa-sha256; cv=none; b=tLgNKG2Tl6pAub5LlFcZBkg6IAwiJ4AxSnYsjeO9wVB+8TXS4Eftop3XIEvPdFGO86N0Oq zgMMQnxZsOYgtsh671sltDLCsqyC0PhpXrvGh403AUlLCafWiewWjolZmycwnoWkgFuSYa OP1FdxfvVZgU6Jafr/bbZUOduLu0rvHtflGhVEIwOdP4zZn7BXodkvfl9fyITpK5h9Vkp+ Yv0q5HO4PkvswH8m2Bi/Ryzi/Ba+FkmuDc1G8MCSgCoYsofZCQI9BPzPga1FsfJ/O7Bgyz ysVy2A3UZZYP6YnZziB/p5Qtxj/g6PM3a+5bo2puIP9mSivqZmAF2Uu+IyrniA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -2.91 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 5B10327CA0 X-Spam-Score: -2.91 X-Migadu-Scanner: scn0.migadu.com X-TUID: fN84ESt/jXiO Hi, L=C3=A9o Le Bouter skribis: > ./pre-inst-env guix lint -c cve python-urllib3@1.26.2 > Here this should return at least CVE-2021-28363 but it does not because > the CVE database contains urllib3 and not python-urllib3 (which AFAICT > the cve linter searches for). > > Annotating each and every python-, go-, and rust- package with cpe-name=20 > properties is going to be very annoying. I suggest we add some > heuristics that try both the full name and prefix-trimmed name. python- > urllib3's cpe name and vendor is python (vendor) urllib3 (name). > > Same story for CVE-2021-28305 and rust-diesel, though it doesnt even > have a CPE entry yet. Yes, that=E2=80=99s an issue. We can address these by adding a =E2=80=98cp= e-name=E2=80=99 property (info "(guix) Invoking guix lint"), but that=E2=80=99s going to be tedious. We can at least add it to high-profile packages for now. Tooling that suggests or deduces the CPE name would help a lot: https://issues.guix.gnu.org/42299 Ludo=E2=80=99.