* ‘guix lint’ CVE checker
@ 2015-11-26 22:42 Ludovic Courtès
  2015-11-27  9:58 ` Ludovic Courtès
  2015-11-28 15:07 ` Ludovic Courtès
  0 siblings, 2 replies; 5+ messages in thread
From: Ludovic Courtès @ 2015-11-26 22:42 UTC
  To: guix-devel

Hi!

Commit 5432734 adds a ‘cve’ checker for ‘guix lint’.  It fetches the CVE
database from NIST, matches package names/versions against those found
in CVEs, and reports CVE IDs:

--8<---------------cut here---------------start------------->8---
$ time GUIX_PACKAGE_PATH= ./pre-inst-env guix lint -c cve
gnu/packages/gcc.scm:324:2: gcc-4.9.3: probably vulnerable to CVE-2015-5276
gnu/packages/image.scm:708:2: jasper-1.900.1: probably vulnerable to CVE-2008-3522
gnu/packages/pulseaudio.scm:44:2: libsndfile-1.0.25: probably vulnerable to CVE-2015-7805
gnu/packages/xml.scm:64:2: libxml2-2.9.2: probably vulnerable to CVE-2015-7941, CVE-2015-7942
gnu/packages/xml.scm:144:2: libxslt-1.1.28: probably vulnerable to CVE-2015-7995

real	0m2.669s
user	0m2.248s
sys	0m0.120s
--8<---------------cut here---------------end--------------->8---

The libxml2/libxslt issues are actually patched, but since we didn’t
change the version number, the tool assumes that our packages are
vulnerable.  We should change version numbers in the future when
patching vulnerabilities.

One limitation is that package names may differ between CVEs and what we
have.  There’s a tentative ‘package-name->cpe-name’ conversion procedure
that currently handles one case, but we should augment it as we notice
new cases.

Thoughts?

Ludo’.
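Added example, written here in Python rather than taken from Guix's own Scheme implementation: it models the matching step the post describes, with a constructed CVE table keyed by CPE product name and exact version, a tentative package-name to CPE-name table (the `icecat` to `firefox` entry and CVE-0000-0001 are assumed, illustrative values), and the exact-version match that makes a patched but not re-versioned libxml2 still show up.

```python
# Added example modelling a 'guix lint -c cve' style check.  Not Guix code;
# the CVE data below is a constructed subset, not a download of the NIST feed.
from collections import defaultdict

# Constructed CVE data: CVE id -> affected (CPE product name, exact version).
# A real checker parses the NIST feed; these entries are hand-written for the demo.
CVE_DB = {
    "CVE-2015-5276": [("gcc", "4.9.3")],
    "CVE-2008-3522": [("jasper", "1.900.1")],
    "CVE-2015-7941": [("libxml2", "2.9.2")],
    "CVE-2015-7942": [("libxml2", "2.9.2")],
    "CVE-2015-7995": [("libxslt", "1.1.28")],
    # Hypothetical entry whose CPE product name differs from the package name.
    "CVE-0000-0001": [("firefox", "38.4.0")],
}

# Tentative package-name -> CPE product-name table (assumed contents, in the
# spirit of the post's package-name->cpe-name); identical names need no entry.
PACKAGE_NAME_TO_CPE = {"icecat": "firefox"}


def package_name_to_cpe_name(name):
    """Map a distribution package name to the product name used in CPE strings."""
    return PACKAGE_NAME_TO_CPE.get(name, name)


def cve_index(cve_db):
    """Invert the feed: (cpe product, version) -> set of CVE ids, for cheap lookups."""
    index = defaultdict(set)
    for cve_id, affected in cve_db.items():
        for product, version in affected:
            index[(product, version)].add(cve_id)
    return index


def check_packages(packages, cve_db=CVE_DB):
    """Return {"name-version": [sorted CVE ids]} for packages listed in the feed.

    Matching is by exact version string, so a package carrying a backported fix
    but keeping the upstream version number is still reported: this is the
    libxml2/libxslt false positive the post describes, and why it suggests
    changing the version number when a vulnerability is patched.
    """
    index = cve_index(cve_db)
    findings = {}
    for name, version in packages:
        hits = index.get((package_name_to_cpe_name(name), version), set())
        if hits:
            findings[f"{name}-{version}"] = sorted(hits)
    return findings


def format_report(findings):
    """One line per package, in the style of the guix lint output quoted above."""
    return [f"{pkg}: probably vulnerable to {', '.join(ids)}"
            for pkg, ids in sorted(findings.items())]
```

Running `format_report(check_packages([("libxml2", "2.9.2"), ("icecat", "38.4.0")]))` shows libxml2 flagged twice and icecat caught only because of the name mapping.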

Thread overview: 5+ messages
2015-11-26 22:42 ‘guix lint’ CVE checker Ludovic Courtès
2015-11-27  9:58 ` Ludovic Courtès
2015-11-27 21:39   ` Mark H Weaver
2015-11-28 15:37     ` Ludovic Courtès
2015-11-28 15:07 ` Ludovic Courtès