From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id SIFEEN4lOmcNOQEAqHPOHw:P1 (envelope-from ) for ; Sun, 17 Nov 2024 17:20:30 +0000 Received: from aspmx1.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id SIFEEN4lOmcNOQEAqHPOHw (envelope-from ) for ; Sun, 17 Nov 2024 18:20:30 +0100 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b="KigHH2/4"; dkim=fail ("headers rsa verify failed") header.d=gnu.org header.s=fencepost-gnu-org header.b=SJnUD+TQ; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" ARC-Seal: i=1; s=key1; d=yhetil.org; t=1731864030; a=rsa-sha256; cv=none; b=tzSAkMQgD7CZXGVTu/OJpnO2oM+pvHWbbhQJBttrGwUer5PFJwY4f4knjvKXlklfOU8Vju Jg2/8yOjt4x/I8+PoFNNa6qljvnAeT0jsWlJ4QpoEElJ8nEJRtyyKTSNTj33GJo76LDpgS QbqgVRtHiXmWhjmSUAOvYJvSg9tKBEqs8LWr1HApojpLwJyiJq31iSoj+HhcQnbRrFF50Y fMm4WLP1eJDXq78yLjl20bOF+yhKoKLA+eancsW8Zk2qgCFdCdyJTOOPDVE5q+aD+RS95Q Mwi4LKd83+mwYqIxsgaF0q4lFOspU02dV/C8unA0vhnkpILRjEWoM3JLp0effQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=debbugs.gnu.org header.s=debbugs-gnu-org header.b="KigHH2/4"; dkim=fail ("headers rsa verify failed") header.d=gnu.org header.s=fencepost-gnu-org header.b=SJnUD+TQ; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1731864030; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=BnARNud5tAt0Gs6zUlSjykOwZijY6VklTTDutohtVt0=; b=N7tJB+FU+00cOmDlfniTUDBI1kPSrzpJMENnzMxwVpLKHHlRCk/XYcQFZlQ/ke2gBl16XK AWoPCltnUN2TKJ/pWbtkd8hk/wZ5lw4LlVlbjl/NRfzM7BYAxEPGKhViE41whU0NvU3vev MRwKQl02plR3AI5ZuVuXPn2R6JuYp7uEaW5+jn+dXIC5E9h6lp68xCs/LryB+lBBX9bwIO MWRjHX6Vz1tytWK/6IOsHwMtvMOCOweTiF3sj/mNNBboL0l7ULuQMGxwOwrkWVPHLcYllo 5R2hM1cW0Hpk477EbSGmFgGTX43NJBNfY87fal9Pk6HQg17L/vh7s6DdNQlFmQ== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E2AE37829E for ; Sun, 17 Nov 2024 18:20:29 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tCiwQ-0004j1-H2; Sun, 17 Nov 2024 12:20:06 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tCiwN-0004gf-2e for guix-patches@gnu.org; Sun, 17 Nov 2024 12:20:03 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tCiwM-0005fB-Oa for guix-patches@gnu.org; Sun, 17 Nov 2024 12:20:02 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:References:In-Reply-To:From:To:Subject; bh=BnARNud5tAt0Gs6zUlSjykOwZijY6VklTTDutohtVt0=; b=KigHH2/4l5ducZ/6v7u75oic+lnjJ8rW9Vqbue2dUw86Y2f51sRXdlBAvLJEozURaGhX0/ylLFmUY+400tLWjEiLrO1E55XV/cI9pujPfCWq6Mh0yE3OMp4qNcj4E4pMM1WVyAtOv33ZSe70/inGqxm0gJjYlEGRzN3/MDePRHj81AysQ8yKd9RNil2rm4Q7f8RVTPmI4YUDJYx9KlCaOrK1c8dJ9nu/XASiLx/hWQIDRre2aJkw1xo+LZyejdYijLPfi/nbJqQNVAYu2uATsndnfcdVKz/G/OMfeFggfDqE//aeO3s7l42oo21DS4ZEeKRLOUFDWOlbmkzF9r13kA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1tCiwM-0004gG-I6 for guix-patches@gnu.org; Sun, 17 Nov 2024 12:20:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 17 Nov 2024 17:20:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74034 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Nicolas Graves Cc: 74034@debbugs.gnu.org Received: via spool by 74034-submit@debbugs.gnu.org id=B74034.173186398217955 (code B ref 74034); Sun, 17 Nov 2024 17:20:02 +0000 Received: (at 74034) by debbugs.gnu.org; 17 Nov 2024 17:19:42 +0000 Received: from localhost ([127.0.0.1]:58414 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tCiw2-0004fX-Bb for submit@debbugs.gnu.org; Sun, 17 Nov 2024 12:19:42 -0500 Received: from eggs.gnu.org ([209.51.188.92]:50346) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tCivz-0004fI-E2 for 74034@debbugs.gnu.org; Sun, 17 Nov 2024 12:19:40 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tCivs-0005bt-Hy; Sun, 17 Nov 2024 12:19:32 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=BnARNud5tAt0Gs6zUlSjykOwZijY6VklTTDutohtVt0=; b=SJnUD+TQtJB/bNz8Ixtm P+dWh1+ddGBZGnsEAf+0U9JyMySIO3ldQVS41xsJvhOAU97Sz/NdcwRgbNEKb+GFxZh2YbjKrN/7k ZooGtQ/rd5S2rh7ZFzVE+rFdPqWj9n+8BGHLsSu5j0xnNrkzmMAvFb/FPJey72hqHBXN+uq0TVcmg vtsWSGDRlMg0GH85RLU4AI9UZMKtE4qb/G4l4QfA5yHlh17xsOyPAvIcmtwriG5s5sw/Giue8SwH3 KzHVLgC8apa2xGUahnOkqUEJUKQttWf2wI+ggAiw4Ax2IeaWzer5KiZagM/XhcLIjBMvRtH69+QaY D+oyiXbotzCegA==; From: Ludovic =?UTF-8?Q?Court=C3=A8s?= In-Reply-To: <20241113102414.1348-1-ngraves@ngraves.fr> (Nicolas Graves's message of "Wed, 13 Nov 2024 11:23:51 +0100") References: <20241026222934.25890-1-ngraves@ngraves.fr> <20241113102414.1348-1-ngraves@ngraves.fr> Date: Sun, 17 Nov 2024 18:19:30 +0100 Message-ID: <87zflxixr1.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -5.43 X-Spam-Score: -5.43 X-Migadu-Queue-Id: E2AE37829E X-Migadu-Scanner: mx10.migadu.com X-TUID: b1LpBEC8YJlX Hi! Nicolas Graves skribis: > * guix/cve.scm: Exploit cpe vendors information. > (cpe->package-name): Rename to... > (cpe->package-identifier): Renamed from cpe->package-name. Use > cpe_vendor:cpe_name in place or cpe_name. > (vulnerabily-matches?): Add helper function. > (vulnerabilities->lookup-proc): Extract cpe_name for table > hashes. Add vendor and hidden-vendor arguments. Adapt condition to > pass vulnerabilities to result in the fold. > > * guix/lint.scm (package-vulnerabilities): Use additional arguments > from vulnerabilities->lookup-proc. > > * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes > in guix/cve.scm. [...] > -(define (cpe->package-name cpe) > +(define (cpe->package-identifier cpe) > "Converts the Common Platform Enumeration (CPE) string CPE to a package > -name, in a very naive way. Return two values: the package name, and its > -version string. Return #f and #f if CPE does not look like an applicati= on CPE > -string." > +identifier, in a very naive way. Return two values: the package identif= ier > +(composed from the CPE vendor and the package name), and its version str= ing. > +Return #f and #f if CPE does not look like an application CPE string." It returns three values now. :-) (Nice!) > (define (merge-package-lists lst) > - "Merge the list in LST, each of which has the form (p sexp), where P > -is the name of a package and SEXP is an sexp that constrains matching > -versions." > + "Merge the list in LST, each of which has the form (V P SEXP), where V= is a > +CPE vendor, P is the name of a package and SEXP is an sexp that constrai= ns > +matching versions." Am I right that =E2=80=98vulnerability->sexp=E2=80=99 now includes the vend= or? In that case, the format version in =E2=80=98write-cache=E2=80=99 should be= bumped and =E2=80=98fetch-vulnerabilities=E2=80=99 should be adjusted accordingly (to = support v1 sexps that lack vendor info). Ludo=E2=80=99.