all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
@ 2022-02-02 14:15 Efraim Flashner
  2022-02-02 14:54 ` Maxime Devos
  2022-02-04 21:56 ` Ludovic Courtès
  0 siblings, 2 replies; 4+ messages in thread
From: Efraim Flashner @ 2022-02-02 14:15 UTC (permalink / raw)
  To: 53721; +Cc: Efraim Flashner

* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---

When I checked for cpe-name in the Guix repo there weren't a lot of
hits. Clearly just stripping off the leading 'python2-' or whatever
isn't completely the correct answer, python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs
easily discovered for any of our language library packages.

 guix/lint.scm | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/guix/lint.scm b/guix/lint.scm
index 3ca7a0b608..7f08d6af5e 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
 ;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
 ;;; Copyright © 2020 Timothy Sample <samplet@ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
       "Return a list of vulnerabilities affecting PACKAGE."
       ;; First we retrieve the Common Platform Enumeration (CPE) name and
       ;; version for PACKAGE, then we can pass them to LOOKUP.
-      (let ((name    (or (assoc-ref (package-properties package)
-                                    'cpe-name)
-                         (package-name package)))
-            (version (or (assoc-ref (package-properties package)
-                                    'cpe-version)
-                         (package-version package))))
+      (let* ((pkg-name (package-name package))
+             (version  (or (assoc-ref (package-properties package)
+                                      'cpe-version)
+                           (package-version package)))
+             (name
+               (or (assoc-ref (package-properties package)
+                              'cpe-name)
+                   (false-if-exception
+                     (first
+                       (filter string?
+                               (map (lambda (prefix)
+                                      (when (string-prefix? prefix pkg-name)
+                                        (string-drop pkg-name (string-length prefix))))
+                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
+                   pkg-name)))
         ((force lookup) name version)))))
 
 (define* (check-vulnerabilities package

base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c
-- 
2.34.0





^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
  2022-02-02 14:15 [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker Efraim Flashner
@ 2022-02-02 14:54 ` Maxime Devos
  2022-02-02 15:13   ` Efraim Flashner
  2022-02-04 21:56 ` Ludovic Courtès
  1 sibling, 1 reply; 4+ messages in thread
From: Maxime Devos @ 2022-02-02 14:54 UTC (permalink / raw)
  To: Efraim Flashner, 53721

[-- Attachment #1: Type: text/plain, Size: 1119 bytes --]

Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
> +                   (false-if-exception
> +                     (first
> +                       (filter string?
> +                               (map (lambda (prefix)
> +                                      (when (string-prefix? prefix pkg-name)
> +                                        (string-drop pkg-name (string-length prefix))))
> +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> +                   pkg-name)))

When can an exception happen here?

Also, the following seems simpler and equivalent:

(any (lambda (prefix)
       (and (string-prefix? prefix)
            (string-drop pkg-name (string-length prefix))))
     '("java-" "perl-" "python-" "python2-" "ruby-"))

It would be nice to test the code for guessing the CPE name of a
package in a few unit tests.

Greetings,
Maxime

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
  2022-02-02 14:54 ` Maxime Devos
@ 2022-02-02 15:13   ` Efraim Flashner
  0 siblings, 0 replies; 4+ messages in thread
From: Efraim Flashner @ 2022-02-02 15:13 UTC (permalink / raw)
  To: Maxime Devos; +Cc: 53721

[-- Attachment #1: Type: text/plain, Size: 1769 bytes --]

On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
> Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
> > +                   (false-if-exception
> > +                     (first
> > +                       (filter string?
> > +                               (map (lambda (prefix)
> > +                                      (when (string-prefix? prefix pkg-name)
> > +                                        (string-drop pkg-name (string-length prefix))))
> > +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> > +                   pkg-name)))
> 
> When can an exception happen here?

I tossed in 'glibc' since I know that always has CVEs listed against it,
you can't take first from an empty list.

> Also, the following seems simpler and equivalent:
> 
> (any (lambda (prefix)
>        (and (string-prefix? prefix)
>             (string-drop pkg-name (string-length prefix))))
>      '("java-" "perl-" "python-" "python2-" "ruby-"))

That is much nicer.

> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.

Definitely. Also I should check if we should try dropping any of the
other prefixes. rust might work, go probably needs some actual
transformation to happen.

> Greetings,
> Maxime



-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
  2022-02-02 14:15 [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker Efraim Flashner
  2022-02-02 14:54 ` Maxime Devos
@ 2022-02-04 21:56 ` Ludovic Courtès
  1 sibling, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2022-02-04 21:56 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: Maxime Devos, 53721

Hello,

Efraim Flashner <efraim@flashner.co.il> skribis:

> -      (let ((name    (or (assoc-ref (package-properties package)
> -                                    'cpe-name)
> -                         (package-name package)))
> -            (version (or (assoc-ref (package-properties package)
> -                                    'cpe-version)
> -                         (package-version package))))
> +      (let* ((pkg-name (package-name package))
> +             (version  (or (assoc-ref (package-properties package)
> +                                      'cpe-version)
> +                           (package-version package)))
> +             (name
> +               (or (assoc-ref (package-properties package)
> +                              'cpe-name)
> +                   (false-if-exception
> +                     (first
> +                       (filter string?
> +                               (map (lambda (prefix)
> +                                      (when (string-prefix? prefix pkg-name)
> +                                        (string-drop pkg-name (string-length prefix))))
> +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> +                   pkg-name)))

I agree with Maxime’s suggestions.

In addition, I’d suggest moving this code out in two procedures,
‘package-cpe-name’ and ‘package-cpe-version’, that would honor the
relevant property and fall back to stripping prefixes.

Then ‘package-vulnerabilities’ would simply call these two procedures.

How does that sound?

Longer-term, we should add a thing that proposes correct CPE names:

  https://issues.guix.gnu.org/42299

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-02-04 21:57 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-02-02 14:15 [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker Efraim Flashner
2022-02-02 14:54 ` Maxime Devos
2022-02-02 15:13   ` Efraim Flashner
2022-02-04 21:56 ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.