* [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
@ 2022-02-02 14:15 Efraim Flashner
2022-02-02 14:54 ` Maxime Devos
2022-02-04 21:56 ` Ludovic Courtès
0 siblings, 2 replies; 4+ messages in thread
From: Efraim Flashner @ 2022-02-02 14:15 UTC (permalink / raw)
To: 53721; +Cc: Efraim Flashner
* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---
When I checked for cpe-name in the Guix repo there weren't a lot of
hits. Clearly just stripping off the leading 'python2-' or whatever
isn't completely the correct answer, python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs
easily discovered for any of our language library packages.
guix/lint.scm | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/guix/lint.scm b/guix/lint.scm
index 3ca7a0b608..7f08d6af5e 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -7,7 +7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2020 Timothy Sample <samplet@ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
"Return a list of vulnerabilities affecting PACKAGE."
;; First we retrieve the Common Platform Enumeration (CPE) name and
;; version for PACKAGE, then we can pass them to LOOKUP.
- (let ((name (or (assoc-ref (package-properties package)
- 'cpe-name)
- (package-name package)))
- (version (or (assoc-ref (package-properties package)
- 'cpe-version)
- (package-version package))))
+ (let* ((pkg-name (package-name package))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package)))
+ (name
+ (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (false-if-exception
+ (first
+ (filter string?
+ (map (lambda (prefix)
+ (when (string-prefix? prefix pkg-name)
+ (string-drop pkg-name (string-length prefix))))
+ '("java-" "perl-" "python-" "python2-" "ruby-")))))
+ pkg-name)))
((force lookup) name version)))))
(define* (check-vulnerabilities package
base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c
--
2.34.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
2022-02-02 14:15 [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker Efraim Flashner
@ 2022-02-02 14:54 ` Maxime Devos
2022-02-02 15:13 ` Efraim Flashner
2022-02-04 21:56 ` Ludovic Courtès
1 sibling, 1 reply; 4+ messages in thread
From: Maxime Devos @ 2022-02-02 14:54 UTC (permalink / raw)
To: Efraim Flashner, 53721
[-- Attachment #1: Type: text/plain, Size: 1119 bytes --]
Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length prefix))))
> + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> + pkg-name)))
When can an exception happen here?
Also, the following seems simpler and equivalent:
(any (lambda (prefix)
(and (string-prefix? prefix)
(string-drop pkg-name (string-length prefix))))
'("java-" "perl-" "python-" "python2-" "ruby-"))
It would be nice to test the code for guessing the CPE name of a
package in a few unit tests.
Greetings,
Maxime
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
2022-02-02 14:54 ` Maxime Devos
@ 2022-02-02 15:13 ` Efraim Flashner
0 siblings, 0 replies; 4+ messages in thread
From: Efraim Flashner @ 2022-02-02 15:13 UTC (permalink / raw)
To: Maxime Devos; +Cc: 53721
[-- Attachment #1: Type: text/plain, Size: 1769 bytes --]
On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
> Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
> > + (false-if-exception
> > + (first
> > + (filter string?
> > + (map (lambda (prefix)
> > + (when (string-prefix? prefix pkg-name)
> > + (string-drop pkg-name (string-length prefix))))
> > + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> > + pkg-name)))
>
> When can an exception happen here?
I tossed in 'glibc' since I know that always has CVEs listed against it,
you can't take first from an empty list.
> Also, the following seems simpler and equivalent:
>
> (any (lambda (prefix)
> (and (string-prefix? prefix)
> (string-drop pkg-name (string-length prefix))))
> '("java-" "perl-" "python-" "python2-" "ruby-"))
That is much nicer.
> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.
Definitely. Also I should check if we should try dropping any of the
other prefixes. rust might work, go probably needs some actual
transformation to happen.
> Greetings,
> Maxime
--
Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
2022-02-02 14:15 [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker Efraim Flashner
2022-02-02 14:54 ` Maxime Devos
@ 2022-02-04 21:56 ` Ludovic Courtès
1 sibling, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2022-02-04 21:56 UTC (permalink / raw)
To: Efraim Flashner; +Cc: Maxime Devos, 53721
Hello,
Efraim Flashner <efraim@flashner.co.il> skribis:
> - (let ((name (or (assoc-ref (package-properties package)
> - 'cpe-name)
> - (package-name package)))
> - (version (or (assoc-ref (package-properties package)
> - 'cpe-version)
> - (package-version package))))
> + (let* ((pkg-name (package-name package))
> + (version (or (assoc-ref (package-properties package)
> + 'cpe-version)
> + (package-version package)))
> + (name
> + (or (assoc-ref (package-properties package)
> + 'cpe-name)
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length prefix))))
> + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> + pkg-name)))
I agree with Maxime’s suggestions.
In addition, I’d suggest moving this code out in two procedures,
‘package-cpe-name’ and ‘package-cpe-version’, that would honor the
relevant property and fall back to stripping prefixes.
Then ‘package-vulnerabilities’ would simply call these two procedures.
How does that sound?
Longer-term, we should add a thing that proposes correct CPE names:
https://issues.guix.gnu.org/42299
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-02-04 21:57 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-02 14:15 [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker Efraim Flashner
2022-02-02 14:54 ` Maxime Devos
2022-02-02 15:13 ` Efraim Flashner
2022-02-04 21:56 ` Ludovic Courtès
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.