From unknown Sat Aug 16 18:45:38 2025
Subject: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
Resent-From: Ludovic Courtès
Resent-CC: guix-patches@gnu.org
Resent-Date: Sun, 20 Oct 2019 20:36:01 +0000
X-GNU-PR-Message: report 37838
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 37838@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Sun, 20 Oct 2019 22:34:51 +0200
Message-Id: <20191020203451.1912-1-ludo@gnu.org>

Hello!

Last Thursday I was surprised to see that ‘guix lint -c cve’ would be redirected to:

  https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3

… leading to a failure. And indeed, the XML CVE feed has now been replaced by a JSON feed (let’s hope they don’t switch to YAML next year :-)).

The JSON feed seems to be nicer in some ways; for instance, it can specify ranges of versions to which a given CVE applies.

The patch that follows rewrites (guix cve) so it gets info from the JSON feed. It does so by providing a one-to-one mapping between data structures in JSON and Scheme records, and then converting those to the higher-level records that were already there before.

If you look at the JSON-mapped record types, there is lots of low-hanging fruit; for instance, we could grab severity info from the JSON feeds and use it somehow. I’m not sure if ‘guix lint’ is the best place to display detailed CVE info, but we could/should use that info somehow.

Feedback welcome!

Ludo’.

Ludovic Courtès (2):
  cve: Rewrite to read the JSON feed instead of the XML feed.
  lint: Re-enable CVE checker.
 Makefile.am           |    2 +-
 doc/guix.texi         |    4 +-
 guix/cve.scm          |  376 ++++++++----
 guix/lint.scm         |   16 +-
 tests/cve-sample.json | 1279 +++++++++++++++++++++++++++++++++++++++++
 tests/cve-sample.xml  |  616 --------------------
 tests/cve.scm         |   83 ++-
 7 files changed, 1610 insertions(+), 766 deletions(-)
 create mode 100644 tests/cve-sample.json
 delete mode 100644 tests/cve-sample.xml

-- 
2.23.0

Subject: [bug#37838] [PATCH 1/2] cve: Rewrite to read the JSON feed instead of the XML feed.
References: <20191020203451.1912-1-ludo@gnu.org>
In-Reply-To: <20191020203451.1912-1-ludo@gnu.org>
Resent-From: Ludovic Courtès
Resent-CC: guix-patches@gnu.org
Resent-Date: Sun, 20 Oct 2019 21:21:02 +0000
X-GNU-PR-Message: followup 37838
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 37838@debbugs.gnu.org
Cc: Ludovic Courtès
From: Ludovic Courtès
Date: Sun, 20 Oct 2019 23:20:30 +0200
Message-Id: <20191020212031.2854-1-ludo@gnu.org>

The XML feed was discontinued on Oct. 16th, 2019:

* guix/cve.scm (string->date*): New procedure.
(, , ): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
--- Makefile.am | 2 +- doc/guix.texi | 4 +- guix/cve.scm | 376 ++++++++---- tests/cve-sample.json | 1279 +++++++++++++++++++++++++++++++++++++++++ tests/cve-sample.xml | 616 -------------------- tests/cve.scm | 83 ++- 6 files changed, 1605 insertions(+), 755 deletions(-) create mode 100644 tests/cve-sample.json delete mode 100644 tests/cve-sample.xml diff --git a/Makefile.am b/Makefile.am index 36767c2f47..b1f33946c5 100644 --- a/Makefile.am +++ b/Makefile.am @@ -564,7 +564,7 @@ EXTRA_DIST += \ tests/test.drv \ tests/signing-key.pub \ tests/signing-key.sec \ - tests/cve-sample.xml \ + tests/cve-sample.json \ build-aux/config.rpath \ bootstrap \ doc/build.scm \ diff --git a/doc/guix.texi b/doc/guix.texi index 6eccbb971f..d29be2da28 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -9484,7 +9484,7 @@ that limit has been reset. @cindex CVE, Common Vulnerabilities and Exposures Report known vulnerabilities found in the Common Vulnerabilities and Exposures (CVE) databases of the current and past year -@uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US +@uref{https://nvd.nist.gov/vuln/data-feeds, published by the US NIST}. To view information about a particular vulnerability, visit pages such as: @@ -9501,7 +9501,7 @@ where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g., @code{CVE-2015-7554}. Package developers can specify in package recipes the -@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)} +@uref{https://nvd.nist.gov/products/cpe,Common Platform Enumeration (CPE)} name and version of the package when they differ from the name or version that Guix uses, as in this example: diff --git a/guix/cve.scm b/guix/cve.scm index 99754fa1f6..903d94a8a6 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016, 2017, 2018 Ludovic Courtès +;;; Copyright © 2015, 2016, 2017, 2018, 2019 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -19,21 +19,43 @@ (define-module (guix cve) #:use-module (guix utils) #:use-module (guix http-client) - #:use-module (sxml ssax) + #:use-module (guix json) + #:use-module (guix i18n) + #:use-module (json) #:use-module (web uri) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-11) #:use-module (srfi srfi-19) #:use-module (srfi srfi-26) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) #:use-module (ice-9 match) #:use-module (ice-9 regex) #:use-module (ice-9 vlist) - #:export (vulnerability? + #:export (json->cve-items + + cve-item? + cve-item-cve + cve-item-configurations + cve-item-published-date + cve-item-last-modified-date + + cve? + cve-id + cve-data-type + cve-data-format + cvs-references + + cve-reference? + cve-reference-url + cve-reference-tags + + vulnerability? vulnerability-id vulnerability-packages - xml->vulnerabilities + json->vulnerabilities current-vulnerabilities vulnerabilities->lookup-proc)) 
@@ -41,15 +63,174 @@ ;;; ;;; This modules provides the tools to fetch, parse, and digest part of the ;;; Common Vulnerabilities and Exposures (CVE) feeds provided by the US NIST -;;; at . +;;; at . ;;; ;;; Code: -(define-record-type - (vulnerability id packages) - vulnerability? - (id vulnerability-id) ;string - (packages vulnerability-packages)) ;((p1 v1 v2 v3) (p2 v1) ...) +(define (string->date* str) + (string->date str "~Y-~m-~dT~H:~M~z")) + +(define-json-mapping cve-item cve-item? + json->cve-item + (cve cve-item-cve "cve" json->cve) ; + (configurations cve-item-configurations ;list of sexps + "configurations" configuration-data->cve-configurations) + (published-date cve-item-published-date + "publishedDate" string->date*) + (last-modified-date cve-item-last-modified-date + "lastModifiedDate" string->date*)) + +(define-json-mapping cve cve? + json->cve + (id cve-id "CVE_data_meta" ;string + (cut assoc-ref <> "ID")) + (data-type cve-data-type ;'CVE + "data_type" string->symbol) + (data-format cve-data-format ;'MITRE + "data_format" string->symbol) + (references cve-item-references ;list of + "references" reference-data->cve-references)) + +(define-json-mapping cve-reference cve-reference? + json->cve-reference + (url cve-reference-url) ;string + (tags cve-reference-tags ;list of strings + "tags" vector->list)) + +(define (reference-data->cve-references alist) + (map json->cve-reference + (vector->list (assoc-ref alist "reference_data")))) + +(define %cpe-package-rx + ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes + ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". + (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):")) + +(define (cpe->package-name cpe) + "Converts the Common Platform Enumeration (CPE) string CPE to a package +name, in a very naive way. Return two values: the package name, and its +version string. Return #f and #f if CPE does not look like an application CPE +string." 
+ (cond ((regexp-exec %cpe-package-rx cpe) + => + (lambda (matches) + (values (match:substring matches 2) + (match (match:substring matches 3) + ("*" '_) + (version + (string-append version + (match (match:substring matches 4) + ("" "") + (patch-level + ;; Drop the colon from things like + ;; "cpe:2.3:a:openbsd:openssh:6.8:p1". + (string-drop patch-level 1))))))))) + (else + (values #f #f)))) + +(define (cpe-match->cve-configuration alist) + "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package +and versions matched. Return #f if ALIST doesn't correspond to an application +package." + (let ((cpe (assoc-ref alist "cpe23Uri")) + (starti (assoc-ref alist "versionStartIncluding")) + (starte (assoc-ref alist "versionStartExcluding")) + (endi (assoc-ref alist "versionEndIncluding")) + (ende (assoc-ref alist "versionEndExcluding"))) + (let-values (((package version) (cpe->package-name cpe))) + (and package + `(,package + ,(cond ((and (or starti starte) (or endi ende)) + `(and ,(if starti `(>= ,starti) `(> ,starte)) + ,(if endi `(<= ,endi) `(< ,ende)))) + (starti `(>= ,starti)) + (starte `(> ,starte)) + (endi `(<= ,endi)) + (ende `(< ,ende)) + (else version))))))) + +(define (configuration-data->cve-configurations alist) + "Given ALIST, a JSON dictionary for the baroque \"configurations\" +element found in CVEs, return an sexp such as (\"binutils\" (< +\"2.31\")) that represents matching configurations." 
+ (define string->operator + (match-lambda + ("OR" 'or) + ("AND" 'and))) + + (define (node->configuration node) + (let ((operator (string->operator (assoc-ref node "operator")))) + (cond + ((assoc-ref node "cpe_match") + => + (lambda (matches) + (let ((matches (vector->list matches))) + (match (filter-map cpe-match->cve-configuration + matches) + (() #f) + ((one) one) + (lst (cons operator lst)))))) + ((assoc-ref node "children") ;typically for 'and' + => + (lambda (children) + (match (filter-map node->configuration (vector->list children)) + (() #f) + ((one) one) + (lst (cons operator lst))))) + (else + #f)))) + + (let ((nodes (vector->list (assoc-ref alist "nodes")))) + (filter-map node->configuration nodes))) + +(define (json->cve-items json) + "Parse JSON, an input port or a string, and return a list of +records." + (let* ((alist (json->scm json)) + (type (assoc-ref alist "CVE_data_type")) + (format (assoc-ref alist "CVE_data_format")) + (version (assoc-ref alist "CVE_data_version"))) + (unless (equal? type "CVE") + (raise (condition (&message + (message "invalid CVE feed"))))) + (unless (equal? format "MITRE") + (raise (condition + (&message + (message (format #f (G_ "unsupported CVE format: '~a'") + format)))))) + (unless (equal? version "4.0") + (raise (condition + (&message + (message (format #f (G_ "unsupported CVE data version: '~a'") + version)))))) + + (map json->cve-item + (vector->list (assoc-ref alist "CVE_Items"))))) + +(define (version-matches? version sexp) + "Return true if VERSION, a string, matches SEXP." + (match sexp + ('_ + #t) + ((? string? expected) + (version-prefix? expected version)) + (('or sexps ...) + (any (cut version-matches? version <>) sexps)) + (('and sexps ...) + (every (cut version-matches? version <>) sexps)) + (('< max) + (version>? max version)) + (('<= max) + (version>=? max version)) + (('> min) + (version>? version min)) + (('>= min) + (version>=? version min)))) + + +;;; +;;; High-level interface. 
+;;; (define %now (current-date)) @@ -61,8 +242,8 @@ (define (yearly-feed-uri year) "Return the URI for the CVE feed for YEAR." (string->uri - (string-append "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-" - (number->string year) ".xml.gz"))) + (string-append "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" + (number->string year) ".json.gz"))) (define %current-year-ttl ;; According to , feeds are 
@@ -73,102 +254,11 @@ ;; Update the previous year's database more and more infrequently. (* 3600 24 (date-month %now))) -(define %cpe-package-rx - ;; For applications: "cpe:/a:VENDOR:PACKAGE:VERSION", or sometimes - ;; "cpe/a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". - (make-regexp "^cpe:/a:([^:]+):([^:]+):([^:]+)((:.+)?)")) - -(define (cpe->package-name cpe) - "Converts the Common Platform Enumeration (CPE) string CPE to a package -name, in a very naive way. Return two values: the package name, and its -version string. Return #f and #f if CPE does not look like an application CPE -string." - (cond ((regexp-exec %cpe-package-rx (string-trim-both cpe)) - => - (lambda (matches) - (values (match:substring matches 2) - (string-append (match:substring matches 3) - (match (match:substring matches 4) - ("" "") - (patch-level - ;; Drop the colon from things like - ;; "cpe:/a:openbsd:openssh:6.8:p1". - (string-drop patch-level 1))))))) - (else - (values #f #f)))) - -(define (cpe->product-alist products) - "Given PRODUCTS, a list of CPE names, return the subset limited to the -applications listed in PRODUCTS, with names converted to package names: - - (cpe->product-alist - '(\"cpe:/a:gnu:libtasn1:4.7\" \"cpe:/a:gnu:libtasn1:4.6\" \"cpe:/a:gnu:cpio:2.11\")) - => ((\"libtasn1\" \"4.7\" \"4.6\") (\"cpio\" \"2.11\")) -" - (fold (lambda (product result) - (let-values (((name version) (cpe->package-name product))) - (if name - (match result - (((previous . versions) . tail) - ;; Attempt to coalesce NAME and PREVIOUS. - (if (string=? name previous) - (alist-cons name (cons version versions) tail) - (alist-cons name (list version) result))) - (() - (alist-cons name (list version) result))) - result))) - '() - (sort products string and return a list of - ;; vulnerability objects. - (ssax:make-parser NEW-LEVEL-SEED - (lambda (elem-gi attributes namespaces expected-content - seed) - (match elem-gi - ((name-space . 'entry) - (cons (assoc-ref attributes 'id) seed)) - ((name-space . 
'vulnerable-software-list) - (cons '() seed)) - ((name-space . 'product) - (cons 'product seed)) - (x seed))) - - FINISH-ELEMENT - (lambda (elem-gi attributes namespaces parent-seed - seed) - (match elem-gi - ((name-space . 'entry) - (match seed - (((? string? id) . rest) - ;; Some entries have no vulnerable-software-list. - rest) - ((products id . rest) - (match (cpe->product-alist products) - (() - ;; No application among PRODUCTS. - rest) - (packages - (cons (vulnerability id packages) - rest)))))) - (x - seed))) - - CHAR-DATA-HANDLER - (lambda (str _ seed) - (match seed - (('product software-list . rest) - ;; Add STR to the vulnerable software list this - ;; tag is part of. - (cons (cons str software-list) rest)) - (x x))))) - -(define (xml->vulnerabilities port) - "Read from PORT an XML feed of vulnerabilities and return a list of -vulnerability objects." - (reverse (%parse-vulnerability-feed port '()))) +(define-record-type + (vulnerability id packages) + vulnerability? + (id vulnerability-id) ;string + (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...) (define vulnerability->sexp (match-lambda 
@@ -180,16 +270,70 @@ vulnerability objects." (('v id (packages ...)) (vulnerability id packages)))) +(define (cve-configuration->package-list config) + "Parse CONFIG, a config sexp, and return a list of the form (P SEXP) +where P is a package name and SEXP expresses constraints on the matching +versions." + (let loop ((config config) + (packages '())) + (match config + (('or configs ...) + (fold loop packages configs)) + (('and config _ ...) ;XXX + (loop config packages)) + (((? string? package) '_) ;any version + (cons `(,package _) + (alist-delete package packages))) + (((? string? package) sexp) + (let ((previous (assoc-ref packages package))) + (if previous + (cons `(,package (or ,sexp ,@previous)) + (alist-delete package packages)) + (cons `(,package ,sexp) packages))))))) + +(define (merge-package-lists lst) + "Merge the list in LST, each of which has the form (p sexp), where P +is the name of a package and SEXP is an sexp that constrains matching +versions." + (fold (lambda (plist result) ;XXX: quadratic + (fold (match-lambda* + (((package version) result) + (match (assoc-ref result package) + (#f + (cons `(,package ,version) result)) + ((previous) + (cons `(,package (or ,version ,previous)) + (alist-delete package result)))))) + result + plist)) + '() + lst)) + +(define (cve-item->vulnerability item) + "Return a corresponding to ITEM, a record; +return #f if ITEM does not list any configuration or if it does not list +any \"a\" (application) configuration." + (let ((id (cve-id (cve-item-cve item)))) + (match (cve-item-configurations item) + (() ;no configurations + #f) + ((configs ...) + (vulnerability id + (merge-package-lists + (map cve-configuration->package-list configs))))))) + +(define (json->vulnerabilities json) + "Parse JSON, an input port or a string, and return the list of +vulnerabilities found therein." 
+ (filter-map cve-item->vulnerability (json->cve-items json))) + (define (write-cache input cache) - "Read vulnerabilities as gzipped XML from INPUT, and write it as a compact + "Read vulnerabilities as gzipped JSON from INPUT, and write it as a compact sexp to CACHE." (call-with-decompressed-port 'gzip input (lambda (input) - ;; XXX: The SSAX "error port" is used to send pointless warnings such as - ;; "warning: Skipping PI". Turn that off. (define vulns - (parameterize ((current-ssax-error-port (%make-void-port "w"))) - (xml->vulnerabilities input))) + (json->vulnerabilities input)) (write `(vulnerabilities 1 ;format version @@ -215,7 +359,7 @@ the given TTL (fetch from the NIST web site when TTL has expired)." (lambda () (read-options options))))) - ;; Note: We used to keep the original XML files in cache but parsing it + ;; Note: We used to keep the original JSON files in cache but parsing it ;; would take typically ~15s for a year of data. Thus, we instead store a ;; summarized version thereof as an sexp, which can be parsed in 1s or so. (let* ((port (http-fetch/cached (yearly-feed-uri year) @@ -269,8 +413,8 @@ vulnerabilities affecting the given package version." (vhash-fold* (if version (lambda (pair result) (match pair - ((vuln . versions) - (if (member version versions) + ((vuln sexp) + (if (version-matches? version sexp) (cons vuln result) result)))) (lambda (pair result) diff --git a/tests/cve-sample.json b/tests/cve-sample.json new file mode 100644 index 0000000000..39816f9dd4 --- /dev/null +++ b/tests/cve-sample.json 
@@ -0,0 +1,1279 @@ +{ + "CVE_data_type" : "CVE", + "CVE_data_format" : "MITRE", + "CVE_data_version" : "4.0", + "CVE_data_numberOfCVEs" : "9826", + "CVE_data_timestamp" : "2019-10-17T07:00Z", + "CVE_Items" : [ { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-0001", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-400" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/106541", + "name" : "106541", + "refsource" : "BID", + "tags" : [ "Third Party Advisory", "VDB Entry" ] + }, { + "url" : "https://kb.juniper.net/JSA10900", + "name" : "https://kb.juniper.net/JSA10900", + "refsource" : "CONFIRM", + "tags" : [ "Vendor Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2." 
+ } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:*:*:*:*:*:*:*" + } ] + } { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.2:*:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:r1-s3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:r1-s4:*:*:*:*:*:*" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "attackVector" : "NETWORK", + "attackComplexity" : "HIGH", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseScore" : 5.9, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 2.2, + "impactScore" : 3.6 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "baseScore" : 7.1 + }, + "severity" : "HIGH", + "exploitabilityScore" : 8.6, + "impactScore" : 6.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + 
"obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-01-15T21:29Z", + "lastModifiedDate" : "2019-10-09T23:43Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-0005", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-400" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/106665", + "name" : "106665", + "refsource" : "BID", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://kb.juniper.net/JSA10905", + "name" : "https://kb.juniper.net/JSA10905", + "refsource" : "CONFIRM", + "tags" : [ "Vendor Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "On EX2300, EX3400, EX4600, QFX3K and QFX5K series, firewall filter configuration cannot perform packet matching on any IPv6 extension headers. This issue may allow IPv6 packets that should have been blocked to be forwarded. IPv4 packet filtering is unaffected by this vulnerability. Affected releases are Juniper Networks Junos OS on EX and QFX series;: 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1R7; 15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110 series; 15.1X53 versions prior to 15.1X53-D591 on EX2300/EX3400 series; 16.1 versions prior to 16.1R7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2." 
+ } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d10:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d15:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d16:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d25:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d26:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d27:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d35:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d40:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d42:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d43:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d44:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d45:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d46:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + 
"vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r2:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r4:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r5:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r6:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : 
"cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d20:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d34:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d50:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d51:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d52:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : 
"cpe:2.3:o:juniper:junos:15.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d20:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d210:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d230:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d234:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d34:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d50:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d51:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d52:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d55:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d57:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d58:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d59:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d590:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + 
"vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r2:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r3-s10:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r4:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r5:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r6:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r6-s6:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r7:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : 
"cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r1-s7:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : 
"cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:gfx3600:-:*:*:*:*:*:*:*" + }, { + 
"vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.4:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.4:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + 
"operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.1:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseScore" : 5.3, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 3.9, + "impactScore" : 1.4 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "accessVector" : "NETWORK", + 
"accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "baseScore" : 5.0 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 10.0, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-01-15T21:29Z", + "lastModifiedDate" : "2019-02-14T18:40Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-14811", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-264" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html", + "name" : "openSUSE-SU-2019:2223", + "refsource" : "SUSE", + "tags" : [ ] + }, { + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html", + "name" : "openSUSE-SU-2019:2222", + "refsource" : "SUSE", + "tags" : [ ] + }, { + "url" : "https://access.redhat.com/errata/RHBA-2019:2824", + "name" : "RHBA-2019:2824", + "refsource" : "REDHAT", + "tags" : [ ] + }, { + "url" : "https://access.redhat.com/errata/RHSA-2019:2594", + "name" : "RHSA-2019:2594", + "refsource" : "REDHAT", + "tags" : [ ] + }, { + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811", + "refsource" : "CONFIRM", + "tags" : [ "Exploit", "Issue Tracking", "Mitigation", "Patch", "Third Party Advisory" ] + }, { + "url" : "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html", + "name" : "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update", + "refsource" : "MLIST", + "tags" : [ ] + }, { + "url" : 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/", + "name" : "FEDORA-2019-ebd6c4f15a", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/", + "name" : "FEDORA-2019-0a9d525d71", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/", + "name" : "FEDORA-2019-953fc0f16d", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://seclists.org/bugtraq/2019/Sep/15", + "name" : "20190910 [SECURITY] [DSA 4518-1] ghostscript security update", + "refsource" : "BUGTRAQ", + "tags" : [ ] + }, { + "url" : "https://www.debian.org/security/2019/dsa-4518", + "name" : "DSA-4518", + "refsource" : "DEBIAN", + "tags" : [ ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands." 
+ } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.28" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 6.8 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-09-03T16:15Z", + "lastModifiedDate" : "2019-09-10T03:15Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-17365", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-276" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/09/4", + "name" : "http://www.openwall.com/lists/oss-security/2019/10/09/4", + "refsource" : "MISC", + "tags" : [ "Exploit", "Mailing List", "Third Party Advisory" ] 
+ }, { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/10/1", + "name" : "[oss-security] 20191010 Re: CVE-2019-17365: Nix per-user profile directory hijack", + "refsource" : "MLIST", + "tags" : [ "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "2.3" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.1", + "vectorString" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "LOW", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "accessVector" : "LOCAL", + "accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 4.6 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 3.9, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-10-09T22:15Z", + "lastModifiedDate" : "2019-10-11T13:19Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" 
: { + "ID" : "CVE-2019-1010180", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-119" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/109367", + "name" : "109367", + "refsource" : "BID", + "tags" : [ "Third Party Advisory", "VDB Entry" ] + }, { + "url" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23657", + "name" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23657", + "refsource" : "MISC", + "tags" : [ "Exploit", "Issue Tracking", "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:gdb:*:*:*:*:*:*:*:*" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + 
"availabilityImpact" : "PARTIAL", + "baseScore" : 6.8 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-07-24T13:15Z", + "lastModifiedDate" : "2019-08-01T15:39Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-1010204", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-125" + }, { + "lang" : "en", + "value" : "CWE-20" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "https://security.netapp.com/advisory/ntap-20190822-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20190822-0001/", + "refsource" : "CONFIRM", + "tags" : [ ] + }, { + "url" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "name" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "refsource" : "MISC", + "tags" : [ "Issue Tracking", "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened." 
+ } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "2.21", + "versionEndIncluding" : "2.31.1" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:binutils_gold:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "1.11", + "versionEndIncluding" : "1.16" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseScore" : 5.5, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 3.6 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL", + "baseScore" : 4.3 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-07-23T14:15Z", + "lastModifiedDate" : "2019-08-22T07:15Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-18192", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/17/3", + "name" : 
"[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory", + "refsource" : "MLIST", + "tags" : [ ] + }, { + "url" : "https://issues.guix.gnu.org/issue/37744", + "name" : "https://issues.guix.gnu.org/issue/37744", + "refsource" : "MISC", + "tags" : [ ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ ] + }, + "impact" : { }, + "publishedDate" : "2019-10-17T20:15Z", + "lastModifiedDate" : "2019-10-17T20:29Z" + } ] +} diff --git a/tests/cve-sample.xml b/tests/cve-sample.xml deleted file mode 100644 index ce158490f1..0000000000 --- a/tests/cve-sample.xml +++ /dev/null 
@@ -1,616 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cpe:/o:microsoft:windows_2000::sp2:professional - cpe:/o:linux:linux_kernel:2.4.4 - cpe:/o:microsoft:windows_2000_terminal_services::sp1 - cpe:/o:microsoft:windows_2000::sp1:advanced_server - cpe:/o:linux:linux_kernel:2.4.19 - cpe:/o:microsoft:windows_2000::sp2:advanced_server - cpe:/o:microsoft:windows_2000_terminal_services - cpe:/o:microsoft:windows_2000:::advanced_server - cpe:/o:linux:linux_kernel:2.4.20 - cpe:/o:netbsd:netbsd:1.5.1 - cpe:/o:microsoft:windows_2000_terminal_services::sp2 - cpe:/o:netbsd:netbsd:1.5.3 - cpe:/o:netbsd:netbsd:1.5.2 - cpe:/o:linux:linux_kernel:2.4.6 - cpe:/o:linux:linux_kernel:2.4.9 - cpe:/o:microsoft:windows_2000:::datacenter_server - cpe:/o:netbsd:netbsd:1.6 - cpe:/o:netbsd:netbsd:1.5 - cpe:/o:linux:linux_kernel:2.4.7 - cpe:/o:linux:linux_kernel:2.4.8 - cpe:/o:microsoft:windows_2000::sp1:datacenter_server - cpe:/o:microsoft:windows_2000::sp2:datacenter_server - cpe:/o:freebsd:freebsd:4.3 - cpe:/o:linux:linux_kernel:2.4.10 - cpe:/o:microsoft:windows_2000::sp1:server - cpe:/o:freebsd:freebsd:4.5 - cpe:/o:linux:linux_kernel:2.4.12 - cpe:/o:freebsd:freebsd:4.2 - cpe:/o:freebsd:freebsd:4.7 - cpe:/o:freebsd:freebsd:4.4 - cpe:/o:freebsd:freebsd:4.6 - cpe:/o:microsoft:windows_2000::sp2:server - cpe:/o:linux:linux_kernel:2.4.18 - cpe:/o:linux:linux_kernel:2.4.1 - cpe:/o:linux:linux_kernel:2.4.15 - cpe:/o:microsoft:windows_2000:::server - cpe:/o:linux:linux_kernel:2.4.17 - cpe:/o:linux:linux_kernel:2.4.14 - cpe:/o:linux:linux_kernel:2.4.2 - cpe:/o:microsoft:windows_2000:::professional - cpe:/o:linux:linux_kernel:2.4.11 - cpe:/o:linux:linux_kernel:2.4.5 - cpe:/o:linux:linux_kernel:2.4.16 - cpe:/o:microsoft:windows_2000::sp1:professional - cpe:/o:linux:linux_kernel:2.4.13 - cpe:/o:linux:linux_kernel:2.4.3 - - CVE-2003-0001 - 2003-01-17T00:00:00.000-05:00 - 2015-11-24T13:05:47.073-05:00 - - - 5.0 - NETWORK - LOW - 
NONE - PARTIAL - NONE - NONE - http://nvd.nist.gov - 2015-11-24T12:23:33.593-05:00 - - - - - - CERT-VN - VU#412115 - - - BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - BUGTRAQ - 20030117 Re: More information regarding Etherleak - - - BUGTRAQ - 20030106 Etherleak: Ethernet frame padding information leakage (A010603-1) - - - REDHAT - RHSA-2003:088 - - - REDHAT - RHSA-2003:025 - - - OSVDB - 9962 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - - - MISC - http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf - - - ATSTAKE - A010603-1 - - - FULLDISC - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html - - - BUGTRAQ - 20030110 More information regarding Etherleak - - - VULNWATCH - 20030110 More information regarding Etherleak - - - - - Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. 
- - - - - - - - - cpe:/a:tcp:tcp - - CVE-2004-0230 - 2004-08-18T00:00:00.000-04:00 - 2015-11-24T13:06:40.597-05:00 - - - 5.0 - NETWORK - LOW - NONE - NONE - NONE - PARTIAL - http://nvd.nist.gov - 2015-11-24T12:17:30.930-05:00 - - - - - - - - - CERT - TA04-111A - - - CERT-VN - VU#415294 - - - CONFIRM - https://kc.mcafee.com/corporate/index?page=content&id=SB10053 - - - XF - tcp-rst-dos(15886) - - - VUPEN - ADV-2006-3983 - - - MISC - http://www.uniras.gov.uk/vuls/2004/236929/index.htm - - - BID - 10183 - - - BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - HP - SSRT061264 - - - OSVDB - 4030 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - - - MS - MS06-064 - - - MS - MS05-019 - - - CISCO - 20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products - - - FULLDISC - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html - - - HP - SSRT4696 - - - BUGTRAQ - 20040425 Perl code exploting TCP not checking RST ACK. - - - CONFIRM - http://kb.juniper.net/JSA10638 - - - SGI - 20040403-01-A - - - SCO - SCOSA-2005.14 - - - SCO - SCOSA-2005.9 - - - SCO - SCOSA-2005.3 - - - NETBSD - NetBSD-SA2004-006 - - - - - - - - - - - - - - - - - TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. 
- - - - - - - - - - cpe:/a:vastal:phpvid:1.1 - cpe:/a:vastal:phpvid:1.2 - - CVE-2008-2335 - 2008-05-19T09:20:00.000-04:00 - 2015-11-24T11:45:25.057-05:00 - - - 4.3 - NETWORK - MEDIUM - NONE - NONE - PARTIAL - NONE - http://nvd.nist.gov - 2015-11-24T10:50:05.737-05:00 - - - - - XF - phpvid-query-xss(42450) - - - VUPEN - ADV-2008-2552 - - - BID - 29238 - - - MILW0RM - 6422 - - - EXPLOIT-DB - 27519 - - - MISC - http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/ - - - FULLDISC - 20150310 Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities - - - MISC - http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html - - - MISC - http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html - - - OSVDB - 45171 - - - MISC - http://holisticinfosec.org/content/view/65/45/ - - Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected. 
- - - - - - - - - - - - - - cpe:/a:redhat:enterprise_virtualization:3.5 - cpe:/a:jasper_project:jasper:1.900.1 - - CVE-2008-3522 - 2008-10-02T14:18:05.790-04:00 - 2015-11-24T11:46:04.933-05:00 - - - 10.0 - NETWORK - LOW - NONE - COMPLETE - COMPLETE - COMPLETE - http://nvd.nist.gov - 2015-11-24T10:05:46.467-05:00 - - - ALLOWS_ADMIN_ACCESS - - - XF - jasper-jasstreamprintf-bo(45623) - - - UBUNTU - USN-742-1 - - - BID - 31470 - - - MANDRIVA - MDVSA-2009:164 - - - MANDRIVA - MDVSA-2009:144 - - - MANDRIVA - MDVSA-2009:142 - - - GENTOO - GLSA-200812-18 - - - REDHAT - RHSA-2015:0698 - - - MISC - http://bugs.gentoo.org/show_bug.cgi?id=222819 - - - MISC - http://bugs.gentoo.org/attachment.cgi?id=163282&action=view - - Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~ - cpe:/o:canonical:ubuntu_linux:8.04:-:lts - cpe:/o:canonical:ubuntu_linux:10.10 - cpe:/a:sun:openoffice.org:2.1.0 - cpe:/a:sun:openoffice.org:2.3.0 - cpe:/a:sun:openoffice.org:2.2.1 - - - CVE-2009-3301 - 2010-02-16T14:30:00.533-05:00 - 2015-11-17T10:59:44.723-05:00 - - - 9.3 - NETWORK - MEDIUM - NONE - COMPLETE - COMPLETE - COMPLETE - http://nvd.nist.gov - 2015-11-17T10:02:50.097-05:00 - - - - - - CERT - TA10-287A - - - CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=533038 - - - XF - openoffice-word-sprmtdeftable-bo(56240) - - - VUPEN - ADV-2010-2905 - - - VUPEN - ADV-2010-0635 - - - VUPEN - ADV-2010-0366 - - - UBUNTU - USN-903-1 - - - BID - 38218 - - - REDHAT - RHSA-2010:0101 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html - - - CONFIRM - http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html - - - CONFIRM - http://www.openoffice.org/security/bulletin.html - - - 
MANDRIVA - MDVSA-2010:221 - - - GENTOO - GLSA-201408-19 - - - DEBIAN - DSA-1995 - - - SECTRACK - 1023591 - - - SUSE - SUSE-SA:2010:017 - - - - - Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document. - - - CVE-2015-8330 - 2015-11-24T15:59:25.897-05:00 - 2015-11-24T15:59:26.930-05:00 - - MISC - https://www.onapsis.com/blog/analyzing-sap-security-notes-november-2015 - - - MISC - http://erpscan.com/advisories/erpscan-15-032-sap-pco-agent-dos-vulnerability/ - - The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619. - - diff --git a/tests/cve.scm b/tests/cve.scm index e95b21c073..b69da0e120 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016 Ludovic Courtès +;;; Copyright © 2015, 2016, 2019 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -19,10 +19,11 @@ (define-module (test-cve) #:use-module (guix cve) #:use-module (srfi srfi-1) + #:use-module (srfi srfi-19) #:use-module (srfi srfi-64)) (define %sample - (search-path %load-path "tests/cve-sample.xml")) + (search-path %load-path "tests/cve-sample.json")) (define (vulnerability id packages) (make-struct/no-tail (@@ (guix cve) ) id packages)) 
@@ -30,34 +31,76 @@ (define %expected-vulnerabilities ;; What we should get when reading %SAMPLE. (list - ;; CVE-2003-0001 has no "/a" in its product list so it is omitted. - ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number. - (vulnerability "CVE-2008-2335" '(("phpvid" "1.2" "1.1"))) - (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" "3.5") - ("jasper" "1.900.1"))) - (vulnerability "CVE-2009-3301" '(("openoffice.org" "2.3.0" "2.2.1" "2.1.0"))) - ;; CVE-2015-8330 has no software list. + (vulnerability "CVE-2019-0001" + ;; Only the "a" CPE configurations are kept; the "o" + ;; configurations are discarded. + '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) + (vulnerability "CVE-2019-0005" + '(("junos" (or "18.11" "18.1")))) + ;; CVE-2019-0005 has no "a" configurations. + (vulnerability "CVE-2019-14811" + '(("ghostscript" (< "9.28")))) + (vulnerability "CVE-2019-17365" + '(("nix" (<= "2.3")))) + (vulnerability "CVE-2019-1010180" + '(("gdb" _))) ;any version + (vulnerability "CVE-2019-1010204" + '(("binutils" (and (>= "2.21") (<= "2.31.1"))) + ("binutils_gold" (and (>= "1.11") (<= "1.16"))))) + ;; CVE-2019-18192 has no associated configurations. 
)) (test-begin "cve") -(test-equal "xml->vulnerabilities" +(test-equal "json->cve-items" + '("CVE-2019-0001" + "CVE-2019-0005" + "CVE-2019-14811" + "CVE-2019-17365" + "CVE-2019-1010180" + "CVE-2019-1010204" + "CVE-2019-18192") + (map (compose cve-id cve-item-cve) + (call-with-input-file %sample json->cve-items))) + +(test-equal "cve-item-published-date" + '(2019) + (delete-duplicates + (map (compose date-year cve-item-published-date) + (call-with-input-file %sample json->cve-items)))) + +(test-equal "json->vulnerabilities" %expected-vulnerabilities - (call-with-input-file %sample xml->vulnerabilities)) + (call-with-input-file %sample json->vulnerabilities)) (test-equal "vulnerabilities->lookup-proc" - (list (list (first %expected-vulnerabilities)) + (list (list (third %expected-vulnerabilities)) ;ghostscript + (list (third %expected-vulnerabilities)) + '() + + (list (fifth %expected-vulnerabilities)) ;gdb + (list (fifth %expected-vulnerabilities)) + + (list (fourth %expected-vulnerabilities)) ;nix '() + + (list (sixth %expected-vulnerabilities)) ;binutils '() - (list (second %expected-vulnerabilities)) - (list (third %expected-vulnerabilities))) - (let* ((vulns (call-with-input-file %sample xml->vulnerabilities)) + (list (sixth %expected-vulnerabilities)) + '()) + (let* ((vulns (call-with-input-file %sample json->vulnerabilities)) (lookup (vulnerabilities->lookup-proc vulns))) - (list (lookup "phpvid") - (lookup "jasper" "2.0") - (lookup "foobar") - (lookup "jasper" "1.900.1") - (lookup "openoffice.org" "2.3.0")))) + (list (lookup "ghostscript") + (lookup "ghostscript" "9.27") + (lookup "ghostscript" "9.28") + (lookup "gdb") + (lookup "gdb" "42.0") + (lookup "nix") + (lookup "nix" "2.4") + (lookup "binutils" "2.31.1") + (lookup "binutils" "2.10") + (lookup "binutils_gold" "1.11") + (lookup "binutils" "2.32")))) (test-end "cve") -- 2.23.0 From unknown Sat Aug 16 18:45:38 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#37838] [PATCH 2/2] lint: Re-enable CVE checker. 
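Review bot: in the `%expected-vulnerabilities` part of the `@@ -30,34 +31,76 @@` hunk, the comment `;; CVE-2019-0005 has no "a" configurations.` sits directly under an entry that gives CVE-2019-0005 an "a" configuration, `'(("junos" (or "18.11" "18.1")))`, so one of the two is wrong; `json->cve-items` is expected to yield seven ids while only six get a `vulnerability` entry, and the trailing comment already attributes that gap to CVE-2019-18192, so this comment should name the right CVE or be dropped. The `vulnerabilities->lookup-proc` cases also never query a package whose constraint is an `or` of literal versions (the two junos entries) nor a version sitting exactly on the `>=` lower bound of `binutils` (`"2.21"`; only `binutils_gold`'s `"1.11"` covers an inclusive lower bound), so `(lookup "junos" "18.1")` and `(lookup "binutils" "2.21")` would pin down those branches.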
From: Ludovic Courtès
Date: Sun, 20 Oct 2019 23:20:31 +0200
Message-Id: <20191020212031.2854-2-ludo@gnu.org>
In-Reply-To: <20191020212031.2854-1-ludo@gnu.org>

This reverts d7fcd9c565812919109ae88049f5d8bf4c56f9bd.

* guix/lint.scm (%network-dependent-checkers): Re-enable 'cve checker.
---
guix/lint.scm | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/guix/lint.scm b/guix/lint.scm index 6336cf4e3b..03a8e88225 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -1319,17 +1319,11 @@ or a list thereof") (name 'github-url) (description "Suggest GitHub URLs") (check check-github-url)) - - ;; FIXME: Commented out as a consequence of the XML CVE feed retirement: - ;; . - ;; Reinstate it once the JSON feed is supported. - - ;; (lint-checker - ;; (name 'cve) - ;; (description "Check the Common Vulnerabilities and Exposures\ - ;; (CVE) database") - ;; (check check-vulnerabilities)) - + (lint-checker + (name 'cve) + (description "Check the Common Vulnerabilities and Exposures\ + (CVE) database") + (check check-vulnerabilities)) (lint-checker (name 'refresh) (description "Check the package for new upstream releases") -- 2.23.0

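Review bot: the `@@ -1319,17 +1319,11 @@` hunk puts the `cve` checker back into `%network-dependent-checkers` but shows nothing about what happens when the feed download fails; that lives in `check-vulnerabilities`, and later in this thread `guix lint -c cve` aborts during "fetching CVE database for 2019" with `guix/lint.scm:983:24: Throw to key `srfi-34'`, so it is worth confirming that a failed or partial fetch of the JSON feed is reported as a lint warning rather than surfacing as an uncaught exception.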
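As an added illustration, not code from the patch or from Guix itself: a small Guile Scheme matcher for the version-constraint forms that the new `tests/cve.scm` expects (guix cve) to derive from the JSON feed's version ranges (the point made in the cover letter), plus a lookup procedure with the semantics the `vulnerabilities->lookup-proc` test exercises. `compare-versions` is a simplified stand-in for Guix's own version comparison, `make-lookup` is a hypothetical counterpart of the project's lookup procedure, and `%sample-vulnerabilities` is constructed to mirror the test's expected entries.

```scheme
;; Added example, not part of the Guix patch: match the constraint
;; language used in tests/cve.scm's %expected-vulnerabilities.
(use-modules (srfi srfi-1)
             (ice-9 match)
             (ice-9 optargs))

;; Split "2.31.1" into (2 31 1).  A tail such as "21-s4" in "18.21-s4"
;; stays a string; such versions are only compared for equality by the
;; `or' form in the tests, so the simplification is harmless here.
(define (version-components version)
  (map (lambda (part) (or (string->number part) part))
       (string-split version #\.)))

(define (component->string x)
  (if (number? x) (number->string x) x))

;; Simplified stand-in for Guix's version comparison (assumption: this
;; is not the real (guix utils) procedure).  Returns 'less, 'equal or
;; 'greater.
(define (compare-versions a b)
  (let loop ((xs (version-components a))
             (ys (version-components b)))
    (match (cons xs ys)
      ((() . ()) 'equal)
      ((() . _) 'less)                  ;"2.3" is less than "2.3.1"
      ((_ . ()) 'greater)
      (((x . xs*) . (y . ys*))
       (cond ((equal? x y) (loop xs* ys*))
             ((and (number? x) (number? y))
              (if (< x y) 'less 'greater))
             (else
              (if (string<? (component->string x) (component->string y))
                  'less 'greater)))))))

(define (compare-in? version bound allowed)
  (and (memq (compare-versions version bound) allowed) #t))

;; CONSTRAINT is one of: a version string (exact match), the symbol `_'
;; (any version), (< V), (<= V), (> V), (>= V), (or C1 C2), (and C1 C2).
(define (version-matches? version constraint)
  (match constraint
    ('_ #t)
    ((? string? exact) (string=? version exact))
    (('< bound)  (compare-in? version bound '(less)))
    (('<= bound) (compare-in? version bound '(less equal)))
    (('> bound)  (compare-in? version bound '(greater)))
    (('>= bound) (compare-in? version bound '(greater equal)))
    (('or c1 c2) (or (version-matches? version c1)
                     (version-matches? version c2)))
    (('and c1 c2) (and (version-matches? version c1)
                       (version-matches? version c2)))
    (_ (error "unsupported version constraint" constraint))))

;; Constructed sample mirroring entries from the patch's expected list:
;; (CVE-ID (PACKAGE CONSTRAINT) ...).
(define %sample-vulnerabilities
  '(("CVE-2019-0001" ("junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))
    ("CVE-2019-14811" ("ghostscript" (< "9.28")))
    ("CVE-2019-17365" ("nix" (<= "2.3")))
    ("CVE-2019-1010180" ("gdb" _))
    ("CVE-2019-1010204" ("binutils" (and (>= "2.21") (<= "2.31.1")))
                        ("binutils_gold" (and (>= "1.11") (<= "1.16"))))))

;; Hypothetical counterpart of the procedure the test builds with
;; vulnerabilities->lookup-proc: given a package name and, optionally, a
;; version, return the matching CVE ids.  Without a version every entry
;; for that package matches, as (lookup "ghostscript") does in the test.
(define (make-lookup vulnerabilities)
  (lambda* (package #:optional version)
    (filter-map (match-lambda
                  ((id . packages)
                   (and (any (match-lambda
                               ((name constraint)
                                (and (string=? name package)
                                     (or (not version)
                                         (version-matches? version constraint)))))
                             packages)
                        id)))
                vulnerabilities)))

;; Replay the lookups from the test, one query per line.
(let ((lookup (make-lookup %sample-vulnerabilities)))
  (for-each (lambda (query)
              (format #t "~a -> ~s~%" query (apply lookup query)))
            '(("ghostscript") ("ghostscript" "9.27") ("ghostscript" "9.28")
              ("gdb" "42.0") ("nix" "2.4")
              ("binutils" "2.31.1") ("binutils" "2.10")
              ("binutils_gold" "1.11") ("binutils" "2.32")
              ("junos" "18.2") ("junos" "18.3"))))
```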
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Ludovic Courtès
Subject: bug#37838: closed (Re: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed)
Date: Wed, 23 Oct 2019 14:50:02 +0000

Your bug report

#37838: [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 37838@debbugs.gnu.org.

-- 
37838: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37838
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: 37838-done@debbugs.gnu.org
Subject: Re: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
Date: Wed, 23 Oct 2019 16:48:52 +0200
Message-ID: <87o8y7sejv.fsf@gnu.org>
In-Reply-To: <20191020203451.1912-1-ludo@gnu.org>

Hello,

Ludovic Courtès skribis:

> cve: Rewrite to read the JSON feed instead of the XML feed.
> lint: Re-enable CVE checker.

Pushed as 9efa2c28a4f842b7ca1977e084299de441842856.

Please let me know if you notice anything fishy with ‘guix lint -c cve’: CVEs not showing up, CVEs showing up that should not, etc.

Ludo’.

Subject: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
To: 37838-done@debbugs.gnu.org, ludo@gnu.org
Date: Wed, 23 Oct 2019 19:46:29 +0300
From: Efraim Flashner
Message-ID: <20191023164629.GA15460@E5400>
In-Reply-To: <87o8y7sejv.fsf@gnu.org>

On Wed, Oct 23, 2019 at 04:48:52PM +0200, Ludovic Courtès wrote:
> Hello,
> 
> Ludovic Courtès skribis:
> 
> > cve: Rewrite to read the JSON feed instead of the XML feed.
> > lint: Re-enable CVE checker.
> 
> Pushed as 9efa2c28a4f842b7ca1977e084299de441842856.
> 
> Please let me know if you notice anything fishy with ‘guix lint -c cve’:
> CVEs not showing up, CVEs showing up that should not, etc.
> 

Sorry to respond to a closed bug, the CVE for vim shows up as expected.
(I was actually a little worried before when it wasn't showing up)

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Subject: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
To: Ludovic Courtès, 37838-done@debbugs.gnu.org
From: Marius Bakke
Date: Wed, 23 Oct 2019 19:35:55 +0200
Message-ID: <871rv3xt38.fsf@devup.no>
In-Reply-To: <87o8y7sejv.fsf@gnu.org>

Ludovic Courtès writes:

> Hello,
>
> Ludovic Courtès skribis:
>
>> cve: Rewrite to read the JSON feed instead of the XML feed.
>> lint: Re-enable CVE checker.
>
> Pushed as 9efa2c28a4f842b7ca1977e084299de441842856.
>
> Please let me know if you notice anything fishy with ‘guix lint -c cve’:
> CVEs not showing up, CVEs showing up that should not, etc.

Here is what I get (on ee42e9f9f):

$ ./pre-inst-env guix lint -c cve ao
fetching CVE database for 2019...]...
Backtrace:
          11 (apply-smob/1 #)
In ice-9/boot-9.scm:
    705:2 10 (call-with-prompt _ _ #)
In ice-9/eval.scm:
    619:8  9 (_ #(#(#)))
In guix/ui.scm:
  1730:12  8 (run-guix-command _ . _)
In srfi/srfi-1.scm:
    640:9  7 (for-each # ("ao"))
In guix/scripts/lint.scm:
     57:4  6 (run-checkers _ _)
In srfi/srfi-1.scm:
    640:9  5 (for-each # (#< name: c…>))
In guix/scripts/lint.scm:
    64:17  4 (_ _)
In guix/lint.scm:
    999:4  3 (check-vulnerabilities _)
    994:9  2 (_ _)
In unknown file:
           1 (force #>)
In guix/lint.scm:
   983:24  0 (_)

guix/lint.scm:983:24: Throw to key `srfi-34' with args `(#)'.

I tried downloading the .json.gz files manually and they seem fine.

Subject: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
To: Marius Bakke
Cc: 37838-done@debbugs.gnu.org
From: Ludovic Courtès
Date: Fri, 25 Oct 2019 18:18:37 +0200
Message-ID: <877e4spzmq.fsf@gnu.org>
In-Reply-To: <871rv3xt38.fsf@devup.no> (Marius Bakke's message of "Wed, 23 Oct 2019 19:35:55 +0200")

Hi Marius,

Marius Bakke skribis:

> Ludovic Courtès writes:
>
>> Hello,
>>
>> Ludovic Courtès skribis:
>>
>>> cve: Rewrite to read the JSON feed instead of the XML feed.
>>> lint: Re-enable CVE checker.
>>
>> Pushed as 9efa2c28a4f842b7ca1977e084299de441842856.
>>
>> Please let me know if you notice anything fishy with ‘guix lint -c cve’:
>> CVEs not showing up, CVEs showing up that should not, etc.
>
> Here is what I get (on ee42e9f9f):
>
> $ ./pre-inst-env guix lint -c cve ao
> fetching CVE database for 2019...]...
> Backtrace:
>           11 (apply-smob/1 #)
> In ice-9/boot-9.scm:
>     705:2 10 (call-with-prompt _ _ #)
> In ice-9/eval.scm:
>     619:8  9 (_ #(#(#)))
> In guix/ui.scm:
>   1730:12  8 (run-guix-command _ . _)
> In srfi/srfi-1.scm:
>     640:9  7 (for-each # ("ao"))
> In guix/scripts/lint.scm:
>      57:4  6 (run-checkers _ _)
> In srfi/srfi-1.scm:
>     640:9  5 (for-each # (#< name: c…>))
> In guix/scripts/lint.scm:
>     64:17  4 (_ _)
> In guix/lint.scm:
>     999:4  3 (check-vulnerabilities _)
>     994:9  2 (_ _)
> In unknown file:
>            1 (force #>)
> In guix/lint.scm:
>    983:24  0 (_)
>
> guix/lint.scm:983:24: Throw to key `srfi-34' with args `(#)'.
>
> I tried downloading the .json.gz files manually and they seem fine.

I don’t encounter this problem. Is it reproducible for you?

Thanks,
Ludo’.

Subject: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
To: Ludovic Courtès
Cc: 37838-done@debbugs.gnu.org
From: Marius Bakke
In-Reply-To: <877e4spzmq.fsf@gnu.org>
References: <20191020203451.1912-1-ludo@gnu.org> <87o8y7sejv.fsf@gnu.org> <871rv3xt38.fsf@devup.no> <877e4spzmq.fsf@gnu.org>
Date: Sun, 03 Nov 2019 18:29:58 +0100
Message-ID: <87k18gookp.fsf@devup.no>

Ludovic Courtès writes:

> Hi Marius,
>
> Marius Bakke skribis:
>
>> Ludovic Courtès writes:
>>
>>> Hello,
>>>
>>> Ludovic Courtès skribis:
>>>
>>>> cve: Rewrite to read the JSON feed instead of the XML feed.
>>>> lint: Re-enable CVE checker.
>>>
>>> Pushed as 9efa2c28a4f842b7ca1977e084299de441842856.
>>>
>>> Please let me know if you notice anything fishy with ‘guix lint -c cve’:
>>> CVEs not showing up, CVEs showing up that should not, etc.
>>
>> Here is what I get (on ee42e9f9f):
>>
>> $ ./pre-inst-env guix lint -c cve ao
>> fetching CVE database for 2019...]...
>> Backtrace:
>>           11 (apply-smob/1 #)
>> In ice-9/boot-9.scm:
>>     705:2 10 (call-with-prompt _ _ #)
>> In ice-9/eval.scm:
>>     619:8  9 (_ #(#(#)))
>> In guix/ui.scm:
>>   1730:12  8 (run-guix-command _ . _)
>> In srfi/srfi-1.scm:
>>     640:9  7 (for-each # ("ao"))
>> In guix/scripts/lint.scm:
>>      57:4  6 (run-checkers _ _)
>> In srfi/srfi-1.scm:
>>     640:9  5 (for-each # (#< name: c…>))
>> In guix/scripts/lint.scm:
>>     64:17  4 (_ _)
>> In guix/lint.scm:
>>     999:4  3 (check-vulnerabilities _)
>>     994:9  2 (_ _)
>> In unknown file:
>>            1 (force #>)
>> In guix/lint.scm:
>>    983:24  0 (_)
>>
>> guix/lint.scm:983:24: Throw to key `srfi-34' with args `(#)'.
>>
>> I tried downloading the .json.gz files manually and they seem fine.
>
> I don’t encounter this problem. Is it reproducible for you?

I still get this when using './pre-inst-env', even after a 'make
clean-go'. It works without the './pre-inst-env' script (!?).

Subject: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
Resent-From: Ludovic Courtès
Resent-Date: Mon, 04 Nov 2019 17:33:02 +0000
To: Marius Bakke
Cc: 37838-done@debbugs.gnu.org
From: Ludovic Courtès
References: <20191020203451.1912-1-ludo@gnu.org> <87o8y7sejv.fsf@gnu.org> <871rv3xt38.fsf@devup.no> <877e4spzmq.fsf@gnu.org> <87k18gookp.fsf@devup.no>
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
Date: Mon, 04 Nov 2019 18:32:19 +0100
In-Reply-To: <87k18gookp.fsf@devup.no> (Marius Bakke's message of "Sun, 03 Nov 2019 18:29:58 +0100")
Message-ID: <87eeyn7djw.fsf@gnu.org>

Hello,

Marius Bakke skribis:

> Ludovic Courtès writes:
>
>> Hi Marius,
>>
>> Marius Bakke skribis:
>>
>>> Ludovic Courtès writes:
>>>
>>>> Hello,
>>>>
>>>> Ludovic Courtès skribis:
>>>>
>>>>> cve: Rewrite to read the JSON feed instead of the XML feed.
>>>>> lint: Re-enable CVE checker.
>>>>
>>>> Pushed as 9efa2c28a4f842b7ca1977e084299de441842856.
>>>>
>>>> Please let me know if you notice anything fishy with ‘guix lint -c cve’:
>>>> CVEs not showing up, CVEs showing up that should not, etc.
>>>
>>> Here is what I get (on ee42e9f9f):
>>>
>>> $ ./pre-inst-env guix lint -c cve ao
>>> fetching CVE database for 2019...]...
>>> Backtrace:
>>>           11 (apply-smob/1 #)
>>> In ice-9/boot-9.scm:
>>>     705:2 10 (call-with-prompt _ _ #)
>>> In ice-9/eval.scm:
>>>     619:8  9 (_ #(#(#)))
>>> In guix/ui.scm:
>>>   1730:12  8 (run-guix-command _ . _)
>>> In srfi/srfi-1.scm:
>>>     640:9  7 (for-each # ("ao"))
>>> In guix/scripts/lint.scm:
>>>      57:4  6 (run-checkers _ _)
>>> In srfi/srfi-1.scm:
>>>     640:9  5 (for-each # (#< name: c…>))
>>> In guix/scripts/lint.scm:
>>>     64:17  4 (_ _)
>>> In guix/lint.scm:
>>>     999:4  3 (check-vulnerabilities _)
>>>     994:9  2 (_ _)
>>> In unknown file:
>>>            1 (force #>)
>>> In guix/lint.scm:
>>>    983:24  0 (_)
>>>
>>> guix/lint.scm:983:24: Throw to key `srfi-34' with args `(#)'.
>>>
>>> I tried downloading the .json.gz files manually and they seem fine.
>>
>> I don’t encounter this problem. Is it reproducible for you?
>
> I still get this when using './pre-inst-env', even after a 'make
> clean-go'. It works without the './pre-inst-env' script (!?).

Hmm hmm! Could you add some ‘pk’ calls around there in guix/lint.scm?

Ludo’.
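The backtrace above ends in "Throw to key `srfi-34' with args `(#)'", which names the exception mechanism but says nothing about the condition that was raised, and that is why the reply asks for ‘pk’ calls. The Guile program below is an added example, not code from the patch or from the Guix tree: it puts a deliberately failing fetch behind a promise, the way the lint checker defers the CVE database behind ‘force’, and shows how ‘pk’ plus a SRFI-34 ‘guard’ clause turn that opaque throw into the actual condition and its message. The ‘fetch-cve-year’ stand-in and its error text are constructed for the example; the real (guix cve) download code and its HTTP error conditions are not reproduced here, and the "Throw to key `srfi-34'" wording assumes Guile 2.2, where SRFI-34 ‘raise’ is implemented as a ‘throw’ to that key.

```scheme
;; Added example, not part of the patch or of (guix cve) / (guix lint).
;; Run with: guile this-file.scm
(use-modules (srfi srfi-34)   ; raise, guard
             (srfi srfi-35))  ; condition, &error, &message, condition-message

;; Constructed stand-in for fetching one year of the NIST JSON feed.  The
;; real checker downloads a .json.gz file; here the thunk simply fails with
;; a SRFI-35 condition carrying a message, which is the kind of object an
;; uncaught "srfi-34" throw wraps.
(define (fetch-cve-year year)
  (raise (condition (&error)
                    (&message
                     (message
                      (format #f "failed to fetch CVE feed for ~a" year))))))

;; As in the lint checker, the work is deferred behind a promise: nothing
;; runs until `force', so the failure surfaces at the `force' call site.
(define cve-database (delay (map fetch-cve-year '(2019))))

;; Unguarded, `force' re-raises and the top level prints only
;; "Throw to key `srfi-34' with args `(#<condition ...>)'" (Guile 2.2).
;; Uncomment to reproduce that failure mode:
;; (force cve-database)

;; Render a raised object in a way that tells the reader what it was.
(define (describe-condition c)
  (cond ((message-condition? c)
         (string-append "message condition: " (condition-message c)))
        ((condition? c)
         "SRFI-35 condition without a message")
        (else
         (format #f "non-condition object raised: ~s" c))))

;; `pk' writes its arguments to the current output port with a ";;;" prefix
;; and returns the last one, so it can wrap any sub-expression without
;; changing the value that flows through.  `guard' then catches whatever
;; `force' re-raises and reports it instead of letting it reach top level.
(define (force-with-diagnostics promise)
  (guard (c (else
             (pk 'caught-condition c)          ; show the raw object
             (format (current-error-port) "cve checker failed: ~a~%"
                     (describe-condition c))
             #f))
    (pk 'forced-value (force promise))))

(force-with-diagnostics cve-database)
```

Wrapping the `force' rather than the code inside the promise is the useful detail: a promise caches only a successful result, so an instrumented call site sees the same condition every time it is forced, and the ‘pk’ output makes clear whether the failure is in the download, in the decompression, or in the JSON mapping that the patch introduces.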