GNU bug report logs - #37838
[PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Sun, 20 Oct 2019 20:36:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Subject: bug#37838: closed (Re: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed)
Date: Wed, 23 Oct 2019 14:50:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#37838: [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 37838 <at> debbugs.gnu.org.

-- 
37838: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37838
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: 37838-done <at> debbugs.gnu.org
Subject: Re: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
Date: Wed, 23 Oct 2019 16:48:52 +0200
Hello,

Ludovic Courtès <ludo <at> gnu.org> skribis:

>   cve: Rewrite to read the JSON feed instead of the XML feed.
>   lint: Re-enable CVE checker.

Pushed as 9efa2c28a4f842b7ca1977e084299de441842856.

Please let me know if you notice anything fishy with ‘guix lint -c cve’:
CVEs not showing up, CVEs showing up that should not, etc.

Ludo’.

[Message part 3 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
Date: Sun, 20 Oct 2019 22:34:51 +0200
Hello!

Last Thursday I was surprised to see that ‘guix lint -c cve’
would be redirected to:

  https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3

… leading to a failure.

And indeed, the XML CVE feed has now been replaced by a JSON feed
(let’s hope they don’t switch to YAML next year :-)).  The JSON feed
seems to be nicer in some ways; for instance, it can specify ranges
of versions to which a given CVE applies.

The patch that follows rewrites (guix cve) so it gets info from the
JSON feed.  It does so by providing a one-to-one mapping between data
structures in JSON and Scheme records, and then converting those to
the higher-level <vulnerability> records that were already there before.

If you look at the JSON-mapped record types, there is a lot of
low-hanging fruit; for instance, we could grab severity info from
the JSON feeds and use it somehow.  I’m not sure if ‘guix lint’
is the best place to display detailed CVE info, but we could/should
use that info somehow.

Feedback welcome!

Ludo’.

Ludovic Courtès (2):
  cve: Rewrite to read the JSON feed instead of the XML feed.
  lint: Re-enable CVE checker.

 Makefile.am           |    2 +-
 doc/guix.texi         |    4 +-
 guix/cve.scm          |  376 ++++++++----
 guix/lint.scm         |   16 +-
 tests/cve-sample.json | 1279 +++++++++++++++++++++++++++++++++++++++++
 tests/cve-sample.xml  |  616 --------------------
 tests/cve.scm         |   83 ++-
 7 files changed, 1610 insertions(+), 766 deletions(-)
 create mode 100644 tests/cve-sample.json
 delete mode 100644 tests/cve-sample.xml

-- 
2.23.0
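The cover letter above describes the rewrite as a two-step mapping: JSON structures are mirrored one-to-one into records, and those records are then reduced to the higher-level <vulnerability> records the linter already consumed, now with the version ranges the JSON feed can express. The following is an added example in Python, not Guix's own (guix cve) code, that walks through the same shape of mapping so the practical consequences are visible: only `vulnerable` CPE matches count, `versionStart*`/`versionEnd*` bounds are honoured, nested configuration `children` are flattened, and version comparison is piecewise numeric rather than lexical (so 1.10 is correctly outside a 1.2.0 <= v < 1.2.5 window). It assumes the field names of NVD's JSON 1.0 feed layout (`CVE_Items`, `cve.CVE_data_meta.ID`, `configurations.nodes[].cpe_match[]` with `cpe23Uri`, `impact.baseMetricV3.cvssV3.baseSeverity`, `publishedDate`). The embedded feed is constructed for the example; the CVE IDs `CVE-0000-000x` and the `example:foo` / `example:bar` CPE names are placeholders, not real entries. The version ordering is a simple stand-in, not Guix's own `version>?`.

```python
"""Map NVD JSON 1.0 feed items onto compact vulnerability records.

Added example, not (guix cve).  Field names follow the NVD JSON 1.0 feed
layout as assumed here; the sample feed, CVE IDs and CPE names below are
constructed placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample feed (two placeholder items, not real CVEs).
SAMPLE_FEED = """{
  "CVE_data_type": "CVE", "CVE_data_format": "MITRE", "CVE_data_version": "4.0",
  "CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
             "description": {"description_data": [{"lang": "en", "value": "placeholder"}]}},
     "configurations": {"CVE_data_version": "4.0", "nodes": [
       {"operator": "OR", "cpe_match": [
         {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:example:foo:*:*:*:*:*:*:*:*",
          "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.5"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5, "baseSeverity": "HIGH"}}},
     "publishedDate": "2019-10-17T17:15Z"},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"},
             "description": {"description_data": [{"lang": "en", "value": "placeholder"}]}},
     "configurations": {"CVE_data_version": "4.0", "nodes": [
       {"operator": "OR", "cpe_match": [
         {"vulnerable": true,  "cpe23Uri": "cpe:2.3:a:example:bar:2.0:*:*:*:*:*:*:*"},
         {"vulnerable": false, "cpe23Uri": "cpe:2.3:a:example:bar:2.1:*:*:*:*:*:*:*"}]}]},
     "impact": {},
     "publishedDate": "2019-10-18T10:15Z"}
  ]
}"""


@dataclass(frozen=True)
class VersionRange:
    """Versions of one product a CVE applies to: an exact version, or bounds."""
    exact: Optional[str] = None
    start_incl: Optional[str] = None
    start_excl: Optional[str] = None
    end_incl: Optional[str] = None
    end_excl: Optional[str] = None


@dataclass
class Vulnerability:
    """The higher-level record the linter would consume."""
    cve_id: str
    published: str
    severity: Optional[str]
    affected: dict  # "vendor:product" -> list of VersionRange


def version_key(version: str) -> list:
    """Piecewise ordering: digit runs compare numerically, other runs as text."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[^\d.\-_]+", version)]


def in_range(r: VersionRange, version: str) -> bool:
    k = version_key(version)
    if r.exact is not None:
        return k == version_key(r.exact)
    if r.start_incl is not None and k < version_key(r.start_incl):
        return False
    if r.start_excl is not None and k <= version_key(r.start_excl):
        return False
    if r.end_incl is not None and k > version_key(r.end_incl):
        return False
    if r.end_excl is not None and k >= version_key(r.end_excl):
        return False
    return True


_CPE_SEP = re.compile(r"(?<!\\):")  # CPE 2.3 escapes a literal colon as "\:"


def parse_cpe23(uri: str):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    fields = _CPE_SEP.split(uri)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {uri!r}")
    return fields[2], fields[3], fields[4], fields[5]


def match_to_range(m: dict) -> VersionRange:
    """A concrete version in the CPE wins; "*" means "use the bounds"."""
    version = parse_cpe23(m["cpe23Uri"])[3]
    if version not in ("*", "-"):
        return VersionRange(exact=version)
    return VersionRange(start_incl=m.get("versionStartIncluding"),
                        start_excl=m.get("versionStartExcluding"),
                        end_incl=m.get("versionEndIncluding"),
                        end_excl=m.get("versionEndExcluding"))


def iter_cpe_matches(nodes: list):
    """Flatten nodes and nested 'children'.  AND nodes ("X running on Y") are
    treated like OR here, which errs on the side of reporting."""
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from iter_cpe_matches(node.get("children", []))


def item_to_vulnerability(item: dict) -> Vulnerability:
    affected: dict = {}
    for m in iter_cpe_matches(item.get("configurations", {}).get("nodes", [])):
        if not m.get("vulnerable", False):
            continue  # "not vulnerable" entries only describe the platform
        _, vendor, product, _ = parse_cpe23(m["cpe23Uri"])
        affected.setdefault(f"{vendor}:{product}", []).append(match_to_range(m))
    severity = (item.get("impact", {}).get("baseMetricV3", {})
                .get("cvssV3", {}).get("baseSeverity"))
    return Vulnerability(item["cve"]["CVE_data_meta"]["ID"],
                         item.get("publishedDate", ""), severity, affected)


def parse_feed(text: str) -> list:
    return [item_to_vulnerability(i) for i in json.loads(text)["CVE_Items"]]


def affecting(vulns: list, vendor: str, product: str, version: str) -> list:
    """CVE IDs whose ranges cover this exact package version."""
    key = f"{vendor}:{product}"
    return [v.cve_id for v in vulns
            if any(in_range(r, version) for r in v.affected.get(key, []))]


if __name__ == "__main__":
    vulns = parse_feed(SAMPLE_FEED)
    for v in vulns:
        print(v.cve_id, v.severity, v.affected)
    print(affecting(vulns, "example", "foo", "1.2.3"))
```

The point worth keeping in mind when wiring something like this into a linter is the version comparison: a lexical compare would place "1.10" below "1.2.5" and report a fixed package as vulnerable, and the opposite mistake silently hides real hits, which is exactly the "CVEs not showing up, CVEs showing up that should not" failure mode asked about in the closing message.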
