GNU bug report logs - #47193
Fancify guix lint -c cve output


Package: guix-patches;

Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>

Date: Tue, 16 Mar 2021 16:01:02 UTC

Severity: normal





Report forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Tue, 16 Mar 2021 16:01:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tobias Geerinckx-Rice <me <at> tobias.gr>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 16 Mar 2021 16:01:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: guix-patches <at> gnu.org
Subject: Fancify guix lint -c cve output
Date: Tue, 16 Mar 2021 17:00:11 +0100
Guix,

A quick hack requested by lle-bout: indicate CVE severity with
pretty/scary colours[0].  It's deliberately simple: no scoring, no 
versioning, no importing (guix colors) from (guix cve), ...

Another patch adds order to the rainbow.  Sort CVEs by ID, so roughly
chronological.  In combination with the other patch, I prefer this to
more complex ordering and/or grouping by severity.

Kind regards,

T G-R

[0]: https://tobias.gr/tmp.png

Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Tue, 16 Mar 2021 16:08:02 GMT) Full text and rfc822 format available.

Message #8 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 47193 <at> debbugs.gnu.org
Subject: [PATCH 1/2] lint: Sort possible vulnerabilities.
Date: Tue, 16 Mar 2021 17:06:52 +0100
* guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities
by ID.
---
 guix/lint.scm | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/guix/lint.scm b/guix/lint.scm
index 5144fa139d..ed57e19fe2 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1164,6 +1164,23 @@ the NIST server non-fatal."
                                             package-vulnerabilities))
   "Check for known vulnerabilities for PACKAGE.  Obtain the list of
 vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
+
+  (define (vulnerability< v1 v2)
+    (define (string-list< list1 list2)
+      (match list1
+        ((head1 tail1 ...)
+         (match list2
+           ((head2 tail2 ...)
+            (if (string=? head1 head2)
+                (string-list< tail1 tail2)
+                (string<? head1 head2)))
+           (_ #f)))
+        (_ #f)))
+
+    (let ((separators (char-set-complement char-set:letter+digit)))
+      (string-list< (string-split (vulnerability-id v1) separators)
+                    (string-split (vulnerability-id v2) separators))))
+
   (let ((package (or (package-replacement package) package)))
     (match (package-vulnerabilities package)
       (()
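Review bot: string<? on the split ID components compares the sequence number lexically, so within one year a five-digit sequence number sorts before a four-digit one that is numerically smaller (e.g. "10000" before "9999"), which undermines the "roughly chronological" intent once a year has more than 9999 entries; convert the year and sequence components with string->number and compare with < instead. A smaller point: string-list< answers #f for a list that is a proper prefix of the other in either direction, so such pairs compare as equal; harmless for well-formed CVE IDs, which always have three components, but worth a comment.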
@@ -1184,7 +1201,8 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
               (make-warning
                package
                (G_ "probably vulnerable to ~a")
-               (list (string-join (map vulnerability-id unpatched)
+               (list (string-join (map vulnerability-id
+                                       (sort unpatched vulnerability<))
                                   ", "))))))))))
 
 (define (check-for-updates package)
-- 
2.30.1
Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Tue, 16 Mar 2021 16:08:02 GMT) Full text and rfc822 format available.

Message #11 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 47193 <at> debbugs.gnu.org
Subject: [PATCH 2/2] lint: Indicate CVE severity.
Date: Tue, 16 Mar 2021 17:06:53 +0100
* guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
(impact-data->cve-cvss3-base-severity): New procedure.
<vulnerability>[severity]: New field.
(vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
(write-cache): Bump the format version to 2.
(vulnerabilities->lookup-proc): Adjust accordingly.
* guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
to the output port's terminal capabilities.
---
 guix/cve.scm  | 48 ++++++++++++++++++++++++++++++++----------------
 guix/lint.scm | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 63 insertions(+), 17 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index b3a8b13a06..3809e4493f 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2021 Tobias Geerinckx-Rice <me <at> tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -38,6 +39,7 @@
             cve-item?
             cve-item-cve
             cve-item-configurations
+            cve-item-cvssv3-base-severity
             cve-item-published-date
             cve-item-last-modified-date
 
@@ -53,6 +55,7 @@
 
             vulnerability?
             vulnerability-id
+            vulnerability-severity
             vulnerability-packages
 
             json->vulnerabilities
@@ -72,13 +75,15 @@
 
 (define-json-mapping <cve-item> cve-item cve-item?
   json->cve-item
-  (cve            cve-item-cve "cve" json->cve)   ;<cve>
-  (configurations cve-item-configurations         ;list of sexps
-                  "configurations" configuration-data->cve-configurations)
-  (published-date cve-item-published-date
-                  "publishedDate" string->date*)
-  (last-modified-date cve-item-last-modified-date
-                      "lastModifiedDate" string->date*))
+  (cve                  cve-item-cve "cve" json->cve) ;<cve>
+  (configurations       cve-item-configurations       ;list of sexps
+                        "configurations" configuration-data->cve-configurations)
+  (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
+                        "impact" impact-data->cve-cvssv3-base-severity)
+  (published-date       cve-item-published-date
+                        "publishedDate" string->date*)
+  (last-modified-date   cve-item-last-modified-date
+                        "lastModifiedDate" string->date*))
 
 (define-json-mapping <cve> cve cve?
   json->cve
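Review bot: the new field and converter are spelled cvssv3-base-severity / impact-data->cve-cvssv3-base-severity here, while the commit message says cvss3-base-severity and impact-data->cve-cvss3-base-severity; align the message with the code so the ChangeLog entry can be grepped for.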
@@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
   (let ((nodes (vector->list (assoc-ref alist "nodes"))))
     (filter-map node->configuration nodes)))
 
+(define (impact-data->cve-cvssv3-base-severity alist)
+  "Given ALIST, a JSON dictionary for the \"impact\" element found in
+CVEs, return a string indicating its CVSSv3 severity.  This should be
+one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
+return whatever we find, or #F if the severity cannot be determined."
+  (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
+         (cvss-v3        (assoc-ref base-metric-v3 "cvssV3")))
+    (assoc-ref cvss-v3 "baseSeverity")))
+
 (define (json->cve-items json)
   "Parse JSON, an input port or a string, and return a list of <cve-item>
 records."
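Review bot: the docstring promises #F when the severity cannot be determined, but the let* chain does not check for that case: for an item without CVSSv3 metrics (entries still awaiting analysis, or older ones scored only under CVSSv2) (assoc-ref alist "baseMetricV3") is #f and the following assoc-ref is applied to #f. Make the missing-key case explicit (a match on the intermediate values, or an and=> chain) rather than relying on assoc-ref tolerating a non-list, and consider normalizing the string (string-downcase, or string->symbol) so callers are not tied to the NVD's upper-case spelling.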
@@ -251,20 +265,21 @@ records."
   (* 3600 24 (date-month %now)))
 
 (define-record-type <vulnerability>
-  (vulnerability id packages)
+  (vulnerability id severity packages)
   vulnerability?
   (id         vulnerability-id)             ;string
+  (severity   vulnerability-severity)       ;string
   (packages   vulnerability-packages))      ;((p1 sexp1) (p2 sexp2) ...)
 
 (define vulnerability->sexp
   (match-lambda
-    (($ <vulnerability> id packages)
-     `(v ,id ,packages))))
+    (($ <vulnerability> id severity packages)
+     `(v ,id ,severity ,packages))))
 
 (define sexp->vulnerability
   (match-lambda
-    (('v id (packages ...))
-     (vulnerability id packages))))
+    (('v id severity (packages ...))
+     (vulnerability id severity packages))))
 
 (define (cve-configuration->package-list config)
   "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
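Review bot: sexp->vulnerability now matches only the four-element (v id severity (packages ...)) form, so an existing cache written in format 1 (three-element entries) produces a match-error on the next lint run instead of being refreshed; either keep a second clause for the old form that supplies #f as severity, or have the reader compare the format version (bumped to 2 in the write-cache hunk below) and discard a cache whose version differs. Nothing in this patch adds that version check on the reading side.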
@@ -309,12 +324,13 @@ versions."
   "Return a <vulnerability> corresponding to ITEM, a <cve-item> record;
 return #f if ITEM does not list any configuration or if it does not list
 any \"a\" (application) configuration."
-  (let ((id (cve-id (cve-item-cve item))))
+  (let ((id (cve-id (cve-item-cve item)))
+        (severity (cve-item-base-severity item)))
     (match (cve-item-configurations item)
       (()                                         ;no configurations
        #f)
       ((configs ...)
-       (vulnerability id
+       (vulnerability id severity
                       (merge-package-lists
                        (map cve-configuration->package-list configs)))))))
 
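Review bot: cve-item-base-severity is not defined anywhere; the accessor introduced by the mapping hunk above and exported is cve-item-cvssv3-base-severity. Guile only emits a "possibly unbound variable" warning at compile time, so this fails at run time the first time cve-item->vulnerability is called, as reported later in this thread.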
@@ -332,7 +348,7 @@ sexp to CACHE."
         (json->vulnerabilities input))
 
       (write `(vulnerabilities
-               1                                  ;format version
+               2                                  ;format version
                ,(map vulnerability->sexp vulns))
              cache))))
 
@@ -396,7 +412,7 @@ vulnerabilities affecting the given package version."
     ;; Map package names to lists of version/vulnerability pairs.
     (fold (lambda (vuln table)
             (match vuln
-              (($ <vulnerability> id packages)
+              (($ <vulnerability> id severity packages)
                (fold (lambda (package table)
                        (match package
                          ((name . versions)
diff --git a/guix/lint.scm b/guix/lint.scm
index ed57e19fe2..f3c4e13052 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -48,6 +48,7 @@
   #:use-module (guix monads)
   #:use-module (guix scripts)
   #:use-module ((guix ui) #:select (texi->plain-text fill-paragraph))
+  #:use-module (guix colors)
   #:use-module (guix gnu-maintenance)
   #:use-module (guix cve)
   #:use-module ((guix swh) #:hide (origin?))
@@ -1165,6 +1166,35 @@ the NIST server non-fatal."
   "Check for known vulnerabilities for PACKAGE.  Obtain the list of
 vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
 
+  (define severity->color
+    ;; A standard CVE colour gradient is red > orange > yellow > green > none.
+    ;; However, ANSI non-bold YELLOW is actually orange whilst BOLD YELLOW
+    ;; is actual yellow, so BOLD would confusingly be less serious.  Skip it.
+    (match-lambda
+      ("CRITICAL"     (color BOLD RED))
+      ("HIGH"         (color RED))
+      ("MEDIUM"       (color YELLOW))
+      ("LOW"          (color GREEN))
+      (_              (color))))
+
+  (define (colorize-vulnerability vulnerability)
+    ;; If the terminal supports ANSI colours, use them to indicate severity.
+    (colorize-string (vulnerability-id vulnerability)
+                     (severity->color (vulnerability-severity
+                                       vulnerability))))
+
+  (define (simple-format-vulnerability vulnerability)
+    ;; Otherwise, omit colour coding and explicitly append the severity string.
+    (simple-format #f "~a (~a)"
+                   (vulnerability-id vulnerability)
+                   (string-downcase (vulnerability-severity vulnerability))))
+
+  (define format-vulnerability
+    ;; Check once which of the above to use for all PACKAGE vulnerabilities.
+    (if (color-output? (current-output-port))
+        colorize-vulnerability
+        simple-format-vulnerability))
+
   (define (vulnerability< v1 v2)
     (define (string-list< list1 list2)
       (match list1
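Review bot: simple-format-vulnerability applies string-downcase to (vulnerability-severity vulnerability), which (guix cve) documents as possibly #f when no CVSSv3 metrics are present; on a port without colour support that raises a wrong-type-argument error and aborts the whole check for the package, while severity->color handles the same case through its `_` clause. Give the plain-text path a fallback such as "(unscored)". Also note that format-vulnerability is chosen by inspecting (current-output-port) when check-vulnerabilities runs, whereas the warning record is printed later by the lint driver; if that happens on a different port, the escape sequences end up in non-terminal output.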
@@ -1201,7 +1231,7 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
               (make-warning
                package
                (G_ "probably vulnerable to ~a")
-               (list (string-join (map vulnerability-id
+               (list (string-join (map format-vulnerability
                                        (sort unpatched vulnerability<))
                                   ", "))))))))))
 
-- 
2.30.1
Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Tue, 16 Mar 2021 18:20:02 GMT) Full text and rfc822 format available.

Message #14 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47193 <at> debbugs.gnu.org
Subject: Fancify guix lint -c cve output
Date: Tue, 16 Mar 2021 19:19:54 +0100
Hello!

Thanks a lot for working on this!! :-D

I get a warning during compilation:

guix/cve.scm:328:18: warning: possibly unbound variable `cve-item-base-severity'

I also just tried it on patch package and it fails:

$ ./pre-inst-env guix lint -c cve patch
Backtrace:atch <at> 2.7.6 [cve]...
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7f5c56304520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7f5c56307c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7f5c52ccde40 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7f5c52ccb620 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers #<package patch <at> 2.7.6 gnu/packages/base.…>
…)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7f5c43b5df30 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities #<package patch <at> 2.7.6 gnu/packa…>
…)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7f5c5303cab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern" (v
"CVE-2021-0212" (("contrail_networking" (< "1911.31")))))'.

Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Tue, 16 Mar 2021 21:13:02 GMT) Full text and rfc822 format available.

Message #17 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: guix-patches <at> gnu.org, 47193 <at> debbugs.gnu.org
Subject: Re: [bug#47193] Fancify guix lint -c cve output
Date: Tue, 16 Mar 2021 22:12:46 +0100
Léo!

Léo Le Bouter via Guix-patches via wrote:
> guix/cve.scm:328:18: warning: possibly unbound variable 
> `cve-item-base-
> severity'

One dark and stormy night I turned away an old woman at my doors, 
and ever since I have been cursed to include at least one stupid 
typo in each patch I send.  True story.

Thanks for testing.  Fixed but it should not affect running guix 
lint.

> I also just tried it on patch package and it fails:

Hmm.  I bet ‘rm -rf ~/.cache/guix/http’ will make this go 
conveniently away, just like lady stormypants.

> (v "CVE-2021-0212" (("contrail_networking" ...

This is a stale cache file lacking the newly added ‘severity’ 
field:

(v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ...

I bumped the format version to 2 in (guix cve) to signal this 
incompatible change, but it appears this field may exist merely as 
a friendly reminder to actually add version handling some day...?

I guess today is that day.

Bah,

T G-R
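Tobias's point about the cache format version, as an added example that is not part of the patch or of (guix cve): a reading side that actually dispatches on the version number, accepting old format-1 entries with a #f severity and refusing unknown versions so the caller refetches instead of hitting a match-error. The record definition mirrors the patch; cache-sexp->vulnerabilities, %current-format-version and the sample cache forms are my own, constructed for this example.

```scheme
;; Added example, not code from the patch: version-aware reading of the
;; (guix cve) vulnerability cache.  Only <vulnerability> follows (guix cve);
;; the reader below is hypothetical.
(use-modules (ice-9 match)
             (srfi srfi-9))

(define-record-type <vulnerability>
  (vulnerability id severity packages)
  vulnerability?
  (id         vulnerability-id)             ;string
  (severity   vulnerability-severity)       ;string or #f
  (packages   vulnerability-packages))      ;((p1 sexp1) (p2 sexp2) ...)

(define (sexp->vulnerability sexp)
  "Convert SEXP, an entry in either cache format, to a <vulnerability>.
Format-1 entries carry no severity, so they get #f rather than failing."
  (match sexp
    (('v id (packages ...))                     ;format 1: (v ID PACKAGES)
     (vulnerability id #f packages))
    (('v id severity (packages ...))            ;format 2: (v ID SEVERITY PACKAGES)
     (vulnerability id severity packages))))

;; The newest format this reader understands.
(define %current-format-version 2)

(define (cache-sexp->vulnerabilities sexp)
  "Return the list of <vulnerability> records in the cache form SEXP, or #f
when its format version is unknown (newer than this code, or not a number),
so that the caller discards the cache and refetches."
  (match sexp
    (('vulnerabilities (? integer? version) (entries ...))
     (and (<= 1 version %current-format-version)
          (map sexp->vulnerability entries)))
    (_ #f)))

;; Constructed sample caches: the pre-patch format, the patched format, and
;; a hypothetical future format this reader must not guess at.
(define %format-1-cache
  '(vulnerabilities 1
     ((v "CVE-2021-0212" (("contrail_networking" (< "1911.31")))))))

(define %format-2-cache
  '(vulnerabilities 2
     ((v "CVE-2021-0212" "MEDIUM" (("contrail_networking" (< "1911.31")))))))

(define %future-cache
  '(vulnerabilities 3
     ((v "CVE-2021-0212" "MEDIUM" 7.5 (("contrail_networking" (< "1911.31")))))))

;; (map vulnerability-severity (cache-sexp->vulnerabilities %format-1-cache))
;;   => (#f)
;; (map vulnerability-severity (cache-sexp->vulnerabilities %format-2-cache))
;;   => ("MEDIUM")
;; (cache-sexp->vulnerabilities %future-cache)
;;   => #f
```

The reader refuses rather than guesses at a version it does not know; a stale cache then costs one refetch, which is cheap compared with a backtrace on every lint run.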


Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Wed, 17 Mar 2021 08:14:02 GMT) Full text and rfc822 format available.

Message #23 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: guix-patches <at> gnu.org, 47193 <at> debbugs.gnu.org
Subject: Re: [bug#47193] Fancify guix lint -c cve output
Date: Wed, 17 Mar 2021 09:13:36 +0100
On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote:
> Léo!

Tobias! :-)

> Léo Le Bouter via Guix-patches via wrote:
> > guix/cve.scm:328:18: warning: possibly unbound variable 
> > `cve-item-base-
> > severity'
> 
> One dark and stormy night I turned away an old woman at my doors, 
> and ever since I have been cursed to include at least one stupid 
> typo in each patch I send.  True story.
> 
> Thanks for testing.  Fixed but it should not affect running guix 
> lint.

I tried fixing it as well,

$ git diff
diff --git a/guix/cve.scm b/guix/cve.scm
index 3809e4493f..d52ea05117 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -325,7 +325,7 @@ versions."
 return #f if ITEM does not list any configuration or if it does not
list
 any \"a\" (application) configuration."
   (let ((id (cve-id (cve-item-cve item)))
-        (severity (cve-item-base-severity item)))
+        (severity (cve-item-cvssv3-base-severity item)))
     (match (cve-item-configurations item)
       (()                                         ;no configurations
        #f)
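Review bot: the rename matches the accessor defined by the define-json-mapping in patch 2/2 and listed in its export list, so this is the right fix for the unbound-variable warning; the match-error on the (vulnerabilities 2 ...) form that remains afterwards is a separate problem in the cache reader, not in this line.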

Look right?

> Hmm.  I bet ‘rm -rf ~/.cache/guix/http’ will make this go 
> conveniently away, just like lady stormypants.

I tried that (without the fix above) and:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7fd1e5545520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7fd1e5548c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7fd1e1f0ee40 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7fd1e1f0b000 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7fd1d2f805d0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities _ _)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7fd1e227dab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
error: cve-item-base-severity: unbound variable

Then *with* the fix:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7f4a634a5520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7f4a634a8c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7f4a5fe6c8d0 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7f4a5fe6ec20 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7f4a50f5a0f0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities _ _)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7f4a601ddab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern"
(vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM" (("contrail_networking"
(< "1911.31")))) (v "CVE-2021-0220" "MEDIUM" (("junos_space" (or "19.1"
(or "18.4" (or "18.3" (or "18.2" (or "18.1r1" (or "18.1" (or "17.21.4"
(or "17.2" (or "17.1" (or "16.1" (or "15.2" (or "15.14" (or "15.12" (or
"15.1" (or "14.1" (or "13.33" (or "13.11.8" (or "13.1" (or "12.3" (or
"12.2" (or "12.1" (or "11.4" (or "11.3" (or "11.2" (or "11.1" (or "2.0"
(or "1.4" (or "1.3" (or "1.2" (or "1.1"
"1.0"))))))))))))))))))))))))))))))))) (v "CVE-2021-1051" "HIGH"
(("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>= "450") (<
"452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (<
"392.63")))))))) (v "CVE-2021-1052" "HIGH" (("gpu_driver" (or (or (and
(>= "460") (< "460.32.03")) (or (and (>= "450") (< "450.102.04")) (and
(>= "390") (< "390.141")))) (or (and (>= "460") (< "461.09")) (or (and
(>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>=
"390") (< "392.63"))))))))) (v "CVE-2021-1053" "MEDIUM" (("gpu_driver"
(or (or (and (>= "460") (< "460.32.03")) (or (and (>= "450") (<
"450.102.04")) (and (>= "390") (< "390.141")))) (or (and (>= "460") (<
"461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (<
"427.11")) (and (>= "390") (< "392.63"))))))))) (v "CVE-2021-1054"
"MEDIUM" (("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>=
"450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390")
(< "392.63")))))))) (v "CVE-2021-1055" "MEDIUM" (("gpu_driver" (or (and
(>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>=
"
[...]

I ran "$ rm -rf ~/.cache/guix/http" between each and every of these
attempts. The cache is clear, I also did make clean and recompiled (so
no left around .go file).

> 
> > (v "CVE-2021-0212" (("contrail_networking" ...
> 
> This is a stale cache file lacking the newly added ‘severity’ 
> field:
> 
> (v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ...
> 
> I bumped the format version to 2 in (guix cve) to signal this 
> incompatible change, but it appears this field may exist merely as 
> a friendly reminder to actually add version handling some day...?
> 
> I guess today is that day.
> 
> Bah,

Don't know! I think there's some other issue here, or maybe you
modified the patch a little more on your side.

PS: I looked at the image you initially posted and the output looks
really nice and helpful!!

> 
> T G-R

Thank you :-D

Léo


Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Wed, 17 Mar 2021 19:33:01 GMT) Full text and rfc822 format available.

Message #29 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: guix-patches <at> gnu.org, 47193 <at> debbugs.gnu.org
Subject: Re: [bug#47193] Fancify guix lint -c cve output
Date: Wed, 17 Mar 2021 20:32:30 +0100
Léo Le Bouter wrote:
> On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote:
>> Léo!
>
> Tobias! :-)

Yes!

> ice-9/boot-9.scm:1667:16: In procedure raise-exception:
> Throw to key `match-error' with args `("match" "no matching 
> pattern"
> (vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM" 
> (("contrail_networking"

Thanks for including the full error message.  Now the cached 
data's as expected but the code chokes on it anyway.  Sure, why 
not.

> Don't know! I think there's some other issue here, or maybe you
> modified the patch a little more on your side.

I haven't, and like you've I (regularly) remove stale .go files 
and delete ~/.cache/guix.  Works like a screenshotted charm.

I'm not in the mood for spooks; time to bust out the flamethrower 
that is a fresh git clone.

> PS: I looked at the image you initially posted and the output 
> looks
> really nice and helpful!!

Oh, good to know that is what you had in mind.  I wasn't sure.

Kind regards,

T G-R


Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Wed, 31 Mar 2021 12:54:02 GMT) Full text and rfc822 format available.

Message #35 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 47193 <at> debbugs.gnu.org
Subject: Re: bug#47193: Fancify guix lint -c cve output
Date: Wed, 31 Mar 2021 14:53:00 +0200
Hi!

Tobias Geerinckx-Rice <me <at> tobias.gr> skribis:

> * guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities
> by ID.

[...]

>                (make-warning
>                 package
>                 (G_ "probably vulnerable to ~a")
> -               (list (string-join (map vulnerability-id unpatched)
> +               (list (string-join (map vulnerability-id
> +                                       (sort unpatched vulnerability<))
>                                    ", "))))))))))

Nitpick: it might be a bit clearer done the other way around:

  (sort (map vulnerability-id unpatched) cve-id<?)

… where ‘cve-id<?’ is like ‘vulnerability<’ but takes a CVE ID (a
string).

Otherwise LGTM!

Ludo’.
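Ludo's cve-id<? idea carried through, as an added example rather than code from the thread: it takes two CVE ID strings and compares the year and sequence number as integers, which also avoids the lexical-ordering problem of comparing four- and five-digit sequence numbers as strings (five-digit sequence numbers have been valid since the 2014 ID syntax change). cve-id-components, %cve-id-rx and the sample ID list are constructed for this example; only the name cve-id<? comes from Ludo's message.

```scheme
;; Added example (not part of the patch): a 'cve-id<?' that orders CVE IDs
;; numerically by year and sequence number instead of by string comparison.
(use-modules (ice-9 match)
             (ice-9 regex))

;; CVE-YYYY-NNNN, where NNNN is four or more digits.
(define %cve-id-rx
  (make-regexp "^CVE-([0-9]{4})-([0-9]{4,})$" regexp/extended))

(define (cve-id-components id)
  "Return (YEAR . SEQUENCE) as integers for ID, or #f if ID is not a
well-formed CVE identifier."
  (and=> (regexp-exec %cve-id-rx id)
         (lambda (m)
           (cons (string->number (match:substring m 1))
                 (string->number (match:substring m 2))))))

(define (cve-id<? id1 id2)
  "Return #t if ID1 sorts before ID2.  Well-formed IDs are ordered by year,
then by sequence number; malformed IDs sort after all well-formed ones and
among themselves by plain string order, so 'sort' never sees an
incomparable pair."
  (match (list (cve-id-components id1) (cve-id-components id2))
    (((year1 . seq1) (year2 . seq2))
     (or (< year1 year2)
         (and (= year1 year2) (< seq1 seq2))))
    ((#f #f) (string<? id1 id2))
    ((#f _)  #f)
    ((_ #f)  #t)))

;; Constructed sample IDs mixing four- and five-digit sequence numbers.
(define %sample-ids
  '("CVE-2021-1051" "CVE-2021-0212" "CVE-2020-10000"
    "CVE-2020-9999" "CVE-2021-12345"))

;; (sort %sample-ids cve-id<?)
;;   => ("CVE-2020-9999" "CVE-2020-10000" "CVE-2021-0212"
;;       "CVE-2021-1051" "CVE-2021-12345")
;; whereas (sort %sample-ids string<?) puts "CVE-2020-10000" before
;; "CVE-2020-9999".
```

Sorting the ID strings with this predicate, as Ludo suggests, keeps vulnerability< out of the lint module entirely; if the severity is needed for grouping later, sort the records on (compose cve-id-components vulnerability-id) instead.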
Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Wed, 31 Mar 2021 13:04:02 GMT) Full text and rfc822 format available.

Message #38 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 47193 <at> debbugs.gnu.org
Subject: Re: bug#47193: Fancify guix lint -c cve output
Date: Wed, 31 Mar 2021 15:03:42 +0200
Hi,

Tobias Geerinckx-Rice <me <at> tobias.gr> skribis:

> * guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
> (impact-data->cve-cvss3-base-severity): New procedure.
> <vulnerability>[severity]: New field.
> (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
> (write-cache): Bump the format version to 2.
> (vulnerabilities->lookup-proc): Adjust accordingly.
> * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
> to the output port's terminal capabilities.

I would move the lint.scm bit to a separate patch.

Please also add a short test for ‘vulnerability-severity’ in
tests/cve.scm.

[...]

> +  (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
> +                        "impact" impact-data->cve-cvssv3-base-severity)
> +  (published-date       cve-item-published-date
> +                        "publishedDate" string->date*)
> +  (last-modified-date   cve-item-last-modified-date
> +                        "lastModifiedDate" string->date*))
>  
>  (define-json-mapping <cve> cve cve?
>    json->cve
> @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
>    (let ((nodes (vector->list (assoc-ref alist "nodes"))))
>      (filter-map node->configuration nodes)))
>  
> +(define (impact-data->cve-cvssv3-base-severity alist)
> +  "Given ALIST, a JSON dictionary for the \"impact\" element found in
> +CVEs, return a string indicating its CVSSv3 severity.  This should be
> +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
> +return whatever we find, or #F if the severity cannot be determined."
> +  (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
> +         (cvss-v3        (assoc-ref base-metric-v3 "cvssV3")))
> +    (assoc-ref cvss-v3 "baseSeverity")))

I would pass the result through (string->symbol (string-downcase …)).

For clarity, perhaps we can do:

  (define-json-mapping <cvss> cvss cvss?
    json->cvss
    (vector-string  cvss-vector-string "vectorString")
    (base-severity  cvss-severity "baseSeverity"
                    (compose string->symbol string-downcase)))

… and use that instead of the last ‘assoc-ref’ call above.

The rest LGTM.

Thanks for this pleasant improvement!

Ludo’.
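Ludo's two suggestions (normalize the severity to a lower-case symbol, and stop chaining assoc-ref calls on keys that may be missing), as an added example that is neither Ludo's nor the patch's code. It assumes the alist layout that guile-json's json-string->scm produces for NVD 1.1 feed items (objects as alists with string keys, nested objects as alist values); assoc-ref*, impact-data->severity, severity-label and the sample impact objects are constructed for this example. It also covers the case the patch's own docstring mentions, an item with no CVSSv3 metrics, which the plain-text branch in the lint.scm hunk would otherwise trip over.

```scheme
;; Added example, not code from the patch or from Ludo's message: extract
;; a CVSSv3 base severity from an NVD "impact" object without assuming
;; every nested key is present.
(use-modules (ice-9 match))

(define (assoc-ref* alist . keys)
  "Like 'assoc-ref' but follow KEYS through nested alists, returning #f as
soon as a key is missing or a value is not an alist, instead of handing #f
to the next 'assoc-ref'."
  (let loop ((alist alist) (keys keys))
    (cond ((null? keys) alist)
          ((and (list? alist) (assoc-ref alist (car keys)))
           => (lambda (value) (loop value (cdr keys))))
          (else #f))))

(define (impact-data->severity impact)
  "Return the CVSSv3 base severity found in IMPACT, the \"impact\" object of
an NVD CVE item, as a lower-case symbol such as 'high, or #f when the item
carries no CVSSv3 metrics (typical of entries still awaiting analysis or
scored only under CVSSv2)."
  (match (assoc-ref* impact "baseMetricV3" "cvssV3" "baseSeverity")
    ((? string? severity) (string->symbol (string-downcase severity)))
    (_ #f)))

(define (severity-label severity)
  "Return the text to append to a CVE ID on ports without colour support,
including the unscored case, which must not reach 'string-downcase'."
  (if severity
      (string-append " (" (symbol->string severity) ")")
      " (unscored)"))

;; Constructed sample "impact" objects in the shape json-string->scm gives
;; for the NVD 1.1 feed: one fully scored, one with CVSSv2 data only, and
;; one empty (awaiting analysis).
(define %impact-with-v3
  '(("baseMetricV3"
     ("cvssV3" ("version" . "3.1")
               ("vectorString" . "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
               ("baseScore" . 9.8)
               ("baseSeverity" . "CRITICAL"))
     ("exploitabilityScore" . 3.9)
     ("impactScore" . 5.9))
    ("baseMetricV2"
     ("cvssV2" ("baseScore" . 7.5))
     ("severity" . "HIGH"))))

(define %impact-v2-only
  '(("baseMetricV2"
     ("cvssV2" ("baseScore" . 5.0))
     ("severity" . "MEDIUM"))))

(define %impact-unscored '())

;; (impact-data->severity %impact-with-v3)   => critical
;; (impact-data->severity %impact-v2-only)   => #f
;; (impact-data->severity %impact-unscored)  => #f
;; (severity-label (impact-data->severity %impact-with-v3))  => " (critical)"
;; (severity-label (impact-data->severity %impact-v2-only))  => " (unscored)"
```

Returning a symbol keeps the comparison in severity->color free of case and spelling assumptions about the NVD data, and the explicit #f path is what lets the colourless output branch degrade to "(unscored)" instead of raising.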
Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Wed, 31 Mar 2021 13:07:01 GMT) Full text and rfc822 format available.

Message #41 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Ludovic Courtès <ludo <at> gnu.org>, Tobias Geerinckx-Rice
 <me <at> tobias.gr>
Cc: 47193 <at> debbugs.gnu.org
Subject: Re: [bug#47193] Fancify guix lint -c cve output
Date: Wed, 31 Mar 2021 15:06:02 +0200
On Wed, 2021-03-31 at 15:03 +0200, Ludovic Courtès wrote:

[...]

> The rest LGTM.
> 
> Thanks for this pleasant improvement!
> 
> Ludo’.
> 

Hello Ludo!

Did you get it to work on your end?

Léo

Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Wed, 31 Mar 2021 20:58:02 GMT) Full text and rfc822 format available.

Message #44 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: Tobias Geerinckx-Rice <me <at> tobias.gr>, 47193 <at> debbugs.gnu.org
Subject: Re: [bug#47193] Fancify guix lint -c cve output
Date: Wed, 31 Mar 2021 22:57:40 +0200
Léo Le Bouter <lle-bout <at> zaclys.net> skribis:

> Did you get it to work on your end?

I didn’t try, but I’m confident Tobias will do the right thing!

Ludo’.
Information forwarded to guix-patches <at> gnu.org:
bug#47193; Package guix-patches. (Thu, 01 Apr 2021 23:37:02 GMT) Full text and rfc822 format available.

Message #47 received at 47193 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Tobias Geerinckx-Rice <me <at> tobias.gr>, 47193 <at> debbugs.gnu.org
Subject: Re: [bug#47193] Fancify guix lint -c cve output
Date: Fri, 02 Apr 2021 01:36:29 +0200
On Wed, 2021-03-31 at 22:57 +0200, Ludovic Courtès wrote:
> Léo Le Bouter <lle-bout <at> zaclys.net> skribis:
> 
> > Did you get it to work on your end?
> 
> I didn’t try, but I’m confident Tobias will do the right thing!
> 
> Ludo’.

I see, thanks, I was looking to get it to work for me since Tobias
seems busy maybe you had some elements I could use, I don't doubt they
will do the right thing!
