GNU bug report logs - #47193
Fancify guix lint -c cve output

Package: guix-patches;

Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>

Date: Tue, 16 Mar 2021 16:01:02 UTC

Severity: normal

From: Ludovic Courtès <ludo <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 47193 <at> debbugs.gnu.org
Subject: [bug#47193] Fancify guix lint -c cve output
Date: Wed, 31 Mar 2021 15:03:42 +0200
Hi,

Tobias Geerinckx-Rice <me <at> tobias.gr> wrote:

> * guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
> (impact-data->cve-cvss3-base-severity): New procedure.
> <vulnerability>[severity]: New field.
> (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
> (write-cache): Bump the format version to 2.
> (vulnerabilities->lookup-proc): Adjust accordingly.
> * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
> to the output port's terminal capabilities.

I would move the lint.scm bit to a separate patch.

Please also add a short test for ‘vulnerability-severity’ in
tests/cve.scm.

[...]

> +  (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
> +                        "impact" impact-data->cve-cvssv3-base-severity)
> +  (published-date       cve-item-published-date
> +                        "publishedDate" string->date*)
> +  (last-modified-date   cve-item-last-modified-date
> +                        "lastModifiedDate" string->date*))
>  
>  (define-json-mapping <cve> cve cve?
>    json->cve
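Review bot: the identifiers in this hunk do not match the ChangeLog entry quoted at the top of the message: the code defines the field as `cvssv3-base-severity` with accessor `cve-item-cvssv3-base-severity` and converter `impact-data->cve-cvssv3-base-severity`, while the commit message names them `cvss3-base-severity` and `impact-data->cve-cvss3-base-severity`. Settle on one spelling (the code's `cvssv3` mirrors the `cvssV3` JSON key, so keeping it and correcting the commit message is the smaller change) so that `git log` and the source agree.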
> @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
>    (let ((nodes (vector->list (assoc-ref alist "nodes"))))
>      (filter-map node->configuration nodes)))
>  
> +(define (impact-data->cve-cvssv3-base-severity alist)
> +  "Given ALIST, a JSON dictionary for the \"impact\" element found in
> +CVEs, return a string indicating its CVSSv3 severity.  This should be
> +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
> +return whatever we find, or #F if the severity cannot be determined."
> +  (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
> +         (cvss-v3        (assoc-ref base-metric-v3 "cvssV3")))
> +    (assoc-ref cvss-v3 "baseSeverity")))
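Review bot: `impact-data->cve-cvssv3-base-severity` does not deliver the `#F` its docstring promises when the data is absent: if ALIST carries no "baseMetricV3" entry (or that entry has no "cvssV3"), `base-metric-v3` is #f and the following `assoc-ref` is applied to #f instead of an association list, which fails instead of yielding #f. Guard each step, for instance `(and=> (assoc-ref alist "baseMetricV3") (lambda (v3) (and=> (assoc-ref v3 "cvssV3") (cut assoc-ref <> "baseSeverity"))))`, or let the JSON mapping tolerate the missing key, and cover the case in tests/cve.scm with an item that has only CVSSv2 metrics.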

I would pass the result through (string->symbol (string-downcase …)).

For clarity, perhaps we can do:

  (define-json-mapping <cvss> cvss cvss?
    json->cvss
    (vector-string  cvss-vector-string "vectorString")
    (base-severity  cvss-severity "baseSeverity"
                    (compose string->symbol string-downcase)))

… and use that instead of the last ‘assoc-ref’ call above.

The rest LGTM.

Thanks for this pleasant improvement!

Ludo’.
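As an added, stand-alone illustration of the points raised in this review (it is not code from the patch under discussion nor from Guix itself), the Guile script below places the patch's unguarded `assoc-ref` chain next to a guarded variant that returns #f for a CVE item lacking CVSSv3 metrics and normalises the severity to a lower-case symbol, as suggested above. It assumes guile-json 3 or later, whose `json-string->scm` parses JSON objects as alists; the two sample "impact" items, and the procedure names `impact->severity/unguarded`, `impact->severity` and `severity-rank`, are constructed for this example.

```scheme
;; Added example: CVSSv3 severity extraction from the "impact" element of an
;; NVD JSON 1.1 CVE item.  Not part of the reviewed patch or of Guix.
;; Requires guile-json >= 3 so that JSON objects become alists.

(use-modules (json))

;; Constructed sample items.  The shape follows the NVD 1.1 feed; the
;; values are made up for this example.
(define impact-with-v3
  (json-string->scm
   "{\"baseMetricV3\": {\"cvssV3\": {\"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",
                                     \"baseScore\": 9.8,
                                     \"baseSeverity\": \"CRITICAL\"}},
     \"baseMetricV2\": {\"cvssV2\": {\"baseScore\": 7.5}, \"severity\": \"HIGH\"}}"))

;; Older CVEs are frequently scored under CVSSv2 only.
(define impact-v2-only
  (json-string->scm
   "{\"baseMetricV2\": {\"cvssV2\": {\"baseScore\": 5.0}, \"severity\": \"MEDIUM\"}}"))

;; Straight chain of lookups, as in the patch: fine when every level is
;; present, but on IMPACT-V2-ONLY the second `assoc-ref' receives #f
;; instead of an association list and Guile raises an error rather than
;; returning #f.
(define (impact->severity/unguarded impact)
  (let* ((base-metric-v3 (assoc-ref impact "baseMetricV3"))
         (cvss-v3        (assoc-ref base-metric-v3 "cvssV3")))
    (assoc-ref cvss-v3 "baseSeverity")))

;; Guarded variant: `and=>' short-circuits to #f as soon as a level is
;; missing, so "#f if the severity cannot be determined" actually holds.
;; The string is then normalised to a symbol ("CRITICAL" -> critical).
(define (impact->severity impact)
  "Return the CVSSv3 base severity of IMPACT as a lower-case symbol, or
#f when IMPACT carries no CVSSv3 metrics."
  (and=> (assoc-ref impact "baseMetricV3")
         (lambda (v3)
           (and=> (assoc-ref v3 "cvssV3")
                  (lambda (cvss)
                    (and=> (assoc-ref cvss "baseSeverity")
                           (compose string->symbol string-downcase)))))))

;; Ordering helper so lint output can list the worst finding first;
;; unknown or missing severities sort last.
(define (severity-rank severity)
  (case severity
    ((critical) 4)
    ((high)     3)
    ((medium)   2)
    ((low)      1)
    (else       0)))

(format #t "with v3: ~s~%" (impact->severity impact-with-v3))
(format #t "v2 only: ~s~%" (impact->severity impact-v2-only))
(format #t "ranked:  ~s~%"
        (sort (list (impact->severity impact-v2-only)
                    'medium
                    (impact->severity impact-with-v3))
              (lambda (a b) (> (severity-rank a) (severity-rank b)))))

;; Uncomment to observe the failure mode of the unguarded version:
;; (impact->severity/unguarded impact-v2-only)
```

Run it with `guile example.scm` in an environment where guile-json is available (for instance `guix shell guile guile-json`). The guarded procedure is the behaviour the docstring in the patch describes; the symbol normalisation makes a `case` dispatch like `severity-rank` possible without string comparisons, which is the reason for the `(compose string->symbol string-downcase)` suggestion.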




This bug report was last modified 4 years and 76 days ago.
