GNU bug report logs - #53721 [PATCH] lint: Perform fuzzy search on package names for CVE checker.
Report forwarded to guix-patches <at> gnu.org: bug#53721; Package guix-patches. (Wed, 02 Feb 2022 14:17:02 GMT)
Acknowledgement sent to Efraim Flashner <efraim <at> flashner.co.il>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 02 Feb 2022 14:17:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---
When I checked for cpe-name in the Guix repo there weren't a lot of
hits. Clearly just stripping off the leading 'python2-' or whatever
isn't completely the correct answer, python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs
easily discovered for any of our language library packages.
guix/lint.scm | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/guix/lint.scm b/guix/lint.scm
index 3ca7a0b608..7f08d6af5e 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -7,7 +7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel <at> crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost <at> gmail.com>
;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me <at> tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim <at> flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim <at> flashner.co.il>
;;; Copyright © 2018, 2019 Arun Isaac <arunisaac <at> systemreboot.net>
;;; Copyright © 2020 Chris Marusich <cmmarusich <at> gmail.com>
;;; Copyright © 2020 Timothy Sample <samplet <at> ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
"Return a list of vulnerabilities affecting PACKAGE."
;; First we retrieve the Common Platform Enumeration (CPE) name and
;; version for PACKAGE, then we can pass them to LOOKUP.
- (let ((name (or (assoc-ref (package-properties package)
- 'cpe-name)
- (package-name package)))
- (version (or (assoc-ref (package-properties package)
- 'cpe-version)
- (package-version package))))
+ (let* ((pkg-name (package-name package))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package)))
+ (name
+ (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (false-if-exception
+ (first
+ (filter string?
+ (map (lambda (prefix)
+ (when (string-prefix? prefix pkg-name)
+ (string-drop pkg-name (string-length prefix))))
+ '("java-" "perl-" "python-" "python2-" "ruby-")))))
+ pkg-name)))
((force lookup) name version)))))
(define* (check-vulnerabilities package
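Review bot: `(first (filter string? (map ...)))` raises on an empty list whenever no listed prefix matches (a package such as glibc), and the enclosing `false-if-exception` silences that together with any other error raised inside the expression; `(any (lambda (prefix) (and (string-prefix? prefix pkg-name) (string-drop pkg-name (string-length prefix)))) '("java-" "perl-" "python-" "python2-" "ruby-"))` returns the stripped name or #f with no exception path at all. The guessed name is then used exactly like an explicit 'cpe-name, so CVEs of the upstream product get reported against a language binding that merely shares its name (the python-redis vs redis case the commit message itself notes); consider keeping the explicit property authoritative and marking matches that came from a stripped name so a reviewer can tell a verified CPE mapping from a heuristic one. The docstring "Return a list of vulnerabilities affecting PACKAGE." should also mention the new prefix-stripping fallback.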
base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c
--
2.34.0
Information forwarded to guix-patches <at> gnu.org: bug#53721; Package guix-patches. (Wed, 02 Feb 2022 14:55:02 GMT)
Message #8 received at 53721 <at> debbugs.gnu.org:
Efraim Flashner wrote on Wed 02-02-2022 at 16:15 [+0200]:
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length prefix))))
> + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> + pkg-name)))
When can an exception happen here?
Also, the following seems simpler and equivalent:
(any (lambda (prefix)
       (and (string-prefix? prefix pkg-name)
            (string-drop pkg-name (string-length prefix))))
     '("java-" "perl-" "python-" "python2-" "ruby-"))
It would be nice to test the code for guessing the CPE name of a
package in a few unit tests.
Greetings,
Maxime
Information forwarded to guix-patches <at> gnu.org: bug#53721; Package guix-patches. (Wed, 02 Feb 2022 15:15:02 GMT)
Message #11 received at 53721 <at> debbugs.gnu.org:
On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
> Efraim Flashner wrote on Wed 02-02-2022 at 16:15 [+0200]:
> > + (false-if-exception
> > + (first
> > + (filter string?
> > + (map (lambda (prefix)
> > + (when (string-prefix? prefix pkg-name)
> > + (string-drop pkg-name (string-length prefix))))
> > + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> > + pkg-name)))
>
> When can an exception happen here?
I tossed in 'glibc' since I know that always has CVEs listed against it;
you can't take first from an empty list.
> Also, the following seems simpler and equivalent:
>
> (any (lambda (prefix)
>        (and (string-prefix? prefix pkg-name)
>             (string-drop pkg-name (string-length prefix))))
>      '("java-" "perl-" "python-" "python2-" "ruby-"))
That is much nicer.
> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.
Definitely. Also I should check if we should try dropping any of the
other prefixes. rust might work, go probably needs some actual
transformation to happen.
> Greetings,
> Maxime
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Information forwarded to guix-patches <at> gnu.org: bug#53721; Package guix-patches. (Fri, 04 Feb 2022 21:57:01 GMT)
Message #14 received at 53721 <at> debbugs.gnu.org:
Hello,
Efraim Flashner <efraim <at> flashner.co.il> wrote:
> - (let ((name (or (assoc-ref (package-properties package)
> - 'cpe-name)
> - (package-name package)))
> - (version (or (assoc-ref (package-properties package)
> - 'cpe-version)
> - (package-version package))))
> + (let* ((pkg-name (package-name package))
> + (version (or (assoc-ref (package-properties package)
> + 'cpe-version)
> + (package-version package)))
> + (name
> + (or (assoc-ref (package-properties package)
> + 'cpe-name)
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length prefix))))
> + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> + pkg-name)))
I agree with Maxime’s suggestions.
In addition, I’d suggest moving this code out in two procedures,
‘package-cpe-name’ and ‘package-cpe-version’, that would honor the
relevant property and fall back to stripping prefixes.
Then ‘package-vulnerabilities’ would simply call these two procedures.
How does that sound?
Longer-term, we should add a thing that proposes correct CPE names:
https://issues.guix.gnu.org/42299
Thanks,
Ludo’.
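The shape Maxime and Ludovic describe above, as an added standalone sketch that is not Guix's code: 'package-cpe-name' and 'package-cpe-version' honouring the properties and falling back to prefix stripping via 'any', plus SRFI-64 unit tests covering the no-prefix (glibc) case. A package is modelled here as a plain alist of name, version and properties rather than a Guix <package> record; the prefix list and all package data are constructed for the example.

```scheme
;; Added example, not part of the Guix patch: a standalone model of the
;; two procedures proposed in the thread.  A "package" is an alist here,
;; not a Guix <package> record; the sample data below is constructed.
(use-modules (srfi srfi-1)    ; any
             (srfi srfi-64))  ; test-begin, test-equal, test-end

;; Language prefixes whose removal is a plausible guess at the upstream
;; CPE product name (the list from the patch under discussion).
(define %cpe-name-prefixes '("java-" "perl-" "python-" "python2-" "ruby-"))

(define (strip-language-prefix name)
  "Return NAME without its first matching language prefix, or #f when no
prefix matches, so callers can fall through to the unmodified name."
  (any (lambda (prefix)
         (and (string-prefix? prefix name)
              (string-drop name (string-length prefix))))
       %cpe-name-prefixes))

(define (package-properties* package)
  (or (assq-ref package 'properties) '()))

(define (package-cpe-name package)
  "An explicit 'cpe-name property wins; otherwise guess by stripping a
language prefix; otherwise use the package name as-is."
  (let ((name (assq-ref package 'name)))
    (or (assq-ref (package-properties* package) 'cpe-name)
        (strip-language-prefix name)
        name)))

(define (package-cpe-version package)
  "An explicit 'cpe-version property wins over the package version."
  (or (assq-ref (package-properties* package) 'cpe-version)
      (assq-ref package 'version)))

(test-begin "cpe-name-guessing")
(test-equal "explicit cpe-name property is authoritative" "foo_upstream"
  (package-cpe-name '((name . "python-foo") (version . "1.0")
                      (properties . ((cpe-name . "foo_upstream"))))))
;; This guess is exactly the false-positive risk the commit message
;; describes: python-redis is matched against the redis product's CVEs.
(test-equal "python- prefix stripped" "redis"
  (package-cpe-name '((name . "python-redis") (version . "3.5.3"))))
(test-equal "python2- prefix stripped (python- does not match it)" "six"
  (package-cpe-name '((name . "python2-six") (version . "1.16.0"))))
(test-equal "no prefix: name unchanged, no exception (the glibc case)" "glibc"
  (package-cpe-name '((name . "glibc") (version . "2.33"))))
(test-equal "explicit cpe-version property wins" "1.2.3"
  (package-cpe-version '((name . "bar") (version . "1.2.3-git")
                         (properties . ((cpe-version . "1.2.3"))))))
(test-end "cpe-name-guessing")
```

Run with `guile` on the file; SRFI-64 prints a summary and writes a log with any failing case.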