GNU bug report logs - #53721
[PATCH] lint: Perform fuzzy search on package names for CVE checker.


Package: guix-patches;

Reported by: Efraim Flashner <efraim <at> flashner.co.il>

Date: Wed, 2 Feb 2022 14:17:02 UTC

Severity: normal

Tags: patch



Message #5 received at submit <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: guix-patches <at> gnu.org
Cc: Efraim Flashner <efraim <at> flashner.co.il>
Subject: [PATCH] lint: Perform fuzzy search on package names for CVE checker.
Date: Wed,  2 Feb 2022 16:15:20 +0200
* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---

When I checked for cpe-name in the Guix repo, there weren't a lot of
hits. Clearly, just stripping off the leading 'python2-' or whatever
isn't completely the correct answer (python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs), but as-is there are almost no CVEs
easily discovered for any of our language library packages.

 guix/lint.scm | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/guix/lint.scm b/guix/lint.scm
index 3ca7a0b608..7f08d6af5e 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2016 Hartmut Goebel <h.goebel <at> crazy-compilers.com>
 ;;; Copyright © 2017 Alex Kost <alezost <at> gmail.com>
 ;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me <at> tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim <at> flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim <at> flashner.co.il>
 ;;; Copyright © 2018, 2019 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;; Copyright © 2020 Chris Marusich <cmmarusich <at> gmail.com>
 ;;; Copyright © 2020 Timothy Sample <samplet <at> ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
       "Return a list of vulnerabilities affecting PACKAGE."
       ;; First we retrieve the Common Platform Enumeration (CPE) name and
       ;; version for PACKAGE, then we can pass them to LOOKUP.
-      (let ((name    (or (assoc-ref (package-properties package)
-                                    'cpe-name)
-                         (package-name package)))
-            (version (or (assoc-ref (package-properties package)
-                                    'cpe-version)
-                         (package-version package))))
+      (let* ((pkg-name (package-name package))
+             (version  (or (assoc-ref (package-properties package)
+                                      'cpe-version)
+                           (package-version package)))
+             (name
+               (or (assoc-ref (package-properties package)
+                              'cpe-name)
+                   (false-if-exception
+                     (first
+                       (filter string?
+                               (map (lambda (prefix)
+                                      (when (string-prefix? prefix pkg-name)
+                                        (string-drop pkg-name (string-length prefix))))
+                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
+                   pkg-name)))
         ((force lookup) name version)))))
 
 (define* (check-vulnerabilities package
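Review bot: the new `name` binding replaces the package name outright with its prefix-stripped form whenever no `cpe-name` property is set, so `python-redis` is looked up as `redis` and inherits every CVE filed against the Redis server, which is exactly the false positive the commit message acknowledges; the unstripped `pkg-name` is never tried at all, even though the ChangeLog entry says the stripped name is "also" allowed. A safer shape is to keep the full `pkg-name` as the first candidate and consult the stripped name only when the lookup on the full name yields nothing (or return both so callers can tell an exact match from a fuzzy one). The `first`/`filter`/`when` chain also relies on `false-if-exception` to turn the no-match case (an empty list handed to `first`) into `#f`, which would just as readily swallow an unrelated error; since `first` already comes from SRFI-1, `any` does the same search without raising:
(any (lambda (prefix)
       (and (string-prefix? prefix pkg-name) (string-drop pkg-name (string-length prefix))))
     '("java-" "perl-" "python-" "python2-" "ruby-"))
The docstring should also say that, absent a `cpe-name` property, the CPE name is guessed by stripping a language prefix, so readers of lint results know where fuzzy matches come from.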

base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c
-- 
2.34.0

This bug report was last modified 3 years and 132 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.