GNU bug report logs - #74034
[PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.

Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Sat, 26 Oct 2024 22:31:02 UTC

Severity: normal

Tags: patch

Done: Nicolas Graves <ngraves <at> ngraves.fr>

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 74034 <at> debbugs.gnu.org
Subject: [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.
Date: Wed, 13 Nov 2024 09:08:10 +0100
On 2024-11-13 11:53, Maxim Cournoyer wrote:

> Hi Nicolas,
>
> I think this one looks nicer without the parsing of colons every time we
> need to extract the vendor/package name, thanks for having taken the
> time to adjust it based on Ludovic's feedback.

Ok, will squash both commits then. 
>
> [...]
>
>>  (define (configuration-data->cve-configurations alist)
>>    "Given ALIST, a JSON dictionary for the baroque \"configurations\"
>> @@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
>>    "Checks if a VENDOR matches at least one of <vulnerability> VULN
>>  packages.  When VENDOR is #f, ignore packages that have a vendor among
>>  HIDDEN-VENDORS."
>> -  (define (vendor-matches? vendor+name)
>> -    (if vendor
>> -        (string-prefix? (string-append vendor ":") vendor+name)
>> -        (or (null? hidden-vendors)
>> -            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
>> -                  hidden-vendors)))))
>> -
>>    (match vuln
>>      (($ <vulnerability> id packages)
>>       (any (match-lambda
>> -            (((? vendor-matches? vendor+name) . _)  #t)
>> -            (_                                      #f))
>> +            (((? (cut string=? <> vendor)) _)        #t)
>> +            (((? (cut member <> hidden-vendors)) _)  #t)
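Review bot: the second added clause, `(((? (cut member <> hidden-vendors)) _)  #t)`, returns #t for a package whose vendor is in HIDDEN-VENDORS, which is the opposite of what the docstring promises ("ignore packages that have a vendor among HIDDEN-VENDORS"); either return #f there or drop the clause so those entries fall through to the final `(_ #f)`. The first added clause, `(cut string=? <> vendor)`, also loses the `(if vendor ...)` guard of the removed `vendor-matches?`: with VENDOR set to #f, `string=?` raises a wrong-type error instead of taking the hidden-vendors path, so guard it with `(and vendor (string=? ...))` or test `(not vendor)` before the hidden-vendors clause. Finally, the old pattern `((? vendor-matches? vendor+name) . _)` matched any pair, while the new `((? ...) _)` only matches an entry that is exactly a two-element list; please confirm that is the shape every packages entry has, or keep the dotted `. _` form.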
>
> We are comparing <vulnerability> packages to the vendor strings; is this
> correct?

Actually the first sexp element of <vulnerability> packages (hence the
_). 
>
> At least I'd expect a hidden-vendors match to return #f, since I assume
> we do not want to process these further?

Indeed it looks like a mistake / forgotten not.  Will check the logic.


> The rest looks good to me.
>
> Could you please address my questions/suggestions and squash this into
> the previous commit (with the accompanied changelog commit message
> adjustment) ?

Yep.

-- 
Best regards,
Nicolas Graves


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.