GNU bug report logs - #74034
[PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.


Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Sat, 26 Oct 2024 22:31:02 UTC

Severity: normal

Tags: patch

Done: Nicolas Graves <ngraves <at> ngraves.fr>

Bug is archived. No further changes may be made.



Message #294 received at 74034 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 74034 <at> debbugs.gnu.org
Subject: Re: [bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and
 lint-hidden-cpe-vendors properties.
Date: Wed, 20 Nov 2024 23:10:40 +0100
Nicolas Graves <ngraves <at> ngraves.fr> writes:

> * guix/cve.scm: Exploit CPE vendor information.
> (cpe->package-name): Rename to...
> (cpe->package-identifier): Renamed from cpe->package-name. Use
> cpe_vendor:cpe_name in place of cpe_name.
> (vulnerabily-matches?): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
> (write-cache): Update the format version.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
> in guix/cve.scm.

[...]

>        (write `(vulnerabilities
> -               1                                  ;format version
> +               2                                  ;format version
>                 ,(map vulnerability->sexp vulns))
>               cache))))
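Review bot: bumping the format version to 2 in write-cache needs a matching change on the read side, otherwise a cache already on disk as `(vulnerabilities 1 ...)` no longer matches a reader that only expects version 2. The reader should dispatch on both version numbers, converting v1 entries (which lack vendor information) into the v2 shape, and treat any other version as a stale cache to discard and refetch rather than misparse.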

This is good, but like I wrote, ‘fetch-vulnerabilities’ must be updated
symmetrically, ideally to recognize both v1 and v2 sexps:

    (match sexp
      (('vulnerabilities 2 vulns)
       (map sexp->vulnerability vulns))
      (('vulnerabilities 1 vulns)  ;old format, lacks vendor info
       (map sexp-v1->vulnerability vulns)))

(This is the format used in ~/.cache/guix/cve.)

That’s the only thing missing IMO.

Ludo’.
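To make the two-version reader concrete, here is an added example in Guile Scheme of the pattern suggested in the reply above: a versioned on-disk cache whose writer emits the current (v2) layout and whose reader accepts both v1 and v2 sexps, converting v1 entries that lack vendor information. This is illustrative code, not Guix's own guix/cve.scm; the record fields, the (vendor name version) package shape, and the helper names are assumptions.

```scheme
;; Added example (not Guix code): a versioned sexp cache with a reader that
;; accepts both the old (v1) and current (v2) layouts.  Record fields and
;; the package-entry shape are assumptions made for this example.
(use-modules (ice-9 match)
             (srfi srfi-9))

(define-record-type <vulnerability>
  (vulnerability id packages)
  vulnerability?
  (id vulnerability-id)              ; CVE identifier, e.g. "CVE-2024-0001"
  (packages vulnerability-packages)) ; list of (vendor name version) triples

(define %cache-format-version 2)

;; v2 serialisation: every package entry carries its CPE vendor.
(define (vulnerability->sexp vuln)
  `(,(vulnerability-id vuln) ,(vulnerability-packages vuln)))

;; v2 deserialisation: the ellipsis pattern also validates the entry shape,
;; so a malformed entry raises a match error instead of silently passing.
(define (sexp->vulnerability sexp)
  (match sexp
    ((id ((vendor name version) ...))
     (vulnerability id (map list vendor name version)))))

;; v1 entries only stored (name version) pairs.  Convert them to the v2
;; shape, using #f for the unknown vendor so vendor-aware lookups can tell
;; "no vendor recorded" apart from a real vendor string.
(define (sexp-v1->vulnerability sexp)
  (match sexp
    ((id ((name version) ...))
     (vulnerability id (map (lambda (n v) (list #f n v)) name version)))))

(define (write-cache vulns port)
  (write `(vulnerabilities ,%cache-format-version
                           ,(map vulnerability->sexp vulns))
         port))

;; Read the cache, recognising both versions.  Anything else (a corrupt
;; file or a format newer than this reader) is signalled so the caller can
;; discard the cache and refetch instead of misparsing it.
(define (read-cache port)
  (match (read port)
    (('vulnerabilities 2 vulns)
     (map sexp->vulnerability vulns))
    (('vulnerabilities 1 vulns)          ;old format, lacks vendor info
     (map sexp-v1->vulnerability vulns))
    (other
     (throw 'unsupported-cache-format other))))

;; Write a list of vulnerabilities to a string and read it back.
(define (round-trip vulns)
  (call-with-input-string
   (call-with-output-string (lambda (port) (write-cache vulns port)))
   read-cache))

;; Constructed sample caches, one per format version.
(define %v1-cache-text
  "(vulnerabilities 1 ((\"CVE-2024-0001\" ((\"foo\" \"1.2\")))))")
(define %v2-cache-text
  "(vulnerabilities 2 ((\"CVE-2024-0001\" ((\"foo-project\" \"foo\" \"1.2\")))))")

(define (show-cache text)
  (for-each (lambda (v)
              (format #t "~a ~s~%" (vulnerability-id v) (vulnerability-packages v)))
            (call-with-input-string text read-cache)))

(show-cache %v1-cache-text)   ; vendor is #f after conversion
(show-cache %v2-cache-text)   ; vendor is "foo-project"
(show-cache (call-with-output-string
             (lambda (port)
               (write-cache (call-with-input-string %v1-cache-text read-cache)
                            port))))  ; rewriting a v1 cache yields v2 output
```

Rewriting a v1 cache through write-cache upgrades it to v2 on the next save, so the v1 branch only needs to survive one transition; the catch-all clause is what keeps a truncated or future-format file from being treated as an empty vulnerability list.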




This bug report was last modified 130 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.