GNU bug report logs - #74034
[PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.


Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Sat, 26 Oct 2024 22:31:02 UTC

Severity: normal

Tags: patch

Done: Nicolas Graves <ngraves <at> ngraves.fr>


From: Ludovic Courtès <ludo <at> gnu.org>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 74034 <at> debbugs.gnu.org
Subject: [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
Date: Fri, 24 Jan 2025 23:26:05 +0100
Hello,

Nicolas Graves <ngraves <at> ngraves.fr> skribis:

>> What I’m suggesting here is a pattern commonly used in Guix where:
>>
>>   1. There’s only one in-memory representation.
>>
>>   2. There may be several on-disk representations, but we convert them
>>      once for all when reading them.
>>
>> You can find this pattern in manifests, for instance with
>> ‘sexp->manifest’.
>>
>> That’s why I’m suggesting that ‘vulnerability->sexp’ converts to the
>> right in-memory representation when it’s reading a v1 sexp.
>>
>> Does that make sense?
>
> So convert v1-sexp to v2-sexp before passing it further?  The issue is
> that we don't necessarily have the vendor in v1 to be able to convert it
> to v2.  There are some cases where there's no vendor (don't remember if
> it's #f or 'none or something else), I can put that value by default.

Yes, some default value for when vendor info is missing would be good, I
guess.

It’s temporary anyway: next time CVE data is downloaded, it’ll be stored
on-disk as v2.

The other option is to force a redownload if all we have in cache is v1
data.

Ludo’.
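The pattern discussed above (one in-memory representation, every on-disk layout normalized once at read time, plus a check for the "force a redownload if the cache is all v1" alternative), as an added Guile example that is not Guix's own code: the record type, the `v1`/`v2` tags, the field layout and the `#f` default for a missing vendor are all assumptions.

```scheme
(use-modules (ice-9 match) (srfi srfi-1) (srfi srfi-9))

;; The single in-memory representation (hypothetical record, not Guix's own).
(define-record-type <vulnerability>
  (vulnerability id vendor packages)
  vulnerability?
  (id vulnerability-id)
  (vendor vulnerability-vendor)        ; #f when the on-disk data carried none
  (packages vulnerability-packages))

;; Reading: accept both assumed on-disk layouts.  v1 entries have no vendor,
;; so they get the default (#f) here, once, instead of every consumer having
;; to cope with two shapes.
(define (sexp->vulnerability sexp)
  (match sexp
    (('v1 id (packages ...))
     (vulnerability id #f packages))
    (('v2 id vendor (packages ...))
     (vulnerability id vendor packages))
    (_ (error "unsupported vulnerability sexp:" sexp))))

;; Writing: always emit the current (v2) layout, so the next cache write
;; migrates old entries on its own.
(define (vulnerability->sexp vuln)
  `(v2 ,(vulnerability-id vuln)
       ,(vulnerability-vendor vuln)
       ,(vulnerability-packages vuln)))

;; Round-trip every cached entry through the in-memory record.
(define (normalize-cache entries)
  (map (compose vulnerability->sexp sexp->vulnerability) entries))

;; The other option from the thread: treat a cache holding only v1 data as
;; stale and refetch rather than guessing vendors.
(define (cache-needs-refresh? entries)
  (and (pair? entries)
       (every (match-lambda (('v1 . _) #t) (_ #f)) entries)))

;; Constructed sample cache contents (not real CVE data).
(define sample-cache
  '((v1 "CVE-0000-0001" ("foo"))
    (v2 "CVE-0000-0002" "bar_project" ("bar"))))

(display (normalize-cache sample-cache)) (newline)
(display (cache-needs-refresh? '((v1 "CVE-0000-0003" ("baz"))))) (newline)
```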
