Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org (control message; full text available).
From: Brice Waegeneire <brice@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 40142 <at> debbugs.gnu.org
Date: Sat, 21 Mar 2020 16:57:33 +0000
Subject: Re: bug#40142: CVE checker return false positives
Message-ID: <95d598f98f65efd7a5c89aaf52b80df1@HIDDEN>
In-Reply-To: <87sgi1znd8.fsf@HIDDEN>

Hello,

On 2020-03-21 16:25, Ludovic Courtès wrote:
> Probably the fix would be to preserve the vendor part in the API and to
> somehow use it meaningfully.
>
> Ideas & patches welcome!

I'll see if I can write a patch to fix it then.

>> Also note the missing / on the first line and it output on `stderr'
>> instead of `stdout'.
>
> What do you mean?

I misunderstood the meaning of “gnu/packages/version-control.scm:149:2:” and thought there was a missing / before “gnu/”; this is irrelevant.

About the output stream of “guix lint”: I think it should output to `stdout', not `stderr' as is currently the case.

Brice.
bug-guix@HIDDEN: bug#40142; Package guix. Full text available.
From: Ludovic Courtès <ludo@HIDDEN>
To: Brice Waegeneire <brice@HIDDEN>
Cc: 40142 <at> debbugs.gnu.org
Date: Sat, 21 Mar 2020 17:25:23 +0100
Subject: Re: bug#40142: CVE checker return false positives
Message-ID: <87sgi1znd8.fsf@HIDDEN>
In-Reply-To: <0bb3b7878b37095b4ed7fa49aee5936f@HIDDEN> (Brice Waegeneire's message of "Fri, 20 Mar 2020 09:10:31 +0000")
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5

Hi,

Brice Waegeneire <brice@HIDDEN> wrote:

> The CVE checker of “guix lint” returns false positives:
> ┌────
> │ LANGUAGE=C guix lint git 2>&1
> ├───
> │ gnu/packages/version-control.scm:149:2: git@HIDDEN: probably
> vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110,
> CVE-2018-1000182

[...]

> • [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
> • [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
> • [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier
> […]”
> • [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

(guix cve) reports it as applying to “git”:

--8<---------------cut here---------------start------------->8---
scheme@(guix cve)> (define items (call-with-decompressed-port 'gzip (http-fetch (yearly-feed-uri 2020)) json->cve-items))
scheme@(guix cve)> (find (lambda (item) (string=? (cve-id (cve-item-cve item)) "CVE-2020-2136")) items)
$130 = #<<cve-item> cve: #<<cve> id: "CVE-2020-2136" data-type: CVE data-format: MITRE references: (#<<cve-reference> url: "http://www.openwall.com/lists/oss-security/2020/03/09/1" tags: ("Third Party Advisory")> #<<cve-reference> url: "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" tags: ("Vendor Advisory")>)> configurations: (("git" (<= "4.2.0"))) published-date: #<date nanosecond: 0 second: 0 minute: 15 hour: 16 day: 9 month: 3 year: 2020 zone-offset: 0> last-modified-date: #<date nanosecond: 0 second: 0 minute: 4 hour: 20 day: 9 month: 3 year: 2020 zone-offset: 0>>
--8<---------------cut here---------------end--------------->8---

I think the problem stems from the fact that the CVE configuration specifies “jenkins:git” (where “jenkins” is the “vendor” and “git” is the “product”), but we just strip the vendor part:

--8<---------------cut here---------------start------------->8---
$ wget -O - -q https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz | gunzip | jq
[…]
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "operator": "OR",
            "cpe_match": [
              {
                "vulnerable": true,
                "cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*",
                "versionEndIncluding": "4.2.0"
              }
            ]
          }
        ]
--8<---------------cut here---------------end--------------->8---

It’s usually the case that the vendor part has little relevance for free software packages, but in this case it does make a difference.

Probably the fix would be to preserve the vendor part in the API and to somehow use it meaningfully.

Ideas & patches welcome!

> Also note the missing / on the first line and it output on `stderr'
> instead of `stdout'.

What do you mean?

Thanks,
Ludo’.
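The matching defect described in the message above, as an added example that is not part of the thread and not Guix's own (guix cve) code. It parses the CPE 2.3 strings found in NVD JSON 1.1 `cpe_match` entries, keeps the vendor component instead of discarding it, and evaluates the `versionEnd*`/`versionStart*` bounds. The first fixture mirrors the CVE-2020-2136 configuration quoted in the mail; the second fixture is synthetic, with a placeholder ID that is not a real CVE, under the assumed NVD vendor string `git-scm`, and exists only to show that a vendor-aware match still reports entries that genuinely target git. The package version `2.25.1` is an assumption (the lint output in the thread hides it), and the dotted-version ordering is a simplification rather than Guix's `version-compare`.

```python
"""Vendor-aware CPE matching over NVD JSON 1.1 configuration nodes.

Added example (not Guix code).  It reproduces the failure in this thread: a
matcher that keys on the CPE *product* alone treats
"cpe:2.3:a:jenkins:git:..." (the Jenkins Git Plugin) as a match for the git
package, and shows that keeping the vendor field separates the two.
"""
from typing import NamedTuple


class Cpe(NamedTuple):
    part: str      # "a" application, "o" OS, "h" hardware
    vendor: str
    product: str
    version: str


def parse_cpe23(uri: str) -> Cpe:
    """Split a CPE 2.3 formatted string on unescaped colons.

    The binding has 13 fields: cpe, 2.3, part, vendor, product, version,
    update, edition, language, sw_edition, target_sw, target_hw, other.
    A literal colon inside a field is written "\\:", so a plain split(":")
    would miscount fields for such values.
    """
    fields, cur, i = [], [], 0
    while i < len(uri):
        ch = uri[i]
        if ch == "\\" and i + 1 < len(uri):      # keep the escaped char verbatim
            cur.append(uri[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {uri!r}")
    return Cpe(*fields[2:6])


def version_key(version: str) -> tuple:
    """Dotted-version ordering.  Assumption: numeric dot-separated parts;
    non-numeric parts sort before numeric ones."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in version.split("."))


def in_range(version: str, match: dict) -> bool:
    """Apply the cpe_match version field and the versionStart*/versionEnd* bounds."""
    v, cpe = version_key(version), parse_cpe23(match["cpe23Uri"])
    if cpe.version not in ("*", "-") and version_key(cpe.version) != v:
        return False
    bounds = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding",   lambda b: v <= b),
              ("versionEndExcluding",   lambda b: v < b))
    return all(ok(version_key(match[k])) for k, ok in bounds if k in match)


def vulnerable_matches(item: dict):
    """Yield every cpe_match flagged vulnerable, descending into child nodes.

    Assumption: for a lint-style "probably vulnerable" warning any vulnerable
    entry naming the package suffices, so AND-combined platform conditions
    are not evaluated here.
    """
    def walk(nodes):
        for node in nodes:
            yield from (m for m in node.get("cpe_match", []) if m.get("vulnerable"))
            yield from walk(node.get("children", []))
    return walk(item["configurations"]["nodes"])


def affected_cves(items, product, version, vendor=None):
    """CVE IDs whose configurations match the package.

    vendor=None reproduces the lossy behaviour described in the thread: the
    vendor component is discarded and only the product name is compared.
    """
    hits = []
    for item in items:
        for m in vulnerable_matches(item):
            cpe = parse_cpe23(m["cpe23Uri"])
            if (cpe.product == product and (vendor is None or cpe.vendor == vendor)
                    and in_range(version, m)):
                hits.append(item["cve"]["CVE_data_meta"]["ID"])
                break
    return hits


def nvd_item(cve_id, cpe23, **bounds):
    """Build a minimal NVD JSON 1.1 item with a single vulnerable cpe_match."""
    return {"cve": {"CVE_data_meta": {"ID": cve_id}},
            "configurations": {"CVE_data_version": "4.0", "nodes": [
                {"operator": "OR",
                 "cpe_match": [dict(vulnerable=True, cpe23Uri=cpe23, **bounds)]}]}}


# Constructed fixtures.  The first mirrors the CVE-2020-2136 configuration
# quoted in this thread.  The second is synthetic: a placeholder ID (not a
# real CVE) under the assumed vendor string "git-scm", included only to show
# that a vendor-aware match still reports entries that do target git.
ITEMS = [
    nvd_item("CVE-2020-2136", "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*",
             versionEndIncluding="4.2.0"),
    nvd_item("CVE-0000-00000", "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
             versionEndIncluding="2.25.1"),
]

if __name__ == "__main__":
    # "2.25.1" is an assumed package version; the thread's lint output hides it.
    print("product only :", affected_cves(ITEMS, "git", "2.25.1"))
    print("with vendor  :", affected_cves(ITEMS, "git", "2.25.1", vendor="git-scm"))
    print("jenkins 4.2.1:", affected_cves(ITEMS, "git", "4.2.1", vendor="jenkins"))
```

With `vendor=None` the git package is reported against CVE-2020-2136, exactly the false positive in the lint output; passing the package's vendor drops it while keeping the `git-scm` entry. The practical caveat is the one Ludovic raises: a package recipe must then carry (or derive) the NVD vendor string, and for many free software projects that string is arbitrary (`gnu`, the project name, or the upstream maintainer), so the safe default is to match on vendor only where the package declares one and otherwise fall back to the product-only behaviour.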
From: Brice Waegeneire <brice@HIDDEN>
To: bug-guix@HIDDEN
Date: Fri, 20 Mar 2020 09:10:31 +0000
Subject: CVE checker return false positives
Message-ID: <0bb3b7878b37095b4ed7fa49aee5936f@HIDDEN>

Hello,

The CVE checker of “guix lint” returns false positives:

┌────
│ LANGUAGE=C guix lint git 2>&1
├───
│ gnu/packages/version-control.scm:149:2: git@HIDDEN: probably vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110, CVE-2018-1000182
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12: git@HIDDEN: can be upgraded to 2.25.2
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11: git@HIDDEN: source not archived on Software Heritage
└────

• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier […]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

Also note the missing / on the first line, and that it outputs on `stderr' instead of `stdout'.

[CVE-2020-2136] <https://nvd.nist.gov/vuln/detail/CVE-2020-2136>
[CVE-2019-1003010] <https://nvd.nist.gov/vuln/detail/CVE-2019-1003010>
[CVE-2018-1000110] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000110>
[CVE-2018-1000182] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000182>

Brice.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.