From: Ludovic Courtès <ludo@HIDDEN>
To: Léo Le Bouter <lle-bout@HIDDEN>
Cc: 47188 <at> debbugs.gnu.org
Subject: Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)
Date: Thu, 18 Mar 2021 14:26:18 +0100

Hi,

Léo Le Bouter <lle-bout@HIDDEN> wrote:

> ./pre-inst-env guix lint -c cve python-urllib3@HIDDEN
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).
>
> Annotating each and every python-, go-, and rust- package with cpe-name
> properties is going to be very annoying. I suggest we add some
> heuristics that try both the full name and prefix-trimmed name.
> python-urllib3's cpe name and vendor is python (vendor) urllib3 (name).
>
> Same story for CVE-2021-28305 and rust-diesel, though it doesn't even
> have a CPE entry yet.

Yes, that's an issue. We can address these by adding a ‘cpe-name’
property (info "(guix) Invoking guix lint"), but that's going to be
tedious. We can at least add it to high-profile packages for now.

Tooling that suggests or deduces the CPE name would help a lot:

  https://issues.guix.gnu.org/42299

Ludo'.
From: zimoun <zimon.toutoune@HIDDEN>
To: Léo Le Bouter <lle-bout@HIDDEN>
Cc: 47188 <at> debbugs.gnu.org
Subject: Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-, python-, go-, ..)
Date: Tue, 16 Mar 2021 14:05:13 +0100

Hi,

On Tue, 16 Mar 2021 at 10:30, Léo Le Bouter via Bug reports for GNU Guix
<bug-guix@HIDDEN> wrote:

> ./pre-inst-env guix lint -c cve python-urllib3@HIDDEN
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).

Does the CVE use the upstream name? Or a normalized name?

I mean, in the R world, packages can have names such as 'org.EcK12.eg.db',
which becomes "r-org-eck12-eg-db". To ease the mapping for updating and
co, the package definition contains:

  (properties `((upstream-name . "org.EcK12.eg.db")))

Maybe it could be worth having similar things. WDYT?

All the best,
simon
From: Léo Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Subject: "guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)
Date: Tue, 16 Mar 2021 10:29:43 +0100

./pre-inst-env guix lint -c cve python-urllib3@HIDDEN

Here this should return at least CVE-2021-28363 but it does not because
the CVE database contains urllib3 and not python-urllib3 (which AFAICT
the cve linter searches for).

Annotating each and every python-, go-, and rust- package with cpe-name
properties is going to be very annoying. I suggest we add some
heuristics that try both the full name and prefix-trimmed name.
python-urllib3's cpe name and vendor is python (vendor) urllib3 (name).

Same story for CVE-2021-28305 and rust-diesel, though it doesn't even
have a CPE entry yet.
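As an added illustration (not Guix's own linter code), the following Python sketch implements the candidate-name heuristic proposed in the report above, together with the upstream-name property zimoun suggests in his reply, and runs it against a constructed CPE index containing only the urllib3 entry from the thread. The prefix list, the product-only matching and the sample index are assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple

# Language prefixes Guix prepends to package names; the CPE product name is
# normally the upstream name without them (python-urllib3 -> urllib3).
# Assumed list for this example; longer prefixes come before shorter ones so
# that "r-" never swallows "rust-" or "ruby-".
LANGUAGE_PREFIXES = ("python-", "rust-", "ruby-", "go-", "r-")

# Constructed stand-in for the CVE database's CPE index: (vendor, product) -> CVE ids.
# urllib3 mirrors the thread ("python (vendor) urllib3 (name)"); diesel is
# deliberately absent because, as reported, it has no CPE entry yet.
CPE_INDEX: Dict[Tuple[str, str], List[str]] = {
    ("python", "urllib3"): ["CVE-2021-28363"],
}


def candidate_names(name: str, properties: Optional[dict] = None) -> List[str]:
    """CPE product-name candidates for a Guix package, in precedence order.

    An explicit cpe-name property is authoritative and is used alone.
    Otherwise try the upstream-name property (zimoun's suggestion), the full
    Guix name (what the linter searches today) and the prefix-trimmed name
    (the heuristic proposed in the report)."""
    props = properties or {}
    if "cpe-name" in props:
        return [props["cpe-name"]]
    candidates = [props["upstream-name"]] if "upstream-name" in props else []
    candidates.append(name)
    for prefix in LANGUAGE_PREFIXES:
        if name.startswith(prefix) and len(name) > len(prefix):
            candidates.append(name[len(prefix):])
            break  # only the outermost language prefix is stripped
    return list(dict.fromkeys(candidates))  # de-duplicate, keep order


def lookup_cves(name: str, properties: Optional[dict] = None,
                index: Dict[Tuple[str, str], List[str]] = CPE_INDEX) -> Dict[str, List[str]]:
    """Map each candidate name that has a CPE entry to its CVE ids.

    Matching is on the product field only, so a hit still needs a vendor
    check or a human to confirm it is the right project; an empty dict means
    the package would be reported clean, which is the false negative in this bug."""
    by_product: Dict[str, List[str]] = {}
    for (_vendor, product), cves in index.items():
        by_product.setdefault(product, []).extend(cves)
    return {c: sorted(by_product[c]) for c in candidate_names(name, properties)
            if c in by_product}


if __name__ == "__main__":
    for pkg in ("python-urllib3", "rust-diesel"):
        print(pkg, "->", lookup_cves(pkg) or "no CPE match")
```

The full-name lookup alone misses urllib3 exactly as the report describes; the prefix-trimmed candidate is what recovers CVE-2021-28363, while rust-diesel stays empty because the index has no diesel entry.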
GNU bug tracking system