Subject: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
From: Efraim Flashner <efraim@HIDDEN>
To: 53721 <at> debbugs.gnu.org
Cc: Efraim Flashner <efraim@HIDDEN>
Date: Wed, 2 Feb 2022 16:15:20 +0200
Message-Id: <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@HIDDEN>

* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---

When I checked for cpe-name in the Guix repo there weren't a lot of hits.
Clearly just stripping off the leading 'python2-' or whatever isn't
completely the correct answer; python-redis@HIDDEN isn't likely vulnerable
to redis@HIDDEN's CVEs, but as-is there are almost no CVEs easily
discovered for any of our language library packages.
guix/lint.scm | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/guix/lint.scm b/guix/lint.scm index 3ca7a0b608..7f08d6af5e 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -7,7 +7,7 @@ ;;; Copyright © 2016 Hartmut Goebel <h.goebel@HIDDEN> ;;; Copyright © 2017 Alex Kost <alezost@HIDDEN> ;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@HIDDEN> -;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@HIDDEN> +;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@HIDDEN> ;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@HIDDEN> ;;; Copyright © 2020 Chris Marusich <cmmarusich@HIDDEN> ;;; Copyright © 2020 Timothy Sample <samplet@HIDDEN> @@ -1416,12 +1416,21 @@ (define package-vulnerabilities "Return a list of vulnerabilities affecting PACKAGE." ;; First we retrieve the Common Platform Enumeration (CPE) name and ;; version for PACKAGE, then we can pass them to LOOKUP. - (let ((name (or (assoc-ref (package-properties package) - 'cpe-name) - (package-name package))) - (version (or (assoc-ref (package-properties package) - 'cpe-version) - (package-version package)))) + (let* ((pkg-name (package-name package)) + (version (or (assoc-ref (package-properties package) + 'cpe-version) + (package-version package))) + (name + (or (assoc-ref (package-properties package) + 'cpe-name) + (false-if-exception + (first + (filter string? + (map (lambda (prefix) + (when (string-prefix? prefix pkg-name) + (string-drop pkg-name (string-length prefix)))) + '("java-" "perl-" "python-" "python2-" "ruby-"))))) + pkg-name))) ((force lookup) name version))))) (define* (check-vulnerabilities package base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c -- 2.34.0
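Review bot: in the package-vulnerabilities hunk, the fallback relies on exception masking for ordinary control flow. `(when (string-prefix? prefix pkg-name) ...)` yields an unspecified value for every non-matching prefix, `(filter string? ...)` discards those, and `first` then raises on the empty list you get for any package without a known prefix (glibc, say), which `false-if-exception` turns into #f so that `or` falls through to `pkg-name`. That works, but `false-if-exception` also swallows any unrelated error raised inside that form, and the intent is hard to read. The same logic needs no exception handling when written as `(any (lambda (prefix) (and (string-prefix? prefix pkg-name) (string-drop pkg-name (string-length prefix)))) '("java-" "perl-" "python-" "python2-" "ruby-"))`, which returns the stripped name for the first matching prefix and #f otherwise. Two further points: the stripped name is handed to `lookup` with nothing marking it as a guess, so a CVE reported for `redis` against `python-redis` (the false positive the cover note itself anticipates) is indistinguishable in the lint output from a match on an explicit `cpe-name` property; consider carrying a flag or emitting a distinct warning for guessed names. And the new prefix-stripping logic ships without a unit test; a small table of package-name to expected CPE-name cases, including the no-prefix case, would pin the behaviour down.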
Subject: bug#53721: Acknowledgement ([PATCH] lint: Perform fuzzy search on package names for CVE checker.)
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Efraim Flashner <efraim@HIDDEN>
Date: Wed, 02 Feb 2022 14:17:02 +0000
Message-ID: <handler.53721.B.16438113673689.ack <at> debbugs.gnu.org>

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 53721 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--
53721: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=53721
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems
Subject: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
From: Maxime Devos <maximedevos@HIDDEN>
To: Efraim Flashner <efraim@HIDDEN>, 53721 <at> debbugs.gnu.org
Date: Wed, 02 Feb 2022 15:54:38 +0100
Message-ID: <47b10d97f63c470b29087ec389d02c71dce038fc.camel@HIDDEN>
In-Reply-To: <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@HIDDEN>

Efraim Flashner wrote on Wed 02-02-2022 at 16:15 [+0200]:
> +                   (false-if-exception
> +                    (first
> +                     (filter string?
> +                             (map (lambda (prefix)
> +                                    (when (string-prefix? prefix pkg-name)
> +                                      (string-drop pkg-name (string-length prefix))))
> +                                  '("java-" "perl-" "python-" "python2-" "ruby-")))))
> +                   pkg-name)))

When can an exception happen here?

Also, the following seems simpler and equivalent:

(any (lambda (prefix)
       (and (string-prefix? prefix pkg-name)
            (string-drop pkg-name (string-length prefix))))
     '("java-" "perl-" "python-" "python2-" "ruby-"))

It would be nice to test the code for guessing the CPE name of a
package in a few unit tests.

Greetings,
Maxime
Subject: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
From: Efraim Flashner <efraim@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>
Cc: 53721 <at> debbugs.gnu.org
Date: Wed, 2 Feb 2022 17:13:25 +0200
Message-ID: <YfqfleUrtggE58IW@3900XT>
In-Reply-To: <47b10d97f63c470b29087ec389d02c71dce038fc.camel@HIDDEN>

On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
> Efraim Flashner wrote on Wed 02-02-2022 at 16:15 [+0200]:
> > +                   (false-if-exception
> > +                    (first
> > +                     (filter string?
> > +                             (map (lambda (prefix)
> > +                                    (when (string-prefix? prefix pkg-name)
> > +                                      (string-drop pkg-name (string-length prefix))))
> > +                                  '("java-" "perl-" "python-" "python2-" "ruby-")))))
> > +                   pkg-name)))
>
> When can an exception happen here?

I tossed in 'glibc' since I know that always has CVEs listed against it;
you can't take first from an empty list.

> Also, the following seems simpler and equivalent:
>
> (any (lambda (prefix)
>        (and (string-prefix? prefix pkg-name)
>             (string-drop pkg-name (string-length prefix))))
>      '("java-" "perl-" "python-" "python2-" "ruby-"))

That is much nicer.

> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.

Definitely. Also I should check if we should try dropping any of the
other prefixes. rust might work, go probably needs some actual
transformation to happen.

> Greetings,
> Maxime

--
Efraim Flashner <efraim@HIDDEN> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Subject: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
From: Ludovic Courtès <ludo@HIDDEN>
To: Efraim Flashner <efraim@HIDDEN>
Cc: Maxime Devos <maximedevos@HIDDEN>, 53721 <at> debbugs.gnu.org
Date: Fri, 04 Feb 2022 22:56:14 +0100
Message-ID: <87bkzmmh35.fsf@HIDDEN>
In-Reply-To: <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@HIDDEN> (Efraim Flashner's message of "Wed, 2 Feb 2022 16:15:20 +0200")

Hello,

Efraim Flashner <efraim@HIDDEN> wrote:

> -  (let ((name (or (assoc-ref (package-properties package)
> -                             'cpe-name)
> -                  (package-name package)))
> -        (version (or (assoc-ref (package-properties package)
> -                                'cpe-version)
> -                     (package-version package))))
> +  (let* ((pkg-name (package-name package))
> +         (version (or (assoc-ref (package-properties package)
> +                                 'cpe-version)
> +                      (package-version package)))
> +         (name
> +          (or (assoc-ref (package-properties package)
> +                         'cpe-name)
> +              (false-if-exception
> +               (first
> +                (filter string?
> +                        (map (lambda (prefix)
> +                               (when (string-prefix? prefix pkg-name)
> +                                 (string-drop pkg-name (string-length prefix))))
> +                             '("java-" "perl-" "python-" "python2-" "ruby-")))))
> +              pkg-name)))

I agree with Maxime’s suggestions.

In addition, I’d suggest moving this code out in two procedures,
‘package-cpe-name’ and ‘package-cpe-version’, that would honor the
relevant property and fall back to stripping prefixes.  Then
‘package-vulnerabilities’ would simply call these two procedures.

How does that sound?

Longer-term, we should add a thing that proposes correct CPE names:

  https://issues.guix.gnu.org/42299

Thanks,
Ludo’.
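As an added example (not Guix's code, and not code posted by anyone in this thread), here is what the split into 'package-cpe-name' and 'package-cpe-version' suggested above could look like in Guile, using the 'any'-based prefix stripping from the earlier reply and the unit tests both reviewers asked for. It assumes a toy alist representation of packages in place of Guix's package record and its 'package-name' / 'package-version' / 'package-properties' accessors, and it adds a guessed? flag that the patch under review does not have, so that a caller can tell a stripped-prefix guess from an explicit 'cpe-name' property. The package names and versions in the tests are constructed sample input.

```scheme
;; Added example, not Guix's code.  Packages are modelled as alists with
;; 'name, 'version and 'properties keys (an assumption; Guix uses records).
(use-modules (srfi srfi-1)     ; any
             (srfi srfi-64))   ; test-begin, test-equal, test-end

(define %cpe-name-prefixes
  ;; The language prefixes the patch proposes stripping.
  '("java-" "perl-" "python-" "python2-" "ruby-"))

(define (strip-known-prefix name)
  "Return NAME with the first matching prefix of %CPE-NAME-PREFIXES
removed, or #f when none matches.  'any' yields #f on no match, so a bare
name such as \"glibc\" needs no exception handling."
  (any (lambda (prefix)
         (and (string-prefix? prefix name)
              (string-drop name (string-length prefix))))
       %cpe-name-prefixes))

(define (package-property package key)
  ;; Look KEY up in the package's property alist, #f when absent.
  (assoc-ref (or (assoc-ref package 'properties) '()) key))

(define (package-cpe-name package)
  "Return a pair (CPE-NAME . GUESSED?) for PACKAGE.  An explicit
'cpe-name property wins and is never a guess; a stripped prefix is a
guess; otherwise the package name is used as-is."
  (let ((name (assoc-ref package 'name)))
    (cond ((package-property package 'cpe-name)
           => (lambda (cpe) (cons cpe #f)))
          ((strip-known-prefix name)
           => (lambda (stripped) (cons stripped #t)))
          (else (cons name #f)))))

(define (package-cpe-version package)
  "Return the 'cpe-version property of PACKAGE, or its version."
  (or (package-property package 'cpe-version)
      (assoc-ref package 'version)))

(define (make-package name version . properties)
  ;; Helper for the constructed test packages below.
  `((name . ,name) (version . ,version) (properties . ,properties)))

(test-begin "cpe-name-guessing")
(test-equal "explicit property wins and is not a guess"
  '("openssl" . #f)
  (package-cpe-name (make-package "python-pyopenssl" "21.0.0"
                                  '(cpe-name . "openssl"))))
(test-equal "language prefix stripped and flagged as a guess"
  '("redis" . #t)
  (package-cpe-name (make-package "python-redis" "3.5.3")))
(test-equal "python2- does not match the python- prefix"
  '("six" . #t)
  (package-cpe-name (make-package "python2-six" "1.16.0")))
(test-equal "no known prefix: name used as-is, no exception raised"
  '("glibc" . #f)
  (package-cpe-name (make-package "glibc" "2.33")))
(test-equal "prefix not in the list is left alone"
  '("rust-serde" . #f)
  (package-cpe-name (make-package "rust-serde" "1.0.133")))
(test-equal "cpe-version property overrides the package version"
  "1.1.1l"
  (package-cpe-version (make-package "openssl" "1.1.1l-guix"
                                     '(cpe-version . "1.1.1l"))))
(test-end "cpe-name-guessing")
```

Run it with `guile cpe-name.scm`; SRFI-64 prints a summary and writes a log file in the current directory. The guessed? flag is the piece the patch lacks: a lint warning produced from a guessed name can then say so, which is what lets a maintainer triage a `redis` CVE reported against `python-redis` as a probable false positive rather than treating it like a hit on a curated 'cpe-name' property.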
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.