GNU bug report logs - #31443
[PATCH 0/5] 'guix health': a tool to report vulnerable packages

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Package: guix-patches; Reported by: Ludovic Courtès <ludo@HIDDEN>; Keywords: patch; merged with #31442, #31444; dated Sun, 13 May 2018 22:40:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.
Merged 31442 31443 31444. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.
Merged 31442 31443. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 13 May 2018 22:39:20 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun May 13 18:39:20 2018
Received: from localhost ([127.0.0.1]:32859 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1fHzeB-0008OG-Py
	for submit <at> debbugs.gnu.org; Sun, 13 May 2018 18:39:20 -0400
Received: from eggs.gnu.org ([208.118.235.92]:34043)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1fHze9-0008O2-2n
 for submit <at> debbugs.gnu.org; Sun, 13 May 2018 18:39:17 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1fHze2-0003CX-R5
 for submit <at> debbugs.gnu.org; Sun, 13 May 2018 18:39:11 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:60242)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <ludo@HIDDEN>) id 1fHze2-0003CR-OP
 for submit <at> debbugs.gnu.org; Sun, 13 May 2018 18:39:10 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53231)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1fHze1-0008GF-Dl
 for guix-patches@HIDDEN; Sun, 13 May 2018 18:39:10 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1fHyLY-0003B0-Ja
 for guix-patches@HIDDEN; Sun, 13 May 2018 17:16:01 -0400
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:51814)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1fHyLU-00039x-QH; Sun, 13 May 2018 17:15:56 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=46738 helo=gnu.org)
 by fencepost.gnu.org with esmtpsa
 (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82)
 (envelope-from <ludo@HIDDEN>)
 id 1fHyLU-0004TK-D4; Sun, 13 May 2018 17:15:56 -0400
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 0/5] 'guix health': a tool to report vulnerable packages
Date: Sun, 13 May 2018 23:15:46 +0200
Message-Id: <20180513211546.10858-1-ludo@HIDDEN>
X-Mailer: git-send-email 2.17.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: submit
Cc: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

Hello Guix!

On IRC davidl shared a shell script that checks the output of ‘guix lint
-c cve’ and uses that to determine vulnerable packages in a profile.
That reminds me of the plan for ‘guix health’ (a tool to do just that),
so I went ahead and tried to make it a reality at last.

This ‘guix health’ reports information about “leaf” packages in a
profile, but not about their dependencies:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix health -p /run/current-system/profile/
guix health: warning: util-linux@HIDDEN may be vulnerable to CVE-2018-7738
guix health: warning: util-linux@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available.  If
none are available, please consider submitting a patch for the package definition of
'util-linux'.


guix health: warning: shadow@HIDDEN may be vulnerable to CVE-2018-7169
guix health: warning: shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
guix health: warning: tar@HIDDEN may be vulnerable to CVE-2016-6321
guix health: warning: tar@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available.  If
none are available, please consider submitting a patch for the package definition of
'tar'.
--8<---------------cut here---------------end--------------->8---

The difficulty here is that we need to know a package’s CPE name before
we can check the CVE database, and we also need to know whether the
package already includes fixes for known CVEs.  This patch set attaches
this information to manifest entries, so that ‘guix health’ can then
rely on it.

Fundamentally, that means we cannot reliably tell much about
dependencies: in cases where the CPE name differs from the Guix name, we
won’t have any match, and more generally, we cannot know what CVE are
patched in the package; we could infer part of this by looking at the
same-named package in the current Guix, but that’s hacky.

I think that longer-term we probably need to attach this kind of
meta-data to packages themselves, by adding a bunch of files in each
package, say under PREFIX/guix.  We could do that for search paths as
well.

Should we satisfy ourselves with the current approach in the meantime?
Thoughts?

Besides, support for properties in manifest entries seems useful to me,
so we may want to keep it regardless of whether we take ‘guix health’
as-is.

Ludo’.

Ludovic Courtès (5):
  profiles: Add '%current-profile', 'user-friendly-profile', & co.
  packages: Add 'package-patched-vulnerabilities'.
  profiles: Add 'properties' field to manifest entries.
  profiles: Record fixed vulnerabilities as properties of entries.
  DRAFT Add 'guix health'.

 Makefile.am              |   1 +
 guix/packages.scm        |  28 +++++++
 guix/profiles.scm        |  91 ++++++++++++++++++++--
 guix/scripts/health.scm  | 158 +++++++++++++++++++++++++++++++++++++++
 guix/scripts/lint.scm    |  23 +-----
 guix/scripts/package.scm |  40 ----------
 po/guix/POTFILES.in      |   1 +
 tests/packages.scm       |  15 ++++
 tests/profiles.scm       |  22 ++++++
 9 files changed, 312 insertions(+), 67 deletions(-)
 create mode 100644 guix/scripts/health.scm

-- 
2.17.0
Acknowledgement sent to Ludovic Courtès <ludo@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#31443; Package guix-patches. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.