From: Brice Waegeneire <brice@HIDDEN>
To: bug-guix@HIDDEN
Subject: bug#40142: CVE checker return false positives
Date: Fri, 20 Mar 2020 09:10:31 +0000
Message-ID: <0bb3b7878b37095b4ed7fa49aee5936f@HIDDEN>

Hello,

The CVE checker of “guix lint” returns false positives:

┌────
│ LANGUAGE=C guix lint git 2>&1
├───
│ gnu/packages/version-control.scm:149:2: git@HIDDEN: probably vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110, CVE-2018-1000182
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12: git@HIDDEN: can be upgraded to 2.25.2
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11: git@HIDDEN: source not archived on Software Heritage
└────

• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier […]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

Also note the missing / on the first line and that it outputs on `stderr' instead of `stdout'.

[CVE-2020-2136] <https://nvd.nist.gov/vuln/detail/CVE-2020-2136>
[CVE-2019-1003010] <https://nvd.nist.gov/vuln/detail/CVE-2019-1003010>
[CVE-2018-1000110] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000110>
[CVE-2018-1000182] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000182>

Brice.
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Brice Waegeneire <brice@HIDDEN>
Subject: bug#40142: Acknowledgement (CVE checker return false positives)
Date: Fri, 20 Mar 2020 09:11:02 +0000
Message-ID: <handler.40142.B.158469543921194.ack <at> debbugs.gnu.org>

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please send it to 40142 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system.

-- 
40142: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=40142
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems
From: Ludovic Courtès <ludo@HIDDEN>
To: Brice Waegeneire <brice@HIDDEN>
Cc: 40142 <at> debbugs.gnu.org
Subject: bug#40142: CVE checker return false positives
Date: Sat, 21 Mar 2020 17:25:23 +0100
Message-ID: <87sgi1znd8.fsf@HIDDEN>
In-Reply-To: <0bb3b7878b37095b4ed7fa49aee5936f@HIDDEN>

Hi,

Brice Waegeneire <brice@HIDDEN> skribis:

> The CVE checker of “guix lint” returns false positives:
> ┌────
> │ LANGUAGE=C guix lint git 2>&1
> ├───
> │ gnu/packages/version-control.scm:149:2: git@HIDDEN: probably
> vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110,
> CVE-2018-1000182

[...]

> • [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
> • [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
> • [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier […]”
> • [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

(guix cve) reports it as applying to “git”:

--8<---------------cut here---------------start------------->8---
scheme@(guix cve)> (define items (call-with-decompressed-port 'gzip (http-fetch (yearly-feed-uri 2020)) json->cve-items))
scheme@(guix cve)> (find (lambda (item) (string=? (cve-id (cve-item-cve item)) "CVE-2020-2136")) items)
$130 = #<<cve-item> cve: #<<cve> id: "CVE-2020-2136" data-type: CVE data-format: MITRE references: (#<<cve-reference> url: "http://www.openwall.com/lists/oss-security/2020/03/09/1" tags: ("Third Party Advisory")> #<<cve-reference> url: "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" tags: ("Vendor Advisory")>)> configurations: (("git" (<= "4.2.0"))) published-date: #<date nanosecond: 0 second: 0 minute: 15 hour: 16 day: 9 month: 3 year: 2020 zone-offset: 0> last-modified-date: #<date nanosecond: 0 second: 0 minute: 4 hour: 20 day: 9 month: 3 year: 2020 zone-offset: 0>>
--8<---------------cut here---------------end--------------->8---

I think the problem stems from the fact that the CVE configuration specifies “jenkins:git” (where “jenkins” is the “vendor” and “git” is the “product”), but we just strip the vendor part:

--8<---------------cut here---------------start------------->8---
$ wget -O - -q https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz | gunzip | jq
[…]
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "operator": "OR",
            "cpe_match": [
              {
                "vulnerable": true,
                "cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*",
                "versionEndIncluding": "4.2.0"
              }
            ]
          }
        ]
--8<---------------cut here---------------end--------------->8---

It’s usually the case that the vendor part has little relevance for free software packages, but in this case it does make a difference.

Probably the fix would be to preserve the vendor part in the API and to somehow use it meaningfully.

Ideas & patches welcome!

> Also note the missing / on the first line and that it outputs on `stderr'
> instead of `stdout'.

What do you mean?

Thanks,
Ludo’.
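The vendor-stripping behaviour described in the message above, as an added Python illustration that is not Guix's (guix cve) code: it parses the NVD JSON 1.1 configuration node for CVE-2020-2136 (constructed inline from the jq output quoted in the mail), keeps the CPE vendor field instead of discarding it, and runs the two matching policies side by side. The Git package version 2.25.1 and the `git-scm` vendor mapping for upstream Git are assumptions of this example; the thread does not state either.

```python
"""Added illustration of the CPE vendor problem discussed in the thread.
This is not Guix's (guix cve) module; it mimics the two matching policies
in plain Python so the false positive can be reproduced offline."""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# One NVD JSON 1.1 CVE item, constructed here to mirror the configuration
# node for CVE-2020-2136 quoted in the mail (only the fields used below).
CVE_2020_2136 = {
    "cve": {"CVE_data_meta": {"ID": "CVE-2020-2136"}},
    "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [{
            "operator": "OR",
            "cpe_match": [{
                "vulnerable": True,
                "cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*",
                "versionEndIncluding": "4.2.0",
            }],
        }],
    },
}


@dataclass(frozen=True)
class Affected:
    vendor: str
    product: str
    start: Optional[str]  # versionStartIncluding, or None for "any"
    end: Optional[str]    # versionEndIncluding, or None for "any"


def parse_cpe23(uri: str) -> List[str]:
    """Split a CPE 2.3 formatted string into its 13 fields.  A literal colon
    inside a field is escaped as '\\:', so only unescaped colons separate."""
    fields = re.split(r"(?<!\\):", uri)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {uri!r}")
    return fields


def cve_id(item: dict) -> str:
    return item["cve"]["CVE_data_meta"]["ID"]


def affected_products(item: dict) -> Iterator[Affected]:
    """Yield (vendor, product, version range) for every vulnerable
    application CPE in the item's configuration nodes."""
    for node in item["configurations"]["nodes"]:
        for match in node.get("cpe_match", []):
            if not match.get("vulnerable", False):
                continue
            fields = parse_cpe23(match["cpe23Uri"])
            part, vendor, product, version = fields[2], fields[3], fields[4], fields[5]
            if part != "a":          # skip OS ("o") and hardware ("h") entries
                continue
            if version not in ("*", "-"):   # a single exact version
                yield Affected(vendor, product, version, version)
            else:
                yield Affected(vendor, product,
                               match.get("versionStartIncluding"),
                               match.get("versionEndIncluding"))


def version_key(version: str) -> tuple:
    """Dotted-numeric ordering key: '2.25.1' -> (2, 25, 1).  Sufficient for
    the upstream-style versions compared in this illustration."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def in_range(version: str, aff: Affected) -> bool:
    key = version_key(version)
    if aff.start is not None and key < version_key(aff.start):
        return False
    if aff.end is not None and key > version_key(aff.end):
        return False
    return True


def vulnerable_ignoring_vendor(package: str, version: str,
                               items: Iterable[dict]) -> List[str]:
    """The behaviour described in the thread: match on product name only,
    so the Guix package 'git' collides with the 'jenkins:git' plugin."""
    return sorted({cve_id(item) for item in items
                   for aff in affected_products(item)
                   if aff.product == package and in_range(version, aff)})


def vulnerable_with_vendor(vendor: str, package: str, version: str,
                           items: Iterable[dict]) -> List[str]:
    """The suggested fix: the package also declares the CPE vendor it
    corresponds to, and both fields must match."""
    return sorted({cve_id(item) for item in items
                   for aff in affected_products(item)
                   if (aff.vendor, aff.product) == (vendor, package)
                   and in_range(version, aff)})


if __name__ == "__main__":
    # Assumed package version for the illustration; the lint output in the
    # thread hides it.  The vendor 'git-scm' is what NVD uses for upstream
    # Git (an assumption of this example, not stated in the thread).
    print(vulnerable_ignoring_vendor("git", "2.25.1", [CVE_2020_2136]))
    print(vulnerable_with_vendor("git-scm", "git", "2.25.1", [CVE_2020_2136]))
    print(vulnerable_with_vendor("jenkins", "git", "4.2.0", [CVE_2020_2136]))
```

Running it prints `['CVE-2020-2136']` for the product-only match (the false positive from the report), `[]` once the package declares its vendor, and `['CVE-2020-2136']` again for a hypothetical package that really is the Jenkins plugin at 4.2.0. The `target_sw` field (`jenkins`, eleventh field of the CPE) would be a second usable signal, but the vendor alone already separates the two products here.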
From: Brice Waegeneire <brice@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 40142 <at> debbugs.gnu.org
Subject: bug#40142: CVE checker return false positives
Date: Sat, 21 Mar 2020 16:57:33 +0000
Message-ID: <95d598f98f65efd7a5c89aaf52b80df1@HIDDEN>
In-Reply-To: <87sgi1znd8.fsf@HIDDEN>

Hello,

On 2020-03-21 16:25, Ludovic Courtès wrote:
> Probably the fix would be to preserve the vendor part in the API and to
> somehow use it meaningfully.
>
> Ideas & patches welcome!

I'll see if I can write a patch to fix it then.

>> Also note the missing / on the first line and that it outputs on `stderr'
>> instead of `stdout'.
>
> What do you mean?

I misunderstood the meaning of “gnu/packages/version-control.scm:149:2:” and thought there was a missing / before “gnu/”; this is irrelevant.

About the output stream of “guix lint”, I think it should output to `stdout', not `stderr' as is currently the case.

Brice.
From: Ludovic Courtès <ludo@HIDDEN>
To: control <at> debbugs.gnu.org
Subject: control message for bug #40142
Date: Sat, 21 Mar 2020 22:57:20 +0100
Message-Id: <87y2rtwev3.fsf@HIDDEN>

retitle 40142 (guix cve) discards configuration "vendor", leading to false positives
quit
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.