From: Brice Waegeneire <brice@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 40142 <at> debbugs.gnu.org
Subject: Re: bug#40142: CVE checker return false positives
Date: Sat, 21 Mar 2020 16:57:33 +0000

Hello,

On 2020-03-21 16:25, Ludovic Courtès wrote:
> Probably the fix would be to preserve the vendor part in the API and to
> somehow use it meaningfully.
>
> Ideas & patches welcome!

I'll see if I can write a patch to fix it, then.

>> Also note the missing / on the first line and it output on `stderr'
>> instead of `stdout'.
>
> What do you mean?

I misunderstood the meaning of “gnu/packages/version-control.scm:149:2:” and thought there was a missing / before “gnu/”; this is irrelevant.

About the output stream of “guix lint”: I think it should output to `stdout', not `stderr' as is currently the case.

Brice.
From: Ludovic Courtès <ludo@HIDDEN>
To: Brice Waegeneire <brice@HIDDEN>
Cc: 40142 <at> debbugs.gnu.org
Subject: Re: bug#40142: CVE checker return false positives
Date: Sat, 21 Mar 2020 17:25:23 +0100
Hi,

Brice Waegeneire <brice@HIDDEN> wrote:

> The CVE checker of “guix lint” returns false positives:
> ┌────
> │ LANGUAGE=C guix lint git 2>&1
> ├───
> │ gnu/packages/version-control.scm:149:2: git@HIDDEN: probably
> vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110,
> CVE-2018-1000182

[...]

> • [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
> • [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
> • [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier […]”
> • [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

(guix cve) reports it as applying to “git”:

--8<---------------cut here---------------start------------->8---
scheme@(guix cve)> (define items
                     (call-with-decompressed-port 'gzip (http-fetch (yearly-feed-uri 2020))
                       json->cve-items))
scheme@(guix cve)> (find (lambda (item)
                           (string=? (cve-id (cve-item-cve item)) "CVE-2020-2136"))
                         items)
$130 = #<<cve-item> cve: #<<cve> id: "CVE-2020-2136" data-type: CVE data-format: MITRE references: (#<<cve-reference> url: "http://www.openwall.com/lists/oss-security/2020/03/09/1" tags: ("Third Party Advisory")> #<<cve-reference> url: "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" tags: ("Vendor Advisory")>)> configurations: (("git" (<= "4.2.0"))) published-date: #<date nanosecond: 0 second: 0 minute: 15 hour: 16 day: 9 month: 3 year: 2020 zone-offset: 0> last-modified-date: #<date nanosecond: 0 second: 0 minute: 4 hour: 20 day: 9 month: 3 year: 2020 zone-offset: 0>>
--8<---------------cut here---------------end--------------->8---

I think the problem stems from the fact that the CVE configuration
specifies “jenkins:git” (where “jenkins” is the “vendor” and “git” is the
“product”), but we just strip the vendor part:

--8<---------------cut here---------------start------------->8---
$ wget -O - -q https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz | gunzip | jq
[…]
        "configurations": {
          "CVE_data_version": "4.0",
          "nodes": [
            {
              "operator": "OR",
              "cpe_match": [
                {
                  "vulnerable": true,
                  "cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*",
                  "versionEndIncluding": "4.2.0"
                }
              ]
            }
          ]
--8<---------------cut here---------------end--------------->8---

It’s usually the case that the vendor part has little relevance for free
software packages, but in this case it does make a difference.

Probably the fix would be to preserve the vendor part in the API and to
somehow use it meaningfully.

Ideas & patches welcome!

> Also note the missing / on the first line and it output on `stderr'
> instead of `stdout'.

What do you mean?

Thanks,
Ludo’.
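The mismatch described in the message above, as an added example that is not Guix's own `(guix cve)` code (it is written in Python rather than Guile): a small matcher over NVD 1.1 `configurations` nodes that keeps the CPE vendor and product separate, run once with the vendor stripped (the behaviour reported in this bug) and once vendor-aware. The feed items are constructed: only the CVE-2020-2136 node is the one quoted above, the other two CVE IDs are placeholders, and the use of `git-scm` as NVD's vendor name for upstream Git is an assumption. Version comparison is a simplistic numeric-tuple ordering, which is enough for the dotted versions in these samples but not a full CPE version algebra.

```python
"""Vendor-aware matching of NVD 1.1 'configurations' against one package.

Added example (not Guix code). It shows why dropping the vendor from
'cpe:2.3:a:jenkins:git:...' makes a Jenkins Git Plugin CVE look like a
Git CVE, and what keeping the vendor changes.
"""
import re

# Constructed sample items in the shape of the nvdcve-1.1-2020.json feed.
# The first is the CVE-2020-2136 configuration quoted in the bug thread;
# the other two use placeholder IDs and assume 'git-scm' is NVD's vendor
# name for upstream Git.
SAMPLE_ITEMS = [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2020-2136"}},
     "configurations": {"CVE_data_version": "4.0", "nodes": [
         {"operator": "OR", "cpe_match": [
             {"vulnerable": True,
              "cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*",
              "versionEndIncluding": "4.2.0"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},   # placeholder ID
     "configurations": {"CVE_data_version": "4.0", "nodes": [
         {"operator": "OR", "cpe_match": [
             {"vulnerable": True,
              "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "2.25.2"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},   # placeholder ID
     "configurations": {"CVE_data_version": "4.0", "nodes": [
         {"operator": "AND", "children": [
             {"operator": "OR", "cpe_match": [
                 {"vulnerable": True,
                  "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.20.0"}]},
             {"operator": "OR", "cpe_match": [
                 {"vulnerable": False,   # platform entry, not the vulnerable product
                  "cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"}]}]}]}},
]

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(uri):
    """Split a CPE 2.3 formatted string into its named components."""
    # A literal ':' inside a component is escaped as '\:', so only split on
    # unescaped colons.
    parts = re.split(r"(?<!\\):", uri)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {uri!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(version):
    """Simplistic ordering: the numeric runs of a dotted version as a tuple."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


RANGE_KEYS = {"versionStartIncluding": lambda v, b: v >= b,
              "versionStartExcluding": lambda v, b: v > b,
              "versionEndIncluding":   lambda v, b: v <= b,
              "versionEndExcluding":   lambda v, b: v < b}


def version_in_range(version, match, cpe):
    """Apply the match's version bounds, or the CPE's own version if none."""
    v = version_key(version)
    bounds = [(k, match[k]) for k in RANGE_KEYS if k in match]
    if bounds:
        return all(RANGE_KEYS[k](v, version_key(b)) for k, b in bounds)
    return cpe["version"] in ("*", "-") or version_key(cpe["version"]) == v


def cpe_match_applies(match, vendor, product, version, ignore_vendor):
    """True if one 'cpe_match' entry covers the given package."""
    cpe = parse_cpe23(match["cpe23Uri"])
    if cpe["product"] != product:
        return False
    # ignore_vendor=True reproduces the reported behaviour: 'jenkins:git'
    # collapses to plain 'git'.
    if not ignore_vendor and cpe["vendor"] != vendor:
        return False
    return version_in_range(version, match, cpe)


def node_applies(node, vendor, product, version, ignore_vendor):
    """Evaluate one configuration node with its OR/AND operator.

    Returns None when the node only describes platforms (vulnerable: false),
    which a package-level checker cannot decide and therefore skips.
    """
    verdicts = [cpe_match_applies(m, vendor, product, version, ignore_vendor)
                for m in node.get("cpe_match", []) if m.get("vulnerable", False)]
    for child in node.get("children", []):
        verdict = node_applies(child, vendor, product, version, ignore_vendor)
        if verdict is not None:
            verdicts.append(verdict)
    if not verdicts:
        return None
    return any(verdicts) if node.get("operator", "OR") == "OR" else all(verdicts)


def vulnerable_cves(items, vendor, product, version, ignore_vendor=False):
    """CVE IDs whose configurations cover (vendor, product, version)."""
    return [item["cve"]["CVE_data_meta"]["ID"] for item in items
            if any(node_applies(n, vendor, product, version, ignore_vendor)
                   for n in item["configurations"]["nodes"])]


if __name__ == "__main__":
    # Constructed package version; the bug report does not state Git's version.
    print("vendor stripped:", vulnerable_cves(SAMPLE_ITEMS, "git-scm", "git", "2.25.1", True))
    print("vendor kept:    ", vulnerable_cves(SAMPLE_ITEMS, "git-scm", "git", "2.25.1"))
```

With the vendor stripped, the Jenkins plugin entry matches the `git` package because `2.25.1` sorts below `4.2.0`; with the vendor kept, only the entries whose vendor is the package's own vendor remain. The remaining design question, which the thread leaves open, is where each Guix package's (vendor, product) pair comes from, since the package name alone cannot supply it.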
From: Brice Waegeneire <brice@HIDDEN>
To: bug-guix@HIDDEN
Subject: CVE checker return false positives
Date: Fri, 20 Mar 2020 09:10:31 +0000

Hello,

The CVE checker of “guix lint” returns false positives:

┌────
│ LANGUAGE=C guix lint git 2>&1
├───
│ gnu/packages/version-control.scm:149:2: git@HIDDEN: probably vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110, CVE-2018-1000182
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12: git@HIDDEN: can be upgraded to 2.25.2
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11: git@HIDDEN: source not archived on Software Heritage
└────

• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier […]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

Also note the missing / on the first line and that it outputs on `stderr' instead of `stdout'.

[CVE-2020-2136] <https://nvd.nist.gov/vuln/detail/CVE-2020-2136>
[CVE-2019-1003010] <https://nvd.nist.gov/vuln/detail/CVE-2019-1003010>
[CVE-2018-1000110] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000110>
[CVE-2018-1000182] <https://nvd.nist.gov/vuln/detail/CVE-2018-1000182>

Brice.