GNU logs - #42299, boring messages

Message sent to me@HIDDEN, maxim.cournoyer@HIDDEN, bug-guix@HIDDEN:

Subject: bug#42299: =?UTF-8?Q?=E2=80=98guix_?= =?UTF-8?Q?lint=E2=80=99?= should suggest CPE name
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: me@HIDDEN, maxim.cournoyer@HIDDEN, bug-guix@HIDDEN
Resent-Date: Thu, 09 Jul 2020 22:11:02 +0000
Resent-Message-ID: <handler.42299.B.159433263731404 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 42299 <at> debbugs.gnu.org
Cc: Tobias Geerinckx-Rice <me@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Date: Fri, 10 Jul 2020 00:10:21 +0200
Message-ID: <87sge09w6q.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello!

On IRC earlier today we were looking at
<https://repology.org/repository/gnuguix/problems> and wondering about
the CPE suggestions (which are nice!).

I tried the attached hack, which produces a few useless and sometimes
erroneous suggestions, by comparing the =E2=80=9Creferences=E2=80=9D of eac=
h CVE
(usually URLs of a security advisory or bug report) to the home page of
the package:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env  guix lint -c cpe
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:2866:2: pam-krb5@HIDDEN: suggested CPE name: 'pam-krb5'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1367:2: sudo@HIDDEN: suggested CPE name: 'element_sof=
tware_management_node'
gnu/packages/admin.scm:1367:2: sudo@HIDDEN: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@HIDDEN: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@HIDDEN: suggested CPE name: 'sudo'
gnu/packages/admin.scm:614:2: shadow@HIDDEN: suggested CPE name: 'shadow'
gnu/packages/aspell.scm:99:2: aspell-dict-ar@HIDDEN: suggested CPE name: 'as=
pell'
gnu/packages/aspell.scm:99:2: aspell-dict-mi@HIDDEN: suggested CPE name: 'a=
spell'
gnu/packages/aspell.scm:99:2: aspell-dict-pl@HIDDEN: suggested CPE name: 'a=
spell'
gnu/packages/aspell.scm:99:2: aspell-dict-ru@HIDDEN: suggested CPE name: =
'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-sv@HIDDEN: suggested CPE name: 'a=
spell'
gnu/packages/aspell.scm:99:2: aspell-dict-fr@HIDDEN: suggested CPE name: 'a=
spell'
gnu/packages/aspell.scm:99:2: aspell-dict-pt-br@20131030-12-0: suggested CP=
E name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-el@HIDDEN: suggested CPE name: 'a=
spell'
gnu/packages/aspell.scm:99:2: aspell-dict-hi@HIDDEN: suggested CPE name: 'a=
spell'
gnu/packages/aspell.scm:99:2: aspell-dict-de@20161207-7-0: suggested CPE na=
me: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-be@HIDDEN: suggested CPE name: 'asp=
ell'
gnu/packages/aspell.scm:99:2: aspell-dict-es@HIDDEN: suggested CPE name: 'a=
spell'
gnu/packages/aspell.scm:99:2: aspell-dict-grc@HIDDEN: suggested CPE name: '=
aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fi@HIDDEN: suggested CPE name: 'as=
pell'
gnu/packages/aspell.scm:99:2: aspell-dict-da@HIDDEN: suggested CPE nam=
e: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-nl@HIDDEN: suggested CPE name: 'a=
spell'
gnu/packages/aspell.scm:41:2: aspell@HIDDEN: suggested CPE name: 'aspell'
[=E2=80=A6]
--8<---------------cut here---------------end--------------->8---

The conclusion is that, to make good suggestions, we need to parse the
CPE dictionary as well:

  https://nvd.nist.gov/Products/CPE

This one is still XML (not JSON) and we=E2=80=99d have to merge duplicates,=
 as
in this example:

--8<---------------cut here---------------start------------->8---
  <cpe-item name=3D"cpe:/a:gnu:cpio:-">
    <title xml:lang=3D"en-US">GNU cpio</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:-:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:1.0">
    <title xml:lang=3D"en-US">GNU cpio 1.0</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:1.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:1.1">
    <title xml:lang=3D"en-US">GNU cpio 1.1</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:1.1:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:1.2">
    <title xml:lang=3D"en-US">GNU cpio 1.2</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:1.2:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:1.3">
    <title xml:lang=3D"en-US">GNU cpio 1.3</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:1.3:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:2.4-2">
    <title xml:lang=3D"en-US">GNU cpio 2.4.2</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:2.4-2:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:2.5">
    <title xml:lang=3D"en-US">GNU cpio 2.5</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:2.5:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:2.5.90">
    <title xml:lang=3D"en-US">GNU cpio 2.5.90</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:2.5.90:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:2.6">
    <title xml:lang=3D"en-US">GNU cpio 2.6</title>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:2.6:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name=3D"cpe:/a:gnu:cpio:2.7">
    <title xml:lang=3D"en-US">GNU cpio 2.7</title>
    <references>
      <reference href=3D"https://ftp.gnu.org/gnu/cpio/">Change Log</referen=
ce>
    </references>
    <cpe-23:cpe23-item name=3D"cpe:2.3:a:gnu:cpio:2.7:*:*:*:*:*:*:*"/>
  </cpe-item>
 --8<---------------cut here---------------end--------------->8---

The references are not always useful, as above, but sometimes there=E2=80=
=99s a
=E2=80=9CProduct=E2=80=9D reference that is the package home page.

Anyway, would be nice to add that to (guix cve) instead of succumbing to
the convenience of SaaSS!

Ludo=E2=80=99.


--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

diff --git a/guix/cve.scm b/guix/cve.scm
index 7dd9005f09..52a19e0523 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright =C2=A9 2015, 2016, 2017, 2018, 2019 Ludovic Court=C3=A8s <lu=
do@HIDDEN>
+;;; Copyright =C2=A9 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Court=C3=
=A8s <ludo@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -54,6 +54,7 @@
             vulnerability?
             vulnerability-id
             vulnerability-packages
+            vulnerability-references
=20
             json->vulnerabilities
             current-vulnerabilities
@@ -255,20 +256,23 @@ records."
   (* 3600 24 (date-month %now)))
=20
 (define-record-type <vulnerability>
-  (vulnerability id packages)
+  (vulnerability id packages references)
   vulnerability?
   (id         vulnerability-id)             ;string
-  (packages   vulnerability-packages))      ;((p1 sexp1) (p2 sexp2) ...)
+  (packages   vulnerability-packages)       ;((p1 sexp1) (p2 sexp2) ...)
+  (references vulnerability-references))    ;list of URLs
=20
 (define vulnerability->sexp
   (match-lambda
-    (($ <vulnerability> id packages)
-     `(v ,id ,packages))))
+    (($ <vulnerability> id packages references)
+     `(v ,id ,packages ,references))))
=20
 (define sexp->vulnerability
   (match-lambda
-    (('v id (packages ...))
-     (vulnerability id packages))))
+    (('v id (packages ...) (references ...))      ;format version 2
+     (vulnerability id packages references))
+    (('v id (packages ...))                       ;format version 1
+     (vulnerability id packages '()))))
=20
 (define (cve-configuration->package-list config)
   "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
@@ -313,20 +317,23 @@ versions."
   "Return a <vulnerability> corresponding to ITEM, a <cve-item> record;
 return #f if ITEM does not list any configuration or if it does not list
 any \"a\" (application) configuration."
-  (let ((id (cve-id (cve-item-cve item))))
+  (let ((id         (cve-id (cve-item-cve item)))
+        (references (cve-references (cve-item-cve item))))
     (match (cve-item-configurations item)
       (()                                         ;no configurations
        #f)
       ((configs ...)
        (vulnerability id
                       (merge-package-lists
-                       (map cve-configuration->package-list configs)))))))
+                       (map cve-configuration->package-list configs))
+                      (filter-map cve-reference-url references))))))
=20
 (define (json->vulnerabilities json)
   "Parse JSON, an input port or a string, and return the list of
 vulnerabilities found therein."
   (filter-map cve-item->vulnerability (json->cve-items json)))
=20
+(use-modules (ice-9 pretty-print))
 (define (write-cache input cache)
   "Read vulnerabilities as gzipped JSON from INPUT, and write it as a comp=
act
 sexp to CACHE."
@@ -335,8 +342,8 @@ sexp to CACHE."
       (define vulns
         (json->vulnerabilities input))
=20
-      (write `(vulnerabilities
-               1                                  ;format version
+      (pretty-print `(vulnerabilities
+               2                                  ;format version
                ,(map vulnerability->sexp vulns))
              cache))))
=20
@@ -369,7 +376,7 @@ the given TTL (fetch from the NIST web site when TTL ha=
s expired)."
          (sexp (read* port)))
     (close-port port)
     (match sexp
-      (('vulnerabilities 1 vulns)
+      (('vulnerabilities (or 2 1) vulns)
        (map sexp->vulnerability vulns)))))
=20
 (define (current-vulnerabilities)
diff --git a/guix/lint.scm b/guix/lint.scm
index 445c06f8f4..6b65df34a3 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1108,6 +1108,23 @@ vulnerability records for PACKAGE by calling PACKAGE=
-VULNERABILITIES."
                (list (string-join (map vulnerability-id unpatched)
                                   ", "))))))))))
=20
+(define* (check-cpe-name package
+                         #:optional (vulnerabilities
+                                     (current-vulnerabilities*)))
+  (define home-page
+    (package-home-page package))
+
+  (filter-map (lambda (vuln)
+                (and (any (cut string-prefix? home-page <>)
+                          (vulnerability-references vuln))
+                     (make-warning
+                      package
+                      (G_ "suggested CPE name: '~a'")
+                      (match (vulnerability-packages vuln)
+                        (((p _) _ ...)
+                         (list p))))))
+              vulnerabilities))
+
 (define (check-for-updates package)
   "Check if there is an update available for PACKAGE."
   (match (with-networking-fail-safe
@@ -1426,6 +1443,10 @@ or a list thereof")
      (description "Check the Common Vulnerabilities and Exposures\
  (CVE) database")
      (check       check-vulnerabilities))
+   (lint-checker
+     (name        'cpe)
+     (description "Check the Common Platform Enumeration names")
+     (check       check-cpe-name))
    (lint-checker
      (name        'refresh)
      (description "Check the package for new upstream releases")

--=-=-=--

Message sent:

Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: bug#42299: Acknowledgement (=?UTF-8?Q?=E2=80=98guix_?=
 =?UTF-8?Q?lint=E2=80=99?= should suggest CPE name)
Message-ID: <handler.42299.B.159433263731404.ack <at> debbugs.gnu.org>
References: <87sge09w6q.fsf@HIDDEN>
X-Gnu-PR-Message: ack 42299
X-Gnu-PR-Package: guix
Reply-To: 42299 <at> debbugs.gnu.org
Date: Thu, 09 Jul 2020 22:11:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

As you requested using X-Debbugs-CC, your message was also forwarded to
  Tobias Geerinckx-Rice <me@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@gm=
ail.com>
(after having been given a bug report number, if it did not have one).

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 42299 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--=20
42299: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D42299
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

Message received at control <at> debbugs.gnu.org:

Received: (at control) by debbugs.gnu.org; 18 Mar 2021 13:26:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Mar 18 09:26:52 2021
Received: from localhost ([127.0.0.1]:45360 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lMsfr-0007rx-UL
	for submit <at> debbugs.gnu.org; Thu, 18 Mar 2021 09:26:52 -0400
Received: from eggs.gnu.org ([209.51.188.92]:49166)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1lMsfq-0007rk-B6
 for control <at> debbugs.gnu.org; Thu, 18 Mar 2021 09:26:50 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:54832)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>) id 1lMsfl-0001Od-5v
 for control <at> debbugs.gnu.org; Thu, 18 Mar 2021 09:26:45 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=53152 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1lMsfi-00034H-SL
 for control <at> debbugs.gnu.org; Thu, 18 Mar 2021 09:26:44 -0400
Date: Thu, 18 Mar 2021 14:26:41 +0100
Message-Id: <878s6kr3se.fsf@HIDDEN>
To: control <at> debbugs.gnu.org
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: control message for bug #42299
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

tags 42299 + security
quit

Last modified: Thu, 18 Mar 2021 13:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.