Ludovic Courtès <ludo@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.
Received: (at submit) by debbugs.gnu.org; 9 Jul 2020 22:10:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jul 09 18:10:37 2020
Received: from localhost ([127.0.0.1]:41801 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1jtekM-0008AE-Rb
for submit <at> debbugs.gnu.org; Thu, 09 Jul 2020 18:10:37 -0400
Received: from lists.gnu.org ([209.51.188.17]:52448)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <ludo@HIDDEN>) id 1jtekK-0008A6-1X
for submit <at> debbugs.gnu.org; Thu, 09 Jul 2020 18:10:25 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:38330)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1jtekJ-0005Be-TD
for bug-guix@HIDDEN; Thu, 09 Jul 2020 18:10:23 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:37418)
by eggs.gnu.org with esmtp (Exim 4.90_1)
(envelope-from <ludo@HIDDEN>) id 1jtekJ-0003Vv-L8
for bug-guix@HIDDEN; Thu, 09 Jul 2020 18:10:23 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=35914 helo=ribbon)
by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
(Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1jtekJ-0005pk-5k
for bug-guix@HIDDEN; Thu, 09 Jul 2020 18:10:23 -0400
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: <bug-guix@HIDDEN>
Subject: =?utf-8?B?4oCYZ3VpeCBsaW504oCZ?= should suggest CPE name
X-Debbugs-Cc: Tobias Geerinckx-Rice <me@HIDDEN>,
Maxim Cournoyer <maxim.cournoyer@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 22 Messidor an 228 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Fri, 10 Jul 2020 00:10:21 +0200
Message-ID: <87sge09w6q.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hello!
On IRC earlier today we were looking at
<https://repology.org/repository/gnuguix/problems> and wondering about
the CPE suggestions (which are nice!).
I tried the attached hack, which produces a few useless and sometimes
erroneous suggestions, by comparing the “references” of each CVE
(usually URLs of a security advisory or bug report) to the home page of
the package:
--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix lint -c cpe
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:2866:2: pam-krb5@HIDDEN: suggested CPE name: 'pam-krb5'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@HIDDEN: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1367:2: sudo@HIDDEN: suggested CPE name: 'element_software_management_node'
gnu/packages/admin.scm:1367:2: sudo@HIDDEN: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@HIDDEN: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@HIDDEN: suggested CPE name: 'sudo'
gnu/packages/admin.scm:614:2: shadow@HIDDEN: suggested CPE name: 'shadow'
gnu/packages/aspell.scm:99:2: aspell-dict-ar@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-mi@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pl@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-ru@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-sv@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fr@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pt-br@20131030-12-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-el@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-hi@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-de@20161207-7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-be@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-es@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-grc@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fi@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-da@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-nl@HIDDEN: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:41:2: aspell@HIDDEN: suggested CPE name: 'aspell'
[…]
--8<---------------cut here---------------end--------------->8---
The conclusion is that, to make good suggestions, we need to parse the
CPE dictionary as well:
https://nvd.nist.gov/Products/CPE
This one is still XML (not JSON) and we’d have to merge duplicates, as
in this example:
--8<---------------cut here---------------start------------->8---
<cpe-item name="cpe:/a:gnu:cpio:-">
  <title xml:lang="en-US">GNU cpio</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:-:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.0">
  <title xml:lang="en-US">GNU cpio 1.0</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.0:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.1">
  <title xml:lang="en-US">GNU cpio 1.1</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.1:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.2">
  <title xml:lang="en-US">GNU cpio 1.2</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.2:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.3">
  <title xml:lang="en-US">GNU cpio 1.3</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.3:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.4-2">
  <title xml:lang="en-US">GNU cpio 2.4.2</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.4-2:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.5">
  <title xml:lang="en-US">GNU cpio 2.5</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.5:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.5.90">
  <title xml:lang="en-US">GNU cpio 2.5.90</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.5.90:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.6">
  <title xml:lang="en-US">GNU cpio 2.6</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.6:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.7">
  <title xml:lang="en-US">GNU cpio 2.7</title>
  <references>
    <reference href="https://ftp.gnu.org/gnu/cpio/">Change Log</reference>
  </references>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.7:*:*:*:*:*:*:*"/>
</cpe-item>
--8<---------------cut here---------------end--------------->8---
The references are not always useful, as above, but sometimes there’s a
“Product” reference that is the package home page.
Anyway, would be nice to add that to (guix cve) instead of succumbing to
the convenience of SaaSS!
Ludo’.
--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
diff --git a/guix/cve.scm b/guix/cve.scm
index 7dd9005f09..52a19e0523 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright =C2=A9 2015, 2016, 2017, 2018, 2019 Ludovic Court=C3=A8s <lu=
do@HIDDEN>
+;;; Copyright =C2=A9 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Court=C3=
=A8s <ludo@HIDDEN>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -54,6 +54,7 @@
vulnerability?
vulnerability-id
vulnerability-packages
+ vulnerability-references
=20
json->vulnerabilities
current-vulnerabilities
@@ -255,20 +256,23 @@ records."
(* 3600 24 (date-month %now)))
=20
(define-record-type <vulnerability>
- (vulnerability id packages)
+ (vulnerability id packages references)
vulnerability?
(id vulnerability-id) ;string
- (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...)
+ (packages vulnerability-packages) ;((p1 sexp1) (p2 sexp2) ...)
+ (references vulnerability-references)) ;list of URLs
=20
(define vulnerability->sexp
(match-lambda
- (($ <vulnerability> id packages)
- `(v ,id ,packages))))
+ (($ <vulnerability> id packages references)
+ `(v ,id ,packages ,references))))
=20
(define sexp->vulnerability
(match-lambda
- (('v id (packages ...))
- (vulnerability id packages))))
+ (('v id (packages ...) (references ...)) ;format version 2
+ (vulnerability id packages references))
+ (('v id (packages ...)) ;format version 1
+ (vulnerability id packages '()))))
=20
(define (cve-configuration->package-list config)
"Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
@@ -313,20 +317,23 @@ versions."
"Return a <vulnerability> corresponding to ITEM, a <cve-item> record;
return #f if ITEM does not list any configuration or if it does not list
any \"a\" (application) configuration."
- (let ((id (cve-id (cve-item-cve item))))
+ (let ((id (cve-id (cve-item-cve item)))
+ (references (cve-references (cve-item-cve item))))
(match (cve-item-configurations item)
(() ;no configurations
#f)
((configs ...)
(vulnerability id
(merge-package-lists
- (map cve-configuration->package-list configs)))))))
+ (map cve-configuration->package-list configs))
+ (filter-map cve-reference-url references))))))
=20
(define (json->vulnerabilities json)
"Parse JSON, an input port or a string, and return the list of
vulnerabilities found therein."
(filter-map cve-item->vulnerability (json->cve-items json)))
=20
+(use-modules (ice-9 pretty-print))
(define (write-cache input cache)
"Read vulnerabilities as gzipped JSON from INPUT, and write it as a comp=
act
sexp to CACHE."
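Review bot: the top-level `(use-modules (ice-9 pretty-print))` inserted between `json->vulnerabilities` and `write-cache` looks like a debugging leftover; if `pretty-print` is meant to stay, add `#:use-module (ice-9 pretty-print)` to the `define-module` form at the top of guix/cve.scm instead, otherwise drop it together with the `pretty-print` call. Also, the docstring of `cve-item->vulnerability` still only mentions configurations; say that the returned record now carries the CVE's reference URLs, obtained with `filter-map cve-reference-url`, since `#f` entries are silently dropped there.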
@@ -335,8 +342,8 @@ sexp to CACHE."
(define vulns
(json->vulnerabilities input))
=20
- (write `(vulnerabilities
- 1 ;format version
+ (pretty-print `(vulnerabilities
+ 2 ;format version
,(map vulnerability->sexp vulns))
cache))))
=20
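Review bot: replacing `write` with `pretty-print` contradicts the docstring just above ("write it as a compact sexp to CACHE") and makes the cache both larger on disk and slower to write and to read back with `read*`; keep `write` here and reach for `pretty-print` only while inspecting the cache by hand. The format-version bump to 2 is right, since the per-vulnerability sexp gained a third element.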
@@ -369,7 +376,7 @@ the given TTL (fetch from the NIST web site when TTL ha=
s expired)."
(sexp (read* port)))
(close-port port)
(match sexp
- (('vulnerabilities 1 vulns)
+ (('vulnerabilities (or 2 1) vulns)
(map sexp->vulnerability vulns)))))
=20
(define (current-vulnerabilities)
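Review bot: matching `('vulnerabilities (or 2 1) vulns)` means an existing version-1 cache keeps loading after this change, but every record then has an empty `vulnerability-references` list, so `guix lint -c cpe` silently reports nothing until the cache TTL expires. Either treat a version-1 cache as stale and refetch, or accept only version 2 here so the caller falls through to the fetch path.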
diff --git a/guix/lint.scm b/guix/lint.scm
index 445c06f8f4..6b65df34a3 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1108,6 +1108,23 @@ vulnerability records for PACKAGE by calling PACKAGE=
-VULNERABILITIES."
(list (string-join (map vulnerability-id unpatched)
", "))))))))))
=20
+(define* (check-cpe-name package
+ #:optional (vulnerabilities
+ (current-vulnerabilities*)))
+ (define home-page
+ (package-home-page package))
+
+ (filter-map (lambda (vuln)
+ (and (any (cut string-prefix? home-page <>)
+ (vulnerability-references vuln))
+ (make-warning
+ package
+ (G_ "suggested CPE name: '~a'")
+ (match (vulnerability-packages vuln)
+ (((p _) _ ...)
+ (list p))))))
+ vulnerabilities))
+
(define (check-for-updates package)
"Check if there is an update available for PACKAGE."
(match (with-networking-fail-safe
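Review bot: `check-cpe-name` needs a docstring and a few guards. `package-home-page` may be `#f`, in which case `string-prefix?` raises; return `'()` early for that. One warning is emitted per matching CVE, which is why the output in the mail repeats 'libpcap' five times for tcpdump: collect the suggested names first, `delete-duplicates` them, and then call `make-warning` once per name. The pattern `(((p _) _ ...)` keeps only the first package of the CVE's configuration, so a CVE covering both libpcap and tcpdump always yields 'libpcap'; either report every product of the CVE or prefer the one whose name equals the package name. Finally, skip a suggestion that already equals the package name (see `shadow` → 'shadow' above), since it tells the maintainer nothing.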
@@ -1426,6 +1443,10 @@ or a list thereof")
(description "Check the Common Vulnerabilities and Exposures\
(CVE) database")
(check check-vulnerabilities))
+ (lint-checker
+ (name 'cpe)
+ (description "Check the Common Platform Enumeration names")
+ (check check-cpe-name))
(lint-checker
(name 'refresh)
(description "Check the package for new upstream releases")
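Review bot: the description "Check the Common Platform Enumeration names" undersells what the checker does; it suggests a CPE name derived from CVE references rather than validating one, so "Suggest CPE names based on CVE references" would describe the warning more accurately. Placing it next to `cve` and `refresh` is right, as it depends on the CVE cache and therefore on the network.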
--=-=-=--
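The following is an added example, not code from the mail or from Guix, covering both ideas above: the patch's heuristic of comparing a package's home page to CVE/CPE reference URLs, and the conclusion that the CPE dictionary itself must be parsed with its one-item-per-version duplicates merged. It assumes the namespace URIs of the NVD dictionary feed (check the `<cpe-list>` root of your copy), uses a constructed sample in the shape of the excerpt quoted in the mail (the cpio 2.12, libpcap, tcpdump and ICU items are made up for the example), and treats the "Product" reference label as the one that points at a home page.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# Namespaces of official-cpe-dictionary_v2.3.xml (assumption: verify against
# the <cpe-list> root element of your copy; the file's own prefix is "cpe-23").
NS = {"cpe": "http://cpe.mitre.org/dictionary/2.0",
      "cpe23": "http://scap.nist.gov/schema/cpe-extension/2.3"}

# Constructed sample in the shape of the dictionary excerpt quoted in the mail.
SAMPLE_XML = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
  xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
 <cpe-item name="cpe:/a:gnu:cpio:-"><title xml:lang="en-US">GNU cpio</title>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:-:*:*:*:*:*:*:*"/></cpe-item>
 <cpe-item name="cpe:/a:gnu:cpio:2.7"><title xml:lang="en-US">GNU cpio 2.7</title>
  <references><reference href="https://ftp.gnu.org/gnu/cpio/">Change Log</reference></references>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.7:*:*:*:*:*:*:*"/></cpe-item>
 <cpe-item name="cpe:/a:gnu:cpio:2.12"><title xml:lang="en-US">GNU cpio 2.12</title>
  <references><reference href="https://www.gnu.org/software/cpio/">Product</reference></references>
  <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.12:*:*:*:*:*:*:*"/></cpe-item>
 <cpe-item name="cpe:/a:tcpdump:libpcap:1.9.1"><title xml:lang="en-US">libpcap 1.9.1</title>
  <references><reference href="https://www.tcpdump.org/">Product</reference></references>
  <cpe-23:cpe23-item name="cpe:2.3:a:tcpdump:libpcap:1.9.1:*:*:*:*:*:*:*"/></cpe-item>
 <cpe-item name="cpe:/a:tcpdump:tcpdump:4.9.3"><title xml:lang="en-US">tcpdump 4.9.3</title>
  <references><reference href="https://www.tcpdump.org/">Product</reference></references>
  <cpe-23:cpe23-item name="cpe:2.3:a:tcpdump:tcpdump:4.9.3:*:*:*:*:*:*:*"/></cpe-item>
 <cpe-item name="cpe:/a:icu-project:international_components_for_unicode:67.1">
  <title xml:lang="en-US">ICU 67.1</title>
  <references><reference href="http://site.icu-project.org/">Product</reference></references>
  <cpe-23:cpe23-item name="cpe:2.3:a:icu-project:international_components_for_unicode:67.1:*:*:*:*:*:*:*"/>
 </cpe-item>
</cpe-list>"""


def split_cpe23(name):
    """Split a CPE 2.3 formatted string on unescaped colons (a literal colon in a
    field is written "\\:"); 13 fields, with part/vendor/product/version at 2..5."""
    fields = re.split(r"(?<!\\):", name)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    return fields


def parse_cpe_dictionary(xml_text):
    """Return {(part, vendor, product): {"title", "versions", "references"}}.
    The dictionary has one <cpe-item> per version; merge them into one record
    per product, keeping every version and every reference URL with its label."""
    products = defaultdict(lambda: {"title": None, "versions": set(), "references": {}})
    for item in ET.fromstring(xml_text).findall("cpe:cpe-item", NS):
        cpe23 = item.find("cpe23:cpe23-item", NS)
        if cpe23 is None:
            continue  # entry without a 2.3 name: nothing to key on
        part, vendor, product, version = split_cpe23(cpe23.get("name"))[2:6]
        rec = products[(part, vendor, product)]
        rec["versions"].add(version)
        title = item.find("cpe:title", NS)
        if title is not None and (rec["title"] is None or version == "-"):
            rec["title"] = title.text  # the version-less "-" item names the product
        for ref in item.findall("cpe:references/cpe:reference", NS):
            rec["references"].setdefault(ref.get("href"), ref.text or "")
    return dict(products)


def normalize_url(url):
    """Drop scheme, a leading "www." and a trailing slash, so that
    http://www.gnu.org/software/cpio/ and https://gnu.org/software/cpio compare equal."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    host = host[4:] if host.startswith("www.") else host
    return host + parts.path.rstrip("/")


def suggest_cpe_names(home_page, products, only_product_refs=False):
    """Sorted, de-duplicated (vendor, product) pairs of application CPEs having a
    reference URL at or below HOME_PAGE. With ONLY_PRODUCT_REFS, references not
    labelled "Product" (e.g. "Change Log") are ignored. [] when no home page."""
    if not home_page:
        return []
    home = normalize_url(home_page)
    hits = set()
    for (part, vendor, product), rec in products.items():
        if part != "a":
            continue
        for href, label in rec["references"].items():
            if only_product_refs and label != "Product":
                continue
            ref = normalize_url(href)
            if ref == home or ref.startswith(home + "/"):
                hits.add((vendor, product))
    return sorted(hits)


def best_cpe_name(package_name, home_page, products):
    """The one name worth reporting, or None when nothing matched, when the
    package name already is a matching product (nothing to change), or when
    several products share the home page, as libpcap and tcpdump do."""
    names = [product for _, product in suggest_cpe_names(home_page, products)]
    if package_name in names or len(names) != 1:
        return None
    return names[0]
```

`best_cpe_name` deliberately stays quiet for the two failure modes visible in the mail's output: a package whose own name already matches (shadow, sudo) and a home page shared by several products (tcpdump and libpcap), which a per-CVE loop otherwise reports repeatedly and with the wrong product. The `only_product_refs` switch shows why the dictionary's "Change Log" references are noise: the cpio changelog lives on ftp.gnu.org, not under the package's home page.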
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.