Received: (at 47193) by debbugs.gnu.org; 16 Mar 2021 18:20:01 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 14:20:01 2021
Received: from localhost ([127.0.0.1]:41024 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1lMEIS-0005xw-QF
for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 14:20:01 -0400
Received: from mail.zaclys.net ([178.33.93.72]:54259)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <lle-bout@HIDDEN>) id 1lMEIR-0005xe-Ty
for 47193 <at> debbugs.gnu.org; Tue, 16 Mar 2021 14:20:00 -0400
Received: from [192.168.0.44] (82-64-145-38.subs.proxad.net [82.64.145.38])
(authenticated bits=0)
by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12GIJsVp009835
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <47193 <at> debbugs.gnu.org>; Tue, 16 Mar 2021 19:19:54 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12GIJsVp009835
Authentication-Results: mail.zaclys.net;
dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
s=default; t=1615918794;
bh=cEe+KKu9WFYEwFiDgxQ8dVXyj9kxHJ1Kgk/z+L7jq4I=;
h=Subject:From:To:Date:From;
b=Gvf7+B3q4j18TUEMnja77ILs++CbPOSZfDfSFD1au7zmwIk1Bm1y3PuHZjUIUgyNF
r4tSodZPa3LiaNTkhoXivvJmxoGu2PG9TpuGOfJJsZ0ZAhOld2Q7UPMyuZQ1J6b3xk
ssnlfVVl7ApFDEPIayS58M+zk47pv7WQt9DcTz+s=
Message-ID: <0524f6bfe10befabf7969aa0fbf90503e7db1ab7.camel@HIDDEN>
Subject: Fancify guix lint -c cve output
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN>
To: 47193 <at> debbugs.gnu.org
Date: Tue, 16 Mar 2021 19:19:54 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
protocol="application/pgp-signature"; boundary="=-+miriNulbJpzLW8VkL2r"
User-Agent: Evolution 3.34.2
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47193
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
--=-+miriNulbJpzLW8VkL2r
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hello!
Thanks a lot for working on this!! :-D
I get a warning during compilation:
guix/cve.scm:328:18: warning: possibly unbound variable `cve-item-base-
severity'
I also just tried it on patch package and it fails:
$ ./pre-inst-env guix lint -c cve patch
Backtrace:atch@HIDDEN [cve]...
In ice-9/boot-9.scm:
1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
17 (apply-smob/0 #<thunk 7f5c56304520>)
In ice-9/boot-9.scm:
718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle=E2=80=
=A6>)
In ice-9/eval.scm:
619:8 15 (_ #(#(#<directory (guile-user) 7f5c56307c80>)))
In guix/ui.scm:
2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
1731:15 12 (with-exception-handler #<procedure 7f5c52ccde40 at ic=E2=80=
=A6>
=E2=80=A6)
In srfi/srfi-1.scm:
634:9 11 (for-each #<procedure 7f5c52ccb620 at guix/scripts/lin=E2=80=
=A6>
=E2=80=A6)
In guix/scripts/lint.scm:
65:4 10 (run-checkers #<package patch@HIDDEN gnu/packages/base.=E2=80=
=A6>
=E2=80=A6)
In srfi/srfi-1.scm:
634:9 9 (for-each #<procedure 7f5c43b5df30 at guix/scripts/lin=E2=80=
=A6>
=E2=80=A6)
In guix/scripts/lint.scm:
74:21 8 (_ _)
In guix/lint.scm:
1205:4 7 (check-vulnerabilities #<package patch@HIDDEN gnu/packa=E2=80=
=A6>
=E2=80=A6)
1151:9 6 (_ _)
In unknown file:
5 (force #<promise #<procedure 7f5c5303cab8 at guix/lint.=E2=80=
=A6>)
In guix/lint.scm:
1134:2 4 (_)
1093:2 3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
1736:10 2 (with-exception-handler _ _ #:unwind? _ # _)
1669:16 1 (raise-exception _ #:continuable? _)
1667:16 0 (raise-exception _ #:continuable? _)
ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern" (v
"CVE-2021-0212" (("contrail_networking" (< "1911.31")))))'.
--=-+miriNulbJpzLW8VkL2r
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBQ9soACgkQRaix6GvN
EKYXog//ez84TN6zVwbx16DnWHmRSgPPxnkPL4duWN6KevtxhZCEpB9oVMKO+5ao
WnJZt7c3XdkVUWM5KH6ik00p0kQehpz8AWvisGuhiBj43c3QKKXJ1j9dUZiFRfOw
uMiWqX7nv8ZAJa4Q3xp1Nd3j/S0vM/Wv/ZcvElnJFs1bsXTKPrCz8GwfbS4vzjI1
Z1yg838V54iPHWPnHjRWSEtLir5Z+3EImsIgkfj5BLunXYZWIqE88uzFn+lYQTes
WFqFNgW2JM6o16Gsa1d6lQ8Q76PUh2jwqDHjBUdTpcezKZ23J7rdG4pcdoxxxhry
TmzjgLbUuR/e+mHKULK1YpgFOZkcb/QzDx50m9h9fryGVp4fiUCcnEOLH8sobQnB
zAbMzFgaG2S7AMxA1lJ5pe1Y+kIQs5wBxUqCVVu8cyqBocXJH7yY8N6lfP/iEze9
gFUaXjahLjtSK+55r2m4AAxKI3ucfodpLaFtpJ0Cwlc2cSekdtkAOfmyh7GNDW19
dSEzpiE8eXuwXQ5vheHAYPpvH2dVrStOn4gHECZvB5NqutqeFGVQshb3AiwkSU+P
1Sb7Zq9ghNcRmnZ1/begvC/GEQgYRnCaXbB2yPwih5xrOIt1jFb9nqNnYdiOM9Nm
bMZ/yZ9Es5DQaqif9Rn9lKtec9NBU/hzuPP0r2ZVPAC6CnY9uxQ=
=MNBF
-----END PGP SIGNATURE-----
--=-+miriNulbJpzLW8VkL2r--
guix-patches@HIDDEN:bug#47193; Package guix-patches.
Full text available.
Received: (at 47193) by debbugs.gnu.org; 16 Mar 2021 16:07:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 12:07:07 2021
Received: from localhost ([127.0.0.1]:40843 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1lMCDq-0002hN-Lr
for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 12:07:07 -0400
Received: from tobias.gr ([80.241.217.52]:40566)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <me@HIDDEN>) id 1lMCDn-0002gi-Ih
for 47193 <at> debbugs.gnu.org; Tue, 16 Mar 2021 12:07:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018;
bh=PboByRz5iej9DIUZpuu/uFXHUQtJFQo+QgdshhvDfa4=; h=references:
in-reply-to:date:subject:to:from; b=Fa6JCu9jodoT5U21DwFSAeOuwTq3aAsdaj
1M2Lb7XA2u5IndoMmDIcHtGtZ/qZf8s6OvbI8pw+2mbEJeI5R7h92C37gWgiq4oYYqr1KB
Asbxgsqz5CcDmWnmmE+biLZwxZAdkSKu0R0YCbZ9eJnvVUxxsiPBd5i6M8xsUpeCDcZ0py
r2r8nb7RZQcw0TlY6qbxhs2jbwB01oopKAVEgSRoWhZrHWcWA3OA8846e2Bh/cXqmEpi9g
xdpW9FhYSDp8FIfBM5diJvy52zvMh/uhOy6SVkEb2vLIB96z/bcuLrRUuFSj77kfgUMgw5
SyVCcpFeXRwIOYR1BxiGrqnJhriQ==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id ae76bf27
(TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO)
for <47193 <at> debbugs.gnu.org>; Tue, 16 Mar 2021 16:08:02 +0000 (UTC)
From: Tobias Geerinckx-Rice <me@HIDDEN>
To: 47193 <at> debbugs.gnu.org
Subject: [PATCH 2/2] lint: Indicate CVE severity.
Date: Tue, 16 Mar 2021 17:06:53 +0100
Message-Id: <20210316160653.9891-2-me@HIDDEN>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210316160653.9891-1-me@HIDDEN>
References: <20210316160653.9891-1-me@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 47193
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
* guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
(impact-data->cve-cvss3-base-severity): New procedure.
<vulnerability>[severity]: New field.
(vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
(write-cache): Bump the format version to 2.
(vulnerabilities->lookup-proc): Adjust accordingly.
* guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
to the output port's terminal capabilities.
---
guix/cve.scm | 48 ++++++++++++++++++++++++++++++++----------------
guix/lint.scm | 32 +++++++++++++++++++++++++++++++-
2 files changed, 63 insertions(+), 17 deletions(-)
diff --git a/guix/cve.scm b/guix/cve.scm
index b3a8b13a06..3809e4493f 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@HIDDEN>
+;;; Copyright © 2021 Tobias Geerinckx-Rice <me@HIDDEN>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -38,6 +39,7 @@
cve-item?
cve-item-cve
cve-item-configurations
+ cve-item-cvssv3-base-severity
cve-item-published-date
cve-item-last-modified-date
@@ -53,6 +55,7 @@
vulnerability?
vulnerability-id
+ vulnerability-severity
vulnerability-packages
json->vulnerabilities
@@ -72,13 +75,15 @@
(define-json-mapping <cve-item> cve-item cve-item?
json->cve-item
- (cve cve-item-cve "cve" json->cve) ;<cve>
- (configurations cve-item-configurations ;list of sexps
- "configurations" configuration-data->cve-configurations)
- (published-date cve-item-published-date
- "publishedDate" string->date*)
- (last-modified-date cve-item-last-modified-date
- "lastModifiedDate" string->date*))
+ (cve cve-item-cve "cve" json->cve) ;<cve>
+ (configurations cve-item-configurations ;list of sexps
+ "configurations" configuration-data->cve-configurations)
+ (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
+ "impact" impact-data->cve-cvssv3-base-severity)
+ (published-date cve-item-published-date
+ "publishedDate" string->date*)
+ (last-modified-date cve-item-last-modified-date
+ "lastModifiedDate" string->date*))
(define-json-mapping <cve> cve cve?
json->cve
@@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
(let ((nodes (vector->list (assoc-ref alist "nodes"))))
(filter-map node->configuration nodes)))
+(define (impact-data->cve-cvssv3-base-severity alist)
+ "Given ALIST, a JSON dictionary for the \"impact\" element found in
+CVEs, return a string indicating its CVSSv3 severity. This should be
+one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
+return whatever we find, or #F if the severity cannot be determined."
+ (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
+ (cvss-v3 (assoc-ref base-metric-v3 "cvssV3")))
+ (assoc-ref cvss-v3 "baseSeverity")))
+
(define (json->cve-items json)
"Parse JSON, an input port or a string, and return a list of <cve-item>
records."
@@ -251,20 +265,21 @@ records."
(* 3600 24 (date-month %now)))
(define-record-type <vulnerability>
- (vulnerability id packages)
+ (vulnerability id severity packages)
vulnerability?
(id vulnerability-id) ;string
+ (severity vulnerability-severity) ;string
(packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...)
(define vulnerability->sexp
(match-lambda
- (($ <vulnerability> id packages)
- `(v ,id ,packages))))
+ (($ <vulnerability> id severity packages)
+ `(v ,id ,severity ,packages))))
(define sexp->vulnerability
(match-lambda
- (('v id (packages ...))
- (vulnerability id packages))))
+ (('v id severity (packages ...))
+ (vulnerability id severity packages))))
(define (cve-configuration->package-list config)
"Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
@@ -309,12 +324,13 @@ versions."
"Return a <vulnerability> corresponding to ITEM, a <cve-item> record;
return #f if ITEM does not list any configuration or if it does not list
any \"a\" (application) configuration."
- (let ((id (cve-id (cve-item-cve item))))
+ (let ((id (cve-id (cve-item-cve item)))
+ (severity (cve-item-base-severity item)))
(match (cve-item-configurations item)
(() ;no configurations
#f)
((configs ...)
- (vulnerability id
+ (vulnerability id severity
(merge-package-lists
(map cve-configuration->package-list configs)))))))
@@ -332,7 +348,7 @@ sexp to CACHE."
(json->vulnerabilities input))
(write `(vulnerabilities
- 1 ;format version
+ 2 ;format version
,(map vulnerability->sexp vulns))
cache))))
@@ -396,7 +412,7 @@ vulnerabilities affecting the given package version."
;; Map package names to lists of version/vulnerability pairs.
(fold (lambda (vuln table)
(match vuln
- (($ <vulnerability> id packages)
+ (($ <vulnerability> id severity packages)
(fold (lambda (package table)
(match package
((name . versions)
diff --git a/guix/lint.scm b/guix/lint.scm
index ed57e19fe2..f3c4e13052 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -48,6 +48,7 @@
#:use-module (guix monads)
#:use-module (guix scripts)
#:use-module ((guix ui) #:select (texi->plain-text fill-paragraph))
+ #:use-module (guix colors)
#:use-module (guix gnu-maintenance)
#:use-module (guix cve)
#:use-module ((guix swh) #:hide (origin?))
@@ -1165,6 +1166,35 @@ the NIST server non-fatal."
"Check for known vulnerabilities for PACKAGE. Obtain the list of
vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
+ (define severity->color
+ ;; A standard CVE colour gradient is red > orange > yellow > green > none.
+ ;; However, ANSI non-bold YELLOW is actually orange whilst BOLD YELLOW
+ ;; is actual yellow, so BOLD would confusingly be less serious. Skip it.
+ (match-lambda
+ ("CRITICAL" (color BOLD RED))
+ ("HIGH" (color RED))
+ ("MEDIUM" (color YELLOW))
+ ("LOW" (color GREEN))
+ (_ (color))))
+
+ (define (colorize-vulnerability vulnerability)
+ ;; If the terminal supports ANSI colours, use them to indicate severity.
+ (colorize-string (vulnerability-id vulnerability)
+ (severity->color (vulnerability-severity
+ vulnerability))))
+
+ (define (simple-format-vulnerability vulnerability)
+ ;; Otherwise, omit colour coding and explicitly append the severity string.
+ (simple-format #f "~a (~a)"
+ (vulnerability-id vulnerability)
+ (string-downcase (vulnerability-severity vulnerability))))
+
+ (define format-vulnerability
+ ;; Check once which of the above to use for all PACKAGE vulnerabilities.
+ (if (color-output? (current-output-port))
+ colorize-vulnerability
+ simple-format-vulnerability))
+
(define (vulnerability< v1 v2)
(define (string-list< list1 list2)
(match list1
@@ -1201,7 +1231,7 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
(make-warning
package
(G_ "probably vulnerable to ~a")
- (list (string-join (map vulnerability-id
+ (list (string-join (map format-vulnerability
(sort unpatched vulnerability<))
", "))))))))))
--
2.30.1
guix-patches@HIDDEN:bug#47193; Package guix-patches.
Full text available.
Received: (at 47193) by debbugs.gnu.org; 16 Mar 2021 16:07:04 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 12:07:04 2021
Received: from localhost ([127.0.0.1]:40841 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1lMCDo-0002h9-Cx
for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 12:07:04 -0400
Received: from tobias.gr ([80.241.217.52]:40566)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <me@HIDDEN>) id 1lMCDm-0002gi-G7
for 47193 <at> debbugs.gnu.org; Tue, 16 Mar 2021 12:07:03 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018;
bh=pRogdOwWfN/snsklteKvUi9KNTFvioU54/6uRhMf6To=; h=date:subject:to:
from; b=TJGvVyuj5L/N/648up6q2MHE+CvxIa17iFxZyOh1Q2R1gbdu7fDFq4XizA44Iw
EVLYoW0kuZwbZFHPR4PT2JNgCOwXh24ndqUxuNHugqRLlr4ATASAvAGYyxi+afcoMX7jMv
K1Oaihw/b85ql27YnFMY+mg/AFxjL6v6sD8inWSapPdRwegoEjpqLryFjbvJhpL+qL8o66
cMs/9+2IwSr66acoAHiIOeAQP9mVHNq1mLvRzIQZdFvbpRI7+ex1rIuFyXPgRDyC3r7H6j
J9wmuWH2qM6yLp3dlDnRrQtPWv+lqZTnfCOo4Jb9YN00VBJl9rx91dmSWvNk2SjadbIJJA
==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 489a24e1
(TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO)
for <47193 <at> debbugs.gnu.org>; Tue, 16 Mar 2021 16:08:02 +0000 (UTC)
From: Tobias Geerinckx-Rice <me@HIDDEN>
To: 47193 <at> debbugs.gnu.org
Subject: [PATCH 1/2] lint: Sort possible vulnerabilities.
Date: Tue, 16 Mar 2021 17:06:52 +0100
Message-Id: <20210316160653.9891-1-me@HIDDEN>
X-Mailer: git-send-email 2.30.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 47193
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
* guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities
by ID.
---
guix/lint.scm | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/guix/lint.scm b/guix/lint.scm
index 5144fa139d..ed57e19fe2 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1164,6 +1164,23 @@ the NIST server non-fatal."
package-vulnerabilities))
"Check for known vulnerabilities for PACKAGE. Obtain the list of
vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
+
+ (define (vulnerability< v1 v2)
+ (define (string-list< list1 list2)
+ (match list1
+ ((head1 tail1 ...)
+ (match list2
+ ((head2 tail2 ...)
+ (if (string=? head1 head2)
+ (string-list< tail1 tail2)
+ (string<? head1 head2)))
+ (_ #f)))
+ (_ #f)))
+
+ (let ((separators (char-set-complement char-set:letter+digit)))
+ (string-list< (string-split (vulnerability-id v1) separators)
+ (string-split (vulnerability-id v2) separators))))
+
(let ((package (or (package-replacement package) package)))
(match (package-vulnerabilities package)
(()
@@ -1184,7 +1201,8 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
(make-warning
package
(G_ "probably vulnerable to ~a")
- (list (string-join (map vulnerability-id unpatched)
+ (list (string-join (map vulnerability-id
+ (sort unpatched vulnerability<))
", "))))))))))
(define (check-for-updates package)
--
2.30.1
guix-patches@HIDDEN:bug#47193; Package guix-patches.
Full text available.Received: (at submit) by debbugs.gnu.org; 16 Mar 2021 16:00:24 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 12:00:24 2021 Received: from localhost ([127.0.0.1]:40820 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1lMC7L-0002Vr-Rk for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 12:00:24 -0400 Received: from lists.gnu.org ([209.51.188.17]:39060) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <me@HIDDEN>) id 1lMC7K-0002Vk-EF for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 12:00:22 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36178) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <me@HIDDEN>) id 1lMC7J-0000wW-US for guix-patches@HIDDEN; Tue, 16 Mar 2021 12:00:22 -0400 Received: from tobias.gr ([2a02:c205:2020:6054::1]:50558) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <me@HIDDEN>) id 1lMC7H-0000Lc-BO for guix-patches@HIDDEN; Tue, 16 Mar 2021 12:00:21 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018; bh=YaGadJfusfpJ60RzUvJ0CRfSYjbhuarucFL15OvWwe0=; h=date:subject:to: from; b=k98WNv2yr8vV3L2HaBcuJNXf/zCkKLoMRwYPl7ZUxxMWjvpKkqbsQspTIK0a5z SVny/4oWYuxSmGM8HCmij9fCkK2P/ACCx4StrbzV7CNRRc6uX/n3iAuBEztNPHseK42oZ+ YyICmMEXHDnZm92W5zO7xZ+ARA0BucVs3Rs7eU2LcF4cOv+frK3gRsPUPF8U39+WIu5M4h AFNhJUqeFBtlP1ij5w+RWSCAGpTJy8ijlUmQl1kHoY3nsNZ7hPC02n1nYKqD72573Feix/ w4ucy+w/xT5pQI7c/VQcgzklMnBjwRddxhN1hs9VpjqOBVc41Q6GAz9CyASo9bO378BMaw == Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 6d798cea (TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO) for <guix-patches@HIDDEN>; Tue, 16 Mar 2021 16:01:14 +0000 (UTC) BIMI-Selector: v=BIMI1; s=default; From: Tobias Geerinckx-Rice <me@HIDDEN> To: guix-patches@HIDDEN Subject: Fancify guix lint -c cve output Date: Tue, 16 Mar 2021 17:00:11 +0100 Message-ID: <87im5rm6lw.fsf@nckx> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@HIDDEN; helo=tobias.gr X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -2.4 (--) --=-=-= Content-Type: text/plain; format=flowed Guix, A quick hack requested by lle-bout: indicate CVE severity with pretty/scary colours[0]. It's deliberately simple: no scoring, no versioning, no importing (guix colors) from (guix cve), ... Another patch adds order to the rainbow. Sort CVEs by ID, so roughly chronological. In combination with the other patch, I prefer this to more complex ordering and/or grouping by severity. Kind regards, T G-R [0]: https://tobias.gr/tmp.png --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYFDWCw0cbWVAdG9iaWFz LmdyAAoJEA2w/4hPVW15RQ4BAI3yfWXQoiM1lTSdAvnUZHFf41BHMdUDMebqSQuz 9zR1AQCKwuoJ6L5rECbJ9dXPEz4qV+WCmLbjSCrdQZBITSj+Bw== =0/gM -----END PGP SIGNATURE----- --=-=-=--
Tobias Geerinckx-Rice <me@HIDDEN>:guix-patches@HIDDEN.
Full text available.guix-patches@HIDDEN:bug#47193; Package guix-patches.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.