From: Ludovic Courtès <ludo@HIDDEN>
To: Efraim Flashner <efraim@HIDDEN>
Cc: Maxime Devos <maximedevos@HIDDEN>, 53721 <at> debbugs.gnu.org
Subject: Re: bug#53721: [PATCH] lint: Perform fuzzy search on package names for CVE checker.
Date: Fri, 04 Feb 2022 22:56:14 +0100
Message-ID: <87bkzmmh35.fsf@HIDDEN>
In-Reply-To: <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@HIDDEN>

Hello,

Efraim Flashner <efraim@HIDDEN> wrote:

> -      (let ((name (or (assoc-ref (package-properties package)
> -                                 'cpe-name)
> -                      (package-name package)))
> -            (version (or (assoc-ref (package-properties package)
> -                                    'cpe-version)
> -                         (package-version package))))
> +      (let* ((pkg-name (package-name package))
> +             (version (or (assoc-ref (package-properties package)
> +                                     'cpe-version)
> +                          (package-version package)))
> +             (name
> +               (or (assoc-ref (package-properties package)
> +                              'cpe-name)
> +                   (false-if-exception
> +                     (first
> +                       (filter string?
> +                               (map (lambda (prefix)
> +                                      (when (string-prefix? prefix pkg-name)
> +                                        (string-drop pkg-name (string-length prefix))))
> +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> +                   pkg-name)))

I agree with Maxime's suggestions.  In addition, I'd suggest moving
this code out into two procedures, 'package-cpe-name' and
'package-cpe-version', that would honor the relevant property and fall
back to stripping prefixes.  Then 'package-vulnerabilities' would
simply call these two procedures.

How does that sound?

Longer-term, we should add a thing that proposes correct CPE names:
https://issues.guix.gnu.org/42299

Thanks,
Ludo'.
From: Efraim Flashner <efraim@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>
Cc: 53721 <at> debbugs.gnu.org
Subject: Re: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
Date: Wed, 2 Feb 2022 17:13:25 +0200
Message-ID: <YfqfleUrtggE58IW@3900XT>
In-Reply-To: <47b10d97f63c470b29087ec389d02c71dce038fc.camel@HIDDEN>

On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
> Efraim Flashner wrote on Wed 02-02-2022 at 16:15 [+0200]:
> > +                   (false-if-exception
> > +                     (first
> > +                       (filter string?
> > +                               (map (lambda (prefix)
> > +                                      (when (string-prefix? prefix pkg-name)
> > +                                        (string-drop pkg-name (string-length prefix))))
> > +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> > +                   pkg-name)))
>
> When can an exception happen here?

I tossed in 'glibc' since I know that always has CVEs listed against it;
you can't take first from an empty list.

> Also, the following seems simpler and equivalent:
>
> (any (lambda (prefix)
>        (and (string-prefix? prefix pkg-name)
>             (string-drop pkg-name (string-length prefix))))
>      '("java-" "perl-" "python-" "python2-" "ruby-"))

That is much nicer.

> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.

Definitely.  Also I should check if we should try dropping any of the
other prefixes; rust might work, go probably needs some actual
transformation to happen.

> Greetings,
> Maxime

--
Efraim Flashner <efraim@HIDDEN>  רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
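The refactoring Ludovic proposes in the reply above (a 'package-cpe-name' and a 'package-cpe-version' that honor the property and otherwise fall back) combined with the 'any' form and the unit tests discussed in this message, written out as an added example; it is not code from the patch or from Guix. It assumes the (guix packages) accessors the patch already uses and the 'dummy-package' helper from (guix tests); the prefix list is the one from the patch. The python-redis case is deliberately included as a test: it pins down the heuristic the cover letter acknowledges (a stripped name can match a different product's CVEs), so a later change to the prefix list cannot silently alter which CPE a package is checked against.

```scheme
;; Added example, not part of the patch or of Guix.  Assumes (guix packages)
;; and the dummy-package helper exported by (guix tests).
(use-modules (guix packages)
             (guix tests)
             (srfi srfi-1)
             (srfi srfi-64))

(define %cpe-name-prefixes
  ;; Language-library prefixes Guix adds to package names but the CPE
  ;; dictionary does not use.  Same list as in the patch.
  '("java-" "perl-" "python-" "python2-" "ruby-"))

(define (strip-cpe-prefix name)
  "Return NAME without the first matching entry of %CPE-NAME-PREFIXES, or #f
when none matches.  'any' stops at the first hit and yields #f otherwise, so
there is no 'first' on an empty list and no exception to swallow."
  (any (lambda (prefix)
         (and (string-prefix? prefix name)
              (string-drop name (string-length prefix))))
       %cpe-name-prefixes))

(define (package-cpe-name package)
  "Return the CPE product name for PACKAGE: the 'cpe-name property when set,
else the package name with a known language prefix stripped, else the
package name itself.  A stripped name is a heuristic and may match a
different product's CVEs."
  (or (assoc-ref (package-properties package) 'cpe-name)
      (strip-cpe-prefix (package-name package))
      (package-name package)))

(define (package-cpe-version package)
  "Return the CPE version for PACKAGE: the 'cpe-version property when set,
else the package version."
  (or (assoc-ref (package-properties package) 'cpe-version)
      (package-version package)))

;; With these two, package-vulnerabilities reduces to
;;   ((force lookup) (package-cpe-name package) (package-cpe-version package))

(test-begin "cpe-name")

(test-equal "explicit cpe-name property wins over prefix stripping"
  "mysql"
  (package-cpe-name (dummy-package "python-mariadb"
                      (properties '((cpe-name . "mysql"))))))

(test-equal "python- prefix stripped (documented false-positive risk)"
  "redis"
  (package-cpe-name (dummy-package "python-redis")))

(test-equal "python2- prefix stripped"
  "requests"
  (package-cpe-name (dummy-package "python2-requests")))

(test-equal "no known prefix: name unchanged, no exception"
  "glibc"
  (package-cpe-name (dummy-package "glibc")))

(test-equal "prefix must be at the start, not inside the name"
  "libpython-foo"
  (package-cpe-name (dummy-package "libpython-foo")))

(test-equal "cpe-version property wins over the package version"
  "1.2.3"
  (package-cpe-version (dummy-package "foo"
                         (version "1.2.3-git")
                         (properties '((cpe-version . "1.2.3"))))))

(test-equal "package version used when no cpe-version property"
  "2.0"
  (package-cpe-version (dummy-package "bar" (version "2.0"))))

(test-end "cpe-name")
```

Run it from a Guix checkout with `./pre-inst-env guile cpe-name-example.scm` (file name assumed); the SRFI-64 runner prints a pass/fail summary. Keeping the prefix list in one variable is what makes the rust- and go- question raised above cheap to revisit: adding a prefix is one line plus one test.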
From: Maxime Devos <maximedevos@HIDDEN>
To: Efraim Flashner <efraim@HIDDEN>, 53721 <at> debbugs.gnu.org
Subject: Re: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
Date: Wed, 02 Feb 2022 15:54:38 +0100
Message-ID: <47b10d97f63c470b29087ec389d02c71dce038fc.camel@HIDDEN>
In-Reply-To: <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@HIDDEN>

Efraim Flashner wrote on Wed 02-02-2022 at 16:15 [+0200]:
> +                   (false-if-exception
> +                     (first
> +                       (filter string?
> +                               (map (lambda (prefix)
> +                                      (when (string-prefix? prefix pkg-name)
> +                                        (string-drop pkg-name (string-length prefix))))
> +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> +                   pkg-name)))

When can an exception happen here?

Also, the following seems simpler and equivalent:

(any (lambda (prefix)
       (and (string-prefix? prefix pkg-name)
            (string-drop pkg-name (string-length prefix))))
     '("java-" "perl-" "python-" "python2-" "ruby-"))

It would be nice to test the code for guessing the CPE name of a
package in a few unit tests.

Greetings,
Maxime
From: Efraim Flashner <efraim@HIDDEN>
To: guix-patches@HIDDEN
Cc: Efraim Flashner <efraim@HIDDEN>
Subject: [PATCH] lint: Perform fuzzy search on package names for CVE checker.
Date: Wed, 2 Feb 2022 16:15:20 +0200
Message-Id: <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@HIDDEN>

* guix/lint.scm (package-vulnerabilities): Also allow the name in the CVE
database to have the package name's prefix stripped off when checking for
CVEs.
---

When I checked for cpe-name in the Guix repo there weren't a lot of hits.
Clearly just stripping off the leading 'python2-' or whatever isn't completely the correct answer, python-redis@HIDDEN isn't likely vulnerable to redis@HIDDEN's CVEs, but as-is there are almost no CVEs easily discovered for any of our language library packages. guix/lint.scm | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/guix/lint.scm b/guix/lint.scm index 3ca7a0b608..7f08d6af5e 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -7,7 +7,7 @@ ;;; Copyright © 2016 Hartmut Goebel <h.goebel@HIDDEN> ;;; Copyright © 2017 Alex Kost <alezost@HIDDEN> ;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@HIDDEN> -;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@HIDDEN> +;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@HIDDEN> ;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@HIDDEN> ;;; Copyright © 2020 Chris Marusich <cmmarusich@HIDDEN> ;;; Copyright © 2020 Timothy Sample <samplet@HIDDEN> @@ -1416,12 +1416,21 @@ (define package-vulnerabilities "Return a list of vulnerabilities affecting PACKAGE." ;; First we retrieve the Common Platform Enumeration (CPE) name and ;; version for PACKAGE, then we can pass them to LOOKUP. - (let ((name (or (assoc-ref (package-properties package) - 'cpe-name) - (package-name package))) - (version (or (assoc-ref (package-properties package) - 'cpe-version) - (package-version package)))) + (let* ((pkg-name (package-name package)) + (version (or (assoc-ref (package-properties package) + 'cpe-version) + (package-version package))) + (name + (or (assoc-ref (package-properties package) + 'cpe-name) + (false-if-exception + (first + (filter string? + (map (lambda (prefix) + (when (string-prefix? prefix pkg-name) + (string-drop pkg-name (string-length prefix)))) + '("java-" "perl-" "python-" "python2-" "ruby-"))))) + pkg-name))) ((force lookup) name version))))) (define* (check-vulnerabilities package base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c -- 2.34.0
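Review bot: in the package-vulnerabilities hunk the fallback reaches the plain package name only through a caught exception: `(when (string-prefix? prefix pkg-name) ...)` yields an unspecified value for every non-matching prefix, `filter string?` discards those, and `first` on the resulting empty list raises, which `false-if-exception` then swallows. That wrapper also masks any unrelated error in the same expression. The `any` form proposed in the review, `(any (lambda (prefix) (and (string-prefix? prefix pkg-name) (string-drop pkg-name (string-length prefix)))) '("java-" "perl-" "python-" "python2-" "ruby-"))`, returns the stripped name on the first match and #f otherwise, so the `(or ... pkg-name)` fallback works without `first`, `filter` or `false-if-exception`. Two smaller points: the heuristic changes which CPE product a package is looked up under (python-redis is now queried as redis, which the cover letter itself notes can produce false positives), so a comment at the fallback and a unit test per prefix in tests/lint.scm would pin the intended behaviour; and the `;; First we retrieve the ... CPE name` comment above the `let*` should mention that the name may now be a guess.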
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.