From patchwork Sun Oct 27 18:20:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Graves X-Patchwork-Id: 69549 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 2632927BBE2; Sun, 27 Oct 2024 18:22:19 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 0B56527BBE9 for ; Sun, 27 Oct 2024 18:22:18 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1t57tw-00044h-62; Sun, 27 Oct 2024 14:22:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t57tH-0003th-2r for guix-patches@gnu.org; Sun, 27 Oct 2024 14:21:28 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1t57tG-0007o1-Qs for guix-patches@gnu.org; Sun, 27 Oct 2024 14:21:26 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:In-Reply-To:References:Subject; bh=g4nQcyMzK+ts0qpKy2VcVEnJTWvYP6tNVttgy8sUZOc=; b=TOm7E/34PoKjq9LQBCwKsMpttahk5bURM0cBOowqS9fN77eMM1CieyJCZVcE9pxqF+XVbo5UpNDa4x//LyEGmKFY25+AdSqmBnlGpTZKxCUaSyc+35pYiOvsf0Cr8fCAWIGVwRqTvTRB1oxDV4IQcmsDNqnV/3+2+0BLZ4TSTTLjBEv9W78W3q0aL6rRaPR4t2fGca1Bur2ienTPKzUKo6h4+yU4lL2lzbiEyRqTlr2RwpR7J43EpVTNmHKirwYtqSMTBfpkm5JebLL0CxGNpG8G0DooLgzvfr941JYwHAWqTUnBBi3HzvaMZLp3dHi6hvVjxQILIWq0dMkccpG56Q==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1t57tp-0003TS-Qy for guix-patches@gnu.org; Sun, 27 Oct 2024 14:22:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties. References: <20241026222934.25890-1-ngraves@ngraves.fr> In-Reply-To: <20241026222934.25890-1-ngraves@ngraves.fr> Resent-From: Nicolas Graves Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 27 Oct 2024 18:22:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 74034 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: moreinfo patch To: 74034@debbugs.gnu.org Cc: Nicolas Graves Received: via spool by 74034-submit@debbugs.gnu.org id=B74034.173005327213102 (code B ref 74034); Sun, 27 Oct 2024 18:22:01 +0000 Received: (at 74034) by debbugs.gnu.org; 27 Oct 2024 18:21:12 +0000 Received: from localhost ([127.0.0.1]:46195 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t57t1-0003PF-IE for submit@debbugs.gnu.org; Sun, 27 Oct 2024 14:21:12 -0400 Received: from 4.mo575.mail-out.ovh.net ([46.105.59.63]:41669) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t57sz-0003P3-DJ for 74034@debbugs.gnu.org; Sun, 27 Oct 2024 14:21:10 -0400 Received: from director5.ghost.mail-out.ovh.net (unknown [10.108.17.160]) by mo575.mail-out.ovh.net (Postfix) with ESMTP id 4Xc4ZT0MFjz1j9P for <74034@debbugs.gnu.org>; Sun, 27 Oct 2024 18:20:32 +0000 (UTC) Received: from ghost-submission-5b5ff79f4f-98kcl (unknown [10.110.168.153]) by director5.ghost.mail-out.ovh.net (Postfix) with ESMTPS id B36831FE46; Sun, 27 Oct 2024 18:20:32 +0000 (UTC) Received: from ngraves.fr ([37.59.142.105]) by ghost-submission-5b5ff79f4f-98kcl with ESMTPSA id spNlFXCEHmeCCwAAalxWaw (envelope-from ); Sun, 27 Oct 2024 18:20:32 +0000 Authentication-Results: garm.ovh; auth=pass (GARM-105G0061260a392-ac5b-4e37-b6fc-f7b84fc4a2e4, E6BF9B87AE7FBE7894246B3B643E76DCC103CD4C) smtp.auth=ngraves@ngraves.fr X-OVh-ClientIp: 86.246.19.221 Date: Sun, 27 Oct 2024 19:20:06 +0100 Message-ID: <20241027182029.25707-1-ngraves@ngraves.fr> X-Mailer: git-send-email 2.46.0 MIME-Version: 1.0 X-Ovh-Tracer-Id: 9543127613904315106 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeeftddrvdejiedgieejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucenucfjughrpefhvfevufffkffoggfgsedtkeertdertddtnecuhfhrohhmpefpihgtohhlrghsucfirhgrvhgvshcuoehnghhrrghvvghssehnghhrrghvvghsrdhfrheqnecuggftrfgrthhtvghrnhepkeffgeetfffgffejgeejvdffgfdtvdeuueetgfefuedvjeegvdegjeejveeuueevnecukfhppeduvdejrddtrddtrddupdekiedrvdegiedrudelrddvvddupdefjedrheelrddugedvrddutdehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepuddvjedrtddrtddruddpmhgrihhlfhhrohhmpehnghhrrghvvghssehnghhrrghvvghsrdhfrhdpnhgspghrtghpthhtohepuddprhgtphhtthhopeejgedtfeegseguvggssghughhsrdhgnhhurdhorhhgpdfovfetjfhoshhtpehmohehjeehpdhmohguvgepshhmthhpohhuth DKIM-Signature: a=rsa-sha256; bh=g4nQcyMzK+ts0qpKy2VcVEnJTWvYP6tNVttgy8sUZOc=; c=relaxed/relaxed; d=ngraves.fr; h=From; s=ovhmo4487190-selector1; t=1730053233; v=1; b=X8t0gvlUCHN+bt/6Ft9anH3bvBKcPGG+o5O9xP4FT36Ukzqb2sqBi8srCPBQD40cc7F1zi2J dDxV2wWXKL9AkOTwvexvnIhtN/GczdTvi3+JjgzaZztzV9tDaaiQRRFKGjP++ZdfNe28eIRrhSR OB0h0u/y+6T3NkLK0j2/aQW1KattEX5/DAnZ7gSel0w1VSHH11FOlHMwivjeEbbsKTGArpdwCMp GGL5spbmO9umsrEtk9behQo30/kRHrlRaA8l5nNAlencrSItTDVFovJpKwi62DFJSOK4SW7ZEMi Qt+KoO1GY5nU2QRgUhZ9peqsOUbdc4Td0bMFASsCU/FCw== X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Nicolas Graves X-ACL-Warn: , Nicolas Graves via Guix-patches X-Patchwork-Original-From: Nicolas Graves via Guix-patches via From: Nicolas Graves Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * guix/cve.scm: Exploit cpe vendors information. (cpe->package-name): Rename to cpe->package and use cpe_vendor:cpe_name in place or cpe_name. (filter-vendors): Add helper function. (vulnerabilities->lookup-proc): Extract cpe_name for table hashes. Add vendor and hidden-vendor arguments. Adapt condition to pass vulnerabilities to result in the fold. * guix/lint.scm (package-vulnerabilities): Use additional arguments from vulnerabilities->lookup-proc. * tests/cve.scm: Adapt tests. --- guix/cve.scm | 71 +++++++++++++++++++++++++++++++++------------------ guix/lint.scm | 11 ++++++-- tests/cve.scm | 30 +++++++++++----------- 3 files changed, 70 insertions(+), 42 deletions(-) diff --git a/guix/cve.scm b/guix/cve.scm index 9e1cf5b587..a2335f15ef 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -106,22 +106,22 @@ (define (reference-data->cve-references alist) (define %cpe-package-rx ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". - (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):")) + (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):")) -(define (cpe->package-name cpe) +(define (cpe->package cpe) "Converts the Common Platform Enumeration (CPE) string CPE to a package -name, in a very naive way. Return two values: the package name, and its -version string. Return #f and #f if CPE does not look like an application CPE -string." +name, in a very naive way. Return two values: the package identifier +(composed from the CPE vendor and the package name), and its version string. +Return #f and #f if CPE does not look like an application CPE string." (cond ((regexp-exec %cpe-package-rx cpe) => (lambda (matches) - (values (match:substring matches 2) - (match (match:substring matches 3) + (values (match:substring matches 1) + (match (match:substring matches 2) ("*" '_) (version (string-append version - (match (match:substring matches 4) + (match (match:substring matches 3) ("" "") (patch-level ;; Drop the colon from things like @@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist) ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534 ;; has a configuration that lacks it. (and cpe - (let-values (((package version) (cpe->package-name cpe))) + (let-values (((package version) (cpe->package cpe))) (and package `(,package ,(cond ((and (or starti starte) (or endi ende)) @@ -228,6 +228,24 @@ (define (version-matches? version sexp) (('>= min) (version>=? version min)))) +(define (filter-vendors vuln vendor hidden-vendors) + + (define (vendor-matches? vendor+name) + (if vendor + (string-prefix? (string-append vendor ":") vendor+name) + (if hidden-vendors + (not (any (lambda (v) + (string-prefix? (string-append v ":") vendor+name)) + hidden-vendors)) + #t))) + + (match vuln + (($ id packages) + (any (match-lambda + (((? vendor-matches? vendor+name) . _) #t) + (_ #f)) + packages)))) + ;;; ;;; High-level interface. @@ -404,28 +422,31 @@ (define table (($ id packages) (fold (lambda (package table) (match package - ((name . versions) - (vhash-cons name (cons vuln versions) + ((vendor+name . versions) + (vhash-cons (match (string-split vendor+name #\:) + ((vendor name) name) + ((name) name)) + (cons vuln versions) table)))) table packages)))) vlist-null vulnerabilities)) - (lambda* (package #:optional version) - (vhash-fold* (if version - (lambda (pair result) - (match pair - ((vuln sexp) - (if (version-matches? version sexp) - (cons vuln result) - result)))) - (lambda (pair result) - (match pair - ((vuln . _) - (cons vuln result))))) - '() - package table))) + (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f)) + (vhash-fold* + (lambda (pair result) + (match pair + ((vuln sexp) + (if (and (or (not (or vendor hidden-vendors)) + (and (or vendor hidden-vendors) + (filter-vendors vuln vendor hidden-vendors))) + (or (not version) + (and version (version-matches? version sexp)))) + (cons vuln result) + result)))) + '() + package table))) ;;; cve.scm ends here diff --git a/guix/lint.scm b/guix/lint.scm index 8c6c20c723..db3f59e3ec 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -1551,8 +1551,15 @@ (define package-vulnerabilities (package-name package))) (version (or (assoc-ref (package-properties package) 'cpe-version) - (package-version package)))) - ((force lookup) name version))))) + (package-version package))) + (vendor (assoc-ref (package-properties package) + 'cpe-vendor)) + (hidden-vendors (assoc-ref (package-properties package) + 'lint-hidden-cpe-vendors))) + ((force lookup) name + #:version version + #:vendor vendor + #:hidden-vendors hidden-vendors))))) ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests. (set! package-vulnerabilities package-vulnerabilities) diff --git a/tests/cve.scm b/tests/cve.scm index b69da0e120..0b6346a4d4 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -34,19 +34,19 @@ (define %expected-vulnerabilities (vulnerability "CVE-2019-0001" ;; Only the "a" CPE configurations are kept; the "o" ;; configurations are discarded. - '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) + '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) (vulnerability "CVE-2019-0005" - '(("junos" (or "18.11" "18.1")))) + '(("juniper:junos" (or "18.11" "18.1")))) ;; CVE-2019-0005 has no "a" configurations. (vulnerability "CVE-2019-14811" - '(("ghostscript" (< "9.28")))) + '(("artifex:ghostscript" (< "9.28")))) (vulnerability "CVE-2019-17365" - '(("nix" (<= "2.3")))) + '(("nixos:nix" (<= "2.3")))) (vulnerability "CVE-2019-1010180" - '(("gdb" _))) ;any version + '(("gnu:gdb" _))) ;any version (vulnerability "CVE-2019-1010204" - '(("binutils" (and (>= "2.21") (<= "2.31.1"))) - ("binutils_gold" (and (>= "1.11") (<= "1.16"))))) + '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1"))) + ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16"))))) ;; CVE-2019-18192 has no associated configurations. )) @@ -92,15 +92,15 @@ (define %expected-vulnerabilities (let* ((vulns (call-with-input-file %sample json->vulnerabilities)) (lookup (vulnerabilities->lookup-proc vulns))) (list (lookup "ghostscript") - (lookup "ghostscript" "9.27") - (lookup "ghostscript" "9.28") + (lookup "ghostscript" #:version "9.27") + (lookup "ghostscript" #:version "9.28") (lookup "gdb") - (lookup "gdb" "42.0") + (lookup "gdb" #:version "42.0") (lookup "nix") - (lookup "nix" "2.4") - (lookup "binutils" "2.31.1") - (lookup "binutils" "2.10") - (lookup "binutils_gold" "1.11") - (lookup "binutils" "2.32")))) + (lookup "nix" #:version "2.4") + (lookup "binutils" #:version "2.31.1") + (lookup "binutils" #:version "2.10") + (lookup "binutils_gold" #:version "1.11") + (lookup "binutils" #:version "2.32")))) (test-end "cve")