[bug#53721] lint: Perform fuzzy search on package names for CVE checker.
Commit Message
* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---
When I checked for cpe-name in the Guix repo there weren't a lot of
hits. Clearly just stripping off the leading 'python2-' or whatever
isn't completely the correct answer, python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs
easily discovered for any of our language library packages.
guix/lint.scm | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c
Comments
Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length prefix))))
> + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> + pkg-name)))
When can an exception happen here?
Also, the following seems simpler and equivalent:
(any (lambda (prefix)
(and (string-prefix? prefix)
(string-drop pkg-name (string-length prefix))))
'("java-" "perl-" "python-" "python2-" "ruby-"))
It would be nice to test the code for guessing the CPE name of a
package in a few unit tests.
Greetings,
Maxime
On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
> Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
> > + (false-if-exception
> > + (first
> > + (filter string?
> > + (map (lambda (prefix)
> > + (when (string-prefix? prefix pkg-name)
> > + (string-drop pkg-name (string-length prefix))))
> > + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> > + pkg-name)))
>
> When can an exception happen here?
I tossed in 'glibc' since I know that always has CVEs listed against it,
you can't take first from an empty list.
> Also, the following seems simpler and equivalent:
>
> (any (lambda (prefix)
> (and (string-prefix? prefix)
> (string-drop pkg-name (string-length prefix))))
> '("java-" "perl-" "python-" "python2-" "ruby-"))
That is much nicer.
> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.
Definitely. Also I should check if we should try dropping any of the
other prefixes. rust might work, go probably needs some actual
transformation to happen.
> Greetings,
> Maxime
Hello,
Efraim Flashner <efraim@flashner.co.il> skribis:
> - (let ((name (or (assoc-ref (package-properties package)
> - 'cpe-name)
> - (package-name package)))
> - (version (or (assoc-ref (package-properties package)
> - 'cpe-version)
> - (package-version package))))
> + (let* ((pkg-name (package-name package))
> + (version (or (assoc-ref (package-properties package)
> + 'cpe-version)
> + (package-version package)))
> + (name
> + (or (assoc-ref (package-properties package)
> + 'cpe-name)
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length prefix))))
> + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> + pkg-name)))
I agree with Maxime’s suggestions.
In addition, I’d suggest moving this code out in two procedures,
‘package-cpe-name’ and ‘package-cpe-version’, that would honor the
relevant property and fall back to stripping prefixes.
Then ‘package-vulnerabilities’ would simply call these two procedures.
How does that sound?
Longer-term, we should add a thing that proposes correct CPE names:
https://issues.guix.gnu.org/42299
Thanks,
Ludo’.
@@ -7,7 +7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2020 Timothy Sample <samplet@ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
"Return a list of vulnerabilities affecting PACKAGE."
;; First we retrieve the Common Platform Enumeration (CPE) name and
;; version for PACKAGE, then we can pass them to LOOKUP.
- (let ((name (or (assoc-ref (package-properties package)
- 'cpe-name)
- (package-name package)))
- (version (or (assoc-ref (package-properties package)
- 'cpe-version)
- (package-version package))))
+ (let* ((pkg-name (package-name package))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package)))
+ (name
+ (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (false-if-exception
+ (first
+ (filter string?
+ (map (lambda (prefix)
+ (when (string-prefix? prefix pkg-name)
+ (string-drop pkg-name (string-length prefix))))
+ '("java-" "perl-" "python-" "python2-" "ruby-")))))
+ pkg-name)))
((force lookup) name version)))))
(define* (check-vulnerabilities package