From patchwork Wed Feb  2 14:15:20 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Efraim Flashner <efraim@flashner.co.il>
X-Patchwork-Id: 36933
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id D321127BBEA; Wed,  2 Feb 2022 14:43:52 +0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-3.9 required=5.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_MSPIKE_H2,SPF_HELO_PASS autolearn=unavailable
	autolearn_force=no version=3.4.6
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id 93E0D27BBE9
	for <patchwork@mira.cbaines.net>; Wed,  2 Feb 2022 14:43:52 +0000 (GMT)
Received: from localhost ([::1]:45946 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>)
	id 1nFGrP-0000UH-N4
	for patchwork@mira.cbaines.net; Wed, 02 Feb 2022 09:43:51 -0500
Received: from eggs.gnu.org ([209.51.188.92]:54412)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1nFGRY-0000pk-El
 for guix-patches@gnu.org; Wed, 02 Feb 2022 09:17:08 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:58000)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1nFGRS-00070C-Ot
 for guix-patches@gnu.org; Wed, 02 Feb 2022 09:17:08 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1nFGRS-0000z0-Ix
 for guix-patches@gnu.org; Wed, 02 Feb 2022 09:17:02 -0500
X-Loop: help-debbugs@gnu.org
Subject: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for
 CVE checker.
Resent-From: Efraim Flashner <efraim@flashner.co.il>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Wed, 02 Feb 2022 14:17:02 +0000
Resent-Message-ID: <handler.53721.B.16438113673689@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 53721
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 53721@debbugs.gnu.org
Cc: Efraim Flashner <efraim@flashner.co.il>
X-Debbugs-Original-To: guix-patches@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.16438113673689
 (code B ref -1); Wed, 02 Feb 2022 14:17:02 +0000
Received: (at submit) by debbugs.gnu.org; 2 Feb 2022 14:16:07 +0000
Received: from localhost ([127.0.0.1]:51894 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1nFGQV-0000xE-06
 for submit@debbugs.gnu.org; Wed, 02 Feb 2022 09:16:07 -0500
Received: from lists.gnu.org ([209.51.188.17]:55270)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <efraim@flashner.co.il>) id 1nFGQS-0000wh-6v
 for submit@debbugs.gnu.org; Wed, 02 Feb 2022 09:16:01 -0500
Received: from eggs.gnu.org ([209.51.188.92]:53940)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <efraim@flashner.co.il>)
 id 1nFGQS-0000LO-0b
 for guix-patches@gnu.org; Wed, 02 Feb 2022 09:16:00 -0500
Received: from flashner.co.il ([178.62.234.194]:60830)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <efraim@flashner.co.il>) id 1nFGQP-0006hN-BS
 for guix-patches@gnu.org; Wed, 02 Feb 2022 09:15:59 -0500
Received: from localhost (unknown [31.210.177.79])
 by flashner.co.il (Postfix) with ESMTPSA id CA5EA40043;
 Wed,  2 Feb 2022 14:15:55 +0000 (UTC)
From: Efraim Flashner <efraim@flashner.co.il>
Date: Wed,  2 Feb 2022 16:15:20 +0200
Message-Id: 
 <839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@flashner.co.il>
X-Mailer: git-send-email 2.34.0
MIME-Version: 1.0
Received-SPF: pass client-ip=178.62.234.194;
 envelope-from=efraim@flashner.co.il; helo=flashner.co.il
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: "Guix-patches"
 <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-getmail-retrieved-from-mailbox: Patches

* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---

When I checked for cpe-name in the Guix repo there weren't a lot of
hits. Clearly just stripping off the leading 'python2-' or whatever
isn't completely the correct answer, python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs
easily discovered for any of our language library packages.

 guix/lint.scm | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)


base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c

diff --git a/guix/lint.scm b/guix/lint.scm
index 3ca7a0b608..7f08d6af5e 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
 ;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
 ;;; Copyright © 2020 Timothy Sample <samplet@ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
       "Return a list of vulnerabilities affecting PACKAGE."
       ;; First we retrieve the Common Platform Enumeration (CPE) name and
       ;; version for PACKAGE, then we can pass them to LOOKUP.
-      (let ((name    (or (assoc-ref (package-properties package)
-                                    'cpe-name)
-                         (package-name package)))
-            (version (or (assoc-ref (package-properties package)
-                                    'cpe-version)
-                         (package-version package))))
+      (let* ((pkg-name (package-name package))
+             (version  (or (assoc-ref (package-properties package)
+                                      'cpe-version)
+                           (package-version package)))
+             (name
+               (or (assoc-ref (package-properties package)
+                              'cpe-name)
+                   (false-if-exception
+                     (first
+                       (filter string?
+                               (map (lambda (prefix)
+                                      (when (string-prefix? prefix pkg-name)
+                                        (string-drop pkg-name (string-length prefix))))
+                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
+                   pkg-name)))
         ((force lookup) name version)))))
 
 (define* (check-vulnerabilities package