From patchwork Tue Mar 16 16:06:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tobias Geerinckx-Rice X-Patchwork-Id: 27885 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 3A86C27BC54; Tue, 16 Mar 2021 16:10:30 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS, T_DKIM_INVALID,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C318027BC52 for ; Tue, 16 Mar 2021 16:10:29 +0000 (GMT) Received: from localhost ([::1]:52802 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lMCH6-0008GE-W8 for patchwork@mira.cbaines.net; Tue, 16 Mar 2021 12:10:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:38554) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lMCEk-0006Wy-UO for guix-patches@gnu.org; Tue, 16 Mar 2021 12:08:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:57530) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lMCEk-00044S-Lc for guix-patches@gnu.org; Tue, 16 Mar 2021 12:08:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lMCEk-0002iZ-Gk for guix-patches@gnu.org; Tue, 16 Mar 2021 12:08:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#47193] [PATCH 1/2] lint: Sort possible vulnerabilities. References: <87im5rm6lw.fsf@nckx> In-Reply-To: <87im5rm6lw.fsf@nckx> Resent-From: Tobias Geerinckx-Rice Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 16 Mar 2021 16:08:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47193 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 47193@debbugs.gnu.org Received: via spool by 47193-submit@debbugs.gnu.org id=B47193.161591082410371 (code B ref 47193); Tue, 16 Mar 2021 16:08:02 +0000 Received: (at 47193) by debbugs.gnu.org; 16 Mar 2021 16:07:04 +0000 Received: from localhost ([127.0.0.1]:40841 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMCDo-0002h9-Cx for submit@debbugs.gnu.org; Tue, 16 Mar 2021 12:07:04 -0400 Received: from tobias.gr ([80.241.217.52]:40566) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMCDm-0002gi-G7 for 47193@debbugs.gnu.org; Tue, 16 Mar 2021 12:07:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018; bh=pRogdOwWfN/snsklteKvUi9KNTFvioU54/6uRhMf6To=; h=date:subject:to: from; b=TJGvVyuj5L/N/648up6q2MHE+CvxIa17iFxZyOh1Q2R1gbdu7fDFq4XizA44Iw EVLYoW0kuZwbZFHPR4PT2JNgCOwXh24ndqUxuNHugqRLlr4ATASAvAGYyxi+afcoMX7jMv K1Oaihw/b85ql27YnFMY+mg/AFxjL6v6sD8inWSapPdRwegoEjpqLryFjbvJhpL+qL8o66 cMs/9+2IwSr66acoAHiIOeAQP9mVHNq1mLvRzIQZdFvbpRI7+ex1rIuFyXPgRDyC3r7H6j J9wmuWH2qM6yLp3dlDnRrQtPWv+lqZTnfCOo4Jb9YN00VBJl9rx91dmSWvNk2SjadbIJJA == Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 489a24e1 (TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO) for <47193@debbugs.gnu.org>; Tue, 16 Mar 2021 16:08:02 +0000 (UTC) Date: Tue, 16 Mar 2021 17:06:52 +0100 Message-Id: <20210316160653.9891-1-me@tobias.gr> X-Mailer: git-send-email 2.30.1 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" Reply-to: Tobias Geerinckx-Rice X-ACL-Warn: , Tobias Geerinckx-Rice via Guix-patches X-Patchwork-Original-From: Tobias Geerinckx-Rice via Guix-patches via From: Tobias Geerinckx-Rice X-getmail-retrieved-from-mailbox: Patches * guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities by ID. --- guix/lint.scm | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/guix/lint.scm b/guix/lint.scm index 5144fa139d..ed57e19fe2 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -1164,6 +1164,23 @@ the NIST server non-fatal." package-vulnerabilities)) "Check for known vulnerabilities for PACKAGE. Obtain the list of vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES." + + (define (vulnerability< v1 v2) + (define (string-list< list1 list2) + (match list1 + ((head1 tail1 ...) + (match list2 + ((head2 tail2 ...) + (if (string=? head1 head2) + (string-list< tail1 tail2) + (string X-Patchwork-Id: 27886 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id BD70B27BC54; Tue, 16 Mar 2021 16:15:49 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS, T_DKIM_INVALID,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 1A3AD27BC52 for ; Tue, 16 Mar 2021 16:15:49 +0000 (GMT) Received: from localhost ([::1]:38322 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lMCMG-0006Mr-83 for patchwork@mira.cbaines.net; Tue, 16 Mar 2021 12:15:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:38556) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lMCEl-0006Xh-Ah for guix-patches@gnu.org; Tue, 16 Mar 2021 12:08:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:57531) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lMCEl-00044W-2s for guix-patches@gnu.org; Tue, 16 Mar 2021 12:08:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lMCEk-0002ig-UN for guix-patches@gnu.org; Tue, 16 Mar 2021 12:08:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#47193] [PATCH 2/2] lint: Indicate CVE severity. Resent-From: Tobias Geerinckx-Rice Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 16 Mar 2021 16:08:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47193 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 47193@debbugs.gnu.org Received: via spool by 47193-submit@debbugs.gnu.org id=B47193.161591082710381 (code B ref 47193); Tue, 16 Mar 2021 16:08:02 +0000 Received: (at 47193) by debbugs.gnu.org; 16 Mar 2021 16:07:07 +0000 Received: from localhost ([127.0.0.1]:40843 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMCDq-0002hN-Lr for submit@debbugs.gnu.org; Tue, 16 Mar 2021 12:07:07 -0400 Received: from tobias.gr ([80.241.217.52]:40566) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMCDn-0002gi-Ih for 47193@debbugs.gnu.org; Tue, 16 Mar 2021 12:07:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018; bh=PboByRz5iej9DIUZpuu/uFXHUQtJFQo+QgdshhvDfa4=; h=references: in-reply-to:date:subject:to:from; b=Fa6JCu9jodoT5U21DwFSAeOuwTq3aAsdaj 1M2Lb7XA2u5IndoMmDIcHtGtZ/qZf8s6OvbI8pw+2mbEJeI5R7h92C37gWgiq4oYYqr1KB Asbxgsqz5CcDmWnmmE+biLZwxZAdkSKu0R0YCbZ9eJnvVUxxsiPBd5i6M8xsUpeCDcZ0py r2r8nb7RZQcw0TlY6qbxhs2jbwB01oopKAVEgSRoWhZrHWcWA3OA8846e2Bh/cXqmEpi9g xdpW9FhYSDp8FIfBM5diJvy52zvMh/uhOy6SVkEb2vLIB96z/bcuLrRUuFSj77kfgUMgw5 SyVCcpFeXRwIOYR1BxiGrqnJhriQ== Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id ae76bf27 (TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO) for <47193@debbugs.gnu.org>; Tue, 16 Mar 2021 16:08:02 +0000 (UTC) Date: Tue, 16 Mar 2021 17:06:53 +0100 Message-Id: <20210316160653.9891-2-me@tobias.gr> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210316160653.9891-1-me@tobias.gr> References: <20210316160653.9891-1-me@tobias.gr> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" Reply-to: Tobias Geerinckx-Rice X-ACL-Warn: , Tobias Geerinckx-Rice via Guix-patches X-Patchwork-Original-From: Tobias Geerinckx-Rice via Guix-patches via From: Tobias Geerinckx-Rice X-getmail-retrieved-from-mailbox: Patches * guix/cve.scm [cvss3-base-severity]: New field. (impact-data->cve-cvss3-base-severity): New procedure. [severity]: New field. (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability) (write-cache): Bump the format version to 2. (vulnerabilities->lookup-proc): Adjust accordingly. * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according to the output port's terminal capabilities. --- guix/cve.scm | 48 ++++++++++++++++++++++++++++++++---------------- guix/lint.scm | 32 +++++++++++++++++++++++++++++++- 2 files changed, 63 insertions(+), 17 deletions(-) diff --git a/guix/cve.scm b/guix/cve.scm index b3a8b13a06..3809e4493f 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès +;;; Copyright © 2021 Tobias Geerinckx-Rice ;;; ;;; This file is part of GNU Guix. ;;; @@ -38,6 +39,7 @@ cve-item? cve-item-cve cve-item-configurations + cve-item-cvssv3-base-severity cve-item-published-date cve-item-last-modified-date @@ -53,6 +55,7 @@ vulnerability? vulnerability-id + vulnerability-severity vulnerability-packages json->vulnerabilities @@ -72,13 +75,15 @@ (define-json-mapping cve-item cve-item? json->cve-item - (cve cve-item-cve "cve" json->cve) ; - (configurations cve-item-configurations ;list of sexps - "configurations" configuration-data->cve-configurations) - (published-date cve-item-published-date - "publishedDate" string->date*) - (last-modified-date cve-item-last-modified-date - "lastModifiedDate" string->date*)) + (cve cve-item-cve "cve" json->cve) ; + (configurations cve-item-configurations ;list of sexps + "configurations" configuration-data->cve-configurations) + (cvssv3-base-severity cve-item-cvssv3-base-severity ;string + "impact" impact-data->cve-cvssv3-base-severity) + (published-date cve-item-published-date + "publishedDate" string->date*) + (last-modified-date cve-item-last-modified-date + "lastModifiedDate" string->date*)) (define-json-mapping cve cve? json->cve @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (< (let ((nodes (vector->list (assoc-ref alist "nodes")))) (filter-map node->configuration nodes))) +(define (impact-data->cve-cvssv3-base-severity alist) + "Given ALIST, a JSON dictionary for the \"impact\" element found in +CVEs, return a string indicating its CVSSv3 severity. This should be +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we +return whatever we find, or #F if the severity cannot be determined." + (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3")) + (cvss-v3 (assoc-ref base-metric-v3 "cvssV3"))) + (assoc-ref cvss-v3 "baseSeverity"))) + (define (json->cve-items json) "Parse JSON, an input port or a string, and return a list of records." @@ -251,20 +265,21 @@ records." (* 3600 24 (date-month %now))) (define-record-type - (vulnerability id packages) + (vulnerability id severity packages) vulnerability? (id vulnerability-id) ;string + (severity vulnerability-severity) ;string (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...) (define vulnerability->sexp (match-lambda - (($ id packages) - `(v ,id ,packages)))) + (($ id severity packages) + `(v ,id ,severity ,packages)))) (define sexp->vulnerability (match-lambda - (('v id (packages ...)) - (vulnerability id packages)))) + (('v id severity (packages ...)) + (vulnerability id severity packages)))) (define (cve-configuration->package-list config) "Parse CONFIG, a config sexp, and return a list of the form (P SEXP) @@ -309,12 +324,13 @@ versions." "Return a corresponding to ITEM, a record; return #f if ITEM does not list any configuration or if it does not list any \"a\" (application) configuration." - (let ((id (cve-id (cve-item-cve item)))) + (let ((id (cve-id (cve-item-cve item))) + (severity (cve-item-base-severity item))) (match (cve-item-configurations item) (() ;no configurations #f) ((configs ...) - (vulnerability id + (vulnerability id severity (merge-package-lists (map cve-configuration->package-list configs))))))) @@ -332,7 +348,7 @@ sexp to CACHE." (json->vulnerabilities input)) (write `(vulnerabilities - 1 ;format version + 2 ;format version ,(map vulnerability->sexp vulns)) cache)))) @@ -396,7 +412,7 @@ vulnerabilities affecting the given package version." ;; Map package names to lists of version/vulnerability pairs. (fold (lambda (vuln table) (match vuln - (($ id packages) + (($ id severity packages) (fold (lambda (package table) (match package ((name . versions) diff --git a/guix/lint.scm b/guix/lint.scm index ed57e19fe2..f3c4e13052 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -48,6 +48,7 @@ #:use-module (guix monads) #:use-module (guix scripts) #:use-module ((guix ui) #:select (texi->plain-text fill-paragraph)) + #:use-module (guix colors) #:use-module (guix gnu-maintenance) #:use-module (guix cve) #:use-module ((guix swh) #:hide (origin?)) @@ -1165,6 +1166,35 @@ the NIST server non-fatal." "Check for known vulnerabilities for PACKAGE. Obtain the list of vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES." + (define severity->color + ;; A standard CVE colour gradient is red > orange > yellow > green > none. + ;; However, ANSI non-bold YELLOW is actually orange whilst BOLD YELLOW + ;; is actual yellow, so BOLD would confusingly be less serious. Skip it. + (match-lambda + ("CRITICAL" (color BOLD RED)) + ("HIGH" (color RED)) + ("MEDIUM" (color YELLOW)) + ("LOW" (color GREEN)) + (_ (color)))) + + (define (colorize-vulnerability vulnerability) + ;; If the terminal supports ANSI colours, use them to indicate severity. + (colorize-string (vulnerability-id vulnerability) + (severity->color (vulnerability-severity + vulnerability)))) + + (define (simple-format-vulnerability vulnerability) + ;; Otherwise, omit colour coding and explicitly append the severity string. + (simple-format #f "~a (~a)" + (vulnerability-id vulnerability) + (string-downcase (vulnerability-severity vulnerability)))) + + (define format-vulnerability + ;; Check once which of the above to use for all PACKAGE vulnerabilities. + (if (color-output? (current-output-port)) + colorize-vulnerability + simple-format-vulnerability)) + (define (vulnerability< v1 v2) (define (string-list< list1 list2) (match list1 @@ -1201,7 +1231,7 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES." (make-warning package (G_ "probably vulnerable to ~a") - (list (string-join (map vulnerability-id + (list (string-join (map format-vulnerability (sort unpatched vulnerability<)) ", "))))))))))