From patchwork Wed Mar 17 08:13:36 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?L=C3=A9o_Le_Bouter?= <lle-bout@zaclys.net>
X-Patchwork-Id: 27892
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id 6FAB227BC55; Wed, 17 Mar 2021 08:14:41 +0000 (GMT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,
	T_DKIM_INVALID,URIBL_BLOCKED autolearn=unavailable autolearn_force=no
	version=3.4.2
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id 7B51D27BC56
	for <patchwork@mira.cbaines.net>; Wed, 17 Mar 2021 08:14:40 +0000 (GMT)
Received: from localhost ([::1]:60134 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>)
	id 1lMRKB-0005z9-JM
	for patchwork@mira.cbaines.net; Wed, 17 Mar 2021 04:14:39 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:53232)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lMRJa-0005fe-FU
 for guix-patches@gnu.org; Wed, 17 Mar 2021 04:14:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:58558)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lMRJa-0005D0-86
 for guix-patches@gnu.org; Wed, 17 Mar 2021 04:14:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lMRJa-0002vt-2a
 for guix-patches@gnu.org; Wed, 17 Mar 2021 04:14:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#47193] Fancify guix lint -c cve output
Resent-From: =?utf-8?q?L=C3=A9o?= Le Bouter <lle-bout@zaclys.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Wed, 17 Mar 2021 08:14:02 +0000
Resent-Message-ID: <handler.47193.B47193.161596883311245@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 47193
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: 
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: 47193@debbugs.gnu.org
X-Debbugs-Original-Cc: guix-patches@gnu.org, 47193@debbugs.gnu.org
Received: via spool by 47193-submit@debbugs.gnu.org id=B47193.161596883311245
 (code B ref 47193); Wed, 17 Mar 2021 08:14:02 +0000
Received: (at 47193) by debbugs.gnu.org; 17 Mar 2021 08:13:53 +0000
Received: from localhost ([127.0.0.1]:41868 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lMRJR-0002vJ-FT
 for submit@debbugs.gnu.org; Wed, 17 Mar 2021 04:13:53 -0400
Received: from mail.zaclys.net ([178.33.93.72]:47083)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lMRJN-0002v3-Or
 for 47193@debbugs.gnu.org; Wed, 17 Mar 2021 04:13:52 -0400
Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12H8DgOw059913
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Wed, 17 Mar 2021 09:13:42 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12H8DgOw059913
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1615968823;
 bh=ElJThSKmCIRopXH6G3XUQ8sxHE04Fz4WRi4SflMQx1Q=;
 h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
 b=GF9UPesBhtGRu1RuStUWlUvIWV/h5ij1lnhfZVVWs+McWya3mFCEv8nzQ0KcIZEsq
 t6KJn/4+3ixYy3AYKQiXOcum+I7BcCiZnSRvWoqBxf5cVGQzlYqjg/x5wDThcpu1Is
 NgTVW/YEQ0fnxXswo1u0E4CoeFQsKjCTrrS4KiYA=
Message-ID: <f6dba3fcf4f524d85800b6c2c10b5dc88fd3c555.camel@zaclys.net>
Date: Wed, 17 Mar 2021 09:13:36 +0100
In-Reply-To: <87a6r2n6pd.fsf@nckx>
References: <87im5rm6lw.fsf@nckx>
 <0524f6bfe10befabf7969aa0fbf90503e7db1ab7.camel@zaclys.net>
 <87a6r2n6pd.fsf@nckx>
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: "Guix-patches"
 <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
Reply-to: =?utf-8?q?L=C3=A9o?= Le Bouter <lle-bout@zaclys.net>
X-ACL-Warn: ,
  =?utf-8?q?L=C3=A9o?= Le Bouter via Guix-patches <guix-patches@gnu.org>
X-Patchwork-Original-From: =?utf-8?q?L=C3=A9o?= Le Bouter via Guix-patches via
 <guix-patches@gnu.org>
From: =?utf-8?q?L=C3=A9o_Le_Bouter?= <lle-bout@zaclys.net>
X-getmail-retrieved-from-mailbox: Patches

On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote:
> Léo!

Tobias! :-)

> Léo Le Bouter via Guix-patches via 写道：
> > guix/cve.scm:328:18: warning: possibly unbound variable 
> > `cve-item-base-
> > severity'
> 
> One dark and stormy night I turned away an old woman at my doors, 
> and ever since I have been cursed to include at least one stupid 
> typo in each patch I send.  True story.
> 
> Thanks for testing.  Fixed but it should not affect running guix 
> lint.

I tried fixing it as well,

$ git diff
        #f)

Look right?

> Hmm.  I bet ‘rm -rf ~/.cache/guix/http’ will make this go 
> conveniently away, just like lady stormypants.

I tried that (without the fix above) and:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7fd1e5545520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7fd1e5548c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7fd1e1f0ee40 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7fd1e1f0b000 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7fd1d2f805d0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities _ _)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7fd1e227dab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
error: cve-item-base-severity: unbound variable

Then *with* the fix:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7f4a634a5520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7f4a634a8c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7f4a5fe6c8d0 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7f4a5fe6ec20 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7f4a50f5a0f0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities _ _)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7f4a601ddab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern"
(vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM" (("contrail_networking"
(< "1911.31")))) (v "CVE-2021-0220" "MEDIUM" (("junos_space" (or "19.1"
(or "18.4" (or "18.3" (or "18.2" (or "18.1r1" (or "18.1" (or "17.21.4"
(or "17.2" (or "17.1" (or "16.1" (or "15.2" (or "15.14" (or "15.12" (or
"15.1" (or "14.1" (or "13.33" (or "13.11.8" (or "13.1" (or "12.3" (or
"12.2" (or "12.1" (or "11.4" (or "11.3" (or "11.2" (or "11.1" (or "2.0"
(or "1.4" (or "1.3" (or "1.2" (or "1.1"
"1.0"))))))))))))))))))))))))))))))))) (v "CVE-2021-1051" "HIGH"
(("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>= "450") (<
"452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (<
"392.63")))))))) (v "CVE-2021-1052" "HIGH" (("gpu_driver" (or (or (and
(>= "460") (< "460.32.03")) (or (and (>= "450") (< "450.102.04")) (and
(>= "390") (< "390.141")))) (or (and (>= "460") (< "461.09")) (or (and
(>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>=
"390") (< "392.63"))))))))) (v "CVE-2021-1053" "MEDIUM" (("gpu_driver"
(or (or (and (>= "460") (< "460.32.03")) (or (and (>= "450") (<
"450.102.04")) (and (>= "390") (< "390.141")))) (or (and (>= "460") (<
"461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (<
"427.11")) (and (>= "390") (< "392.63"))))))))) (v "CVE-2021-1054"
"MEDIUM" (("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>=
"450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390")
(< "392.63")))))))) (v "CVE-2021-1055" "MEDIUM" (("gpu_driver" (or (and
(>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>=
"
[...]

I ran "$ rm -rf ~/.cache/guix/http" between each and every of these
attempts. The cache is clear, I also did make clean and recompiled (so
no left around .go file).

> 
> > (v "CVE-2021-0212" (("contrail_networking" ...
> 
> This is a stale cache file lacking the newly added ‘severity’ 
> field:
> 
> (v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ...
> 
> I bumped the format version to 2 in (guix cve) to signal this 
> incompatible change, but it appears this field may exist merely as 
> a friendly reminder to actually add version handling some day...?
> 
> I guess today is that day.
> 
> Bah,

Don't know! I think there's some other issue here, or maybe you
modified the patch a little more on your side.

PS: I looked at the image you initially posted and the output looks
really nice and helpful!!

> 
> T G-R

Thank you :-D

Léo

diff --git a/guix/cve.scm b/guix/cve.scm
index 3809e4493f..d52ea05117 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -325,7 +325,7 @@ versions."
 return #f if ITEM does not list any configuration or if it does not
list
 any \"a\" (application) configuration."
   (let ((id (cve-id (cve-item-cve item)))
-        (severity (cve-item-base-severity item)))
+        (severity (cve-item-cvssv3-base-severity item)))
     (match (cve-item-configurations item)
       (()                                         ;no configurations