From debbugs-submit-bounces@debbugs.gnu.org Thu Jul 09 18:10:37 2020 Received: (at submit) by debbugs.gnu.org; 9 Jul 2020 22:10:37 +0000 Received: from localhost ([127.0.0.1]:41801 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jtekM-0008AE-Rb for submit@debbugs.gnu.org; Thu, 09 Jul 2020 18:10:37 -0400 Received: from lists.gnu.org ([209.51.188.17]:52448) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jtekK-0008A6-1X for submit@debbugs.gnu.org; Thu, 09 Jul 2020 18:10:25 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:38330) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jtekJ-0005Be-TD for bug-guix@gnu.org; Thu, 09 Jul 2020 18:10:23 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:37418) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jtekJ-0003Vv-L8 for bug-guix@gnu.org; Thu, 09 Jul 2020 18:10:23 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=35914 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jtekJ-0005pk-5k for bug-guix@gnu.org; Thu, 09 Jul 2020 18:10:23 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Subject: =?utf-8?B?4oCYZ3VpeCBsaW504oCZ?= should suggest CPE name X-Debbugs-Cc: Tobias Geerinckx-Rice , Maxim Cournoyer X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 22 Messidor an 228 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Fri, 10 Jul 2020 00:10:21 +0200 Message-ID: <87sge09w6q.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello! On IRC earlier today we were looking at and wondering about the CPE suggestions (which are nice!). I tried the attached hack, which produces a few useless and sometimes erroneous suggestions, by comparing the =E2=80=9Creferences=E2=80=9D of eac= h CVE (usually URLs of a security advisory or bug report) to the home page of the package: --8<---------------cut here---------------start------------->8--- $ ./pre-inst-env guix lint -c cpe gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap' gnu/packages/admin.scm:2866:2: pam-krb5@4.8: suggested CPE name: 'pam-krb5' gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap' gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'element_sof= tware_management_node' gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo' gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo' gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo' gnu/packages/admin.scm:614:2: shadow@4.8.1: suggested CPE name: 'shadow' gnu/packages/aspell.scm:99:2: aspell-dict-ar@1.2-0: suggested CPE name: 'as= pell' gnu/packages/aspell.scm:99:2: aspell-dict-mi@0.50-0: suggested CPE name: 'a= spell' gnu/packages/aspell.scm:99:2: aspell-dict-pl@0.51-0: suggested CPE name: 'a= spell' gnu/packages/aspell.scm:99:2: aspell-dict-ru@0.99f7-1: suggested CPE name: = 'aspell' gnu/packages/aspell.scm:99:2: aspell-dict-sv@0.51-0: suggested CPE name: 'a= spell' gnu/packages/aspell.scm:99:2: aspell-dict-fr@0.50-3: suggested CPE name: 'a= spell' gnu/packages/aspell.scm:99:2: aspell-dict-pt-br@20131030-12-0: suggested CP= E name: 'aspell' gnu/packages/aspell.scm:99:2: aspell-dict-el@0.08-0: suggested CPE name: 'a= spell' gnu/packages/aspell.scm:99:2: aspell-dict-hi@0.02-0: suggested CPE name: 'a= spell' gnu/packages/aspell.scm:99:2: aspell-dict-de@20161207-7-0: suggested CPE na= me: 'aspell' gnu/packages/aspell.scm:99:2: aspell-dict-be@0.01: suggested CPE name: 'asp= ell' gnu/packages/aspell.scm:99:2: aspell-dict-es@1.11-2: suggested CPE name: 'a= spell' gnu/packages/aspell.scm:99:2: aspell-dict-grc@0.02-0: suggested CPE name: '= aspell' gnu/packages/aspell.scm:99:2: aspell-dict-fi@0.7-0: suggested CPE name: 'as= pell' gnu/packages/aspell.scm:99:2: aspell-dict-da@1.6.36-11-0: suggested CPE nam= e: 'aspell' gnu/packages/aspell.scm:99:2: aspell-dict-nl@0.50-2: suggested CPE name: 'a= spell' gnu/packages/aspell.scm:41:2: aspell@0.60.8: suggested CPE name: 'aspell' [=E2=80=A6] --8<---------------cut here---------------end--------------->8--- The conclusion is that, to make good suggestions, we need to parse the CPE dictionary as well: https://nvd.nist.gov/Products/CPE This one is still XML (not JSON) and we=E2=80=99d have to merge duplicates,= as in this example: --8<---------------cut here---------------start------------->8--- GNU cpio GNU cpio 1.0 GNU cpio 1.1 GNU cpio 1.2 GNU cpio 1.3 GNU cpio 2.4.2 GNU cpio 2.5 GNU cpio 2.5.90 GNU cpio 2.6 GNU cpio 2.7 Change Log --8<---------------cut here---------------end--------------->8--- The references are not always useful, as above, but sometimes there=E2=80= =99s a =E2=80=9CProduct=E2=80=9D reference that is the package home page. Anyway, would be nice to add that to (guix cve) instead of succumbing to the convenience of SaaSS! Ludo=E2=80=99. --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable diff --git a/guix/cve.scm b/guix/cve.scm index 7dd9005f09..52a19e0523 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright =C2=A9 2015, 2016, 2017, 2018, 2019 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Court=C3= =A8s ;;; ;;; This file is part of GNU Guix. ;;; @@ -54,6 +54,7 @@ vulnerability? vulnerability-id vulnerability-packages + vulnerability-references =20 json->vulnerabilities current-vulnerabilities @@ -255,20 +256,23 @@ records." (* 3600 24 (date-month %now))) =20 (define-record-type - (vulnerability id packages) + (vulnerability id packages references) vulnerability? (id vulnerability-id) ;string - (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...) + (packages vulnerability-packages) ;((p1 sexp1) (p2 sexp2) ...) + (references vulnerability-references)) ;list of URLs =20 (define vulnerability->sexp (match-lambda - (($ id packages) - `(v ,id ,packages)))) + (($ id packages references) + `(v ,id ,packages ,references)))) =20 (define sexp->vulnerability (match-lambda - (('v id (packages ...)) - (vulnerability id packages)))) + (('v id (packages ...) (references ...)) ;format version 2 + (vulnerability id packages references)) + (('v id (packages ...)) ;format version 1 + (vulnerability id packages '())))) =20 (define (cve-configuration->package-list config) "Parse CONFIG, a config sexp, and return a list of the form (P SEXP) @@ -313,20 +317,23 @@ versions." "Return a corresponding to ITEM, a record; return #f if ITEM does not list any configuration or if it does not list any \"a\" (application) configuration." - (let ((id (cve-id (cve-item-cve item)))) + (let ((id (cve-id (cve-item-cve item))) + (references (cve-references (cve-item-cve item)))) (match (cve-item-configurations item) (() ;no configurations #f) ((configs ...) (vulnerability id (merge-package-lists - (map cve-configuration->package-list configs))))))) + (map cve-configuration->package-list configs)) + (filter-map cve-reference-url references)))))) =20 (define (json->vulnerabilities json) "Parse JSON, an input port or a string, and return the list of vulnerabilities found therein." (filter-map cve-item->vulnerability (json->cve-items json))) =20 +(use-modules (ice-9 pretty-print)) (define (write-cache input cache) "Read vulnerabilities as gzipped JSON from INPUT, and write it as a comp= act sexp to CACHE." @@ -335,8 +342,8 @@ sexp to CACHE." (define vulns (json->vulnerabilities input)) =20 - (write `(vulnerabilities - 1 ;format version + (pretty-print `(vulnerabilities + 2 ;format version ,(map vulnerability->sexp vulns)) cache)))) =20 @@ -369,7 +376,7 @@ the given TTL (fetch from the NIST web site when TTL ha= s expired)." (sexp (read* port))) (close-port port) (match sexp - (('vulnerabilities 1 vulns) + (('vulnerabilities (or 2 1) vulns) (map sexp->vulnerability vulns))))) =20 (define (current-vulnerabilities) diff --git a/guix/lint.scm b/guix/lint.scm index 445c06f8f4..6b65df34a3 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -1108,6 +1108,23 @@ vulnerability records for PACKAGE by calling PACKAGE= -VULNERABILITIES." (list (string-join (map vulnerability-id unpatched) ", ")))))))))) =20 +(define* (check-cpe-name package + #:optional (vulnerabilities + (current-vulnerabilities*))) + (define home-page + (package-home-page package)) + + (filter-map (lambda (vuln) + (and (any (cut string-prefix? home-page <>) + (vulnerability-references vuln)) + (make-warning + package + (G_ "suggested CPE name: '~a'") + (match (vulnerability-packages vuln) + (((p _) _ ...) + (list p)))))) + vulnerabilities)) + (define (check-for-updates package) "Check if there is an update available for PACKAGE." (match (with-networking-fail-safe @@ -1426,6 +1443,10 @@ or a list thereof") (description "Check the Common Vulnerabilities and Exposures\ (CVE) database") (check check-vulnerabilities)) + (lint-checker + (name 'cpe) + (description "Check the Common Platform Enumeration names") + (check check-cpe-name)) (lint-checker (name 'refresh) (description "Check the package for new upstream releases") --=-=-=--