On IRC earlier today we were looking at
the CPE suggestions (which are nice!).
I tried the attached hack, which produces a few useless and sometimes
erroneous suggestions, by comparing the “references” of each CVE
(usually URLs of a security advisory or bug report) to the home page of
$ ./pre-inst-env guix lint -c cpe
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:2866:2: pam-krb5@4.8: suggested CPE name: 'pam-krb5'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'element_software_management_node'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:614:2: shadow@4.8.1: suggested CPE name: 'shadow'
gnu/packages/aspell.scm:99:2: aspell-dict-ar@1.2-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-mi@0.50-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pl@0.51-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-ru@0.99f7-1: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-sv@0.51-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fr@0.50-3: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pt-br@20131030-12-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-el@0.08-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-hi@0.02-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-de@20161207-7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-be@0.01: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-es@1.11-2: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-grc@0.02-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fi@0.7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-da@1.6.36-11-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-nl@0.50-2: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:41:2: aspell@0.60.8: suggested CPE name: 'aspell'
[…]
The conclusion is that, to make good suggestions, we need to parse the
This one is still XML (not JSON) and we’d have to merge duplicates, as
<cpe-item name="cpe:/a:gnu:cpio:-">
<title xml:lang="en-US">GNU cpio</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:-:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.0">
<title xml:lang="en-US">GNU cpio 1.0</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.0:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.1">
<title xml:lang="en-US">GNU cpio 1.1</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.1:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.2">
<title xml:lang="en-US">GNU cpio 1.2</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.2:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.3">
<title xml:lang="en-US">GNU cpio 1.3</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.3:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.4-2">
<title xml:lang="en-US">GNU cpio 2.4.2</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.4-2:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.5">
<title xml:lang="en-US">GNU cpio 2.5</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.5:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.5.90">
<title xml:lang="en-US">GNU cpio 2.5.90</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.5.90:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.6">
<title xml:lang="en-US">GNU cpio 2.6</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.6:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.7">
<title xml:lang="en-US">GNU cpio 2.7</title>
<references>
<reference href="https://ftp.gnu.org/gnu/cpio/">Change Log</reference>
</references>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.7:*:*:*:*:*:*:*"/>
</cpe-item>
--8<---------------cut here---------------end--------------->8---
The references are not always useful, as above, but sometimes there’s a
“Product” reference that is the package home page.
Anyway, would be nice to add that to (guix cve) instead of succumbing to
the convenience of SaaSS!
Ludo’.
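An added example (not part of Ludo's message or of the Guix code base) of the merging step the message describes, written in Python rather than Guile: it parses a small constructed excerpt of the NVD CPE dictionary, folds the one-item-per-version entries into one record per vendor:product, keeps any "Product" reference as the home page, and matches a package home page against those records. The 2.8 item and its Product reference are made up for illustration; the namespace URIs are those the official dictionary declares.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Namespace URIs of the NVD CPE dictionary (the excerpt in the message
# omits the xmlns declarations; the prefix cpe-23 is the one it uses).
NS = {"cpe": "http://cpe.mitre.org/dictionary/2.0",
      "cpe-23": "http://scap.nist.gov/schema/cpe-extension/2.3"}
# Constructed sample modelled on the cpio entries quoted in the message;
# the 2.8 item and its "Product" reference are made up for illustration.
SAMPLE_XML = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
          xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
  <cpe-item name="cpe:/a:gnu:cpio:2.7">
    <title xml:lang="en-US">GNU cpio 2.7</title>
    <references>
      <reference href="https://ftp.gnu.org/gnu/cpio/">Change Log</reference>
    </references>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.7:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:2.8">
    <title xml:lang="en-US">GNU cpio 2.8</title>
    <references>
      <reference href="https://www.gnu.org/software/cpio/">Product</reference>
    </references>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.8:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>"""

def parse_cpe_dictionary(xml_text):
    """Merge one-item-per-version entries into one record per (vendor, product)."""
    products = defaultdict(lambda: {"versions": set(), "home_pages": set()})
    for item in ET.fromstring(xml_text).findall("cpe:cpe-item", NS):
        cpe23 = item.find("cpe-23:cpe23-item", NS)
        if cpe23 is None:
            continue
        # cpe:2.3:<part>:<vendor>:<product>:<version>:...
        _, _, part, vendor, product, version = cpe23.get("name").split(":")[:6]
        if part != "a":            # applications only, not OS or hardware
            continue
        rec = products[(vendor, product)]
        rec["versions"].add(version)
        for ref in item.findall("cpe:references/cpe:reference", NS):
            if ref.text == "Product":  # the reference that is the home page
                rec["home_pages"].add(ref.get("href").rstrip("/"))
    return dict(products)

def suggest_cpe(products, home_page):
    """Return 'vendor:product' names whose Product reference is home_page."""
    key = home_page.rstrip("/")
    return sorted(f"{v}:{p}" for (v, p), rec in products.items()
                  if key in rec["home_pages"])
```

A "Change Log" reference such as the ftp.gnu.org one above is deliberately ignored, which is why it yields no suggestion.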