‘guix lint’ should suggest CPE name

Ludovic Courtès wrote on 10 Jul 2020 00:10

Recipients:(address . bug-guix@gnu.org)

Message-ID:87sge09w6q.fsf@gnu.org

Hello!

On IRC earlier today we were looking at

https://repology.org/repository/gnuguix/problems and wondering about

the CPE suggestions (which are nice!).

I tried the attached hack, which produces a few useless and sometimes

erroneous suggestions, by comparing the “references” of each CVE

(usually URLs of a security advisory or bug report) to the home page of

the package:

Toggle snippet (37 lines)$ ./pre-inst-env  guix lint -c cpe
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:2866:2: pam-krb5@4.8: suggested CPE name: 'pam-krb5'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'element_software_management_node'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:614:2: shadow@4.8.1: suggested CPE name: 'shadow'
gnu/packages/aspell.scm:99:2: aspell-dict-ar@1.2-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-mi@0.50-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pl@0.51-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-ru@0.99f7-1: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-sv@0.51-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fr@0.50-3: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pt-br@20131030-12-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-el@0.08-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-hi@0.02-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-de@20161207-7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-be@0.01: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-es@1.11-2: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-grc@0.02-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fi@0.7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-da@1.6.36-11-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-nl@0.50-2: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:41:2: aspell@0.60.8: suggested CPE name: 'aspell'
[…]

The conclusion is that, to make good suggestions, we need to parse the

CPE dictionary as well:

https://nvd.nist.gov/Products/CPE

This one is still XML (not JSON) and we’d have to merge duplicates, as

in this example:

Toggle snippet (53 lines)  <cpe-item name="cpe:/a:gnu:cpio:-">
    <title xml:lang="en-US">GNU cpio</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:-:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:1.0">
    <title xml:lang="en-US">GNU cpio 1.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:1.1">
    <title xml:lang="en-US">GNU cpio 1.1</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.1:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:1.2">
    <title xml:lang="en-US">GNU cpio 1.2</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.2:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:1.3">
    <title xml:lang="en-US">GNU cpio 1.3</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.3:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:2.4-2">
    <title xml:lang="en-US">GNU cpio 2.4.2</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.4-2:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:2.5">
    <title xml:lang="en-US">GNU cpio 2.5</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.5:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:2.5.90">
    <title xml:lang="en-US">GNU cpio 2.5.90</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.5.90:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:2.6">
    <title xml:lang="en-US">GNU cpio 2.6</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.6:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:gnu:cpio:2.7">
    <title xml:lang="en-US">GNU cpio 2.7</title>
    <references>
      <reference href="https://ftp.gnu.org/gnu/cpio/">Change Log</reference>
    </references>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.7:*:*:*:*:*:*:*"/>
  </cpe-item>
 --8<---------------cut here---------------end--------------->8---

The references are not always useful, as above, but sometimes there’s a
“Product” reference that is the package home page.

Anyway, would be nice to add that to (guix cve) instead of succumbing to
the convenience of SaaSS!

Ludo’.

Attachment: file

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date