"guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)

Open. Submitted by Léo Le Bouter.
Details
3 participants
  • Léo Le Bouter
  • Ludovic Courtès
  • zimoun
Owner: unassigned
Severity: normal
Léo Le Bouter wrote on 16 Mar 10:29 +0100
(address . bug-guix@gnu.org)
706d51950b7545eefd43a54f738bc82df0d7f36c.camel@zaclys.net
./pre-inst-env guix lint -c cve python-urllib3@1.26.2

Here this should return at least CVE-2021-28363 but it does not because the CVE database contains urllib3 and not python-urllib3 (which AFAICT the cve linter searches for).

Annotating each and every python-, go-, and rust- package with cpe-name properties is going to be very annoying. I suggest we add some heuristics that try both the full name and prefix-trimmed name. python-urllib3's cpe name and vendor is python (vendor) urllib3 (name).

Same story for CVE-2021-28305 and rust-diesel, though it doesn't even have a CPE entry yet.

zimoun wrote on 16 Mar 14:05 +0100
Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-, python-, go-, ..)
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47188@debbugs.gnu.org)
CAJ3okZ2yHtxtbi0vhskAJCCWT_NkQuOUnLof9cm7MRDwpeAkug@mail.gmail.com
Hi,
On Tue, 16 Mar 2021 at 10:30, Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:

> ./pre-inst-env guix lint -c cve python-urllib3@1.26.2
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).
Does the CVE use the upstream name? Or a normalized name?
I mean, in the R world, packages can have names such as 'org.EcK12.eg.db', which becomes "r-org-eck12-eg-db". To ease the mapping for updating and co, the package definition contains:
(properties `((upstream-name . "org.EcK12.eg.db")))
Maybe, it could be worth to have similar things. WDYT?

All the best,
simon
Ludovic Courtès wrote on 18 Mar 14:26 +0100
Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47188@debbugs.gnu.org)
87a6r0r3t1.fsf@gnu.org
Hi,
Léo Le Bouter <lle-bout@zaclys.net> wrote:

> ./pre-inst-env guix lint -c cve python-urllib3@1.26.2
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).
>
> Annotating each and every python-, go-, and rust- package with cpe-name
> properties is going to be very annoying. I suggest we add some
> heuristics that try both the full name and prefix-trimmed name. python-
> urllib3's cpe name and vendor is python (vendor) urllib3 (name).
>
> Same story for CVE-2021-28305 and rust-diesel, though it doesnt even
> have a CPE entry yet.

Yes, that’s an issue. We can address these by adding a ‘cpe-name’ property (info "(guix) Invoking guix lint"), but that’s going to be tedious. We can at least add it to high-profile packages for now.
Tooling that suggests or deduces the CPE name would help a lot:
https://issues.guix.gnu.org/42299
Ludo’.
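The three ideas in this thread (Léo's prefix-trimming heuristic, zimoun's upstream-name property and the cpe-name property Ludo points to) fit naturally into one candidate-name lookup. The following is an added example, not code from the Guix linter (which is written in Guile Scheme; Python is used here so the heuristic can be read and run on its own). The Package class, the candidate ordering, the cpe-vendor property and the CVE table are assumptions; the CVE id is the one from the report but the affected-version set and the second table entry are constructed sample data.

```python
from dataclasses import dataclass, field

# Language prefixes that Guix importers prepend to package names.  The report
# names python-, rust- and go-; r- is added because zimoun's example uses it.
# The prefix also serves as a vendor hint ("python-urllib3" -> vendor "python"),
# which is what keeps a trimmed name from matching an unrelated product.
LANGUAGE_PREFIXES = ("python-", "rust-", "go-", "r-")

# Constructed sample of CVE data keyed by CPE (vendor, product).  The CVE id is
# the one from the report; the affected-version sets are sample values only.
SAMPLE_CVE_DB = {
    ("python", "urllib3"): [("CVE-2021-28363", {"1.26.2", "1.26.3"})],
    # Unrelated product that shares the trimmed name "diesel" (constructed,
    # with a placeholder id) to show the vendor hint rejecting it.
    ("acme", "diesel"): [("CVE-XXXX-PLACEHOLDER", {"1.4.5"})],
}


@dataclass
class Package:
    """Minimal stand-in (assumed) for a Guix package record."""
    name: str
    version: str
    properties: dict = field(default_factory=dict)


def candidate_cpe_names(pkg):
    """Return (vendor, product) candidates, most specific first.

    Order: explicit cpe-name/cpe-vendor properties, then an upstream-name
    property (zimoun's suggestion), then the Guix name as-is, then the name
    with its language prefix trimmed (Léo's suggestion).  A vendor of None
    means "any vendor".  Duplicates are dropped, order is preserved.
    """
    cands = []

    def add(vendor, product):
        if product and (vendor, product) not in cands:
            cands.append((vendor, product))

    props = pkg.properties
    add(props.get("cpe-vendor"), props.get("cpe-name"))
    add(None, props.get("upstream-name"))
    add(None, pkg.name)
    for prefix in LANGUAGE_PREFIXES:
        if pkg.name.startswith(prefix) and len(pkg.name) > len(prefix):
            add(prefix.rstrip("-"), pkg.name[len(prefix):])
            break
    return cands


def lookup_vulnerabilities(pkg, db=SAMPLE_CVE_DB):
    """Return sorted CVE ids from `db` that affect pkg.version under any
    candidate name.  A candidate with a vendor only matches that vendor."""
    found = set()
    for vendor, product in candidate_cpe_names(pkg):
        for (db_vendor, db_product), entries in db.items():
            if db_product != product:
                continue
            if vendor is not None and db_vendor != vendor:
                continue
            for cve_id, affected in entries:
                if pkg.version in affected:
                    found.add(cve_id)
    return sorted(found)


if __name__ == "__main__":
    for pkg in (
        Package("python-urllib3", "1.26.2"),
        Package("python-urllib3", "1.26.4"),
        Package("rust-diesel", "1.4.5"),
        Package("r-org-eck12-eg-db", "3.12.0",
                {"upstream-name": "org.EcK12.eg.db"}),
    ):
        print(pkg.name, pkg.version, candidate_cpe_names(pkg),
              lookup_vulnerabilities(pkg))
```

The explicit properties still win over the heuristic, so a maintainer can override a wrong guess by setting cpe-name on the package, and the trimmed name is only tried with its prefix as vendor, which is why rust-diesel does not pick up the unrelated "diesel" entry here.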
Ludovic Courtès wrote on 18 Mar 14:38 +0100
control message for bug #47188
(address . control@debbugs.gnu.org)
877dm4ponv.fsf@gnu.org
tags 47188 + security
quit