"guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)

Open. Submitted by Léo Le Bouter.
Details
3 participants
  • Léo Le Bouter
  • Ludovic Courtès
  • zimoun
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 16 Mar 2021 10:29
(address . bug-guix@gnu.org)
706d51950b7545eefd43a54f738bc82df0d7f36c.camel@zaclys.net
./pre-inst-env guix lint -c cve python-urllib3@1.26.2
Here this should return at least CVE-2021-28363 but it does not because
the CVE database contains urllib3 and not python-urllib3 (which AFAICT
the cve linter searches for).

Annotating each and every python-, go-, and rust- package with cpe-name
properties is going to be very annoying. I suggest we add some
heuristics that try both the full name and prefix-trimmed name.
python-urllib3's cpe name and vendor is python (vendor) urllib3 (name).

Same story for CVE-2021-28305 and rust-diesel, though it doesn't even
have a CPE entry yet.


zimoun wrote on 16 Mar 2021 14:05
Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-, python-, go-, ..)
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47188@debbugs.gnu.org)
CAJ3okZ2yHtxtbi0vhskAJCCWT_NkQuOUnLof9cm7MRDwpeAkug@mail.gmail.com
Hi,

On Tue, 16 Mar 2021 at 10:30, Léo Le Bouter via Bug reports for GNU
Guix <bug-guix@gnu.org> wrote:

> ./pre-inst-env guix lint -c cve python-urllib3@1.26.2
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).

Does the CVE use the upstream name? Or a normalized name?

I mean, in the R world, packages can have names as 'org.EcK12.eg.db'
which becomes "r-org-eck12-eg-db". To ease the mapping for updating
and co, the package definition contains:

(properties
`((upstream-name . "org.EcK12.eg.db")))

Maybe it could be worth having similar things. WDYT?


All the best,
simon
Ludovic Courtès wrote on 18 Mar 2021 14:26
Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47188@debbugs.gnu.org)
87a6r0r3t1.fsf@gnu.org
Hi,

Léo Le Bouter <lle-bout@zaclys.net> wrote:

> ./pre-inst-env guix lint -c cve python-urllib3@1.26.2
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).
>
> Annotating each and every python-, go-, and rust- package with cpe-name
> properties is going to be very annoying. I suggest we add some
> heuristics that try both the full name and prefix-trimmed name. python-
> urllib3's cpe name and vendor is python (vendor) urllib3 (name).
>
> Same story for CVE-2021-28305 and rust-diesel, though it doesnt even
> have a CPE entry yet.

Yes, that’s an issue. We can address these by adding a ‘cpe-name’
property (info "(guix) Invoking guix lint"), but that’s going to be
tedious. We can at least add it to high-profile packages for now.

Tooling that suggests or deduces the CPE name would help a lot:


Ludo’.
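An added example, written in Python rather than Guile and not code from Guix's cve checker: it combines the prefix-trimming heuristic Léo proposes with simon's upstream-name idea and the cpe-name / cpe-vendor properties Ludovic points to, and runs the lookup against a constructed stand-in for the CVE feed. The prefix list, the Package and CVE_DB structures, and the affected-version sets are assumptions made for the example; the CVE id, vendor and product for urllib3 are the ones named in the report.

```python
"""Added example, not Guix code: candidate product names for a CVE lookup.

Combines the prefix-trimming heuristic from the bug report with the explicit
`upstream-name` / `cpe-name` / `cpe-vendor` package properties, and records
for each hit whether it came from an explicit name or from the heuristic.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Language prefixes named in the thread (assumption: Guix's real list is longer).
LANGUAGE_PREFIXES = ("python-", "rust-", "go-", "r-")

# Constructed stand-in for the CVE feed:
#   (cpe vendor, cpe product) -> [(cve id, affected versions)]
# CVE-2021-28363 against python/urllib3 is the case from the report; the
# affected-version set is constructed for the example, not taken from the feed.
CVE_DB: dict[tuple[str, str], list[tuple[str, set[str]]]] = {
    ("python", "urllib3"): [("CVE-2021-28363", {"1.26.2", "1.26.3"})],
}


@dataclass
class Package:
    """Minimal stand-in for a Guix package record (constructed)."""
    name: str
    version: str
    properties: dict[str, str] = field(default_factory=dict)


def normalize(name: str) -> str:
    """Apply the mangling Guix uses for R package names: lowercase, '.' -> '-'."""
    return name.lower().replace(".", "-")


def candidate_names(pkg: Package) -> list[tuple[str, str]]:
    """Product names to try, each with its origin, most trustworthy first.

    An explicit cpe-name property is authoritative and switches the heuristic off.
    """
    props = pkg.properties
    if "cpe-name" in props:
        return [(props["cpe-name"], "cpe-name")]
    candidates: list[tuple[str, str]] = []
    if "upstream-name" in props:
        candidates.append((normalize(props["upstream-name"]), "upstream-name"))
    candidates.append((pkg.name, "package-name"))
    for prefix in LANGUAGE_PREFIXES:
        # Only trim when something is left after the prefix.
        if pkg.name.startswith(prefix) and len(pkg.name) > len(prefix):
            candidates.append((pkg.name[len(prefix):], "prefix-trimmed"))
    # Keep the first occurrence of each name so a trimmed name never
    # shadows the same name supplied explicitly.
    seen: set[str] = set()
    unique: list[tuple[str, str]] = []
    for name, source in candidates:
        if name not in seen:
            seen.add(name)
            unique.append((name, source))
    return unique


def find_cves(pkg: Package, db=CVE_DB) -> list[tuple[str, str, str]]:
    """Return (cve id, matched product, origin) for entries affecting pkg.version.

    cpe-vendor, when set, must match the feed's vendor; without it any vendor
    carrying that product name matches. The origin is reported so a
    prefix-trimmed hit can be treated as a suggestion to confirm rather
    than a definite match.
    """
    wanted_vendor = pkg.properties.get("cpe-vendor")
    hits: list[tuple[str, str, str]] = []
    for product, source in candidate_names(pkg):
        for (vendor, db_product), entries in db.items():
            if db_product != product:
                continue
            if wanted_vendor is not None and vendor != wanted_vendor:
                continue
            for cve_id, versions in entries:
                if pkg.version in versions:
                    hits.append((cve_id, product, source))
    return hits


if __name__ == "__main__":
    samples = (
        Package("python-urllib3", "1.26.2"),
        Package("rust-diesel", "1.4.5"),  # constructed version; no entry in the feed
        Package("r-org-eck12-eg-db", "3.12.0", {"upstream-name": "org.EcK12.eg.db"}),
    )
    for pkg in samples:
        print(pkg.name, candidate_names(pkg), find_cves(pkg))
```

With the constructed feed, python-urllib3@1.26.2 is reported under CVE-2021-28363 only through the prefix-trimmed name urllib3, which is exactly the match the unmodified checker misses; rust-diesel yields nothing because the feed has no entry for it, matching what the report says about its missing CPE entry; and for the R package the normalized upstream-name and the trimmed package name collapse to one candidate.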
Ludovic Courtès wrote on 18 Mar 2021 14:38
control message for bug #47188
(address . control@debbugs.gnu.org)
877dm4ponv.fsf@gnu.org
tags 47188 + security
quit