Fancify guix lint -c cve output

  • Open
Details
3 participants
  • Léo Le Bouter
  • Ludovic Courtès
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Tobias Geerinckx-Rice
Severity
normal
Tobias Geerinckx-Rice wrote on 16 Mar 2021 17:00
(address . guix-patches@gnu.org)
87im5rm6lw.fsf@nckx
Guix,

A quick hack requested by lle-bout: indicate CVE severity with
pretty/scary colours[0]. It's deliberately simple: no scoring, no
versioning, no importing (guix colors) from (guix cve), ...

Another patch adds order to the rainbow. Sort CVEs by ID, so roughly
chronological. In combination with the other patch, I prefer this to
more complex ordering and/or grouping by severity.

Kind regards,

T G-R


Tobias Geerinckx-Rice wrote on 16 Mar 2021 17:06
[PATCH 1/2] lint: Sort possible vulnerabilities.
(address . 47193@debbugs.gnu.org)
20210316160653.9891-1-me@tobias.gr
* guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities
by ID.
---
guix/lint.scm | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/guix/lint.scm b/guix/lint.scm
index 5144fa139d..ed57e19fe2 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1164,6 +1164,23 @@ the NIST server non-fatal."
package-vulnerabilities))
"Check for known vulnerabilities for PACKAGE. Obtain the list of
vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
+
+ (define (vulnerability< v1 v2)
+ (define (string-list< list1 list2)
+ (match list1
+ ((head1 tail1 ...)
+ (match list2
+ ((head2 tail2 ...)
+ (if (string=? head1 head2)
+ (string-list< tail1 tail2)
+ (string<? head1 head2)))
+ (_ #f)))
+ (_ #f)))
+
+ (let ((separators (char-set-complement char-set:letter+digit)))
+ (string-list< (string-split (vulnerability-id v1) separators)
+ (string-split (vulnerability-id v2) separators))))
+
(let ((package (or (package-replacement package) package)))
(match (package-vulnerabilities package)
(()
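Review bot: `string-list<` compares every `-`-separated component with `string<?`, so the sequence-number part is ordered lexicographically and `CVE-2021-1000` sorts before `CVE-2021-999`; since the goal is roughly chronological order, convert numeric components with `string->number` and compare them with `<`, keeping `string<?` only for non-numeric parts. A second detail: when `list1` runs out first the outer `(_ #f)` returns #f, so a shorter ID is not ordered before a longer one sharing its prefix; harmless for well-formed CVE IDs, but worth a comment.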
@@ -1184,7 +1201,8 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
(make-warning
package
(G_ "probably vulnerable to ~a")
- (list (string-join (map vulnerability-id unpatched)
+ (list (string-join (map vulnerability-id
+ (sort unpatched vulnerability<))
", "))))))))))
(define (check-for-updates package)
--
2.30.1
Tobias Geerinckx-Rice wrote on 16 Mar 2021 17:06
[PATCH 2/2] lint: Indicate CVE severity.
(address . 47193@debbugs.gnu.org)
20210316160653.9891-2-me@tobias.gr
* guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
(impact-data->cve-cvss3-base-severity): New procedure.
<vulnerability>[severity]: New field.
(vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
(write-cache): Bump the format version to 2.
(vulnerabilities->lookup-proc): Adjust accordingly.
* guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
to the output port's terminal capabilities.
---
guix/cve.scm | 48 ++++++++++++++++++++++++++++++++----------------
guix/lint.scm | 32 +++++++++++++++++++++++++++++++-
2 files changed, 63 insertions(+), 17 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index b3a8b13a06..3809e4493f 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2021 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -38,6 +39,7 @@
cve-item?
cve-item-cve
cve-item-configurations
+ cve-item-cvssv3-base-severity
cve-item-published-date
cve-item-last-modified-date
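Review bot: the exported accessor is spelled `cve-item-cvssv3-base-severity` here, while the commit message names the field `cvss3-base-severity` and the procedure `impact-data->cve-cvss3-base-severity`; settle on one spelling and use it in both the code and the ChangeLog entry.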
@@ -53,6 +55,7 @@
vulnerability?
vulnerability-id
+ vulnerability-severity
vulnerability-packages
json->vulnerabilities
@@ -72,13 +75,15 @@
(define-json-mapping <cve-item> cve-item cve-item?
json->cve-item
- (cve cve-item-cve "cve" json->cve) ;<cve>
- (configurations cve-item-configurations ;list of sexps
- "configurations" configuration-data->cve-configurations)
- (published-date cve-item-published-date
- "publishedDate" string->date*)
- (last-modified-date cve-item-last-modified-date
- "lastModifiedDate" string->date*))
+ (cve cve-item-cve "cve" json->cve) ;<cve>
+ (configurations cve-item-configurations ;list of sexps
+ "configurations" configuration-data->cve-configurations)
+ (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
+ "impact" impact-data->cve-cvssv3-base-severity)
+ (published-date cve-item-published-date
+ "publishedDate" string->date*)
+ (last-modified-date cve-item-last-modified-date
+ "lastModifiedDate" string->date*))
(define-json-mapping <cve> cve cve?
json->cve
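Review bot: the `;string` comment on the new `cvssv3-base-severity` field is inaccurate, because `impact-data->cve-cvssv3-base-severity` is documented to return #f when the severity cannot be determined; write `;string or #f` so callers know they must handle the missing case. The hunk also deletes and re-adds the unchanged `cve`, `configurations` and date fields, apparently only to re-indent them; if the alignment has to change, a separate whitespace-only commit keeps this one reviewable.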
@@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
(let ((nodes (vector->list (assoc-ref alist "nodes"))))
(filter-map node->configuration nodes)))
+(define (impact-data->cve-cvssv3-base-severity alist)
+ "Given ALIST, a JSON dictionary for the \"impact\" element found in
+CVEs, return a string indicating its CVSSv3 severity. This should be
+one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
+return whatever we find, or #F if the severity cannot be determined."
+ (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
+ (cvss-v3 (assoc-ref base-metric-v3 "cvssV3")))
+ (assoc-ref cvss-v3 "baseSeverity")))
+
(define (json->cve-items json)
"Parse JSON, an input port or a string, and return a list of <cve-item>
records."
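Review bot: the docstring promises #f when the severity cannot be determined, but when the "impact" dictionary has no `baseMetricV3` entry (CVEs scored only under CVSSv2, or rejected entries) `base-metric-v3` is #f and the second `assoc-ref` is applied to #f rather than to an alist, so the promised fallback is not reached. Guard each step, for instance `(and=> (assoc-ref alist "baseMetricV3") (cut assoc-ref <> "cvssV3"))` followed by the same `and=>` for `"baseSeverity"`.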
@@ -251,20 +265,21 @@ records."
(* 3600 24 (date-month %now)))
(define-record-type <vulnerability>
- (vulnerability id packages)
+ (vulnerability id severity packages)
vulnerability?
(id vulnerability-id) ;string
+ (severity vulnerability-severity) ;string
(packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...)
(define vulnerability->sexp
(match-lambda
- (($ <vulnerability> id packages)
- `(v ,id ,packages))))
+ (($ <vulnerability> id severity packages)
+ `(v ,id ,severity ,packages))))
(define sexp->vulnerability
(match-lambda
- (('v id (packages ...))
- (vulnerability id packages))))
+ (('v id severity (packages ...))
+ (vulnerability id severity packages))))
(define (cve-configuration->package-list config)
"Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
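Review bot: `sexp->vulnerability` now matches only the four-element `(v id severity (packages ...))` form, so every entry of an existing version-1 cache, `(v id (packages ...))`, falls through to a match-error (the `no matching pattern (v "CVE-2021-0212" ...)` backtrace reported later in this thread is exactly that). Either keep a clause for the old shape that fills in #f for the severity, or make sure the cache reader rejects a version-1 file before its entries reach this procedure.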
@@ -309,12 +324,13 @@ versions."
"Return a <vulnerability> corresponding to ITEM, a <cve-item> record;
return #f if ITEM does not list any configuration or if it does not list
any \"a\" (application) configuration."
- (let ((id (cve-id (cve-item-cve item))))
+ (let ((id (cve-id (cve-item-cve item)))
+ (severity (cve-item-base-severity item)))
(match (cve-item-configurations item)
(() ;no configurations
#f)
((configs ...)
- (vulnerability id
+ (vulnerability id severity
(merge-package-lists
(map cve-configuration->package-list configs)))))))
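Review bot: `cve-item-base-severity` is not defined anywhere in this patch; the accessor created by the `define-json-mapping` above is `cve-item-cvssv3-base-severity`, so this compiles with an unbound-variable warning and fails at run time on the first CVE item converted. Rename the call.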
@@ -332,7 +348,7 @@ sexp to CACHE."
(json->vulnerabilities input))
(write `(vulnerabilities
- 1 ;format version
+ 2 ;format version
,(map vulnerability->sexp vulns))
cache))))
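Review bot: the version written here goes from 1 to 2, but the hunk does not touch whatever reads `(vulnerabilities VERSION ...)` back; if that reader matches the version literally, every freshly written cache is now rejected (the later backtrace with `no matching pattern (vulnerabilities 2 ...)` points that way). Update the reader in the same commit so it accepts 2 and treats any other version as a stale cache to refetch.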
@@ -396,7 +412,7 @@ vulnerabilities affecting the given package version."
;; Map package names to lists of version/vulnerability pairs.
(fold (lambda (vuln table)
(match vuln
- (($ <vulnerability> id packages)
+ (($ <vulnerability> id severity packages)
(fold (lambda (package table)
(match package
((name . versions)
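Review bot: `severity` is bound by the `($ <vulnerability> id severity packages)` pattern but not used in the visible part of this fold; if it is indeed unused, write `_` in its place so the pattern documents that only `id` and `packages` matter here.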
diff --git a/guix/lint.scm b/guix/lint.scm
index ed57e19fe2..f3c4e13052 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -48,6 +48,7 @@
#:use-module (guix monads)
#:use-module (guix scripts)
#:use-module ((guix ui) #:select (texi->plain-text fill-paragraph))
+ #:use-module (guix colors)
#:use-module (guix gnu-maintenance)
#:use-module (guix cve)
#:use-module ((guix swh) #:hide (origin?))
@@ -1165,6 +1166,35 @@ the NIST server non-fatal."
"Check for known vulnerabilities for PACKAGE. Obtain the list of
vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
+ (define severity->color
+ ;; A standard CVE colour gradient is red > orange > yellow > green > none.
+ ;; However, ANSI non-bold YELLOW is actually orange whilst BOLD YELLOW
+ ;; is actual yellow, so BOLD would confusingly be less serious. Skip it.
+ (match-lambda
+ ("CRITICAL" (color BOLD RED))
+ ("HIGH" (color RED))
+ ("MEDIUM" (color YELLOW))
+ ("LOW" (color GREEN))
+ (_ (color))))
+
+ (define (colorize-vulnerability vulnerability)
+ ;; If the terminal supports ANSI colours, use them to indicate severity.
+ (colorize-string (vulnerability-id vulnerability)
+ (severity->color (vulnerability-severity
+ vulnerability))))
+
+ (define (simple-format-vulnerability vulnerability)
+ ;; Otherwise, omit colour coding and explicitly append the severity string.
+ (simple-format #f "~a (~a)"
+ (vulnerability-id vulnerability)
+ (string-downcase (vulnerability-severity vulnerability))))
+
+ (define format-vulnerability
+ ;; Check once which of the above to use for all PACKAGE vulnerabilities.
+ (if (color-output? (current-output-port))
+ colorize-vulnerability
+ simple-format-vulnerability))
+
(define (vulnerability< v1 v2)
(define (string-list< list1 list2)
(match list1
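Review bot: `simple-format-vulnerability` calls `string-downcase` on `(vulnerability-severity vulnerability)`, which `impact-data->cve-cvssv3-base-severity` documents may be #f; on a terminal without colour support a CVE that lacks a CVSSv3 score would therefore raise a wrong-type error instead of being listed. The coloured path is safe because the `_` clause of `severity->color` absorbs #f; give the plain-text path an equivalent fallback, e.g. `(or (vulnerability-severity vulnerability) "unknown")`.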
@@ -1201,7 +1231,7 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
(make-warning
package
(G_ "probably vulnerable to ~a")
- (list (string-join (map vulnerability-id
+ (list (string-join (map format-vulnerability
(sort unpatched vulnerability<))
", "))))))))))
--
2.30.1
Léo Le Bouter wrote on 16 Mar 2021 19:19
Fancify guix lint -c cve output
(address . 47193@debbugs.gnu.org)
0524f6bfe10befabf7969aa0fbf90503e7db1ab7.camel@zaclys.net
Hello!

Thanks a lot for working on this!! :-D

I get a warning during compilation:

guix/cve.scm:328:18: warning: possibly unbound variable `cve-item-base-severity'

I also just tried it on the patch package and it fails:

$ ./pre-inst-env guix lint -c cve patch
Backtrace:atch@2.7.6 [cve]...
In ice-9/boot-9.scm:
1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
17 (apply-smob/0 #<thunk 7f5c56304520>)
In ice-9/boot-9.scm:
718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
619:8 15 (_ #(#(#<directory (guile-user) 7f5c56307c80>)))
In guix/ui.scm:
2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
1731:15 12 (with-exception-handler #<procedure 7f5c52ccde40 at ic…>
…)
In srfi/srfi-1.scm:
634:9 11 (for-each #<procedure 7f5c52ccb620 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
65:4 10 (run-checkers #<package patch@2.7.6 gnu/packages/base.…>
…)
In srfi/srfi-1.scm:
634:9 9 (for-each #<procedure 7f5c43b5df30 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
74:21 8 (_ _)
In guix/lint.scm:
1205:4 7 (check-vulnerabilities #<package patch@2.7.6 gnu/packa…>
…)
1151:9 6 (_ _)
In unknown file:
5 (force #<promise #<procedure 7f5c5303cab8 at guix/lint.…>)
In guix/lint.scm:
1134:2 4 (_)
1093:2 3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
1736:10 2 (with-exception-handler _ _ #:unwind? _ # _)
1669:16 1 (raise-exception _ #:continuable? _)
1667:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern" (v
"CVE-2021-0212" (("contrail_networking" (< "1911.31")))))'.


Tobias Geerinckx-Rice wrote on 16 Mar 2021 22:12
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87a6r2n6pd.fsf@nckx
Léo!

Léo Le Bouter via Guix-patches via wrote:
> guix/cve.scm:328:18: warning: possibly unbound variable `cve-item-base-severity'

One dark and stormy night I turned away an old woman at my doors,
and ever since I have been cursed to include at least one stupid
typo in each patch I send. True story.

Thanks for testing. Fixed but it should not affect running guix
lint.

> I also just tried it on patch package and it fails:

Hmm. I bet ‘rm -rf ~/.cache/guix/http’ will make this go
conveniently away, just like lady stormypants.

> (v "CVE-2021-0212" (("contrail_networking" ...

This is a stale cache file lacking the newly added ‘severity’
field:

(v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ...

I bumped the format version to 2 in (guix cve) to signal this
incompatible change, but it appears this field may exist merely as
a friendly reminder to actually add version handling some day...?

I guess today is that day.

Bah,

T G-R

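The stale-cache failure discussed above comes from a reader that recognises only one shape of entry. As an added example in Guile Scheme (not Guix's own code), here is a version-aware reader that accepts both the version-1 `(v ID PACKAGES)` and the version-2 `(v ID SEVERITY PACKAGES)` entry and refuses unknown versions; `cache-sexp->vulnerabilities` and the two sample caches are constructed for this example.

```scheme
(use-modules (ice-9 match)
             (ice-9 format)
             (srfi srfi-9))

;; Same record shape as the version-2 <vulnerability> in the patch.
(define-record-type <vulnerability>
  (vulnerability id severity packages)
  vulnerability?
  (id vulnerability-id)                  ; string
  (severity vulnerability-severity)      ; string, or #f when unknown
  (packages vulnerability-packages))     ; ((p1 sexp1) (p2 sexp2) ...)

;; Accept both cache entry shapes.  A stale version-1 entry yields a
;; record with an unknown (#f) severity instead of a match-error.
(define sexp->vulnerability
  (match-lambda
    (('v id (packages ...))
     (vulnerability id #f packages))
    (('v id severity (packages ...))
     (vulnerability id severity packages))))

;; Read the (vulnerabilities VERSION ENTRIES) form written to the cache.
;; Return the list of <vulnerability> records, or #f when the version is
;; one this reader does not understand, telling the caller to refetch.
(define (cache-sexp->vulnerabilities sexp)
  (match sexp
    (('vulnerabilities (or 1 2) (entries ...))
     (map sexp->vulnerability entries))
    (('vulnerabilities version _)
     (format (current-error-port)
             "unknown CVE cache format version ~a; refetching~%" version)
     #f)
    (_ #f)))

;; Constructed sample caches (not real cache files): a stale version-1
;; file and a fresh version-2 file for the same CVE.
(define stale-cache
  '(vulnerabilities 1
    ((v "CVE-2021-0212" (("contrail_networking" (< "1911.31")))))))

(define fresh-cache
  '(vulnerabilities 2
    ((v "CVE-2021-0212" "MEDIUM" (("contrail_networking" (< "1911.31")))))))

(for-each (lambda (vuln)
            (format #t "~a severity: ~a~%"
                    (vulnerability-id vuln)
                    (or (vulnerability-severity vuln) "unknown")))
          (append (cache-sexp->vulnerabilities stale-cache)
                  (cache-sexp->vulnerabilities fresh-cache)))
```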
Léo Le Bouter wrote on 17 Mar 2021 09:13
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
f6dba3fcf4f524d85800b6c2c10b5dc88fd3c555.camel@zaclys.net
On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote:
> Léo!

Tobias! :-)

> Léo Le Bouter via Guix-patches via wrote:
> > guix/cve.scm:328:18: warning: possibly unbound variable `cve-item-base-severity'
>
> One dark and stormy night I turned away an old woman at my doors,
> and ever since I have been cursed to include at least one stupid
> typo in each patch I send. True story.
>
> Thanks for testing. Fixed but it should not affect running guix
> lint.

I tried fixing it as well,

$ git diff
diff --git a/guix/cve.scm b/guix/cve.scm
index 3809e4493f..d52ea05117 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -325,7 +325,7 @@ versions."
return #f if ITEM does not list any configuration or if it does not
list
any \"a\" (application) configuration."
(let ((id (cve-id (cve-item-cve item)))
- (severity (cve-item-base-severity item)))
+ (severity (cve-item-cvssv3-base-severity item)))
(match (cve-item-configurations item)
(() ;no configurations
#f)
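Review bot: this rename matches the accessor that the `define-json-mapping` in patch 2/2 actually defines (`cve-item-cvssv3-base-severity`), so it is the right fix for the unbound-variable warning; the match-error that remains in the second backtrace below is a separate problem in the cache reader's pattern for `(vulnerabilities 2 ...)`, not something this hunk can address.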

Look right?

> Hmm. I bet ‘rm -rf ~/.cache/guix/http’ will make this go
> conveniently away, just like lady stormypants.

I tried that (without the fix above) and:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
17 (apply-smob/0 #<thunk 7fd1e5545520>)
In ice-9/boot-9.scm:
718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
619:8 15 (_ #(#(#<directory (guile-user) 7fd1e5548c80>)))
In guix/ui.scm:
2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
1731:15 12 (with-exception-handler #<procedure 7fd1e1f0ee40 at ic…>
…)
In srfi/srfi-1.scm:
634:9 11 (for-each #<procedure 7fd1e1f0b000 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
634:9 9 (for-each #<procedure 7fd1d2f805d0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
74:21 8 (_ _)
In guix/lint.scm:
1205:4 7 (check-vulnerabilities _ _)
1151:9 6 (_ _)
In unknown file:
5 (force #<promise #<procedure 7fd1e227dab8 at guix/lint.…>)
In guix/lint.scm:
1134:2 4 (_)
1093:2 3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
1736:10 2 (with-exception-handler _ _ #:unwind? _ # _)
1669:16 1 (raise-exception _ #:continuable? _)
1667:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
error: cve-item-base-severity: unbound variable

Then *with* the fix:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
17 (apply-smob/0 #<thunk 7f4a634a5520>)
In ice-9/boot-9.scm:
718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
619:8 15 (_ #(#(#<directory (guile-user) 7f4a634a8c80>)))
In guix/ui.scm:
2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
1731:15 12 (with-exception-handler #<procedure 7f4a5fe6c8d0 at ic…>
…)
In srfi/srfi-1.scm:
634:9 11 (for-each #<procedure 7f4a5fe6ec20 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
634:9 9 (for-each #<procedure 7f4a50f5a0f0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
74:21 8 (_ _)
In guix/lint.scm:
1205:4 7 (check-vulnerabilities _ _)
1151:9 6 (_ _)
In unknown file:
5 (force #<promise #<procedure 7f4a601ddab8 at guix/lint.…>)
In guix/lint.scm:
1134:2 4 (_)
1093:2 3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
1736:10 2 (with-exception-handler _ _ #:unwind? _ # _)
1669:16 1 (raise-exception _ #:continuable? _)
1667:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern"
(vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM" (("contrail_networking"
(< "1911.31")))) (v "CVE-2021-0220" "MEDIUM" (("junos_space" (or "19.1"
(or "18.4" (or "18.3" (or "18.2" (or "18.1r1" (or "18.1" (or "17.21.4"
(or "17.2" (or "17.1" (or "16.1" (or "15.2" (or "15.14" (or "15.12" (or
"15.1" (or "14.1" (or "13.33" (or "13.11.8" (or "13.1" (or "12.3" (or
"12.2" (or "12.1" (or "11.4" (or "11.3" (or "11.2" (or "11.1" (or "2.0"
(or "1.4" (or "1.3" (or "1.2" (or "1.1"
"1.0"))))))))))))))))))))))))))))))))) (v "CVE-2021-1051" "HIGH"
(("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>= "450") (<
"452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (<
"392.63")))))))) (v "CVE-2021-1052" "HIGH" (("gpu_driver" (or (or (and
(>= "460") (< "460.32.03")) (or (and (>= "450") (< "450.102.04")) (and
(>= "390") (< "390.141")))) (or (and (>= "460") (< "461.09")) (or (and
(>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>=
"390") (< "392.63"))))))))) (v "CVE-2021-1053" "MEDIUM" (("gpu_driver"
(or (or (and (>= "460") (< "460.32.03")) (or (and (>= "450") (<
"450.102.04")) (and (>= "390") (< "390.141")))) (or (and (>= "460") (<
"461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (<
"427.11")) (and (>= "390") (< "392.63"))))))))) (v "CVE-2021-1054"
"MEDIUM" (("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>=
"450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390")
(< "392.63")))))))) (v "CVE-2021-1055" "MEDIUM" (("gpu_driver" (or (and
(>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>=
"
[...]

I ran "$ rm -rf ~/.cache/guix/http" between each and every one of these
attempts. The cache is clear; I also did make clean and recompiled (so
no .go files left around).

>
> > (v "CVE-2021-0212" (("contrail_networking" ...
>
> This is a stale cache file lacking the newly added ‘severity’
> field:
>
> (v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ...
>
> I bumped the format version to 2 in (guix cve) to signal this
> incompatible change, but it appears this field may exist merely as
> a friendly reminder to actually add version handling some day...?
>
> I guess today is that day.
>
> Bah,

Don't know! I think there's some other issue here, or maybe you
modified the patch a little more on your side.

PS: I looked at the image you initially posted and the output looks
really nice and helpful!!

>
> T G-R

Thank you :-D

Léo


Tobias Geerinckx-Rice wrote on 17 Mar 2021 20:32
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87y2ellgoh.fsf@nckx
Léo Le Bouter wrote:
> On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote:
>> Léo!
>
> Tobias! :-)

Yes!

> ice-9/boot-9.scm:1667:16: In procedure raise-exception:
> Throw to key `match-error' with args `("match" "no matching
> pattern"
> (vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM"
> (("contrail_networking"

Thanks for including the full error message. Now the cached
data's as expected but the code chokes on it anyway. Sure, why
not.

> Don't know! I think there's some other issue here, or maybe you
> modified the patch a little more on your side.

I haven't, and like you I (regularly) remove stale .go files
and delete ~/.cache/guix. Works like a screenshotted charm.

I'm not in the mood for spooks; time to bust out the flamethrower
that is a fresh git clone.

> PS: I looked at the image you initially posted and the output looks
> really nice and helpful!!

Oh, good to know that is what you had in mind. I wasn't sure.

Kind regards,

T G-R

Ludovic Courtès wrote on 31 Mar 2021 14:53
Re: bug#47193: Fancify guix lint -c cve output
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 47193@debbugs.gnu.org)
87mtuja3ir.fsf_-_@gnu.org
Hi!

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> * guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities
> by ID.

[...]

> (make-warning
> package
> (G_ "probably vulnerable to ~a")
> - (list (string-join (map vulnerability-id unpatched)
> + (list (string-join (map vulnerability-id
> + (sort unpatched vulnerability<))
> ", "))))))))))

Nitpick: it might be a bit clearer done the other way around:

(sort (map vulnerability-id unpatched) cve-id<?)

… where ‘cve-id<?’ is like ‘vulnerability<’ but takes a CVE ID (a
string).

Otherwise LGTM!

Ludo’.
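The `cve-id<?` Ludovic suggests can also take the numeric parts of an ID into account, which the component-wise `string<?` in the patch does not. Added example in Guile Scheme, not code from the patch or from Guix; `cve-id-components` and `component<?` are helper names chosen for this example, and the sample IDs are constructed.

```scheme
(use-modules (ice-9 match))

;; Split "CVE-2021-1051" into its components ("CVE" 2021 1051).  Parts
;; that parse as numbers become integers so that 999 orders before 1000;
;; anything else stays a string.
(define (cve-id-components id)
  (map (lambda (part)
         (or (string->number part) part))
       (string-split id #\-)))

;; Order two components: numbers numerically and before strings,
;; strings lexicographically (only reached for malformed IDs).
(define (component<? a b)
  (cond ((and (number? a) (number? b)) (< a b))
        ((number? a) #t)
        ((number? b) #f)
        (else (string<? a b))))

;; Return #t when ID1 belongs before ID2: lower year first, then lower
;; sequence number, which gives a roughly chronological listing.
(define (cve-id<? id1 id2)
  (let loop ((c1 (cve-id-components id1))
             (c2 (cve-id-components id2)))
    (match (list c1 c2)
      ((() ()) #f)                      ; identical IDs are not "less"
      ((() _)  #t)                      ; ID1 is a proper prefix of ID2
      ((_ ())  #f)
      (((h1 . t1) (h2 . t2))
       (cond ((component<? h1 h2) #t)
             ((component<? h2 h1) #f)
             (else (loop t1 t2)))))))

;; Constructed sample: a component-wise string<? would list CVE-2021-1000
;; before CVE-2021-999 because "1" < "9"; cve-id<? keeps sequence order.
(define sample-ids
  '("CVE-2021-1000" "CVE-2020-15999" "CVE-2021-999" "CVE-2021-1051"))

(display (sort sample-ids cve-id<?))
(newline)
```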
Ludovic Courtès wrote on 31 Mar 2021 15:03
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 47193@debbugs.gnu.org)
87h7kra30x.fsf_-_@gnu.org
Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> * guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
> (impact-data->cve-cvss3-base-severity): New procedure.
> <vulnerability>[severity]: New field.
> (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
> (write-cache): Bump the format version to 2.
> (vulnerabilities->lookup-proc): Adjust accordingly.
> * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
> to the output port's terminal capabilities.

I would move the lint.scm bit to a separate patch.

Please also add a short test for ‘vulnerability-severity’ in
tests/cve.scm.

[...]

> + (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
> + "impact" impact-data->cve-cvssv3-base-severity)
> + (published-date cve-item-published-date
> + "publishedDate" string->date*)
> + (last-modified-date cve-item-last-modified-date
> + "lastModifiedDate" string->date*))
>
> (define-json-mapping <cve> cve cve?
> json->cve
> @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
> (let ((nodes (vector->list (assoc-ref alist "nodes"))))
> (filter-map node->configuration nodes)))
>
> +(define (impact-data->cve-cvssv3-base-severity alist)
> + "Given ALIST, a JSON dictionary for the \"impact\" element found in
> +CVEs, return a string indicating its CVSSv3 severity. This should be
> +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
> +return whatever we find, or #F if the severity cannot be determined."
> + (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
> + (cvss-v3 (assoc-ref base-metric-v3 "cvssV3")))
> + (assoc-ref cvss-v3 "baseSeverity")))

I would pass the result through (string->symbol (string-downcase …)).

For clarity, perhaps we can do:

  (define-json-mapping <cvss> cvss cvss?
    json->cvss
    (vector-string cvss-vector-string "vectorString")
    (base-severity cvss-severity "baseSeverity"
                   (compose string->symbol string-downcase)))

… and use that instead of the last ‘assoc-ref’ call above.

The rest LGTM.

Thanks for this pleasant improvement!

Ludo’.
Léo Le Bouter wrote on 31 Mar 2021 15:06
Re: [bug#47193] Fancify guix lint -c cve output
(address . 47193@debbugs.gnu.org)
5ee2f722e9ad91ccacf6135d2e9b7e02e75c5977.camel@zaclys.net
On Wed, 2021-03-31 at 15:03 +0200, Ludovic Courtès wrote:

[...]

> The rest LGTM.
>
> Thanks for this pleasant improvement!
>
> Ludo’.
>

Hello Ludo!

Did you get it to work on your end?

Léo


Ludovic Courtès wrote on 31 Mar 2021 22:57
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
87eefv59dn.fsf@gnu.org
Léo Le Bouter <lle-bout@zaclys.net> skribis:

> Did you get it to work on your end?

I didn’t try, but I’m confident Tobias will do the right thing!

Ludo’.
Léo Le Bouter wrote on 2 Apr 2021 01:36
(name . Ludovic Courtès)(address . ludo@gnu.org)
20b933907295e6f8a7dc6b1c0b813823e7331022.camel@zaclys.net
On Wed, 2021-03-31 at 22:57 +0200, Ludovic Courtès wrote:
> Léo Le Bouter <lle-bout@zaclys.net> skribis:
>
> > Did you get it to work on your end?
>
> I didn’t try, but I’m confident Tobias will do the right thing!
>
> Ludo’.

I see, thanks. I was looking to get it to work for me since Tobias
seems busy; maybe you had some elements I could use. I don't doubt they
will do the right thing!

