Fancify guix lint -c cve output

Open

Details

3 participants

Léo Le Bouter
Ludovic Courtès
Tobias Geerinckx-Rice

Owner: unassigned

Submitted by: Tobias Geerinckx-Rice

Severity: normal

Tobias Geerinckx-Rice wrote on 16 Mar 2021 17:00

Recipients:(address . guix-patches@gnu.org)

Message-ID:87im5rm6lw.fsf@nckx

Guix,

A quick hack requested by lle-bout: indicate CVE severity with

pretty/scary colours[0]. It's deliberately simple: no scoring, no

versioning, no importing (guix colors) from (guix cve), ...

Another patch adds order to the rainbow. Sort CVEs by ID, so

roughly

chronological. In combination with the other patch, I prefer this

more complex ordering and/or grouping by severity.

Kind regards,

T G-R

[0]: https://tobias.gr/tmp.png

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYFDWCw0cbWVAdG9iaWFz

LmdyAAoJEA2w/4hPVW15RQ4BAI3yfWXQoiM1lTSdAvnUZHFf41BHMdUDMebqSQuz

9zR1AQCKwuoJ6L5rECbJ9dXPEz4qV+WCmLbjSCrdQZBITSj+Bw==

=0/gM

-----END PGP SIGNATURE-----

Tobias Geerinckx-Rice wrote on 16 Mar 2021 17:06

[PATCH 1/2] lint: Sort possible vulnerabilities.

Recipients:(address . 47193@debbugs.gnu.org)

Message-ID:20210316160653.9891-1-me@tobias.gr

* guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities
by ID.
---
 guix/lint.scm | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

Toggle diff (40 lines)diff --git a/guix/lint.scm b/guix/lint.scm
index 5144fa139d..ed57e19fe2 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1164,6 +1164,23 @@ the NIST server non-fatal."
                                             package-vulnerabilities))
   "Check for known vulnerabilities for PACKAGE.  Obtain the list of
 vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
+
+  (define (vulnerability< v1 v2)
+    (define (string-list< list1 list2)
+      (match list1
+        ((head1 tail1 ...)
+         (match list2
+           ((head2 tail2 ...)
+            (if (string=? head1 head2)
+                (string-list< tail1 tail2)
+                (string<? head1 head2)))
+           (_ #f)))
+        (_ #f)))
+
+    (let ((separators (char-set-complement char-set:letter+digit)))
+      (string-list< (string-split (vulnerability-id v1) separators)
+                    (string-split (vulnerability-id v2) separators))))
+
   (let ((package (or (package-replacement package) package)))
     (match (package-vulnerabilities package)
       (()
@@ -1184,7 +1201,8 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
               (make-warning
                package
                (G_ "probably vulnerable to ~a")
-               (list (string-join (map vulnerability-id unpatched)
+               (list (string-join (map vulnerability-id
+                                       (sort unpatched vulnerability<))
                                   ", "))))))))))
 
 (define (check-for-updates package)
-- 
2.30.1

Tobias Geerinckx-Rice wrote on 16 Mar 2021 17:06

[PATCH 2/2] lint: Indicate CVE severity.

Recipients:(address . 47193@debbugs.gnu.org)

Message-ID:20210316160653.9891-2-me@tobias.gr

* guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
(impact-data->cve-cvss3-base-severity): New procedure.
<vulnerability>[severity]: New field.
(vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
(write-cache): Bump the format version to 2.
(vulnerabilities->lookup-proc): Adjust accordingly.
* guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
to the output port's terminal capabilities.
---
 guix/cve.scm  | 48 ++++++++++++++++++++++++++++++++----------------
 guix/lint.scm | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 63 insertions(+), 17 deletions(-)

Toggle diff (186 lines)diff --git a/guix/cve.scm b/guix/cve.scm
index b3a8b13a06..3809e4493f 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2021 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -38,6 +39,7 @@
             cve-item?
             cve-item-cve
             cve-item-configurations
+            cve-item-cvssv3-base-severity
             cve-item-published-date
             cve-item-last-modified-date
 
@@ -53,6 +55,7 @@
 
             vulnerability?
             vulnerability-id
+            vulnerability-severity
             vulnerability-packages
 
             json->vulnerabilities
@@ -72,13 +75,15 @@
 
 (define-json-mapping <cve-item> cve-item cve-item?
   json->cve-item
-  (cve            cve-item-cve "cve" json->cve)   ;<cve>
-  (configurations cve-item-configurations         ;list of sexps
-                  "configurations" configuration-data->cve-configurations)
-  (published-date cve-item-published-date
-                  "publishedDate" string->date*)
-  (last-modified-date cve-item-last-modified-date
-                      "lastModifiedDate" string->date*))
+  (cve                  cve-item-cve "cve" json->cve) ;<cve>
+  (configurations       cve-item-configurations       ;list of sexps
+                        "configurations" configuration-data->cve-configurations)
+  (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
+                        "impact" impact-data->cve-cvssv3-base-severity)
+  (published-date       cve-item-published-date
+                        "publishedDate" string->date*)
+  (last-modified-date   cve-item-last-modified-date
+                        "lastModifiedDate" string->date*))
 
 (define-json-mapping <cve> cve cve?
   json->cve
@@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
   (let ((nodes (vector->list (assoc-ref alist "nodes"))))
     (filter-map node->configuration nodes)))
 
+(define (impact-data->cve-cvssv3-base-severity alist)
+  "Given ALIST, a JSON dictionary for the \"impact\" element found in
+CVEs, return a string indicating its CVSSv3 severity.  This should be
+one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
+return whatever we find, or #F if the severity cannot be determined."
+  (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
+         (cvss-v3        (assoc-ref base-metric-v3 "cvssV3")))
+    (assoc-ref cvss-v3 "baseSeverity")))
+
 (define (json->cve-items json)
   "Parse JSON, an input port or a string, and return a list of <cve-item>
 records."
@@ -251,20 +265,21 @@ records."
   (* 3600 24 (date-month %now)))
 
 (define-record-type <vulnerability>
-  (vulnerability id packages)
+  (vulnerability id severity packages)
   vulnerability?
   (id         vulnerability-id)             ;string
+  (severity   vulnerability-severity)       ;string
   (packages   vulnerability-packages))      ;((p1 sexp1) (p2 sexp2) ...)
 
 (define vulnerability->sexp
   (match-lambda
-    (($ <vulnerability> id packages)
-     `(v ,id ,packages))))
+    (($ <vulnerability> id severity packages)
+     `(v ,id ,severity ,packages))))
 
 (define sexp->vulnerability
   (match-lambda
-    (('v id (packages ...))
-     (vulnerability id packages))))
+    (('v id severity (packages ...))
+     (vulnerability id severity packages))))
 
 (define (cve-configuration->package-list config)
   "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
@@ -309,12 +324,13 @@ versions."
   "Return a <vulnerability> corresponding to ITEM, a <cve-item> record;
 return #f if ITEM does not list any configuration or if it does not list
 any \"a\" (application) configuration."
-  (let ((id (cve-id (cve-item-cve item))))
+  (let ((id (cve-id (cve-item-cve item)))
+        (severity (cve-item-base-severity item)))
     (match (cve-item-configurations item)
       (()                                         ;no configurations
        #f)
       ((configs ...)
-       (vulnerability id
+       (vulnerability id severity
                       (merge-package-lists
                        (map cve-configuration->package-list configs)))))))
 
@@ -332,7 +348,7 @@ sexp to CACHE."
         (json->vulnerabilities input))
 
       (write `(vulnerabilities
-               1                                  ;format version
+               2                                  ;format version
                ,(map vulnerability->sexp vulns))
              cache))))
 
@@ -396,7 +412,7 @@ vulnerabilities affecting the given package version."
     ;; Map package names to lists of version/vulnerability pairs.
     (fold (lambda (vuln table)
             (match vuln
-              (($ <vulnerability> id packages)
+              (($ <vulnerability> id severity packages)
                (fold (lambda (package table)
                        (match package
                          ((name . versions)
diff --git a/guix/lint.scm b/guix/lint.scm
index ed57e19fe2..f3c4e13052 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -48,6 +48,7 @@
   #:use-module (guix monads)
   #:use-module (guix scripts)
   #:use-module ((guix ui) #:select (texi->plain-text fill-paragraph))
+  #:use-module (guix colors)
   #:use-module (guix gnu-maintenance)
   #:use-module (guix cve)
   #:use-module ((guix swh) #:hide (origin?))
@@ -1165,6 +1166,35 @@ the NIST server non-fatal."
   "Check for known vulnerabilities for PACKAGE.  Obtain the list of
 vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
 
+  (define severity->color
+    ;; A standard CVE colour gradient is red > orange > yellow > green > none.
+    ;; However, ANSI non-bold YELLOW is actually orange whilst BOLD YELLOW
+    ;; is actual yellow, so BOLD would confusingly be less serious.  Skip it.
+    (match-lambda
+      ("CRITICAL"     (color BOLD RED))
+      ("HIGH"         (color RED))
+      ("MEDIUM"       (color YELLOW))
+      ("LOW"          (color GREEN))
+      (_              (color))))
+
+  (define (colorize-vulnerability vulnerability)
+    ;; If the terminal supports ANSI colours, use them to indicate severity.
+    (colorize-string (vulnerability-id vulnerability)
+                     (severity->color (vulnerability-severity
+                                       vulnerability))))
+
+  (define (simple-format-vulnerability vulnerability)
+    ;; Otherwise, omit colour coding and explicitly append the severity string.
+    (simple-format #f "~a (~a)"
+                   (vulnerability-id vulnerability)
+                   (string-downcase (vulnerability-severity vulnerability))))
+
+  (define format-vulnerability
+    ;; Check once which of the above to use for all PACKAGE vulnerabilities.
+    (if (color-output? (current-output-port))
+        colorize-vulnerability
+        simple-format-vulnerability))
+
   (define (vulnerability< v1 v2)
     (define (string-list< list1 list2)
       (match list1
@@ -1201,7 +1231,7 @@ vulnerability records for PACKAGE by calling PACKAGE-VULNERABILITIES."
               (make-warning
                package
                (G_ "probably vulnerable to ~a")
-               (list (string-join (map vulnerability-id
+               (list (string-join (map format-vulnerability
                                        (sort unpatched vulnerability<))
                                   ", "))))))))))
 
-- 
2.30.1

Léo Le Bouter wrote on 16 Mar 2021 19:19

Fancify guix lint -c cve output

Recipients:(address . 47193@debbugs.gnu.org)

Message-ID:0524f6bfe10befabf7969aa0fbf90503e7db1ab7.camel@zaclys.net

Hello!

Thanks a lot for working on this!! :-D

I get a warning during compilation:

guix/cve.scm:328:18: warning: possibly unbound variable `cve-item-base-
severity'

I also just tried it on patch package and it fails:

$ ./pre-inst-env guix lint -c cve patch
Backtrace:atch@2.7.6 [cve]...
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7f5c56304520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7f5c56307c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7f5c52ccde40 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7f5c52ccb620 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers #<package patch@2.7.6 gnu/packages/base.…>
…)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7f5c43b5df30 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities #<package patch@2.7.6 gnu/packa…>
…)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7f5c5303cab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern" (v
"CVE-2021-0212" (("contrail_networking" (< "1911.31")))))'.

Tobias Geerinckx-Rice wrote on 16 Mar 2021 22:12

Recipients:(name . Léo Le Bouter)(address . lle-bout@zaclys.net)

Message-ID:87a6r2n6pd.fsf@nckx

Léo!

Léo Le Bouter via Guix-patches via ???

Toggle quote (4 lines)

> guix/cve.scm:328:18: warning: possibly unbound variable

> `cve-item-base-

> severity'

One dark and stormy night I turned away an old woman at my doors,

and ever since I have been cursed to include at least one stupid

typo in each patch I send. True story.

Thanks for testing. Fixed but it should not affect running guix

lint.

Toggle quote (2 lines)

> I also just tried it on patch package and it fails:

Hmm. I bet ‘rm -rf ~/.cache/guix/http’ will make this go

conveniently away, just like lady stormypants.

Toggle quote (2 lines)

> (v "CVE-2021-0212" (("contrail_networking" ...

This is a stale cache file lacking the newly added ‘severity’

field:

(v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ...

I bumped the format version to 2 in (guix cve) to signal this

incompatible change, but it appears this field may exist merely as

a friendly reminder to actually add version handling some day...?

I guess today is that day.

Bah,

T G-R

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYFEfTg0cbWVAdG9iaWFz

LmdyAAoJEA2w/4hPVW15JlIBAIvIK40UPqe2mRMqSsrtMakRYy7pIzXT/Eom5J+L

+f0mAP9yT4r4kD1gHQZf+Gu2gT5Z3ykwh6oDg1ENJSD2JEl/CA==

=Ljfm

-----END PGP SIGNATURE-----

Léo Le Bouter wrote on 17 Mar 2021 09:13

Recipients:(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)

Message-ID:f6dba3fcf4f524d85800b6c2c10b5dc88fd3c555.camel@zaclys.net

On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote:

Toggle quote (2 lines)

> Léo!

Tobias! :-)

Toggle quote (12 lines)> Léo Le Bouter via Guix-patches via ???
> > guix/cve.scm:328:18: warning: possibly unbound variable 
> > `cve-item-base-
> > severity'
> 
> One dark and stormy night I turned away an old woman at my doors, 
> and ever since I have been cursed to include at least one stupid 
> typo in each patch I send.  True story.
> 
> Thanks for testing.  Fixed but it should not affect running guix 
> lint.

I tried fixing it as well,

$ git diff

Toggle diff (167 lines)diff --git a/guix/cve.scm b/guix/cve.scm
index 3809e4493f..d52ea05117 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -325,7 +325,7 @@ versions."
 return #f if ITEM does not list any configuration or if it does not
list
 any \"a\" (application) configuration."
   (let ((id (cve-id (cve-item-cve item)))
-        (severity (cve-item-base-severity item)))
+        (severity (cve-item-cvssv3-base-severity item)))
     (match (cve-item-configurations item)
       (()                                         ;no configurations
        #f)

Look right?

> Hmm.  I bet ‘rm -rf ~/.cache/guix/http’ will make this go 
> conveniently away, just like lady stormypants.

I tried that (without the fix above) and:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7fd1e5545520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7fd1e5548c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7fd1e1f0ee40 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7fd1e1f0b000 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7fd1d2f805d0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities _ _)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7fd1e227dab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
error: cve-item-base-severity: unbound variable

Then *with* the fix:

$ ./pre-inst-env guix lint -c cve patch
fetching CVE database for 2021...
Backtrace:
In ice-9/boot-9.scm:
  1736:10 18 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
          17 (apply-smob/0 #<thunk 7f4a634a5520>)
In ice-9/boot-9.scm:
    718:2 16 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8 15 (_ #(#(#<directory (guile-user) 7f4a634a8c80>)))
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7f4a5fe6c8d0 at ic…>
…)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7f4a5fe6ec20 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7f4a50f5a0f0 at guix/scripts/lin…>
…)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1205:4  7 (check-vulnerabilities _ _)
   1151:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7f4a601ddab8 at guix/lint.…>)
In guix/lint.scm:
   1134:2  4 (_)
   1093:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Throw to key `match-error' with args `("match" "no matching pattern"
(vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM" (("contrail_networking"
(< "1911.31")))) (v "CVE-2021-0220" "MEDIUM" (("junos_space" (or "19.1"
(or "18.4" (or "18.3" (or "18.2" (or "18.1r1" (or "18.1" (or "17.21.4"
(or "17.2" (or "17.1" (or "16.1" (or "15.2" (or "15.14" (or "15.12" (or
"15.1" (or "14.1" (or "13.33" (or "13.11.8" (or "13.1" (or "12.3" (or
"12.2" (or "12.1" (or "11.4" (or "11.3" (or "11.2" (or "11.1" (or "2.0"
(or "1.4" (or "1.3" (or "1.2" (or "1.1"
"1.0"))))))))))))))))))))))))))))))))) (v "CVE-2021-1051" "HIGH"
(("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>= "450") (<
"452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390") (<
"392.63")))))))) (v "CVE-2021-1052" "HIGH" (("gpu_driver" (or (or (and
(>= "460") (< "460.32.03")) (or (and (>= "450") (< "450.102.04")) (and
(>= "390") (< "390.141")))) (or (and (>= "460") (< "461.09")) (or (and
(>= "450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>=
"390") (< "392.63"))))))))) (v "CVE-2021-1053" "MEDIUM" (("gpu_driver"
(or (or (and (>= "460") (< "460.32.03")) (or (and (>= "450") (<
"450.102.04")) (and (>= "390") (< "390.141")))) (or (and (>= "460") (<
"461.09")) (or (and (>= "450") (< "452.77")) (or (and (>= "418") (<
"427.11")) (and (>= "390") (< "392.63"))))))))) (v "CVE-2021-1054"
"MEDIUM" (("gpu_driver" (or (and (>= "460") (< "461.09")) (or (and (>=
"450") (< "452.77")) (or (and (>= "418") (< "427.11")) (and (>= "390")
(< "392.63")))))))) (v "CVE-2021-1055" "MEDIUM" (("gpu_driver" (or (and
(>= "460") (< "461.09")) (or (and (>= "450") (< "452.77")) (or (and (>=
"
[...]

I ran "$ rm -rf ~/.cache/guix/http" between each and every of these
attempts. The cache is clear, I also did make clean and recompiled (so
no left around .go file).

> 
> > (v "CVE-2021-0212" (("contrail_networking" ...
> 
> This is a stale cache file lacking the newly added ‘severity’ 
> field:
> 
> (v "CVE-2021-0212" "MEDIUM" (("contrail_networking" ...
> 
> I bumped the format version to 2 in (guix cve) to signal this 
> incompatible change, but it appears this field may exist merely as 
> a friendly reminder to actually add version handling some day...?
> 
> I guess today is that day.
> 
> Bah,

Don't know! I think there's some other issue here, or maybe you
modified the patch a little more on your side.

PS: I looked at the image you initially posted and the output looks
really nice and helpful!!

> 
> T G-R

Thank you :-D

Léo

Tobias Geerinckx-Rice wrote on 17 Mar 2021 20:32

Recipients:(name . Léo Le Bouter)(address . lle-bout@zaclys.net)

Message-ID:87y2ellgoh.fsf@nckx

Léo Le Bouter ???

Toggle quote (5 lines)

> On Tue, 2021-03-16 at 22:12 +0100, Tobias Geerinckx-Rice wrote:

>> Léo!

> Tobias! :-)

Yes!

Toggle quote (6 lines)

> ice-9/boot-9.scm:1667:16: In procedure raise-exception:

> Throw to key `match-error' with args `("match" "no matching

> pattern"

> (vulnerabilities 2 ((v "CVE-2021-0212" "MEDIUM"

> (("contrail_networking"

Thanks for including the full error message. Now the cached

data's as expected but the code chokes on it anyway. Sure, why

not.

Toggle quote (3 lines)

> Don't know! I think there's some other issue here, or maybe you

> modified the patch a little more on your side.

I haven't, and like you've I (regularly) remove stale .go files

and delete ~/.cache/guix. Works like a screenshotted charm.

I'm not in the mood for spooks; time to bust out the flamethrower

that is a fresh git clone.

Toggle quote (4 lines)

> PS: I looked at the image you initially posted and the output

> looks

> really nice and helpful!!

Oh, good to know that is what you had in mind. I wasn't sure.

Kind regards,

T G-R

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYFJZTg0cbWVAdG9iaWFz

LmdyAAoJEA2w/4hPVW15NvQA/RDGt0+xcfDPrAR4GMDg4YhxdltkQd4BWfl3giIs

nSF2AQDW3PqSAMXgDl0SZuHrghnr9GdvOqs/KScOhhD0LyI8BQ==

=p0xS

-----END PGP SIGNATURE-----

Ludovic Courtès wrote on 31 Mar 2021 14:53

Re: bug#47193: Fancify guix lint -c cve output

Recipients:(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 47193@debbugs.gnu.org)

Message-ID:87mtuja3ir.fsf_-_@gnu.org

Hi!

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (3 lines)

> * guix/lint.scm (check-vulnerabilities): Sort unpatched vulnerabilities

> by ID.

[...]

Toggle quote (8 lines)

> (make-warning

> package

> (G_ "probably vulnerable to ~a")

> - (list (string-join (map vulnerability-id unpatched)

> + (list (string-join (map vulnerability-id

> + (sort unpatched vulnerability<))

> ", "))))))))))

Nitpick: it might be a bit clearer done the other way around:

(sort (map vulnerability-id unpatched) cve-id<?)

… where ‘cve-id<?’ is like ‘vulnerability<’ but takes a CVE ID (a

string).

Otherwise LGTM!

Ludo’.

Ludovic Courtès wrote on 31 Mar 2021 15:03

Recipients:(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 47193@debbugs.gnu.org)

Message-ID:87h7kra30x.fsf_-_@gnu.org

Hi,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

Toggle quote (9 lines)

> * guix/cve.scm <cve-item>[cvss3-base-severity]: New field.

> (impact-data->cve-cvss3-base-severity): New procedure.

> <vulnerability>[severity]: New field.

> (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)

> (write-cache): Bump the format version to 2.

> (vulnerabilities->lookup-proc): Adjust accordingly.

> * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according

> to the output port's terminal capabilities.

I would move the lint.scm bit to a separate patch.

Please also add a short test for ‘vulnerability-severity’ in

tests/cve.scm.

[...]

Toggle quote (22 lines)> +  (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
> +                        "impact" impact-data->cve-cvssv3-base-severity)
> +  (published-date       cve-item-published-date
> +                        "publishedDate" string->date*)
> +  (last-modified-date   cve-item-last-modified-date
> +                        "lastModifiedDate" string->date*))
>  
>  (define-json-mapping <cve> cve cve?
>    json->cve
> @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as (\"binutils\" (<
>    (let ((nodes (vector->list (assoc-ref alist "nodes"))))
>      (filter-map node->configuration nodes)))
>  
> +(define (impact-data->cve-cvssv3-base-severity alist)
> +  "Given ALIST, a JSON dictionary for the \"impact\" element found in
> +CVEs, return a string indicating its CVSSv3 severity.  This should be
> +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
> +return whatever we find, or #F if the severity cannot be determined."
> +  (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
> +         (cvss-v3        (assoc-ref base-metric-v3 "cvssV3")))
> +    (assoc-ref cvss-v3 "baseSeverity")))

I would pass the result through (string->symbol (string-downcase …)).

For clarity, perhaps we can do:

(define-json-mapping <cvss> cvss cvss?

json->cvss

(vector-string cvss-vector-string “vector_String")

(base-severity cvss-severity "base_Severity"

(compose string->symbol string-downcase)))

… and use that instead of the last ‘assoc-ref’ call above.

The rest LGTM.

Thanks for this pleasant improvement!

Ludo’.

Léo Le Bouter wrote on 31 Mar 2021 15:06

Re: [bug#47193] Fancify guix lint -c cve output

Recipients:(address . 47193@debbugs.gnu.org)

Message-ID:5ee2f722e9ad91ccacf6135d2e9b7e02e75c5977.camel@zaclys.net

On Wed, 2021-03-31 at 15:03 +0200, Ludovic Courtès wrote:

[...]

Toggle quote (7 lines)

> The rest LGTM.

> Thanks for this pleasant improvement!

> Ludo’.

Hello Ludo!

Did you get it to work on your end?

Léo

Ludovic Courtès wrote on 31 Mar 2021 22:57

Recipients:(name . Léo Le Bouter)(address . lle-bout@zaclys.net)

Message-ID:87eefv59dn.fsf@gnu.org

Léo Le Bouter <lle-bout@zaclys.net> skribis:

Toggle quote (2 lines)

> Did you get it to work on your end?

I didn’t try, but I’m confident Tobias will do the right thing!

Ludo’.

Léo Le Bouter wrote on 2 Apr 2021 01:36

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:20b933907295e6f8a7dc6b1c0b813823e7331022.camel@zaclys.net

On Wed, 2021-03-31 at 22:57 +0200, Ludovic Courtès wrote:

Toggle quote (8 lines)

> Léo Le Bouter <lle-bout@zaclys.net> skribis:

> > Did you get it to work on your end?

> I didn’t try, but I’m confident Tobias will do the right thing!

> Ludo’.

I see, thanks, I was looking to get it to work for me since Tobias
seems busy maybe you had some elements I could use, I don't doubt they
will do the right thing!

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 47193@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 47193

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date