[PATCH] lint: Perform fuzzy search on package names for CVE checker.

Status: Open
Participants: Efraim Flashner, Ludovic Courtès, Maxime Devos
Owner: unassigned
Submitted by: Efraim Flashner
Severity: normal
Efraim Flashner wrote on 2 Feb 2022 15:15
To: guix-patches@gnu.org; Efraim Flashner <efraim@flashner.co.il>
839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@flashner.co.il
* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---

When I checked for cpe-name in the Guix repo there weren't a lot of
hits. Clearly just stripping off the leading 'python2-' or whatever
isn't completely the correct answer, python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs
easily discovered for any of our language library packages.

guix/lint.scm | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/guix/lint.scm b/guix/lint.scm
index 3ca7a0b608..7f08d6af5e 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -7,7 +7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2020 Timothy Sample <samplet@ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
"Return a list of vulnerabilities affecting PACKAGE."
;; First we retrieve the Common Platform Enumeration (CPE) name and
;; version for PACKAGE, then we can pass them to LOOKUP.
- (let ((name (or (assoc-ref (package-properties package)
- 'cpe-name)
- (package-name package)))
- (version (or (assoc-ref (package-properties package)
- 'cpe-version)
- (package-version package))))
+ (let* ((pkg-name (package-name package))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package)))
+ (name
+ (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (false-if-exception
+ (first
+ (filter string?
+ (map (lambda (prefix)
+ (when (string-prefix? prefix pkg-name)
+ (string-drop pkg-name (string-length prefix))))
+ '("java-" "perl-" "python-" "python2-" "ruby-")))))
+ pkg-name)))
((force lookup) name version)))))
(define* (check-vulnerabilities package
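Review bot: `(first (filter string? ...))` raises on an empty list whenever no prefix matches (any package without a language prefix, such as glibc), and the surrounding `false-if-exception` then silently converts that into the `pkg-name` fallback; a non-throwing form states the intent directly, e.g. `(or (any (lambda (prefix) (and (string-prefix? prefix pkg-name) (string-drop pkg-name (string-length prefix)))) '("java-" "perl-" "python-" "python2-" "ruby-")) pkg-name)`. The `when` form also returns an unspecified value when its test fails, which is the only reason `filter string?` is needed; `and` avoids that. Two smaller points: the commit title says "fuzzy search" but the change is a fixed-prefix strip, so the docstring or commit message should say so, and since the stripped name can map to an unrelated product (the cover note's python-redis vs. redis case), it is worth documenting that a package sets the `cpe-name` property to pin the right name and so bypass the stripping.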

base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c
--
2.34.0
Maxime Devos wrote on 2 Feb 2022 15:54
47b10d97f63c470b29087ec389d02c71dce038fc.camel@telenet.be
Efraim Flashner wrote on Wed 02-02-2022 at 16:15 [+0200]:
> +                   (false-if-exception
> +                     (first
> +                       (filter string?
> +                               (map (lambda (prefix)
> +                                      (when (string-prefix? prefix pkg-name)
> +                                        (string-drop pkg-name (string-length prefix))))
> +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> +                   pkg-name)))

When can an exception happen here?

Also, the following seems simpler and equivalent:

(any (lambda (prefix)
       (and (string-prefix? prefix pkg-name)
            (string-drop pkg-name (string-length prefix))))
     '("java-" "perl-" "python-" "python2-" "ruby-"))

It would be nice to test the code for guessing the CPE name of a
package in a few unit tests.

Greetings,
Maxime


Efraim Flashner wrote on 2 Feb 2022 16:13
To: Maxime Devos <maximedevos@telenet.be>; 53721@debbugs.gnu.org
YfqfleUrtggE58IW@3900XT
On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
> Efraim Flashner wrote on Wed 02-02-2022 at 16:15 [+0200]:
> > +                   (false-if-exception
> > +                     (first
> > +                       (filter string?
> > +                               (map (lambda (prefix)
> > +                                      (when (string-prefix? prefix pkg-name)
> > +                                        (string-drop pkg-name (string-length prefix))))
> > +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> > +                   pkg-name)))
>
> When can an exception happen here?

I tossed in 'glibc' since I know that always has CVEs listed against it;
you can't take first from an empty list.

> Also, the following seems simpler and equivalent:
>
> (any (lambda (prefix)
>        (and (string-prefix? prefix pkg-name)
>             (string-drop pkg-name (string-length prefix))))
>      '("java-" "perl-" "python-" "python2-" "ruby-"))

That is much nicer.

> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.

Definitely. Also I should check if we should try dropping any of the
other prefixes. rust might work, go probably needs some actual
transformation to happen.

> Greetings,
> Maxime



--
Efraim Flashner <efraim@flashner.co.il>
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


Ludovic Courtès wrote on 4 Feb 2022 22:56
Re: bug#53721: [PATCH] lint: Perform fuzzy search on package names for CVE checker.
To: Efraim Flashner <efraim@flashner.co.il>
87bkzmmh35.fsf@gnu.org
Hello,

Efraim Flashner <efraim@flashner.co.il> writes:

> - (let ((name (or (assoc-ref (package-properties package)
> - 'cpe-name)
> - (package-name package)))
> - (version (or (assoc-ref (package-properties package)
> - 'cpe-version)
> - (package-version package))))
> + (let* ((pkg-name (package-name package))
> + (version (or (assoc-ref (package-properties package)
> + 'cpe-version)
> + (package-version package)))
> + (name
> + (or (assoc-ref (package-properties package)
> + 'cpe-name)
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length prefix))))
> + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> + pkg-name)))

I agree with Maxime’s suggestions.

In addition, I’d suggest moving this code out in two procedures,
‘package-cpe-name’ and ‘package-cpe-version’, that would honor the
relevant property and fall back to stripping prefixes.

Then ‘package-vulnerabilities’ would simply call these two procedures.

How does that sound?

Longer-term, we should add a thing that proposes correct CPE names:


Thanks,
Ludo’.
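As an added example, not code from Guix or from anyone in this thread: the two procedures Ludovic describes, using Maxime's `any` form, plus the SRFI-64 cases Maxime asked for. The `<package>` record, the `%cpe-name-prefixes` variable, and the sample package names, versions and CPE name are assumptions so the file runs in plain Guile without `(guix packages)`.

```scheme
;; Added example (not Guix's code).  A minimal stand-in <package>
;; record replaces (guix packages); run with: guile cpe-name.scm
(use-modules (srfi srfi-1)    ; any
             (srfi srfi-9)    ; define-record-type
             (srfi srfi-64))  ; test-begin, test-equal, test-end

(define-record-type <package>
  (make-package name version properties)
  package?
  (name package-name)
  (version package-version)
  (properties package-properties))

;; Same prefix list as the patch; the variable name is assumed.
(define %cpe-name-prefixes
  '("java-" "perl-" "python-" "python2-" "ruby-"))

(define (package-cpe-name package)
  "Return the CPE product name to look up for PACKAGE: the 'cpe-name
property if set, otherwise the package name with a known language
prefix removed, otherwise the package name unchanged."
  (or (assoc-ref (package-properties package) 'cpe-name)
      (let ((pkg-name (package-name package)))
        ;; ANY yields #f when nothing matches, so no exception to mask.
        (or (any (lambda (prefix)
                   (and (string-prefix? prefix pkg-name)
                        (string-drop pkg-name (string-length prefix))))
                 %cpe-name-prefixes)
            pkg-name))))

(define (package-cpe-version package)
  "Return the CPE version for PACKAGE, honoring the 'cpe-version property."
  (or (assoc-ref (package-properties package) 'cpe-version)
      (package-version package)))

;; Constructed sample packages; versions and the CPE name are placeholders.
(test-begin "package-cpe-name")
(test-equal "prefix stripped"
  "redis" (package-cpe-name (make-package "python-redis" "3.5.3" '())))
(test-equal "no prefix, no exception"
  "glibc" (package-cpe-name (make-package "glibc" "0.0" '())))
;; An explicit property wins: this is how a library whose stripped name
;; collides with an unrelated product (python-redis vs. redis) avoids
;; false-positive CVE matches.
(test-equal "cpe-name property wins"
  "placeholder-cpe-name"
  (package-cpe-name (make-package "python-redis" "3.5.3"
                                  '((cpe-name . "placeholder-cpe-name")))))
(test-equal "cpe-version property wins"
  "1.0.0" (package-cpe-version
           (make-package "foo" "1.0" '((cpe-version . "1.0.0")))))
(test-end "package-cpe-name")
```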