[PATCH] lint: Perform fuzzy search on package names for CVE checker.

  • Open
  • quality assurance status badge
Details
3 participants
  • Efraim Flashner
  • Ludovic Courtès
  • Maxime Devos
Owner
unassigned
Submitted by
Efraim Flashner
Severity
normal
E
E
Efraim Flashner wrote on 2 Feb 2022 15:15
(address . guix-patches@gnu.org)(name . Efraim Flashner)(address . efraim@flashner.co.il)
839345988529640bb54feea0fa830f25bd5bb608.1643811188.git.efraim@flashner.co.il
* guix/lint.scm (package-vulnerabilities): Also allow the name in the
CVE database to have the package name's prefix stripped off when
checking for CVEs.
---

When I checked for cpe-name in the Guix repo there weren't a lot of
hits. Clearly just stripping off the leading 'python2-' or whatever
isn't completely the correct answer, python-redis@3.5.3 isn't likely
vulnerable to redis@3.5.3's CVEs, but as-is there are almost no CVEs
easily discovered for any of our language library packages.

guix/lint.scm | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)

Toggle diff (45 lines)
diff --git a/guix/lint.scm b/guix/lint.scm
index 3ca7a0b608..7f08d6af5e 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -7,7 +7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018, 2020, 2022 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2020 Timothy Sample <samplet@ngyro.com>
@@ -1416,12 +1416,21 @@ (define package-vulnerabilities
"Return a list of vulnerabilities affecting PACKAGE."
;; First we retrieve the Common Platform Enumeration (CPE) name and
;; version for PACKAGE, then we can pass them to LOOKUP.
- (let ((name (or (assoc-ref (package-properties package)
- 'cpe-name)
- (package-name package)))
- (version (or (assoc-ref (package-properties package)
- 'cpe-version)
- (package-version package))))
+ (let* ((pkg-name (package-name package))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package)))
+ (name
+ (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (false-if-exception
+ (first
+ (filter string?
+ (map (lambda (prefix)
+ (when (string-prefix? prefix pkg-name)
+ (string-drop pkg-name (string-length prefix))))
+ '("java-" "perl-" "python-" "python2-" "ruby-")))))
+ pkg-name)))
((force lookup) name version)))))
(define* (check-vulnerabilities package

base-commit: 8f585083277e64ea1e9a0848ef3c49f12327618c
--
2.34.0
M
M
Maxime Devos wrote on 2 Feb 2022 15:54
47b10d97f63c470b29087ec389d02c71dce038fc.camel@telenet.be
Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
Toggle quote (9 lines)
> +                   (false-if-exception
> +                     (first
> +                       (filter string?
> +                               (map (lambda (prefix)
> +                                      (when (string-prefix? prefix pkg-name)
> +                                        (string-drop pkg-name (string-length prefix))))
> +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> +                   pkg-name)))

When can an exception happen here?

Also, the following seems simpler and equivalent:

(any (lambda (prefix)
(and (string-prefix? prefix)
(string-drop pkg-name (string-length prefix))))
'("java-" "perl-" "python-" "python2-" "ruby-"))

It would be nice to test the code for guessing the CPE name of a
package in a few unit tests.

Greetings,
Maxime
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYfqbLhccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7mpaAP41pV4Trf6Wf2mnBlP/NsVzm9E1
UrvsvYF7OI0fjLT/xQEA927yf4/3WOxIY5PxOhBFHJlO9YteHVB1gGZxU2mxWAY=
=JK9i
-----END PGP SIGNATURE-----


E
E
Efraim Flashner wrote on 2 Feb 2022 16:13
(name . Maxime Devos)(address . maximedevos@telenet.be)(address . 53721@debbugs.gnu.org)
YfqfleUrtggE58IW@3900XT
On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
Toggle quote (12 lines)
> Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
> > +                   (false-if-exception
> > +                     (first
> > +                       (filter string?
> > +                               (map (lambda (prefix)
> > +                                      (when (string-prefix? prefix pkg-name)
> > +                                        (string-drop pkg-name (string-length prefix))))
> > +                                    '("java-" "perl-" "python-" "python2-" "ruby-")))))
> > +                   pkg-name)))
>
> When can an exception happen here?

I tossed in 'glibc' since I know that always has CVEs listed against it,
you can't take first from an empty list.

Toggle quote (7 lines)
> Also, the following seems simpler and equivalent:
>
> (any (lambda (prefix)
> (and (string-prefix? prefix)
> (string-drop pkg-name (string-length prefix))))
> '("java-" "perl-" "python-" "python2-" "ruby-"))

That is much nicer.

Toggle quote (3 lines)
> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.

Definitely. Also I should check if we should try dropping any of the
other prefixes. rust might work, go probably needs some actual
transformation to happen.

Toggle quote (5 lines)
> Greetings,
> Maxime



--
Efraim Flashner <efraim@flashner.co.il> ????? ?????
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmH6n5MACgkQQarn3Mo9
g1Fp9w//Ss6y5xdpRRGjGT+hD7SKiOREM5vLKpKuNMua0+GRkEguJMKO7aAmlpX3
oRXmrNWennndK/O3eoXKII4rOil0WNDQYkqvMzSwpaPGq3w3VXtYR48LD7I03/4r
pLHmBEAZ1c/uRi968Rd4KqdEj8MpJecYNohSAPRR3SMncHiGd6KgiOSdSayGaeJd
decUQEACFmG+MzZ46BMRo0IBsoft4hYVMsGV9n9e2c8I1Al6zLrSJf3FEML6H6gu
O6ooP6u8v3qnIhxykPgtx3mwpwnpXn5cQP9Ocg8cTgaFdnRNW3uTZySqHy68EU5A
nwjZNjrDpTVn6SO2bGN3DiOKhzZxNW+SsuUJsuRU7kuR9O/vkSFGbeQctGVMl7CB
yfwPecSAxyplp3DiWImMsfZ42Zj09mKyrtv1juS/8a16ueB9++bkHocmrb47jttA
fs6Fy3q1ZIa6G2QPSyy5p8RXvAzvcdunw1l4lf0IA5vwYA+BUia5YjHhsiPNjisD
4WEQK7I+zqONOAYFz7mZ/Q9tWF2UxJZ+lkV750AfrYCE1n9HRAjxJvdd3M6c8D2s
wxarBD4a8NrDjA9UnqhfRdh9uT0vKnlZvRGmFh8/UO90uV2GyIGoOryJlYQ+yblN
sTtrn3hoNMiEgpOvWoXFoDll5mReHUNg8UDd0GrweL7iw/uhqDI=
=/aKL
-----END PGP SIGNATURE-----


L
L
Ludovic Courtès wrote on 4 Feb 2022 22:56
Re: bug#53721: [PATCH] lint: Perform fuzzy search on package names for CVE checker.
(name . Efraim Flashner)(address . efraim@flashner.co.il)
87bkzmmh35.fsf@gnu.org
Hello,

Efraim Flashner <efraim@flashner.co.il> skribis:

Toggle quote (22 lines)
> - (let ((name (or (assoc-ref (package-properties package)
> - 'cpe-name)
> - (package-name package)))
> - (version (or (assoc-ref (package-properties package)
> - 'cpe-version)
> - (package-version package))))
> + (let* ((pkg-name (package-name package))
> + (version (or (assoc-ref (package-properties package)
> + 'cpe-version)
> + (package-version package)))
> + (name
> + (or (assoc-ref (package-properties package)
> + 'cpe-name)
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length prefix))))
> + '("java-" "perl-" "python-" "python2-" "ruby-")))))
> + pkg-name)))

I agree with Maxime’s suggestions.

In addition, I’d suggest moving this code out in two procedures,
‘package-cpe-name’ and ‘package-cpe-version’, that would honor the
relevant property and fall back to stripping prefixes.

Then ‘package-vulnerabilities’ would simply call these two procedures.

How does that sound?

Longer-term, we should add a thing that proposes correct CPE names:


Thanks,
Ludo’.
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 53721@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 53721
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch