[PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.

  • Open
Details
4 participants
  • ashish.is
  • Ludovic Courtès
  • Maxim Cournoyer
  • Nicolas Graves
Owner
unassigned
Submitted by
Nicolas Graves
Severity
normal
Nicolas Graves wrote on 27 Oct 00:21 +0200
(address . guix-patches@gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026222934.25890-1-ngraves@ngraves.fr
This patch series is adding lint-hidden-cve properties for packages
that have less than 10 dependents.

Some of these packages have been updated, only when the
update was trivial and harmless.

This is not applying any security fix by itself, but will help
security-related work.

Nicolas Graves (21):
gnu: libgda: Rename patch for guix lint.
gnu: upx: Update to 4.2.4.
gnu: halibut: Add lint-hidden-cve property.
gnu: portfolio: Update to 1.0.1.
gnu: folders: Add lint-hidden-cve property.
gnu: spectra: Add lint-hidden-cve property.
gnu: express: Add lint-hidden-cve property.
gnu: cli: Add lint-hidden-cve property.
gnu: h2c: Add lint-hidden-cve property.
gnu: xenon: Update to 0.9.3.
gnu: bolt: Update to 0.9.8.
gnu: sylpheed: Add release-monitoring-url property.
gnu: openvswitch: Update to 3.4.0.
gnu: quagga: Fix build and hide CVE.
gnu: bwm-ng: Add lint-hidden-cve property.
gnu: onedrive: Update to 2.5.2.
gnu: got: Update to 0.104.
gnu: dex: Update to 0.10.1.
gnu: immer: Add lint-hidden-cve property.
gnu: cvs: Add lint-hidden-cve property.
gnu: gerbv: Add lint-hidden-cve property.

gnu/local.mk | 2 +-
gnu/packages/algebra.scm | 2 ++
gnu/packages/bioinformatics.scm | 2 ++
gnu/packages/code.scm | 6 ++++--
gnu/packages/compression.scm | 7 ++++---
gnu/packages/cpp.scm | 4 ++++
gnu/packages/curl.scm | 2 ++
gnu/packages/documentation.scm | 16 ++++++++------
gnu/packages/engineering.scm | 2 ++
gnu/packages/esolangs.scm | 8 +++++++
gnu/packages/gnome-xyz.scm | 6 ++++--
gnu/packages/gnome.scm | 2 +-
gnu/packages/linux.scm | 21 ++++++++++++-------
gnu/packages/mail.scm | 2 ++
gnu/packages/networking.scm | 16 ++++++++++----
...9359.patch => libgda-CVE-2021-39359.patch} | 0
gnu/packages/sync.scm | 8 +++++--
gnu/packages/version-control.scm | 13 +++++++++---
gnu/packages/xdisorg.scm | 19 ++++++++++-------
19 files changed, 99 insertions(+), 39 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 01/21] gnu: libgda: Rename patch for guix lint.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-1-ngraves@ngraves.fr
* gnu/packages/gnome.scm (libgda)[source]<origin>: Rename patch for
CVE to be ignored by guix lint.
---
gnu/local.mk | 2 +-
gnu/packages/gnome.scm | 2 +-
...{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} | 0
3 files changed, 2 insertions(+), 2 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..d253b424bb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1666,7 +1666,7 @@ dist_patch_DATA = \
%D%/packages/patches/libcroco-CVE-2020-12825.patch \
%D%/packages/patches/libcyaml-libyaml-compat.patch \
%D%/packages/patches/libexpected-use-provided-catch2.patch \
- %D%/packages/patches/libgda-cve-2021-39359.patch \
+ %D%/packages/patches/libgda-CVE-2021-39359.patch \
%D%/packages/patches/libgda-disable-data-proxy-test.patch \
%D%/packages/patches/libgda-fix-build.patch \
%D%/packages/patches/libgda-fix-missing-initialization.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..9b26819261 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -13653,7 +13653,7 @@ (define-public libgda
name "-" version ".tar.xz"))
(sha256
(base32 "0w564z7krgjk19r39mi5qn4kggpdg9ggbyn9pb4aavb61r14npwr"))
- (patches (search-patches "libgda-cve-2021-39359.patch"
+ (patches (search-patches "libgda-CVE-2021-39359.patch"
"libgda-disable-data-proxy-test.patch"
"libgda-fix-build.patch"
"libgda-fix-missing-initialization.patch"
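Review bot: the message says the rename makes the CVE "ignored" by guix lint; what the rename actually changes is that the uppercase "CVE-" in the patch file name lets the cve checker recognise the patch as the fix for CVE-2021-39359, which is a better outcome than a lint-hidden-cve entry because the fix itself stays on record. Consider wording the commit message that way so a later reader does not take this for a suppression.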
diff --git a/gnu/packages/patches/libgda-cve-2021-39359.patch b/gnu/packages/patches/libgda-CVE-2021-39359.patch
similarity index 100%
rename from gnu/packages/patches/libgda-cve-2021-39359.patch
rename to gnu/packages/patches/libgda-CVE-2021-39359.patch
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 02/21] gnu: upx: Update to 4.2.4.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-2-ngraves@ngraves.fr
* gnu/packages/compression.scm (upx): Update to 4.2.4.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/compression.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..a32b15a64a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2438,15 +2438,14 @@ (define-public ucl
(define-public upx
(package
(name "upx")
- (version "4.1.0")
+ (version "4.2.4")
(source
(origin
(method url-fetch)
(uri (string-append "https://github.com/upx/upx/releases/download/v"
version "/upx-" version "-src.tar.xz"))
(sha256
- (base32
- "1l273pwa573x9l3izw75cz8ysn2g8w8w3s56rahppa3ya65zg0h5"))))
+ (base32 "1i71p03861hlf5x1w217l67zm5inm449zhbg6kpv8zyj0wb5dmjy"))))
(build-system cmake-build-system)
(home-page "https://upx.github.io/")
(synopsis "Compression tool for executables")
@@ -2455,6 +2454,8 @@ (define-public upx
compressor. UPX typically reduces the file size of programs and shared
libraries by around 50%--70%, thus reducing disk space, network load times,
download times, and other distribution and storage costs.")
+ ;; These CVEs have been fixed since 4.0.2 but are still linted.
+ (properties `((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457"))))
(license license:gpl2+)))
(define-public quazip-0
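Review bot: the comment above the lint-hidden-cve line says CVE-2023-23456 and CVE-2023-23457 were fixed in 4.0.2, and this same commit bumps upx to 4.2.4, so the property may no longer be needed; run `guix lint -c cve upx` at 4.2.4 before adding it. A hide-by-id entry that the database no longer reports masks nothing today, but it would silently suppress the warning if the package were ever rolled back below the fixed version. If the database still flags 4.2.4 because its version range is wrong, say so in the comment so the entry can be dropped once the range is corrected.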
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 03/21] gnu: halibut: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-3-ngraves@ngraves.fr
* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/documentation.scm | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..7522b5f769 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,16 @@ (define-public halibut
(home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
(synopsis "Documentation production system for software manuals")
(description
- "Halibut is a text formatting system designed primarily for writing software
-documentation. It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF. It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible. It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+ "Halibut is a text formatting system designed primarily for writing
+software documentation. It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible. It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+ ;; This CVE concerns the halibut RPC-based communication framework,
+ ;; rather than the halibut text formatting system.
+ (properties `((lint-hidden-cve . ("CVE-2021-31819"))))
(license license:expat)))
(define-public doc++
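Review bot: hiding CVE-2021-31819 by id only suppresses this one report; the comment says the root cause is that the CVE belongs to a different product that happens to share the name halibut, so any future CVE filed against that other product will reappear on this package and need yet another entry. A vendor-level exclusion (the lint-hidden-cpe-vendors property that v2 of this series introduces) addresses the name collision once. The same applies to the folders, spectra, express, cli, h2c, bwm-ng, onedrive, immer and cvs hunks below, whose comments give the same kind of reason.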
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 05/21] gnu: folders: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-5-ngraves@ngraves.fr
* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cve property.
---
gnu/packages/esolangs.scm | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..b29787e7bf 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,14 @@ (define-public folders
(description "Folders is a programming language, in which programs
are encoded as (nested) directories. Note that the switches you pass to
@command{du} may affect your score when code golfing.")
+ (properties `((lint-hidden-cve
+ ;; These CVEs concern...
+ . ( ; ...the Wordpress Folders plugin
+ "CVE-2023-40204"
+ ;; ...the Jenkins Folders plugin
+ "CVE-2023-40336"
+ "CVE-2023-40337"
+ "CVE-2023-40338"))))
(license license:expat)))
(define-public shakespeare-spl
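Review bot: the line `. ( ; ...the Wordpress Folders plugin` puts a comment between the dot and the opening paren of the tail, which reads and indents awkwardly; keep `. (` together and give the Wordpress id its own `;;` comment line inside the list, as the Jenkins ids already have. Style only, the resulting datum is the same.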
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 06/21] gnu: spectra: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-6-ngraves@ngraves.fr
* gnu/packages/algebra.scm (spectra)[properties]: Add lint-hidden-cve
property.
---
gnu/packages/algebra.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..cb390ea976 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,8 @@ (define-public spectra
built on top of Eigen. It is implemented as a header-only C++ library and can
be easily embedded in C++ projects that require calculating eigenvalues of
large matrices.")
+ ;; These CVEs concern the Wordpress Spectra plugin.
+ (properties `((lint-hidden-cve . ("CVE-2023-36676" "CVE-2023-49833"))))
(license license:mpl2.0)))
(define-public gappa
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 07/21] gnu: express: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-7-ngraves@ngraves.fr
* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/bioinformatics.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..2f463c8969 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,8 @@ (define-public express
transcript-level RNA-Seq quantification, allele-specific/haplotype expression
analysis (from RNA-Seq), transcription factor binding quantification in
ChIP-Seq, and analysis of metagenomic data.")
+ ;; These CVEs concern the Express.js node framework.
+ (properties `((lint-hidden-cve . ("CVE-2022-24999" "CVE-2024-43796"))))
(license license:artistic2.0)))
(define-public express-beta-diversity
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 08/21] gnu: cli: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-8-ngraves@ngraves.fr
* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cve property.
---
gnu/packages/cpp.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..e9c6dc096b 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,8 @@ (define-public cli
options that your program supports, their types, default values, and
documentation.")
(home-page "https://codesynthesis.com/projects/cli/")
+ ;; This CVE concerns Snyk CLI rather than this package.
+ (properties `((lint-hidden-cve . ("CVE-2022-40764"))))
(license license:expat)))
(define-public xsd
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 04/21] gnu: portfolio: Update to 1.0.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-4-ngraves@ngraves.fr
* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/gnome-xyz.scm | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..b399d30886 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
(define-public portfolio
(package
(name "portfolio")
- (version "1.0.0")
+ (version "1.0.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
(file-name (git-file-name name version))
(sha256
(base32
- "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+ "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
(arguments
(list #:glib-or-gtk? #t
#:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,8 @@ (define-public portfolio
"Portfolio is a minimalist file manager for those who want to use Linux
mobile devices. Tap to activate and long press to select, to browse, open,
copy, move, delete, or edit your files.")
+ ;; This CVE concerns the Wordpress Portfolio plugin, not this package.
+ (properties `((lint-hidden-cve . ("CVE-2019-13232"))))
(license license:gpl3+)))
(define-public gnome-shell-extension-unite-shell
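Review bot: please double-check the CPE product in the NVD entry for CVE-2019-13232 before attributing it to "the Wordpress Portfolio plugin" in the comment. This comment is the only audit trail for why the warning is suppressed, so it should quote the CPE vendor and product the linter matched on rather than a description; a wrong attribution here would hide a real report for as long as the entry survives.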
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 10/21] gnu: xenon: Update to 0.9.3.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-10-ngraves@ngraves.fr
* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/code.scm | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..bbf10be987 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
(define-public xenon
(package
(name "xenon")
- (version "0.9.0")
+ (version "0.9.3")
(source
(origin
(method url-fetch)
(uri (pypi-uri "xenon" version))
(sha256
(base32
- "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+ "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
(build-system python-build-system)
(arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
(inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,8 @@ (define-public xenon
line options, various thresholds can be set for the complexity of code. It
will fail (i.e., it will exit with a non-zero exit code) when any of these
requirements is not met.")
+ ;; This CVE is for another package named Xenon too.
+ (properties '((lint-hidden-cve . ("CVE-2023-39427"))))
(license license:expat)))
(define-public python-xenon
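Review bot: this hunk uses a plain quote, `'((lint-hidden-cve ...))`, while the earlier hunks in the series (upx, halibut, spectra, express, cli) use a quasiquote with nothing unquoted. Both evaluate to the same list, but pick one form for the whole series; plain quote is the simpler choice when no unquote is involved.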
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 11/21] gnu: bolt: Update to 0.9.8.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-11-ngraves@ngraves.fr
* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/linux.scm | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..f9f13ca28a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
(define-public bolt
(package
(name "bolt")
- (version "0.9.5")
+ (version "0.9.8")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
(file-name (git-file-name name version))
(sha256
(base32
- "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+ "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
(build-system meson-build-system)
(arguments
(list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
(add-after 'unpack 'replace-directories
(lambda* (#:key outputs #:allow-other-keys)
(substitute* "meson.build"
- (("udev.get_pkgconfig_variable..udevdir..")
- (string-append "'"
- #$output "/lib/udev'")))
- (substitute* "scripts/meson-install.sh"
- (("mkdir.*")
- ""))))
+ (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+ (string-append "'" #$output "/lib/udev'"))
+ ;; Don't install in /var
+ (("not systemd\\.found\\(\\)")
+ "false"))))
(add-before 'install 'no-polkit-magic
(lambda* (#:key outputs #:allow-other-keys)
(setenv "PKEXEC_UID" "something"))))))
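Review bot: the commit message says only "Update phase 'replace-directories", but this hunk also drops the substitution of scripts/meson-install.sh and now rewrites `not systemd.found()` to `false`; say in the message why the script substitution is no longer needed at 0.9.8 and what forcing `false` achieves (the inline comment "Don't install in /var" suggests it replaces the old `mkdir` removal). Also, substitute* does nothing when a pattern matches nothing, so if upstream's meson.build wording changes again the udevdir rewrite would silently stop applying; a check in the phase that the rewritten file no longer mentions the pkgconfig udevdir lookup would catch that.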
@@ -3411,6 +3410,12 @@ (define-public bolt
@command{boltd}. It can list devices, monitor changes, and initiate
authorization of devices.")
(home-page "https://gitlab.freedesktop.org/bolt/bolt")
+ (properties `((lint-hidden-cve . (;; These CVEs concern...
+ ;; ...the Bolt PHP cms
+ "CVE-2021-27367"
+ "CVE-2022-31321"
+ ;; ...the Bolt orchestration tool
+ "CVE-2023-5214"))))
(license license:gpl2+)))
(define-public jitterentropy-rngd
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 12/21] gnu: sylpheed: Add release-monitoring-url property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-12-ngraves@ngraves.fr
* gnu/packages/mail.scm (sylpheed)[properties]: Add
release-monitoring-url.
---
gnu/packages/mail.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..77be7626a9 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -4561,6 +4561,8 @@ (define-public sylpheed
"Sylpheed is a simple, lightweight but featureful, and easy-to-use e-mail
client. Sylpheed provides intuitive user-interface. Sylpheed is also
designed for keyboard-oriented operation.")
+ (properties '((release-monitoring-url
+ . "https://sylpheed.sraoss.jp/en/download.html")))
(license license:gpl2+)))
(define-public python-authres
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 13/21] gnu: openvswitch: Update to 3.4.0.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-13-ngraves@ngraves.fr
* gnu/packages/networking.scm (openvswitch): Update to 3.4.0.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..d98179cf2f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2877,7 +2877,7 @@ (define-public nzbget
(define-public openvswitch
(package
(name "openvswitch")
- (version "3.2.0")
+ (version "3.4.0")
(source (origin
(method url-fetch)
(uri (string-append
@@ -2885,7 +2885,7 @@ (define-public openvswitch
version ".tar.gz"))
(sha256
(base32
- "1i0lb40lwbakmmqklmfcgr01l1ymsawgdi7k9a1zzp8ariw7x4ff"))))
+ "10g84h6lis6fafyjhvmdrs8r539xcar04cc3rsk448gs6848hsqr"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
@@ -2961,7 +2961,9 @@ (define-public openvswitch
supporting standard management interfaces and protocols (e.g. NetFlow, sFlow,
IPFIX, RSPAN, CLI, LACP, 802.1ag).")
(properties
- '((release-monitoring-url . "https://www.openvswitch.org/download/")))
+ '((release-monitoring-url . "https://www.openvswitch.org/download/")
+ ;; This CVE is fixed since 3.2.0.
+ (lint-hidden-cve . ("CVE-2023-5366"))))
(license ; see debian/copyright for detail
(list license:lgpl2.1 ; xenserver and utilities/bugtool
license:gpl2 ; datapath
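Review bot: the cover letter says packages were updated only when the update was trivial and harmless; 3.2.0 to 3.4.0 skips a whole minor series of a network dataplane, so the commit message should record that the build and test suite pass and whether any configure flags or dependents were affected. The hidden CVE is independent of the bump (its comment says it was fixed in 3.2.0, the version already packaged), so it would be cleaner as a separate commit with its own rationale.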
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 14/21] gnu: quagga: Fix build and hide CVE.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-14-ngraves@ngraves.fr
* gnu/packages/networking.scm (quagga)
[inputs]: Add libxcrypt.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index d98179cf2f..53bc670c41 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -3138,7 +3138,7 @@ (define-public quagga
(delete-file "vtysh/extract.pl")))))
(build-system gnu-build-system)
(native-inputs (list gawk gcc-9 pkg-config perl dejagnu))
- (inputs (list readline c-ares))
+ (inputs (list c-ares libxcrypt readline))
(synopsis "Routing Software Suite")
(description "Quagga is a routing software suite, providing implementations
of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms.
@@ -3149,6 +3149,10 @@ (define-public quagga
clients which typically implement a routing protocol and communicate routing
updates to the zebra daemon.")
(home-page "https://www.nongnu.org/quagga/")
+ ;; This CVE concerns systemd services files that we currently don't use.
+ ;; If we were to use them, a fixing patch can be found here:
+ ;; https://build.opensuse.org/request/show/1035188
+ (properties '((lint-hidden-cve . ("CVE-2021-44038"))))
(license license:gpl2+)))
(define-public bgpq3
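Review bot: the subject says "Fix build" but the body only lists "[inputs]: Add libxcrypt."; state what the build was missing so the input can be dropped again if upstream or the toolchain changes. The comment above lint-hidden-cve links an openSUSE request for a systemd-unit fix, which is useful, but it should also say explicitly that Guix installs no systemd units for quagga, so the affected files are simply not shipped; that is the fact that justifies the suppression.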
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 15/21] gnu: bwm-ng: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-15-ngraves@ngraves.fr
* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/networking.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 53bc670c41..7ed011a7f4 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,8 @@ (define-public bwm-ng
(description "Bandwidth Monitor NG is a small and simple console based
live network and disk I/O bandwidth monitor.")
(home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+ ;; This CVE concerns the npm bwm-ng package rather than this one.
+ (properties '((lint-hidden-cve . ("CVE-2023-26129"))))
(license license:gpl2)))
(define-public aircrack-ng
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 09/21] gnu: h2c: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-9-ngraves@ngraves.fr
* gnu/packages/curl.scm (h2c)[properties]: Add lint-hidden-cve property.
---
gnu/packages/curl.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..bac1841c82 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,8 @@ (define-public h2c
(description
"Provided a set of HTTP request headers, h2c outputs how to invoke
curl to obtain exactly that HTTP request.")
+ ;; This CVE is for the h2c function in Go.
+ (properties `((lint-hidden-cve . ("CVE-2022-41721"))))
(license license:expat)))
(define-public coeurl
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 16/21] gnu: onedrive: Update to 2.5.2.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-16-ngraves@ngraves.fr
* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cve.
---
gnu/packages/sync.scm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..df3bcb6523 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
(define-public onedrive
(package
(name "onedrive")
- (version "2.4.25")
+ (version "2.5.2")
(source
(origin
(method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+ (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
(build-system gnu-build-system)
(arguments
(list
@@ -420,6 +420,10 @@ (define-public onedrive
Business, OneDrive for Office365 and SharePoint and fully supports Azure
National Cloud Deployments. It supports one-way and two-way sync capabilities
and securely connects to Microsoft OneDrive services.")
+ ;; These CVEs concern another Microsoft product.
+ (properties '((lint-hidden-cve . ("CVE-2023-24882"
+ "CVE-2023-24890"
+ "CVE-2023-24923"))))
(license license:gpl3)))
(define-public lsyncd
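Review bot: "These CVEs concern another Microsoft product." is too vague to audit; name the product (or the CPE vendor:product pair) that CVE-2023-24882, CVE-2023-24890 and CVE-2023-24923 are filed against, so a later reviewer can confirm the mismatch with this OneDrive client without re-querying the database.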
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 17/21] gnu: got: Update to 0.104.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-17-ngraves@ngraves.fr
* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cve
properties.
---
gnu/packages/version-control.scm | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..9c8fdea0a6 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
(define-public got
(package
(name "got")
- (version "0.103")
+ (version "0.104")
(source (origin
(method url-fetch)
(uri
@@ -980,7 +980,7 @@ (define-public got
version ".tar.gz"))
(sha256
(base32
- "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+ "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
(inputs
(list libevent
`(,util-linux "lib")
@@ -1016,7 +1016,12 @@ (define-public got
"Game of Trees (Got) is a version control system which prioritizes ease of use
and simplicity over flexibility.")
(license license:isc)
- (home-page "https://gameoftrees.org/")))
+ (home-page "https://gameoftrees.org/")
+ (properties
+ ;; Can lint for updates, but not update in place.
+ '((release-monitoring-url . "https://gameoftrees.org/releases/")
+ ;; This CVE is for another Node got package.
+ (lint-hidden-cve . "CVE-2022-33987")))))
(define-public xdiff
(let ((revision "0")
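Review bot: `(lint-hidden-cve . "CVE-2022-33987")` stores a bare string, whereas every other hunk in this series stores a list of strings, e.g. `(lint-hidden-cve . ("CVE-2022-33987"))`. The checker walks the value as a list, so the bare string would at best be ignored and the warning would keep firing; use the list form here too.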
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 18/21] gnu: dex: Update to 0.10.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-18-ngraves@ngraves.fr
* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/xdisorg.scm | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..10c04fc4e8 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
(define-public dex
(package
(name "dex")
- (version "0.9.0")
+ (version "0.10.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
(commit (string-append "v" version))))
(sha256
(base32
- "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+ "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(arguments
- `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure))
- #:tests? #f))
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output))
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))
+ #:tests? #f)) ; No tests.
(inputs
(list python))
(native-inputs
@@ -3562,6 +3563,10 @@ (define-public dex
(description
"@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
and execute @file{.desktop} files of the Application type.")
+ (properties
+ ;; These CVEs concern...
+ '((lint-hidden-cve . ("CVE-2024-20802" ; ...a dex Samsung package.
+ "CVE-2022-39222")))) ; ...a OpenID connect tool.
(license license:gpl3+)))
(define-public sx
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 19/21] gnu: immer: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-19-ngraves@ngraves.fr
* gnu/packages/cpp.scm (immer)[properties]: Add lint-hidden-cve
property.
---
gnu/packages/cpp.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index e9c6dc096b..80eaa26b37 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,8 @@ (define-public immer
(synopsis "Immutable data structures")
(description "Immer is a library of persistent and immutable data structures
written in C++.")
+ ;; This CVEs concern the immer.js Node package.
+ (properties '((lint-hidden-cve . ("CVE-2021-23436" "CVE-2021-3757"))))
(license license:boost1.0)))
(define-public zug
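Review bot: grammar nit in the added comment, "This CVEs concern the immer.js Node package." should read "These CVEs concern the immer.js Node package."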
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 21/21] gnu: gerbv: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-21-ngraves@ngraves.fr
* gnu/packages/engineering.scm (gerbv)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/engineering.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 6f449f0c39..89e60a7218 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -868,6 +868,8 @@ (define-public gerbv
you load several files on top of each other, do measurements on the displayed
image, etc. Besides viewing Gerbers, you may also view Excellon drill files
as well as pick-place files.")
+ ;; This CVE has been fixed in version 2.10.0.
+ (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
(license license:gpl2+)))
(define-public translate2geda
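Review bot: "fixed in version 2.10.0" only justifies hiding CVE-2023-4508 if the packaged gerbv is at 2.10.0 or later, and the hunk does not show the version field; mention the packaged version in the comment, or reference the upstream fix, so the suppression can be re-evaluated when the package is next updated. Hiding by id is the right mechanism when the database's version range is wrong, but the comment should say that this is such a case.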
--
2.46.0
Nicolas Graves wrote on 27 Oct 00:41 +0200
[PATCH 20/21] gnu: cvs: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-20-ngraves@ngraves.fr
* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/version-control.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 9c8fdea0a6..f4a0f577a9 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2750,6 +2750,8 @@ (define-public cvs
Configuration Management (SCM). Using it, you can record the history of
sources files, and documents. It fills a similar role to the free software
RCS, PRCS, and Aegis packages.")
+ ;; This CVE concerns the Jenkins CVS plugin.
+ (properties '((lint-hidden-cve . ("CVE-2022-29037"))))
(license license:gpl1+)))
(define-public cvs-fast-export
--
2.46.0
Nicolas Graves wrote on 27 Oct 18:31 +0100
control message for bug #74034
(address . control@debbugs.gnu.org)
877c9tcv1j.fsf@ngraves.fr
tags 74034 + moreinfo
quit

I'm splitting this patch series in two.


--
Best regards,
Nicolas Graves
Nicolas Graves wrote on 27 Oct 19:16 +0100
[PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027181946.25348-1-ngraves@ngraves.fr
This is a rewrite of 74034 after a new first commit introducing the
management of cpe-vendor data from the CVE database.

Nicolas Graves (16):
guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
gnu: halibut: Add cpe-vendor property.
gnu: portfolio: Update to 1.0.1.
gnu: folders: Add lint-hidden-cpe-vendors property.
gnu: spectra: Add lint-hidden-cpe-vendors property.
gnu: express: Add lint-hidden-cpe-vendors property.
gnu: cli: Add lint-hidden-cpe-vendors property.
gnu: h2c: Add lint-hidden-cpe-vendors property.
gnu: xenon: Update to 0.9.3.
gnu: bolt: Update to 0.9.8.
gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
gnu: onedrive: Update to 2.5.2.
gnu: got: Update to 0.104.
gnu: dex: Update to 0.10.1.
gnu: immer: Add lint-hidden-cpe-vendors property.
gnu: cvs: Add lint-hidden-cpe-vendors property.

gnu/packages/algebra.scm | 1 +
gnu/packages/bioinformatics.scm | 1 +
gnu/packages/code.scm | 5 ++-
gnu/packages/cpp.scm | 2 +
gnu/packages/curl.scm | 1 +
gnu/packages/documentation.scm | 14 ++++---
gnu/packages/esolangs.scm | 1 +
gnu/packages/gnome-xyz.scm | 5 ++-
gnu/packages/linux.scm | 16 +++----
gnu/packages/networking.scm | 1 +
gnu/packages/sync.scm | 5 ++-
gnu/packages/version-control.scm | 11 +++--
gnu/packages/xdisorg.scm | 17 ++++----
guix/cve.scm | 71 +++++++++++++++++++++-----------
guix/lint.scm | 11 ++++-
tests/cve.scm | 30 +++++++-------
16 files changed, 120 insertions(+), 72 deletions(-)

--
2.46.0
Nicolas Graves wrote on 27 Oct 19:16 +0100
[PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027181946.25348-2-ngraves@ngraves.fr
* guix/cve.scm: Exploit cpe vendor information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place of cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
guix/cve.scm | 71 +++++++++++++++++++++++++++++++++------------------
guix/lint.scm | 11 ++++++--
tests/cve.scm | 30 +++++++++++-----------
3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
(define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
- (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+ (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way. Return two values: the package name, and its
-version string. Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way. Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
(cond ((regexp-exec %cpe-package-rx cpe)
=>
(lambda (matches)
- (values (match:substring matches 2)
- (match (match:substring matches 3)
+ (values (match:substring matches 1)
+ (match (match:substring matches 2)
("*" '_)
(version
(string-append version
- (match (match:substring matches 4)
+ (match (match:substring matches 3)
("" "")
(patch-level
;; Drop the colon from things like
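Review bot: the new docstring of `cpe->package` says the first value is "composed from the CPE vendor and the package name" but not how; the table-building code later splits it on `#\:`, so state explicitly that it is the string "VENDOR:NAME" with exactly one colon, which the `([^:]+:[^:]+)` group guarantees. The renumbering of the capture groups from 2/3/4 to 1/2/3 is consistent with merging the first two groups, and the comment above `%cpe-package-rx` still describes the accepted shapes correctly.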
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-name cpe)))
+ (let-values (((package version) (cpe->package cpe)))
(and package
`(,package
,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
(('>= min)
(version>=? version min))))
+(define (filter-vendors vuln vendor hidden-vendors)
+
+ (define (vendor-matches? vendor+name)
+ (if vendor
+ (string-prefix? (string-append vendor ":") vendor+name)
+ (if hidden-vendors
+ (not (any (lambda (v)
+ (string-prefix? (string-append v ":") vendor+name))
+ hidden-vendors))
+ #t)))
+
+ (match vuln
+ (($ <vulnerability> id packages)
+ (any (match-lambda
+ (((? vendor-matches? vendor+name) . _) #t)
+ (_ #f))
+ packages))))
+
;;;
;;; High-level interface.
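Review bot: `filter-vendors` checks the vendor against every package entry of the vulnerability instead of the entry whose name matched the lookup, so a CVE listing `gnu:foo` alongside `hidden:bar` is still reported for `bar` even when `hidden` appears in `lint-hidden-cpe-vendors`, because `gnu:foo` satisfies `(any ...)`. Keeping the matched `vendor+name` in the table entry (the following hunk currently discards it when it keys the vhash on the bare name) and testing only that entry would make the filter exact. A second semantic point to document or reject: when `vendor` is given, `hidden-vendors` is ignored entirely by `vendor-matches?`. Minor: the nested `if` reads better as a `cond`, `id` is unused in the `match` pattern (use `_`), and the procedure lacks a docstring.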
@@ -404,28 +422,31 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((name . versions)
- (vhash-cons name (cons vuln versions)
+ ((vendor+name . versions)
+ (vhash-cons (match (string-split vendor+name #\:)
+ ((vendor name) name)
+ ((name) name))
+ (cons vuln versions)
table))))
table
packages))))
vlist-null
vulnerabilities))
- (lambda* (package #:optional version)
- (vhash-fold* (if version
- (lambda (pair result)
- (match pair
- ((vuln sexp)
- (if (version-matches? version sexp)
- (cons vuln result)
- result))))
- (lambda (pair result)
- (match pair
- ((vuln . _)
- (cons vuln result)))))
- '()
- package table)))
+ (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+ (vhash-fold*
+ (lambda (pair result)
+ (match pair
+ ((vuln sexp)
+ (if (and (or (not (or vendor hidden-vendors))
+ (and (or vendor hidden-vendors)
+ (filter-vendors vuln vendor hidden-vendors)))
+ (or (not version)
+ (and version (version-matches? version sexp))))
+ (cons vuln result)
+ result))))
+ '()
+ package table)))
;;; cve.scm ends here
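Review bot: both conditions simplify. `(or (not (or vendor hidden-vendors)) (and (or vendor hidden-vendors) (filter-vendors ...)))` is equivalent to `(or (not (or vendor hidden-vendors)) (filter-vendors vuln vendor hidden-vendors))`, and `(or (not version) (and version (version-matches? version sexp)))` is `(or (not version) (version-matches? version sexp))`. The `(match (string-split vendor+name #\:) ((vendor name) name) ((name) name))` has no fallback clause, so an entry with more than one colon raises a match error while building the table; `%cpe-package-rx` rules that out today, but a `_` clause, or storing the vendor alongside `vuln` so the vendor filter can use it, would be more robust. Finally, changing the lookup procedure's signature from `#:optional version` to keyword arguments is incompatible for any caller outside this diff; `lint.scm` and `tests/cve.scm` are the only callers touched here, so please confirm there are no others.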
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
(package-name package)))
(version (or (assoc-ref (package-properties package)
'cpe-version)
- (package-version package))))
- ((force lookup) name version)))))
+ (package-version package)))
+ (vendor (assoc-ref (package-properties package)
+ 'cpe-vendor))
+ (hidden-vendors (assoc-ref (package-properties package)
+ 'lint-hidden-cpe-vendors)))
+ ((force lookup) name
+ #:version version
+ #:vendor vendor
+ #:hidden-vendors hidden-vendors)))))
;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
(set! package-vulnerabilities package-vulnerabilities)
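Review bot: the two new package properties `cpe-vendor` and `lint-hidden-cpe-vendors` are introduced without documentation; the diffstat touches only `guix/cve.scm`, `guix/lint.scm` and `tests/cve.scm`. The manual's description of the `cve` checker, where `cpe-name`, `cpe-version` and `lint-hidden-cve` are explained, should gain entries saying that `cpe-vendor` restricts matches to that CPE vendor, that `lint-hidden-cpe-vendors` drops matches from the listed vendors, and that `cpe-vendor` takes precedence when both are set.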
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
(vulnerability "CVE-2019-0005"
- '(("junos" (or "18.11" "18.1"))))
+ '(("juniper:junos" (or "18.11" "18.1"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("ghostscript" (< "9.28"))))
+ '(("artifex:ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nix" (<= "2.3"))))
+ '(("nixos:nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gdb" _))) ;any version
+ '(("gnu:gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("binutils" (and (>= "2.21") (<= "2.31.1")))
- ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
(let* ((vulns (call-with-input-file %sample json->vulnerabilities))
(lookup (vulnerabilities->lookup-proc vulns)))
(list (lookup "ghostscript")
- (lookup "ghostscript" "9.27")
- (lookup "ghostscript" "9.28")
+ (lookup "ghostscript" #:version "9.27")
+ (lookup "ghostscript" #:version "9.28")
(lookup "gdb")
- (lookup "gdb" "42.0")
+ (lookup "gdb" #:version "42.0")
(lookup "nix")
- (lookup "nix" "2.4")
- (lookup "binutils" "2.31.1")
- (lookup "binutils" "2.10")
- (lookup "binutils_gold" "1.11")
- (lookup "binutils" "2.32"))))
+ (lookup "nix" #:version "2.4")
+ (lookup "binutils" #:version "2.31.1")
+ (lookup "binutils" #:version "2.10")
+ (lookup "binutils_gold" #:version "1.11")
+ (lookup "binutils" #:version "2.32"))))
(test-end "cve")
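Review bot: the updated lookups only exercise the `#:version` keyword; nothing tests `#:vendor` or `#:hidden-vendors`, which are the point of the change. With the sample data in `%expected-vulnerabilities` above, `(lookup "binutils" #:vendor "gnu")` should return CVE-2019-1010204, `(lookup "binutils" #:vendor "other")` should return the empty list, and `(lookup "ghostscript" #:hidden-vendors '("artifex"))` should return the empty list; those three cover both branches of `vendor-matches?` and the no-filter default.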
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:16 +0100
[PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027181946.25348-3-ngraves@ngraves.fr
* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
gnu/packages/documentation.scm | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
(home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
(synopsis "Documentation production system for software manuals")
(description
- "Halibut is a text formatting system designed primarily for writing software
-documentation. It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF. It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible. It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+ "Halibut is a text formatting system designed primarily for writing
+software documentation. It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible. It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+ (properties `((cpe-vendor . "halibut_project")))
(license license:expat)))
(define-public doc++
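Review bot: `cpe-vendor` is a positive filter here: with `filter-vendors` as written in patch 01, only CVEs whose CPE vendor is exactly `halibut_project` are reported for this package and any `lint-hidden-cpe-vendors` value would be ignored, so a one-line comment saying why a vendor restriction is needed at all (which other `halibut` product collides in the CPE dictionary) would help the next maintainer. The quasiquote in `(properties `((cpe-vendor . "halibut_project")))` contains no unquote; a plain quote suffices, as the `xenon` and `bwm-ng` commits of this series already do.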
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-1-ngraves@ngraves.fr
* guix/cve.scm: Exploit cpe vendor information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place of cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
guix/cve.scm | 71 +++++++++++++++++++++++++++++++++------------------
guix/lint.scm | 11 ++++++--
tests/cve.scm | 30 +++++++++++-----------
3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
(define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
- (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+ (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way. Return two values: the package name, and its
-version string. Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way. Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
(cond ((regexp-exec %cpe-package-rx cpe)
=>
(lambda (matches)
- (values (match:substring matches 2)
- (match (match:substring matches 3)
+ (values (match:substring matches 1)
+ (match (match:substring matches 2)
("*" '_)
(version
(string-append version
- (match (match:substring matches 4)
+ (match (match:substring matches 3)
("" "")
(patch-level
;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-name cpe)))
+ (let-values (((package version) (cpe->package cpe)))
(and package
`(,package
,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
(('>= min)
(version>=? version min))))
+(define (filter-vendors vuln vendor hidden-vendors)
+
+ (define (vendor-matches? vendor+name)
+ (if vendor
+ (string-prefix? (string-append vendor ":") vendor+name)
+ (if hidden-vendors
+ (not (any (lambda (v)
+ (string-prefix? (string-append v ":") vendor+name))
+ hidden-vendors))
+ #t)))
+
+ (match vuln
+ (($ <vulnerability> id packages)
+ (any (match-lambda
+ (((? vendor-matches? vendor+name) . _) #t)
+ (_ #f))
+ packages))))
+
;;;
;;; High-level interface.
@@ -404,28 +422,31 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((name . versions)
- (vhash-cons name (cons vuln versions)
+ ((vendor+name . versions)
+ (vhash-cons (match (string-split vendor+name #\:)
+ ((vendor name) name)
+ ((name) name))
+ (cons vuln versions)
table))))
table
packages))))
vlist-null
vulnerabilities))
- (lambda* (package #:optional version)
- (vhash-fold* (if version
- (lambda (pair result)
- (match pair
- ((vuln sexp)
- (if (version-matches? version sexp)
- (cons vuln result)
- result))))
- (lambda (pair result)
- (match pair
- ((vuln . _)
- (cons vuln result)))))
- '()
- package table)))
+ (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+ (vhash-fold*
+ (lambda (pair result)
+ (match pair
+ ((vuln sexp)
+ (if (and (or (not (or vendor hidden-vendors))
+ (and (or vendor hidden-vendors)
+ (filter-vendors vuln vendor hidden-vendors)))
+ (or (not version)
+ (and version (version-matches? version sexp))))
+ (cons vuln result)
+ result))))
+ '()
+ package table)))
;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
(package-name package)))
(version (or (assoc-ref (package-properties package)
'cpe-version)
- (package-version package))))
- ((force lookup) name version)))))
+ (package-version package)))
+ (vendor (assoc-ref (package-properties package)
+ 'cpe-vendor))
+ (hidden-vendors (assoc-ref (package-properties package)
+ 'lint-hidden-cpe-vendors)))
+ ((force lookup) name
+ #:version version
+ #:vendor vendor
+ #:hidden-vendors hidden-vendors)))))
;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
(set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
(vulnerability "CVE-2019-0005"
- '(("junos" (or "18.11" "18.1"))))
+ '(("juniper:junos" (or "18.11" "18.1"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("ghostscript" (< "9.28"))))
+ '(("artifex:ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nix" (<= "2.3"))))
+ '(("nixos:nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gdb" _))) ;any version
+ '(("gnu:gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("binutils" (and (>= "2.21") (<= "2.31.1")))
- ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
(let* ((vulns (call-with-input-file %sample json->vulnerabilities))
(lookup (vulnerabilities->lookup-proc vulns)))
(list (lookup "ghostscript")
- (lookup "ghostscript" "9.27")
- (lookup "ghostscript" "9.28")
+ (lookup "ghostscript" #:version "9.27")
+ (lookup "ghostscript" #:version "9.28")
(lookup "gdb")
- (lookup "gdb" "42.0")
+ (lookup "gdb" #:version "42.0")
(lookup "nix")
- (lookup "nix" "2.4")
- (lookup "binutils" "2.31.1")
- (lookup "binutils" "2.10")
- (lookup "binutils_gold" "1.11")
- (lookup "binutils" "2.32"))))
+ (lookup "nix" #:version "2.4")
+ (lookup "binutils" #:version "2.31.1")
+ (lookup "binutils" #:version "2.10")
+ (lookup "binutils_gold" #:version "1.11")
+ (lookup "binutils" #:version "2.32"))))
(test-end "cve")
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-2-ngraves@ngraves.fr
* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
gnu/packages/documentation.scm | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
(home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
(synopsis "Documentation production system for software manuals")
(description
- "Halibut is a text formatting system designed primarily for writing software
-documentation. It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF. It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible. It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+ "Halibut is a text formatting system designed primarily for writing
+software documentation. It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible. It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+ (properties `((cpe-vendor . "halibut_project")))
(license license:expat)))
(define-public doc++
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 03/16] gnu: portfolio: Update to 1.0.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-3-ngraves@ngraves.fr
* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/gnome-xyz.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
(define-public portfolio
(package
(name "portfolio")
- (version "1.0.0")
+ (version "1.0.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
(file-name (git-file-name name version))
(sha256
(base32
- "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+ "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
(arguments
(list #:glib-or-gtk? #t
#:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
"Portfolio is a minimalist file manager for those who want to use Linux
mobile devices. Tap to activate and long press to select, to browse, open,
copy, move, delete, or edit your files.")
+ (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
(license license:gpl3+)))
(define-public gnome-shell-extension-unite-shell
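Review bot: the v1 of this series carried a one-line comment saying what each hidden CVE actually concerned; the vendor form drops it. A comment naming what `radiustheme` is (the unrelated product that shares the `portfolio` name in the CPE dictionary) makes the hide auditable later. Since hiding by vendor also suppresses every future CVE from that vendor, which is the intent, the name collision rather than a specific CVE is what the comment should record.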
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 04/16] gnu: folders: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-4-ngraves@ngraves.fr
* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/esolangs.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
(description "Folders is a programming language, in which programs
are encoded as (nested) directories. Note that the switches you pass to
@command{du} may affect your score when code golfing.")
+ (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
(license license:expat)))
(define-public shakespeare-spl
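Review bot: two vendors are hidden here (`premio`, `jenkins`) with no comment. Please record that both are unrelated projects that happen to be named "folders" (the Jenkins Folders plugin is presumably the second) so a future reader does not have to re-derive the collision from NVD; the same remark applies to the other `lint-hidden-cpe-vendors` commits in this series.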
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-5-ngraves@ngraves.fr
* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/algebra.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
built on top of Eigen. It is implemented as a header-only C++ library and can
be easily embedded in C++ projects that require calculating eigenvalues of
large matrices.")
+ (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
(license license:mpl2.0)))
(define-public gappa
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 06/16] gnu: express: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-6-ngraves@ngraves.fr
* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/bioinformatics.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..bb356f4903 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,7 @@ (define-public express
transcript-level RNA-Seq quantification, allele-specific/haplotype expression
analysis (from RNA-Seq), transcription factor binding quantification in
ChIP-Seq, and analysis of metagenomic data.")
+ (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
(license license:artistic2.0)))
(define-public express-beta-diversity
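Review bot: this is the clearest case of a bare-name collision in the series: the bioinformatics `express` shares its CPE product name with the Node.js Express framework, whose advisories are filed under `openjsf`. A comment saying exactly that would let a reader confirm the hide at a glance, and is worth adding because `express` is a high-volume CVE name and the suppression is permanent.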
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 07/16] gnu: cli: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-7-ngraves@ngraves.fr
* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..550f57c6bf 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,7 @@ (define-public cli
options that your program supports, their types, default values, and
documentation.")
(home-page "https://codesynthesis.com/projects/cli/")
+ (properties `((lint-hidden-cpe-vendors . ("snyk"))))
(license license:expat)))
(define-public xsd
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-8-ngraves@ngraves.fr
* gnu/packages/curl.scm (h2c)[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/curl.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..2b4b7ebdd8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,7 @@ (define-public h2c
(description
"Provided a set of HTTP request headers, h2c outputs how to invoke
curl to obtain exactly that HTTP request.")
+ (properties `((lint-hidden-cpe-vendors . ("golang"))))
(license license:expat)))
(define-public coeurl
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 09/16] gnu: xenon: Update to 0.9.3.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-9-ngraves@ngraves.fr
* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/code.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..ed48119fe1 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
(define-public xenon
(package
(name "xenon")
- (version "0.9.0")
+ (version "0.9.3")
(source
(origin
(method url-fetch)
(uri (pypi-uri "xenon" version))
(sha256
(base32
- "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+ "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
(build-system python-build-system)
(arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
(inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,7 @@ (define-public xenon
line options, various thresholds can be set for the complexity of code. It
will fail (i.e., it will exit with a non-zero exit code) when any of these
requirements is not met.")
+ (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
(license license:expat)))
(define-public python-xenon
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-11-ngraves@ngraves.fr
* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/networking.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..8c5548323f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,7 @@ (define-public bwm-ng
(description "Bandwidth Monitor NG is a small and simple console based
live network and disk I/O bandwidth monitor.")
(home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+ (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
(license license:gpl2)))
(define-public aircrack-ng
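Review bot: `bwm-ng_project` follows NVD's `<name>_project` convention for software that has no distinct vendor, which normally denotes the upstream project itself, so hiding it disables the CVE check for this package permanently rather than filtering out a homonym. If the aim is to dismiss one CVE that does not apply (the v1 of this series used `lint-hidden-cve` for this package), the per-ID property is the narrower tool; if `bwm-ng_project` really is an unrelated project, say so in a comment, because a reader will otherwise assume the opposite.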
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 12/16] gnu: onedrive: Update to 2.5.2.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-12-ngraves@ngraves.fr
* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
gnu/packages/sync.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
(define-public onedrive
(package
(name "onedrive")
- (version "2.4.25")
+ (version "2.5.2")
(source
(origin
(method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+ (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
(build-system gnu-build-system)
(arguments
(list
@@ -420,6 +420,7 @@ (define-public onedrive
Business, OneDrive for Office365 and SharePoint and fully supports Azure
National Cloud Deployments. It supports one-way and two-way sync capabilities
and securely connects to Microsoft OneDrive services.")
+ (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
(license license:gpl3)))
(define-public lsyncd
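Review bot: hiding `microsoft` is reasonable for this third-party client, since advisories under `microsoft:onedrive` concern Microsoft's own OneDrive client, but that reasoning belongs in a comment next to the property. Note also that 2.4.25 to 2.5.2 crosses a minor series; the commit message could state that the package was built and run after the update, as the cover letter of v1 promised only "trivial and harmless" updates.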
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 10/16] gnu: bolt: Update to 0.9.8.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-10-ngraves@ngraves.fr
* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/linux.scm | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..9d16c0a9b3 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
(define-public bolt
(package
(name "bolt")
- (version "0.9.5")
+ (version "0.9.8")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
(file-name (git-file-name name version))
(sha256
(base32
- "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+ "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
(build-system meson-build-system)
(arguments
(list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
(add-after 'unpack 'replace-directories
(lambda* (#:key outputs #:allow-other-keys)
(substitute* "meson.build"
- (("udev.get_pkgconfig_variable..udevdir..")
- (string-append "'"
- #$output "/lib/udev'")))
- (substitute* "scripts/meson-install.sh"
- (("mkdir.*")
- ""))))
+ (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+ (string-append "'" #$output "/lib/udev'"))
+ ;; Don't install in /var
+ (("not systemd\\.found\\(\\)")
+ "false"))))
(add-before 'install 'no-polkit-magic
(lambda* (#:key outputs #:allow-other-keys)
(setenv "PKEXEC_UID" "something"))))))
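Review bot: `substitute*` does nothing, silently, when a regexp does not match, so the new `"not systemd\\.found\\(\\)"` to `"false"` rewrite will fail quietly at the next upstream refactoring. The comment ";; Don't install in /var" should say which `meson.build` statement this neutralises (the branch taken when systemd is not found) so the next updater can check that the pattern still matches. The `udev.get_variable\\(pkgconfig: 'udevdir'\\)` pattern is an improvement over the old `..` wildcards, since it matches the literal call.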
@@ -3411,6 +3410,7 @@ (define-public bolt
@command{boltd}. It can list devices, monitor changes, and initiate
authorization of devices.")
(home-page "https://gitlab.freedesktop.org/bolt/bolt")
+ (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
(license license:gpl2+)))
(define-public jitterentropy-rngd
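Review bot: `boltcms` and `puppet` are hidden without explanation; a short comment that these are Bolt CMS and Puppet Bolt, both unrelated to the Thunderbolt daemon, keeps the hide auditable. As elsewhere in the series, the quasiquote in the `properties` form has no unquote and could be a plain quote.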
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 13/16] gnu: got: Update to 0.104.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-13-ngraves@ngraves.fr
* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
gnu/packages/version-control.scm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..df0739a39c 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
(define-public got
(package
(name "got")
- (version "0.103")
+ (version "0.104")
(source (origin
(method url-fetch)
(uri
@@ -980,7 +980,7 @@ (define-public got
version ".tar.gz"))
(sha256
(base32
- "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+ "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
(inputs
(list libevent
`(,util-linux "lib")
@@ -1016,7 +1016,11 @@ (define-public got
"Game of Trees (Got) is a version control system which prioritizes ease of use
and simplicity over flexibility.")
(license license:isc)
- (home-page "https://gameoftrees.org/")))
+ (home-page "https://gameoftrees.org/")
+ (properties
+ ;; Can lint for updates, but not update in place.
+ '((release-monitoring-url . "https://gameoftrees.org/releases/")
+ (lint-hidden-cpe-vendors . ("got_project"))))))
(define-public xdiff
(let ((revision "0")
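Review bot: the hidden CPE vendor `got_project` is, by its name alone, not obviously a different product from Game of Trees, so the `lint-hidden-cpe-vendors` entry deserves a one-line comment naming the product those CPE entries actually refer to; as it stands the only comment in the new `properties` field explains the `release-monitoring-url`.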
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 14/16] gnu: dex: Update to 0.10.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-14-ngraves@ngraves.fr
* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/xdisorg.scm | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..0977a856cb 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
(define-public dex
(package
(name "dex")
- (version "0.9.0")
+ (version "0.10.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
(commit (string-append "v" version))))
(sha256
(base32
- "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+ "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(arguments
- `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure))
- #:tests? #f))
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output))
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))
+ #:tests? #f)) ; No tests.
(inputs
(list python))
(native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
(description
"@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
and execute @file{.desktop} files of the Application type.")
+ (properties
+ '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
(license license:gpl3+)))
(define-public sx
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-16-ngraves@ngraves.fr
* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/version-control.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index df0739a39c..28ffd454df 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2749,6 +2749,7 @@ (define-public cvs
Configuration Management (SCM). Using it, you can record the history of
sources files, and documents. It fills a similar role to the free software
RCS, PRCS, and Aegis packages.")
+ (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
(license license:gpl1+)))
(define-public cvs-fast-export
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:20 +0100
[PATCH v2 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-15-ngraves@ngraves.fr
* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 550f57c6bf..c0f9620f78 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,7 @@ (define-public immer
(synopsis "Immutable data structures")
(description "Immer is a library of persistent and immutable data structures
written in C++.")
+ (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
(license license:boost1.0)))
(define-public zug
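Review bot: `immer_project` as a hidden vendor for a package named immer reads as if the package's own CVEs were being silenced; a short comment next to `lint-hidden-cpe-vendors` saying which unrelated product that CPE vendor covers would prevent a future reader from removing the property as a mistake.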
--
2.46.0
Nicolas Graves wrote on 27 Oct 19:32 +0100
control message for bug #74034
(address . control@debbugs.gnu.org)
87y129bdmj.fsf@ngraves.fr
tags 74034 - moreinfo
quit

Ready to review.


--
Best regards,
Nicolas Graves
Ludovic Courtès wrote on 6 Nov 22:43 +0100
Re: [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 74034@debbugs.gnu.org)
87h68kujfs.fsf@gnu.org
Hi,

Nicolas Graves <ngraves@ngraves.fr> skribis:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to cpe->package and use
> cpe_vendor:cpe_name in place of cpe_name.
> (filter-vendors): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm: Adapt tests.

Nice!

Please mention the names of tests being changed in the commit log (see
‘git log’ for examples).

> -(define (cpe->package-name cpe)
> +(define (cpe->package cpe)

Or ‘cpe->package-identifier’?

It’s unpleasant that said identifier is an unparsed “vendor:package”
string. I wonder if we should instead leave ‘%cpe-package-rx’ unchanged
and return three values: package, version, vendor.

The downside is that it would lead to more changes down the road because
we’d have to carry the vendor bit along.

Thoughts?

> +(define (filter-vendors vuln vendor hidden-vendors)
> +

Always add a docstring for top-level procedures.

> + (define (vendor-matches? vendor+name)
> + (if vendor
> + (string-prefix? (string-append vendor ":") vendor+name)
> + (if hidden-vendors
> + (not (any (lambda (v)
> + (string-prefix? (string-append v ":") vendor+name))
> + hidden-vendors))
> + #t)))

(if x y #t) => (or (not x) y)
s/v/vendor/

> + (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))

I’d keep ‘version’ option rather than keyword, for compatibility and
because it’s more commonly useful than the others.

‘hidden-vendors’ should always be a list, the empty list by default
(rule of thumb: avoid “#f | list” polymorphism if a list is as
expressive.)

> + (vhash-fold*
> + (lambda (pair result)
> + (match pair
> + ((vuln sexp)
> + (if (and (or (not (or vendor hidden-vendors))
> + (and (or vendor hidden-vendors)
> + (filter-vendors vuln vendor hidden-vendors)))
> + (or (not version)
> + (and version (version-matches? version sexp))))

(or (not x) (and x y)) => (or (not x) y)

Thanks,
Ludo’.
Nicolas Graves wrote on 7 Nov 09:45 +0100
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 74034@debbugs.gnu.org)
878qtvv3e5.fsf@ngraves.fr
On 2024-11-06 22:43, Ludovic Courtès wrote:

> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> skribis:
>
>> * guix/cve.scm: Exploit cpe vendors information.
>> (cpe->package-name): Rename to cpe->package and use
>> cpe_vendor:cpe_name in place of cpe_name.
>> (filter-vendors): Add helper function.
>> (vulnerabilities->lookup-proc): Extract cpe_name for table
>> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
>> pass vulnerabilities to result in the fold.
>>
>> * guix/lint.scm (package-vulnerabilities): Use additional arguments
>> from vulnerabilities->lookup-proc.
>>
>> * tests/cve.scm: Adapt tests.
>
> Nice!
>
> Please mention the names of tests being changed in the commit log (see
> ‘git log’ for examples).
>
>> -(define (cpe->package-name cpe)
>> +(define (cpe->package cpe)
>
> Or ‘cpe->package-identifier’?
>
> It’s unpleasant that said identifier is an unparsed “vendor:package”
> string. I wonder if we should instead leave ‘%cpe-package-rx’ unchanged
> and return three values: package, version, vendor.
>
> The downside is that it would lead to more changes down the road because
> we’d have to carry the vendor bit along.
>
> Thoughts?

I actually took this route first, then reverted back to editing the
regexp. This was indeed for simplicity (rationale: make a first working
version with minimal changes, then if necessary improve). Yes indeed
doing this makes a lot of changes in the code, although not complex.

I agree with the rest of the changes. I'll try to make a commit on top
of that, possibly this weekend.


--
Best regards,
Nicolas Graves
Nicolas Graves wrote on 7 Nov 21:07 +0100
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 74034@debbugs.gnu.org)
87ed3molil.fsf@ngraves.fr
On 2024-11-07 09:45, Nicolas Graves via Guix-patches via wrote:


>
> I actually took this route first, then reverted back to editing the
> regexp. This was indeed for simplicity (rationale: make a first working
> version with minimal changes, then if necessary improve). Yes indeed
> doing this makes a lot of changes in the code, although not complex.
>
> I agree with the rest of the changes. I'll try to make a commit on top
> of that, possibly this weekend.

Indeed it's quite tedious to dig into nested folds. Maybe we can just
leave a TODO comment inviting a courageous candidate to tackle this in
the future? I feel we should block this by perfectionism if we have a
suitable enough package-identifier. Not that I don't like to dig,
rather than I'll be more at peace tackling this when I have more time.

--
Best regards,
Nicolas Graves
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 01/17] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-1-ngraves@ngraves.fr
* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerability-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
guix/cve.scm | 69 ++++++++++++++++++++++++++++++++-------------------
guix/lint.scm | 10 ++++++--
tests/cve.scm | 14 +++++------
3 files changed, 59 insertions(+), 34 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..f7984be0ad 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
(define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
- (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+ (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way. Return two values: the package name, and its
-version string. Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way. Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
(cond ((regexp-exec %cpe-package-rx cpe)
=>
(lambda (matches)
- (values (match:substring matches 2)
- (match (match:substring matches 3)
+ (values (match:substring matches 1)
+ (match (match:substring matches 2)
("*" '_)
(version
(string-append version
- (match (match:substring matches 4)
+ (match (match:substring matches 3)
("" "")
(patch-level
;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-name cpe)))
+ (let-values (((package version) (cpe->package-identifier cpe)))
(and package
`(,package
,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
(('>= min)
(version>=? version min))))
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+ "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages. When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+ (define (vendor-matches? vendor+name)
+ (if vendor
+ (string-prefix? (string-append vendor ":") vendor+name)
+ (or (null? hidden-vendors)
+ (not (any (cut string-prefix? (string-append <> ":") vendor+name)
+ hidden-vendors)))))
+
+ (match vuln
+ (($ <vulnerability> id packages)
+ (any (match-lambda
+ (((? vendor-matches? vendor+name) . _) #t)
+ (_ #f))
+ packages))))
+
;;;
;;; High-level interface.
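Review bot: the docstring of `vulnerability-matches?` should use the project's imperative style and name the return value, e.g. "Return #t if VENDOR matches at least one of the packages of VULN, a <vulnerability> record; when VENDOR is #f, return #t unless every package's vendor is among HIDDEN-VENDORS", rather than "Checks if a VENDOR matches ..."; it is also worth stating explicitly that HIDDEN-VENDORS is ignored whenever VENDOR is given, which is what the `(if vendor ...)` branch of `vendor-matches?` does.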
@@ -404,28 +422,29 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((name . versions)
- (vhash-cons name (cons vuln versions)
+ ((vendor+name . versions)
+ (vhash-cons (match (string-split vendor+name #\:)
+ ((vendor name) name)
+ ((name) name))
+ (cons vuln versions)
table))))
table
packages))))
vlist-null
vulnerabilities))
- (lambda* (package #:optional version)
- (vhash-fold* (if version
- (lambda (pair result)
- (match pair
- ((vuln sexp)
- (if (version-matches? version sexp)
- (cons vuln result)
- result))))
- (lambda (pair result)
- (match pair
- ((vuln . _)
- (cons vuln result)))))
- '()
- package table)))
+ (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+ (vhash-fold*
+ (lambda (pair result)
+ (match pair
+ ((vuln sexp)
+ (if (and (or (and (not vendor) (null? hidden-vendors))
+ (vulnerability-matches? vuln vendor hidden-vendors))
+ (or (not version) (version-matches? version sexp)))
+ (cons vuln result)
+ result))))
+ '()
+ package table)))
;;; cve.scm ends here
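Review bot: in the new lookup lambda the first disjunct `(and (not vendor) (null? hidden-vendors))` is redundant: with VENDOR #f and HIDDEN-VENDORS empty, `vendor-matches?` returns #t for every entry via `(null? hidden-vendors)`, so `vulnerability-matches?` already returns #t for any vulnerability with at least one package, and every vulnerability reachable through TABLE has one. The condition can be reduced to `(and (vulnerability-matches? vuln vendor hidden-vendors) (or (not version) (version-matches? version sexp)))`, which also reads closer to Ludovic's `(or (not x) y)` remark.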
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
(package-name package)))
(version (or (assoc-ref (package-properties package)
'cpe-version)
- (package-version package))))
- ((force lookup) name version)))))
+ (package-version package)))
+ (vendor (assoc-ref (package-properties package)
+ 'cpe-vendor))
+ (hidden-vendors (assoc-ref (package-properties package)
+ 'lint-hidden-cpe-vendors)))
+ ((force lookup) name version
+ #:vendor vendor
+ #:hidden-vendors hidden-vendors)))))
;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
(set! package-vulnerabilities package-vulnerabilities)
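Review bot: `hidden-vendors` is bound to `(assoc-ref (package-properties package) 'lint-hidden-cpe-vendors)`, which is #f for every package without that property, and that #f is then passed as `#:hidden-vendors`, overriding the `'()` default of the lookup procedure in guix/cve.scm; inside `vendor-matches?` `(null? #f)` is false, so `any` is applied to #f and raises a type error for any package that sets neither `cpe-vendor` nor `lint-hidden-cpe-vendors`. Bind it as `(or (assoc-ref (package-properties package) 'lint-hidden-cpe-vendors) '())` so the argument is always a list, as requested in review.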
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..6567d73c69 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
(vulnerability "CVE-2019-0005"
- '(("junos" (or "18.11" "18.1"))))
+ '(("juniper:junos" (or "18.11" "18.1"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("ghostscript" (< "9.28"))))
+ '(("artifex:ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nix" (<= "2.3"))))
+ '(("nixos:nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gdb" _))) ;any version
+ '(("gnu:gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("binutils" (and (>= "2.21") (<= "2.31.1")))
- ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 03/17] gnu: halibut: Add cpe-vendor property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-3-ngraves@ngraves.fr
* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
gnu/packages/documentation.scm | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
(home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
(synopsis "Documentation production system for software manuals")
(description
- "Halibut is a text formatting system designed primarily for writing software
-documentation. It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF. It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible. It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+ "Halibut is a text formatting system designed primarily for writing
+software documentation. It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible. It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+ (properties `((cpe-vendor . "halibut_project")))
(license license:expat)))
(define-public doc++
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 02/17] cve: Separate vendor and string.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-2-ngraves@ngraves.fr
---
guix/cve.scm | 111 +++++++++++++++++++++++++-------------------------
tests/cve.scm | 14 +++----
2 files changed, 63 insertions(+), 62 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index f7984be0ad..4f410ccc5e 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
#:use-module (web uri)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
- #:use-module (srfi srfi-11)
#:use-module (srfi srfi-19)
#:use-module (srfi srfi-26)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
+ #:use-module (srfi srfi-71)
#:use-module (ice-9 match)
#:use-module (ice-9 regex)
#:use-module (ice-9 vlist)
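Review bot: the commit message carries no ChangeLog entries at all (the body is just `---`), while this change touches `%cpe-package-rx`, `cpe->package-identifier`, `cpe-match->cve-configuration`, `vulnerability-matches?`, `cve-configuration->package-list`, `merge-package-lists` and `%expected-vulnerabilities` in tests/cve.scm; each needs its entry. Since the patch also reverts the regexp change of 01/17 and replaces the `vendor:name` identifier introduced there with separate values, squashing it into 01/17 would avoid landing an intermediate representation. The srfi-11 to srfi-71 swap in this hunk is consistent with the multi-value `let` used below in place of `let-values`.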
@@ -106,7 +106,7 @@ (define (reference-data->cve-references alist)
(define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
- (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
+ (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
(define (cpe->package-identifier cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
@@ -117,18 +117,19 @@ (define (cpe->package-identifier cpe)
=>
(lambda (matches)
(values (match:substring matches 1)
- (match (match:substring matches 2)
+ (match:substring matches 2)
+ (match (match:substring matches 3)
("*" '_)
(version
(string-append version
- (match (match:substring matches 3)
+ (match (match:substring matches 4)
("" "")
(patch-level
;; Drop the colon from things like
;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
(string-drop patch-level 1)))))))))
(else
- (values #f #f))))
+ (values #f #f #f))))
(define (cpe-match->cve-configuration alist)
"Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
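Review bot: `cpe->package-identifier` now returns three values (vendor, package name, version, as the `values` call and the `(values #f #f #f)` fallback show), but its docstring, last touched in 01/17, still says "Return two values: the package identifier (composed from the CPE vendor and the package name), and its version string. Return #f and #f ..."; update it to describe the three values, and consider restoring a name such as `cpe->package` since the procedure no longer builds a combined identifier.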
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-identifier cpe)))
+ (let ((vendor package version (cpe->package-identifier cpe)))
(and package
- `(,package
- ,(cond ((and (or starti starte) (or endi ende))
- `(and ,(if starti `(>= ,starti) `(> ,starte))
- ,(if endi `(<= ,endi) `(< ,ende))))
- (starti `(>= ,starti))
- (starte `(> ,starte))
- (endi `(<= ,endi))
- (ende `(< ,ende))
- (else version))))))))
+ `(,vendor
+ ,package
+ ,(cond ((and (or starti starte) (or endi ende))
+ `(and ,(if starti `(>= ,starti) `(> ,starte))
+ ,(if endi `(<= ,endi) `(< ,ende))))
+ (starti `(>= ,starti))
+ (starte `(> ,starte))
+ (endi `(<= ,endi))
+ (ende `(< ,ende))
+ (else version))))))))
(define (configuration-data->cve-configurations alist)
"Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
"Checks if a VENDOR matches at least one of <vulnerability> VULN
packages. When VENDOR is #f, ignore packages that have a vendor among
HIDDEN-VENDORS."
- (define (vendor-matches? vendor+name)
- (if vendor
- (string-prefix? (string-append vendor ":") vendor+name)
- (or (null? hidden-vendors)
- (not (any (cut string-prefix? (string-append <> ":") vendor+name)
- hidden-vendors)))))
-
(match vuln
(($ <vulnerability> id packages)
(any (match-lambda
- (((? vendor-matches? vendor+name) . _) #t)
- (_ #f))
+ (((? (cut string=? <> vendor)) _) #t)
+ (((? (cut member <> hidden-vendors)) _) #t)
+ (_ #f))
packages))))
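Review bot: the new `match-lambda` in `vulnerability-matches?` cannot work as written. First, each package entry is now a three-element list `(vendor name versions)` (see the `((vendor name versions) ...)` pattern in the table-building hunk below), yet both new clauses match a two-element list `((? ...) _)`, so they never match and `any` always returns #f. Second, `(cut string=? <> vendor)` is applied even when VENDOR is #f, which `string=?` rejects with a type error. Third, the clause `(((? (cut member <> hidden-vendors)) _) #t)` returns #t when the vendor is among HIDDEN-VENDORS, which inverts the docstring ("ignore packages that have a vendor among HIDDEN-VENDORS"). Suggest `(((? (lambda (v) (if vendor (string=? v vendor) (not (member v hidden-vendors))))) _ _) #t)` with `(_ #f)` as the fallback.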
@@ -290,39 +286,47 @@ (define sexp->vulnerability
(vulnerability id packages))))
(define (cve-configuration->package-list config)
- "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+ "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
(let loop ((config config)
- (packages '()))
+ (vendor+package-list '()))
(match config
(('or configs ...)
- (fold loop packages configs))
- (('and config _ ...) ;XXX
- (loop config packages))
- (((? string? package) '_) ;any version
- (cons `(,package _)
- (alist-delete package packages)))
- (((? string? package) sexp)
- (let ((previous (assoc-ref packages package)))
- (if previous
- (cons `(,package (or ,sexp ,@previous))
- (alist-delete package packages))
- (cons `(,package ,sexp) packages)))))))
+ (fold loop vendor+package-list configs))
+ (('and config _ ...) ;XXX
+ (loop config vendor+package-list))
+ (((? string? vendor) (? string? package) sexp)
+ (let ((filtered-list (filter (match-lambda
+ ((vendor package _) #f)
+ (otherwise otherwise))
+ vendor+package-list)))
+ (match sexp
+ ('_ ;any version
+ (cons `(,vendor ,package _) filtered-list))
+ (_
+ (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
+ ((previous)
+ (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
+ (_
+ (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))
(define (merge-package-lists lst)
- "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+ "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
(fold (lambda (plist result) ;XXX: quadratic
(fold (match-lambda*
- (((package version) result)
- (match (assoc-ref result package)
- (#f
- (cons `(,package ,version) result))
- ((previous)
- (cons `(,package (or ,version ,previous))
- (alist-delete package result))))))
+ (((vendor package version) result)
+ (match (assoc-ref result vendor)
+ (((? (cut string=? package <>)) previous)
+ (cons `(,vendor ,package (or ,version ,previous))
+ (filter (match-lambda
+ ((vendor package _) #f)
+ (otherwise otherwise))
+ result)))
+ (_
+ (cons `(,vendor ,package ,version) result)))))
result
plist))
'()
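Review bot: the `filter` predicates in both `cve-configuration->package-list` and `merge-package-lists` use the pattern `((vendor package _) #f)`, but inside `match-lambda` `vendor` and `package` are fresh pattern variables, not references to the enclosing bindings, so the clause matches every three-element entry and the filter drops the whole list rather than only the entry for this vendor/package pair; use `(((? (cut string=? vendor <>)) (? (cut string=? package <>)) _) #f)` instead. Two more points in the same hunk: `(assoc-ref (assoc-ref vendor+package-list vendor) package)` applies `assoc-ref` to a `(package sexp)` list rather than an alist, so it does not look up the previous constraint as intended, and in `merge-package-lists` `(assoc-ref result vendor)` only inspects the first entry for that vendor, so a second package under the same vendor is never merged with an earlier constraint. A helper that finds the entry for a given vendor and package (e.g. with `find`) would serve both procedures.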
@@ -422,11 +426,8 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((vendor+name . versions)
- (vhash-cons (match (string-split vendor+name #\:)
- ((vendor name) name)
- ((name) name))
- (cons vuln versions)
+ ((vendor name versions)
+ (vhash-cons name (cons vuln `(,versions))
table))))
table
packages))))
diff --git a/tests/cve.scm b/tests/cve.scm
index 6567d73c69..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
(vulnerability "CVE-2019-0005"
- '(("juniper:junos" (or "18.11" "18.1"))))
+ '(("juniper" "junos" (or "18.1" "18.11"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("artifex:ghostscript" (< "9.28"))))
+ '(("artifex" "ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nixos:nix" (<= "2.3"))))
+ '(("nixos" "nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gnu:gdb" _))) ;any version
+ '(("gnu" "gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
- ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 04/17] gnu: portfolio: Update to 1.0.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-4-ngraves@ngraves.fr
* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/gnome-xyz.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
(define-public portfolio
(package
(name "portfolio")
- (version "1.0.0")
+ (version "1.0.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
(file-name (git-file-name name version))
(sha256
(base32
- "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+ "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
(arguments
(list #:glib-or-gtk? #t
#:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
"Portfolio is a minimalist file manager for those who want to use Linux
mobile devices. Tap to activate and long press to select, to browse, open,
copy, move, delete, or edit your files.")
+ (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
(license license:gpl3+)))
(define-public gnome-shell-extension-unite-shell
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 05/17] gnu: folders: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-5-ngraves@ngraves.fr
* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/esolangs.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
(description "Folders is a programming language, in which programs
are encoded as (nested) directories. Note that the switches you pass to
@command{du} may affect your score when code golfing.")
+ (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
(license license:expat)))
(define-public shakespeare-spl
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 06/17] gnu: spectra: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-6-ngraves@ngraves.fr
* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/algebra.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
built on top of Eigen. It is implemented as a header-only C++ library and can
be easily embedded in C++ projects that require calculating eigenvalues of
large matrices.")
+ (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
(license license:mpl2.0)))
(define-public gappa
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 07/17] gnu: express: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-7-ngraves@ngraves.fr
* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/bioinformatics.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 35ff96ce42..34b58a5511 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7047,6 +7047,7 @@ (define-public express
transcript-level RNA-Seq quantification, allele-specific/haplotype expression
analysis (from RNA-Seq), transcription factor binding quantification in
ChIP-Seq, and analysis of metagenomic data.")
+ (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
(license license:artistic2.0)))
(define-public express-beta-diversity
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 08/17] gnu: cli: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-8-ngraves@ngraves.fr
* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index f8e8557ef1..bb6872d7e3 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2327,6 +2327,7 @@ (define-public cli
options that your program supports, their types, default values, and
documentation.")
(home-page "https://codesynthesis.com/projects/cli/")
+ (properties `((lint-hidden-cpe-vendors . ("snyk"))))
(license license:expat)))
(define-public xsd
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 09/17] gnu: h2c: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-9-ngraves@ngraves.fr
* gnu/packages/curl.scm (h2c)[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/curl.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..2b4b7ebdd8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,7 @@ (define-public h2c
(description
"Provided a set of HTTP request headers, h2c outputs how to invoke
curl to obtain exactly that HTTP request.")
+ (properties `((lint-hidden-cpe-vendors . ("golang"))))
(license license:expat)))
(define-public coeurl
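Review bot: the changelog entry above reads (h2c)[property] while the hunk adds the 'properties' field; it should say [properties] like the other commits in the series so the ChangeLog line names the field that was actually touched.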
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 10/17] gnu: xenon: Update to 0.9.3.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-10-ngraves@ngraves.fr
* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/code.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 04ca4dfd6b..5ed2126225 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1054,14 +1054,14 @@ (define-public cscope
(define-public xenon
(package
(name "xenon")
- (version "0.9.0")
+ (version "0.9.3")
(source
(origin
(method url-fetch)
(uri (pypi-uri "xenon" version))
(sha256
(base32
- "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+ "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
(build-system python-build-system)
(arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
(inputs (list python-pyyaml python-radon python-requests))
@@ -1073,6 +1073,7 @@ (define-public xenon
line options, various thresholds can be set for the complexity of code. It
will fail (i.e., it will exit with a non-zero exit code) when any of these
requirements is not met.")
+ (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
(license license:expat)))
(define-public python-xenon
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 11/17] gnu: bolt: Update to 0.9.8.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-11-ngraves@ngraves.fr
* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/linux.scm | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 992790188a..6b79efa91f 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
(define-public bolt
(package
(name "bolt")
- (version "0.9.5")
+ (version "0.9.8")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
(file-name (git-file-name name version))
(sha256
(base32
- "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+ "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
(build-system meson-build-system)
(arguments
(list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
(add-after 'unpack 'replace-directories
(lambda* (#:key outputs #:allow-other-keys)
(substitute* "meson.build"
- (("udev.get_pkgconfig_variable..udevdir..")
- (string-append "'"
- #$output "/lib/udev'")))
- (substitute* "scripts/meson-install.sh"
- (("mkdir.*")
- ""))))
+ (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+ (string-append "'" #$output "/lib/udev'"))
+ ;; Don't install in /var
+ (("not systemd\\.found\\(\\)")
+ "false"))))
(add-before 'install 'no-polkit-magic
(lambda* (#:key outputs #:allow-other-keys)
(setenv "PKEXEC_UID" "something"))))))
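Review bot: 'replace-directories' still declares (#:key outputs #:allow-other-keys) although its body now only uses #$output, so 'outputs' is dead and the #:key clause can go (the same holds for 'no-polkit-magic' in the unchanged context). The ";; Don't install in /var" comment would also help more if it said that forcing "not systemd.found()" to false replaces the old meson-install.sh mkdir substitution, since that is the change a reader of this hunk will be trying to understand.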
@@ -3411,6 +3410,7 @@ (define-public bolt
@command{boltd}. It can list devices, monitor changes, and initiate
authorization of devices.")
(home-page "https://gitlab.freedesktop.org/bolt/bolt")
+ (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
(license license:gpl2+)))
(define-public jitterentropy-rngd
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 12/17] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-12-ngraves@ngraves.fr
* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/networking.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 6e3a355bd4..2bdf011f34 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
(description "Bandwidth Monitor NG is a small and simple console based
live network and disk I/O bandwidth monitor.")
(home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+ (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
(license license:gpl2)))
(define-public aircrack-ng
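Review bot: "bwm-ng_project" follows the NVD convention of naming a vendor after the project itself, so please confirm that the CPE entries filed under that vendor describe a different product than this package before hiding it; otherwise genuine advisories for bwm-ng would be silenced by the lint. The same check applies to "got_project" and "immer_project" later in the series, and a one-line comment next to each hidden vendor saying which unrelated product it refers to would make these exclusions auditable.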
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 13/17] gnu: onedrive: Update to 2.5.2.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-13-ngraves@ngraves.fr
* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
gnu/packages/sync.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
(define-public onedrive
(package
(name "onedrive")
- (version "2.4.25")
+ (version "2.5.2")
(source
(origin
(method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+ (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
(build-system gnu-build-system)
(arguments
(list
@@ -420,6 +420,7 @@ (define-public onedrive
Business, OneDrive for Office365 and SharePoint and fully supports Azure
National Cloud Deployments. It supports one-way and two-way sync capabilities
and securely connects to Microsoft OneDrive services.")
+ (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
(license license:gpl3)))
(define-public lsyncd
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 14/17] gnu: got: Update to 0.104.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-14-ngraves@ngraves.fr
* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
gnu/packages/version-control.scm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index a15f274c37..f323766579 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
(define-public got
(package
(name "got")
- (version "0.103")
+ (version "0.104")
(source (origin
(method url-fetch)
(uri
@@ -984,7 +984,7 @@ (define-public got
version ".tar.gz"))
(sha256
(base32
- "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+ "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
(inputs
(list libevent
`(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
"Game of Trees (Got) is a version control system which prioritizes ease of use
and simplicity over flexibility.")
(license license:isc)
- (home-page "https://gameoftrees.org/")))
+ (home-page "https://gameoftrees.org/")
+ (properties
+ ;; Can lint for updates, but not update in place.
+ '((release-monitoring-url . "https://gameoftrees.org/releases/")
+ (lint-hidden-cpe-vendors . ("got_project"))))))
(define-public xdiff
(let ((revision "0")
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 15/17] gnu: dex: Update to 0.10.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-15-ngraves@ngraves.fr
* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/xdisorg.scm | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
(define-public dex
(package
(name "dex")
- (version "0.9.0")
+ (version "0.10.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
(commit (string-append "v" version))))
(sha256
(base32
- "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+ "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(arguments
- `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure))
- #:tests? #f))
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output))
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))
+ #:tests? #f)) ; No tests.
(inputs
(list python))
(native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
(description
"@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
and execute @file{.desktop} files of the Application type.")
+ (properties
+ '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
(license license:gpl3+)))
(define-public sx
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 16/17] gnu: immer: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-16-ngraves@ngraves.fr
* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index bb6872d7e3..5c686db532 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
(synopsis "Immutable data structures")
(description "Immer is a library of persistent and immutable data structures
written in C++.")
+ (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
(license license:boost1.0)))
(define-public zug
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:02 +0100
[PATCH v3 17/17] gnu: cvs: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241108180330.18126-17-ngraves@ngraves.fr
* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/version-control.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index f323766579..505be48d17 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
Configuration Management (SCM). Using it, you can record the history of
sources files, and documents. It fills a similar role to the free software
RCS, PRCS, and Aegis packages.")
+ (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
(license license:gpl1+)))
(define-public cvs-fast-export
--
2.46.0
Nicolas Graves wrote on 8 Nov 19:13 +0100
[Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 74034@debbugs.gnu.org)
87wmhd4mrk.fsf@ngraves.fr
This commit has currently no proper commit message, but it's because it
should probably be squashed if we want to go this way.

In the end, I've done it, quite tedious (for me at least!) but done.
I'm not super sure however that it's clearer (vulnerability-matches?
definitely is, but the whole, I doubt that). Just pick your preference
I guess!

Nicolas

-------------------- Start of forwarded message --------------------
From: Nicolas Graves <ngraves@ngraves.fr>
To: 74034@debbugs.gnu.org
Cc: Nicolas Graves <ngraves@ngraves.fr>
Subject: [PATCH v3 02/17] cve: Separate vendor and string.
Date: Fri, 8 Nov 2024 19:02:25 +0100

---
guix/cve.scm | 111 +++++++++++++++++++++++++-------------------------
tests/cve.scm | 14 +++----
2 files changed, 63 insertions(+), 62 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index f7984be0ad..4f410ccc5e 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
#:use-module (web uri)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
- #:use-module (srfi srfi-11)
#:use-module (srfi srfi-19)
#:use-module (srfi srfi-26)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
+ #:use-module (srfi srfi-71)
#:use-module (ice-9 match)
#:use-module (ice-9 regex)
#:use-module (ice-9 vlist)
@@ -106,7 +106,7 @@ (define (reference-data->cve-references alist)
(define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
- (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
+ (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
(define (cpe->package-identifier cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
@@ -117,18 +117,19 @@ (define (cpe->package-identifier cpe)
=>
(lambda (matches)
(values (match:substring matches 1)
- (match (match:substring matches 2)
+ (match:substring matches 2)
+ (match (match:substring matches 3)
("*" '_)
(version
(string-append version
- (match (match:substring matches 3)
+ (match (match:substring matches 4)
("" "")
(patch-level
;; Drop the colon from things like
;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
(string-drop patch-level 1)))))))))
(else
- (values #f #f))))
+ (values #f #f #f))))
(define (cpe-match->cve-configuration alist)
"Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-identifier cpe)))
+ (let ((vendor package version (cpe->package-identifier cpe)))
(and package
- `(,package
- ,(cond ((and (or starti starte) (or endi ende))
- `(and ,(if starti `(>= ,starti) `(> ,starte))
- ,(if endi `(<= ,endi) `(< ,ende))))
- (starti `(>= ,starti))
- (starte `(> ,starte))
- (endi `(<= ,endi))
- (ende `(< ,ende))
- (else version))))))))
+ `(,vendor
+ ,package
+ ,(cond ((and (or starti starte) (or endi ende))
+ `(and ,(if starti `(>= ,starti) `(> ,starte))
+ ,(if endi `(<= ,endi) `(< ,ende))))
+ (starti `(>= ,starti))
+ (starte `(> ,starte))
+ (endi `(<= ,endi))
+ (ende `(< ,ende))
+ (else version))))))))
(define (configuration-data->cve-configurations alist)
"Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
"Checks if a VENDOR matches at least one of <vulnerability> VULN
packages. When VENDOR is #f, ignore packages that have a vendor among
HIDDEN-VENDORS."
- (define (vendor-matches? vendor+name)
- (if vendor
- (string-prefix? (string-append vendor ":") vendor+name)
- (or (null? hidden-vendors)
- (not (any (cut string-prefix? (string-append <> ":") vendor+name)
- hidden-vendors)))))
-
(match vuln
(($ <vulnerability> id packages)
(any (match-lambda
- (((? vendor-matches? vendor+name) . _) #t)
- (_ #f))
+ (((? (cut string=? <> vendor)) _) #t)
+ (((? (cut member <> hidden-vendors)) _) #t)
+ (_ #f))
packages))))
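Review bot: (cut string=? <> vendor) raises a wrong-type error as soon as VENDOR is #f, which the docstring explicitly allows ("When VENDOR is #f, ignore packages..."); guard it with (and vendor (string=? ...)) or dispatch on VENDOR before entering the match. The second clause then returns #t for a vendor found in HIDDEN-VENDORS, which is the opposite of what the docstring describes, and no clause covers the "VENDOR is #f and the vendor is not hidden" case, so with VENDOR #f nothing could ever match even if the first clause did not raise.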
@@ -290,39 +286,47 @@ (define sexp->vulnerability
(vulnerability id packages))))
(define (cve-configuration->package-list config)
- "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+ "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
(let loop ((config config)
- (packages '()))
+ (vendor+package-list '()))
(match config
(('or configs ...)
- (fold loop packages configs))
- (('and config _ ...) ;XXX
- (loop config packages))
- (((? string? package) '_) ;any version
- (cons `(,package _)
- (alist-delete package packages)))
- (((? string? package) sexp)
- (let ((previous (assoc-ref packages package)))
- (if previous
- (cons `(,package (or ,sexp ,@previous))
- (alist-delete package packages))
- (cons `(,package ,sexp) packages)))))))
+ (fold loop vendor+package-list configs))
+ (('and config _ ...) ;XXX
+ (loop config vendor+package-list))
+ (((? string? vendor) (? string? package) sexp)
+ (let ((filtered-list (filter (match-lambda
+ ((vendor package _) #f)
+ (otherwise otherwise))
+ vendor+package-list)))
+ (match sexp
+ ('_ ;any version
+ (cons `(,vendor ,package _) filtered-list))
+ (_
+ (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
+ ((previous)
+ (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
+ (_
+ (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))
(define (merge-package-lists lst)
- "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+ "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
(fold (lambda (plist result) ;XXX: quadratic
(fold (match-lambda*
- (((package version) result)
- (match (assoc-ref result package)
- (#f
- (cons `(,package ,version) result))
- ((previous)
- (cons `(,package (or ,version ,previous))
- (alist-delete package result))))))
+ (((vendor package version) result)
+ (match (assoc-ref result vendor)
+ (((? (cut string=? package <>)) previous)
+ (cons `(,vendor ,package (or ,version ,previous))
+ (filter (match-lambda
+ ((vendor package _) #f)
+ (otherwise otherwise))
+ result)))
+ (_
+ (cons `(,vendor ,package ,version) result)))))
result
plist))
'()
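Review bot: in both 'filter' match-lambdas the pattern (vendor package _) binds fresh 'vendor' and 'package' variables instead of comparing with the enclosing ones (ice-9 match treats bare symbols as pattern variables), so every three-element entry matches and 'filtered-list' is always empty; compare with (? (cut string=? vendor <>)) and (? (cut string=? package <>)), as merge-package-lists already does for 'package'. The lookup (assoc-ref (assoc-ref vendor+package-list vendor) package) cannot work either: the inner assoc-ref is applied to a (PACKAGE SEXP) list rather than an alist, so it never finds PACKAGE and the ((previous) ...) branch is unreachable, leaving repeated vendor/package pairs accumulated unmerged.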
@@ -422,11 +426,8 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((vendor+name . versions)
- (vhash-cons (match (string-split vendor+name #\:)
- ((vendor name) name)
- ((name) name))
- (cons vuln versions)
+ ((vendor name versions)
+ (vhash-cons name (cons vuln `(,versions))
table))))
table
packages))))
diff --git a/tests/cve.scm b/tests/cve.scm
index 6567d73c69..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
(vulnerability "CVE-2019-0005"
- '(("juniper:junos" (or "18.11" "18.1"))))
+ '(("juniper" "junos" (or "18.1" "18.11"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("artifex:ghostscript" (< "9.28"))))
+ '(("artifex" "ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nixos:nix" (<= "2.3"))))
+ '(("nixos" "nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gnu:gdb" _))) ;any version
+ '(("gnu" "gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
- ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
--
2.46.0

-------------------- End of forwarded message --------------------

--
Best regards,
Nicolas Graves
Maxim Cournoyer wrote on 13 Nov 03:53 +0100
(name . Nicolas Graves)(address . ngraves@ngraves.fr)
878qtn26as.fsf@gmail.com
Hi Nicolas,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This commit has currently no proper commit message, but it's because it
> should probably be squashed if we want to go this way.
>
> In the end, I've done it, quite tedious (for me at least!) but done.
> I'm not super sure however that it's clearer (vulnerability-matches?
> definitely is, but the whole, I doubt that). Just pick your preference
> I guess!

I think this one looks nicer without the parsing of colons every time we
need to extract the vendor/package name, thanks for having taken the
time to adjust it based on Ludovic's feedback.

[...]

> (define (configuration-data->cve-configurations alist)
> "Given ALIST, a JSON dictionary for the baroque \"configurations\"
> @@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
> "Checks if a VENDOR matches at least one of <vulnerability> VULN
> packages. When VENDOR is #f, ignore packages that have a vendor among
> HIDDEN-VENDORS."
> - (define (vendor-matches? vendor+name)
> - (if vendor
> - (string-prefix? (string-append vendor ":") vendor+name)
> - (or (null? hidden-vendors)
> - (not (any (cut string-prefix? (string-append <> ":") vendor+name)
> - hidden-vendors)))))
> -
> (match vuln
> (($ <vulnerability> id packages)
> (any (match-lambda
> - (((? vendor-matches? vendor+name) . _) #t)
> - (_ #f))
> + (((? (cut string=? <> vendor)) _) #t)
> + (((? (cut member <> hidden-vendors)) _) #t)

We are comparing <vulnerability> packages to the vendor strings; is this
correct?

At least I'd expect a hidden-vendors match to return #f, since I assume
we do not want to process these further?

> + (_ #f))
> packages))))
>
>
> @@ -290,39 +286,47 @@ (define sexp->vulnerability
> (vulnerability id packages))))
>
> (define (cve-configuration->package-list config)
> - "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
> -where P is a package name and SEXP expresses constraints on the matching
> -versions."
> + "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
> +where V is a CPE vendor, P is a package name and SEXP expresses constraints on
> +the matching versions."
> (let loop ((config config)
> - (packages '()))
> + (vendor+package-list '()))

nitpick: I'm not too fond of using the variable type in its name (here,
'list'). Perhaps just 'results' could do (plural to denote it's a
list).

> (match config
> (('or configs ...)
> - (fold loop packages configs))
> - (('and config _ ...) ;XXX
> - (loop config packages))
> - (((? string? package) '_) ;any version
> - (cons `(,package _)
> - (alist-delete package packages)))
> - (((? string? package) sexp)
> - (let ((previous (assoc-ref packages package)))
> - (if previous
> - (cons `(,package (or ,sexp ,@previous))
> - (alist-delete package packages))
> - (cons `(,package ,sexp) packages)))))))
> + (fold loop vendor+package-list configs))
> + (('and config _ ...) ;XXX
> + (loop config vendor+package-list))
> + (((? string? vendor) (? string? package) sexp)
> + (let ((filtered-list (filter (match-lambda
> + ((vendor package _) #f)

I'd use 'remove' to inverse the negative logic. Assuming
'vendor+package-list' becomes 'results', the let-bound variable could
be named (let ((pruned-results (remove ...))) ...)). Also,
shouldn't the '_' in the match-lambda be quoted to denote it's a literal
underscore character, not a "don't-care" pattern?

> + (otherwise otherwise))
> + vendor+package-list)))
> + (match sexp
> + ('_ ;any version
> + (cons `(,vendor ,package _) filtered-list))
> + (_
> + (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
> + ((previous)
> + (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
> + (_
> + (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))

I find the logic expressed in this procedure a bit hard to follow, but
that's been inherited from the previous code, so OK.

> (define (merge-package-lists lst)
> - "Merge the list in LST, each of which has the form (p sexp), where P
> -is the name of a package and SEXP is an sexp that constrains matching
> -versions."
> + "Merge the list in LST, each of which has the form (V P SEXP), where V is a
> +CPE vendor, P is the name of a package and SEXP is an sexp that constrains
> +matching versions."
> (fold (lambda (plist result) ;XXX: quadratic
> (fold (match-lambda*
> - (((package version) result)
> - (match (assoc-ref result package)
> - (#f
> - (cons `(,package ,version) result))
> - ((previous)
> - (cons `(,package (or ,version ,previous))
> - (alist-delete package result))))))
> + (((vendor package version) result)
> + (match (assoc-ref result vendor)
> + (((? (cut string=? package <>)) previous)
> + (cons `(,vendor ,package (or ,version ,previous))
> + (filter (match-lambda
> + ((vendor package _) #f)
> + (otherwise otherwise))
> + result)))

This should use SRFI 1's 'remove' instead of 'filter'.

The rest looks good to me.

Could you please address my questions/suggestions and squash this into
the previous commit (with the accompanying changelog commit message
adjustment)?

--
Thanks,
Maxim
Nicolas Graves wrote on 13 Nov 09:08 +0100
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
875xor4kut.fsf@ngraves.fr
On 2024-11-13 11:53, Maxim Cournoyer wrote:

> Hi Nicolas,
>
> I think this one looks nicer without the parsing of colons every time we
> need to extract the vendor/package name, thanks for having taken the
> time to adjust it based on Ludovic's feedback.

Ok, will squash both commits then.
>
> [...]
>
>> (define (configuration-data->cve-configurations alist)
>> "Given ALIST, a JSON dictionary for the baroque \"configurations\"
>> @@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
>> "Checks if a VENDOR matches at least one of <vulnerability> VULN
>> packages. When VENDOR is #f, ignore packages that have a vendor among
>> HIDDEN-VENDORS."
>> - (define (vendor-matches? vendor+name)
>> - (if vendor
>> - (string-prefix? (string-append vendor ":") vendor+name)
>> - (or (null? hidden-vendors)
>> - (not (any (cut string-prefix? (string-append <> ":") vendor+name)
>> - hidden-vendors)))))
>> -
>> (match vuln
>> (($ <vulnerability> id packages)
>> (any (match-lambda
>> - (((? vendor-matches? vendor+name) . _) #t)
>> - (_ #f))
>> + (((? (cut string=? <> vendor)) _) #t)
>> + (((? (cut member <> hidden-vendors)) _) #t)
>
> We are comparing <vulnerability> packages to the vendor strings; is this
> correct?

Actually the first sexp element of <vulnerability> packages (hence the
_).
>
> At least I'd expect a hidden-vendors match to return #f, since I assume
> we do not want to process these further?

Indeed it looks like a mistake / forgotten not. Will check the logic.


> The rest looks good to me.
>
> Could you please address my questions/suggestions and squash this into
> the previous commit (with the accompanied changelog commit message
> adjustment) ?

Yep.

--
Best regards,
Nicolas Graves
Nicolas Graves wrote on 13 Nov 11:23 +0100
[PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-1-ngraves@ngraves.fr
* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerability-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
guix/cve.scm | 143 +++++++++++++++++++++++++++++---------------------
guix/lint.scm | 10 +++-
tests/cve.scm | 14 ++---
3 files changed, 99 insertions(+), 68 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..ecf96e0659 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
#:use-module (web uri)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
- #:use-module (srfi srfi-11)
#:use-module (srfi srfi-19)
#:use-module (srfi srfi-26)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
+ #:use-module (srfi srfi-71)
#:use-module (ice-9 match)
#:use-module (ice-9 regex)
#:use-module (ice-9 vlist)
@@ -108,15 +108,16 @@ (define %cpe-package-rx
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
(make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way. Return two values: the package name, and its
-version string. Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way. Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
(cond ((regexp-exec %cpe-package-rx cpe)
=>
(lambda (matches)
- (values (match:substring matches 2)
+ (values (match:substring matches 1)
+ (match:substring matches 2)
(match (match:substring matches 3)
("*" '_)
(version
@@ -128,7 +129,7 @@ (define (cpe->package-name cpe)
;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
(string-drop patch-level 1)))))))))
(else
- (values #f #f))))
+ (values #f #f #f))))
(define (cpe-match->cve-configuration alist)
"Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-name cpe)))
+ (let ((vendor package version (cpe->package-identifier cpe)))
(and package
- `(,package
- ,(cond ((and (or starti starte) (or endi ende))
- `(and ,(if starti `(>= ,starti) `(> ,starte))
- ,(if endi `(<= ,endi) `(< ,ende))))
- (starti `(>= ,starti))
- (starte `(> ,starte))
- (endi `(<= ,endi))
- (ende `(< ,ende))
- (else version))))))))
+ `(,vendor
+ ,package
+ ,(cond ((and (or starti starte) (or endi ende))
+ `(and ,(if starti `(>= ,starti) `(> ,starte))
+ ,(if endi `(<= ,endi) `(< ,ende))))
+ (starti `(>= ,starti))
+ (starte `(> ,starte))
+ (endi `(<= ,endi))
+ (ende `(< ,ende))
+ (else version))))))))
(define (configuration-data->cve-configurations alist)
"Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -228,6 +230,23 @@ (define (version-matches? version sexp)
(('>= min)
(version>=? version min))))
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+ "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages. When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+ (define hidden-vendor?
+ (if (list? hidden-vendors)
+ (cut member <> hidden-vendors)
+ (const #f)))
+
+ (match vuln
+ (($ <vulnerability> id packages)
+ (any (match-lambda
+ ((? (cut string=? <> vendor)) #t)
+ ((? hidden-vendor?) #f)
+ (otherwise (not vendor)))
+ (map car packages))))) ;candidate vendors
+
;;;
;;; High-level interface.
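Review bot: (cut string=? <> vendor) in the first clause raises a wrong-type error when VENDOR is #f, so the (otherwise (not vendor)) fallback written for exactly that case is never reached; write the clause as (? (lambda (v) (and vendor (string=? v vendor)))) or test 'vendor' once before the match. With that fixed, a vulnerability that lists both a hidden vendor and an unrelated one still matches when VENDOR is #f, because 'any' only needs one #t; that is probably intended, but a sentence in the docstring would settle it.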
@@ -272,39 +291,47 @@ (define sexp->vulnerability
(vulnerability id packages))))
(define (cve-configuration->package-list config)
- "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+ "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
(let loop ((config config)
- (packages '()))
+ (results '()))
(match config
(('or configs ...)
- (fold loop packages configs))
- (('and config _ ...) ;XXX
- (loop config packages))
- (((? string? package) '_) ;any version
- (cons `(,package _)
- (alist-delete package packages)))
- (((? string? package) sexp)
- (let ((previous (assoc-ref packages package)))
- (if previous
- (cons `(,package (or ,sexp ,@previous))
- (alist-delete package packages))
- (cons `(,package ,sexp) packages)))))))
+ (fold loop results configs))
+ (('and config _ ...) ;XXX
+ (loop config results))
+ (((? string? vendor) (? string? package) sexp)
+ (let ((pruned-results (remove (match-lambda
+ ((vendor package _) #t)
+ (otherwise #f))
+ results)))
+ (match sexp
+ ('_ ;any version
+ (cons `(,vendor ,package _) pruned-results))
+ (_
+ (match (assoc-ref (assoc-ref results vendor) package)
+ ((previous)
+ (cons `(,vendor ,package (or ,sexp ,previous)) pruned-results))
+ (_
+ (cons `(,vendor ,package ,sexp) results))))))))))
(define (merge-package-lists lst)
- "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+ "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
(fold (lambda (plist result) ;XXX: quadratic
(fold (match-lambda*
- (((package version) result)
- (match (assoc-ref result package)
- (#f
- (cons `(,package ,version) result))
- ((previous)
- (cons `(,package (or ,version ,previous))
- (alist-delete package result))))))
+ (((vendor package version) result)
+ (match (assoc-ref result vendor)
+ (((? (cut string=? package <>)) previous)
+ (cons `(,vendor ,package (or ,version ,previous))
+ (remove (match-lambda
+ ((vendor package _) #t)
+ (otherwise #f))
+ result)))
+ (_
+ (cons `(,vendor ,package ,version) result)))))
result
plist))
'()
@@ -404,28 +431,26 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((name . versions)
- (vhash-cons name (cons vuln versions)
+ ((vendor name versions)
+ (vhash-cons name (cons vuln `(,versions))
table))))
table
packages))))
vlist-null
vulnerabilities))
- (lambda* (package #:optional version)
- (vhash-fold* (if version
- (lambda (pair result)
- (match pair
- ((vuln sexp)
- (if (version-matches? version sexp)
- (cons vuln result)
- result))))
- (lambda (pair result)
- (match pair
- ((vuln . _)
- (cons vuln result)))))
- '()
- package table)))
+ (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+ (vhash-fold*
+ (lambda (pair result)
+ (match pair
+ ((vuln sexp)
+ (if (and (or (and (not vendor) (null? hidden-vendors))
+ (vulnerability-matches? vuln vendor hidden-vendors))
+ (or (not version) (version-matches? version sexp)))
+ (cons vuln result)
+ result))))
+ '()
+ package table)))
;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
(package-name package)))
(version (or (assoc-ref (package-properties package)
'cpe-version)
- (package-version package))))
- ((force lookup) name version)))))
+ (package-version package)))
+ (vendor (assoc-ref (package-properties package)
+ 'cpe-vendor))
+ (hidden-vendors (assoc-ref (package-properties package)
+ 'lint-hidden-cpe-vendors)))
+ ((force lookup) name version
+ #:vendor vendor
+ #:hidden-vendors hidden-vendors)))))
;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
(set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
(vulnerability "CVE-2019-0005"
- '(("junos" (or "18.11" "18.1"))))
+ '(("juniper" "junos" (or "18.1" "18.11"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("ghostscript" (< "9.28"))))
+ '(("artifex" "ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nix" (<= "2.3"))))
+ '(("nixos" "nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gdb" _))) ;any version
+ '(("gnu" "gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("binutils" (and (>= "2.21") (<= "2.31.1")))
- ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
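Review bot: The expected `or` nesting is reversed relative to the old expectations (`(or "18.2" (or "18.21-s3" "18.21-s4"))` where it used to be `(or "18.21-s4" (or "18.21-s3" "18.2"))`), so the merge order of version constraints changed; that is a behavioural change that deserves a line in the commit message. Every fixture vulnerability here also has a single vendor, so nothing in this file exercises the new logic: add a test calling the procedure returned by vulnerabilities->lookup-proc with `#:vendor` set to a matching and to a non-matching vendor, one with `#:hidden-vendors`, and a fixture in which the same vendor/package pair appears in two configurations so that the merge path is covered.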
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:23 +0100
[PATCH v4 03/16] gnu: portfolio: Update to 1.0.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-3-ngraves@ngraves.fr
* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/gnome-xyz.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
(define-public portfolio
(package
(name "portfolio")
- (version "1.0.0")
+ (version "1.0.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
(file-name (git-file-name name version))
(sha256
(base32
- "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+ "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
(arguments
(list #:glib-or-gtk? #t
#:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
"Portfolio is a minimalist file manager for those who want to use Linux
mobile devices. Tap to activate and long press to select, to browse, open,
copy, move, delete, or edit your files.")
+ (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
(license license:gpl3+)))
(define-public gnome-shell-extension-unite-shell
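Review bot: The properties alist is quasiquoted but contains no unquote, so `'((lint-hidden-cpe-vendors . ("radiustheme")))` is enough; later patches in this series (bwm-ng, onedrive, immer, cvs) already use a plain quote, so it would be good to settle on one form across the series.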
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:23 +0100
[PATCH v4 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-5-ngraves@ngraves.fr
* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/algebra.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
built on top of Eigen. It is implemented as a header-only C++ library and can
be easily embedded in C++ projects that require calculating eigenvalues of
large matrices.")
+ (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
(license license:mpl2.0)))
(define-public gappa
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:23 +0100
[PATCH v4 06/16] gnu: express: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-6-ngraves@ngraves.fr
* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/bioinformatics.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 599d22c51e..4174364a08 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7265,6 +7265,7 @@ (define-public express
transcript-level RNA-Seq quantification, allele-specific/haplotype expression
analysis (from RNA-Seq), transcription factor binding quantification in
ChIP-Seq, and analysis of metagenomic data.")
+ (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
(license license:artistic2.0)))
(define-public express-beta-diversity
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:23 +0100
[PATCH v4 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-8-ngraves@ngraves.fr
* gnu/packages/curl.scm (h2c)[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/curl.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 96f993d99a..d238479769 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -377,6 +377,7 @@ (define-public h2c
(description
"Provided a set of HTTP request headers, h2c outputs how to invoke
curl to obtain exactly that HTTP request.")
+ (properties `((lint-hidden-cpe-vendors . ("golang"))))
(license license:expat)))
(define-public coeurl
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:24 +0100
[PATCH v4 10/16] gnu: bolt: Update to 0.9.8.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-10-ngraves@ngraves.fr
* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/linux.scm | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index a2a0359055..9c2cfa7ddf 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3333,7 +3333,7 @@ (define-public iptables-nft
(define-public bolt
(package
(name "bolt")
- (version "0.9.5")
+ (version "0.9.8")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3342,7 +3342,7 @@ (define-public bolt
(file-name (git-file-name name version))
(sha256
(base32
- "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+ "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
(build-system meson-build-system)
(arguments
(list #:configure-flags '(list "--localstatedir=/var")
@@ -3351,12 +3351,11 @@ (define-public bolt
(add-after 'unpack 'replace-directories
(lambda* (#:key outputs #:allow-other-keys)
(substitute* "meson.build"
- (("udev.get_pkgconfig_variable..udevdir..")
- (string-append "'"
- #$output "/lib/udev'")))
- (substitute* "scripts/meson-install.sh"
- (("mkdir.*")
- ""))))
+ (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+ (string-append "'" #$output "/lib/udev'"))
+ ;; Don't install in /var
+ (("not systemd\\.found\\(\\)")
+ "false"))))
(add-before 'install 'no-polkit-magic
(lambda* (#:key outputs #:allow-other-keys)
(setenv "PKEXEC_UID" "something"))))))
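Review bot: The substitution over `scripts/meson-install.sh` is dropped without a word in the commit message; please confirm that the script no longer creates directories under /var in 0.9.8 and say so in the phase. The new `(("not systemd\\.found\\(\\)") "false")` edit appears to take over that role, judging by the ';; Don't install in /var' comment, but a reader of the phase cannot tell why a systemd check is being forced to false; spelling out which meson.build block that condition guards would make the phase maintainable at the next update.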
@@ -3378,6 +3377,7 @@ (define-public bolt
@command{boltd}. It can list devices, monitor changes, and initiate
authorization of devices.")
(home-page "https://gitlab.freedesktop.org/bolt/bolt")
+ (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
(license license:gpl2+)))
(define-public jitterentropy-rngd
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:24 +0100
[PATCH v4 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-11-ngraves@ngraves.fr
* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/networking.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index f0f0619161..8115c989aa 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
(description "Bandwidth Monitor NG is a small and simple console based
live network and disk I/O bandwidth monitor.")
(home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+ (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
(license license:gpl2)))
(define-public aircrack-ng
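Review bot: `bwm-ng_project` is the vendor one would expect for this very package (compare `halibut_project`, which a later patch in this series sets as halibut's cpe-vendor), so hiding it suppresses every current and future CVE filed against bwm-ng itself, not just against a namesake. If the intent is to silence specific entries that are fixed or do not apply, the per-CVE `lint-hidden-cve` property the series title refers to is the safer tool; if the vendor really belongs to an unrelated project, a short comment saying so would help the next maintainer.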
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:24 +0100
[PATCH v4 12/16] gnu: onedrive: Update to 2.5.2.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-12-ngraves@ngraves.fr
* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
gnu/packages/sync.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
(define-public onedrive
(package
(name "onedrive")
- (version "2.4.25")
+ (version "2.5.2")
(source
(origin
(method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+ (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
(build-system gnu-build-system)
(arguments
(list
@@ -420,6 +420,7 @@ (define-public onedrive
Business, OneDrive for Office365 and SharePoint and fully supports Azure
National Cloud Deployments. It supports one-way and two-way sync capabilities
and securely connects to Microsoft OneDrive services.")
+ (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
(license license:gpl3)))
(define-public lsyncd
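Review bot: Hiding the whole `microsoft` vendor is only right if the CVEs it hides concern Microsoft's own OneDrive software and never this client; a comment stating that would make the intent clear to the next reader, and if this client has a CPE vendor of its own, setting `cpe-vendor` (introduced in patch 01 of the series) is the more precise fix than hiding.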
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:24 +0100
[PATCH v4 13/16] gnu: got: Update to 0.104.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-13-ngraves@ngraves.fr
* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
gnu/packages/version-control.scm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c892a83a98..27c14422d1 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
(define-public got
(package
(name "got")
- (version "0.103")
+ (version "0.104")
(source (origin
(method url-fetch)
(uri
@@ -984,7 +984,7 @@ (define-public got
version ".tar.gz"))
(sha256
(base32
- "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+ "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
(inputs
(list libevent
`(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
"Game of Trees (Got) is a version control system which prioritizes ease of use
and simplicity over flexibility.")
(license license:isc)
- (home-page "https://gameoftrees.org/")))
+ (home-page "https://gameoftrees.org/")
+ (properties
+ ;; Can lint for updates, but not update in place.
+ '((release-monitoring-url . "https://gameoftrees.org/releases/")
+ (lint-hidden-cpe-vendors . ("got_project"))))))
(define-public xdiff
(let ((revision "0")
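Review bot: The `;; Can lint for updates, but not update in place.` comment sits above both properties and reads as if it applied to `lint-hidden-cpe-vendors` too, whereas it only describes release-monitoring-url; placing it directly before that entry avoids the confusion. `got_project` also looks like this package's own vendor rather than a namesake's, so either state in a comment which unrelated project the hidden entries belong to, or hide the specific ids with `lint-hidden-cve` so that future advisories for got are not silenced.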
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:24 +0100
[PATCH v4 14/16] gnu: dex: Update to 0.10.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-14-ngraves@ngraves.fr
* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/xdisorg.scm | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
(define-public dex
(package
(name "dex")
- (version "0.9.0")
+ (version "0.10.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
(commit (string-append "v" version))))
(sha256
(base32
- "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+ "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(arguments
- `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure))
- #:tests? #f))
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output))
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))
+ #:tests? #f)) ; No tests.
(inputs
(list python))
(native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
(description
"@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
and execute @file{.desktop} files of the Application type.")
+ (properties
+ '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
(license license:gpl3+)))
(define-public sx
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:24 +0100
[PATCH v4 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-15-ngraves@ngraves.fr
* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index bb6872d7e3..5c686db532 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
(synopsis "Immutable data structures")
(description "Immer is a library of persistent and immutable data structures
written in C++.")
+ (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
(license license:boost1.0)))
(define-public zug
--
2.46.0
Nicolas Graves wrote on 13 Nov 11:24 +0100
[PATCH v4 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241113102414.1348-16-ngraves@ngraves.fr
* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/version-control.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 27c14422d1..a0eb9f32d2 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
Configuration Management (SCM). Using it, you can record the history of
sources files, and documents. It fills a similar role to the free software
RCS, PRCS, and Aegis packages.")
+ (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
(license license:gpl1+)))
(define-public cvs-fast-export
--
2.46.0
ashish.is wrote on 15 Nov 13:58 +0100
[PATCH v2] gnu: got: Update to 0.105.
(address . 74034@debbugs.gnu.org)
8997bf904cc6ba11f693e51e9872e818f2ccb7c2.1731675499.git.ashish.is@lostca.se
From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/version-control.scm (got): Update to 0.105.

Change-Id: I7846536927717b1a7cc79e8a3a70e9254eade22a
---
gnu/packages/version-control.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 3e66163253..531d4827dc 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
(define-public got
(package
(name "got")
- (version "0.104")
+ (version "0.105")
(source (origin
(method url-fetch)
(uri
@@ -984,7 +984,7 @@ (define-public got
version ".tar.gz"))
(sha256
(base32
- "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
+ "0i52bkyhs2v8h1b6045hybnzyhr8hvgw87y3pr0s4vyhvihf6wri"))))
(inputs
(list libevent
`(,util-linux "lib")
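Review bot: This patch edits the same `version` and `sha256` lines as v4 13/16 of this series (which bumps got to 0.104 and adds release-monitoring-url and lint-hidden-cpe-vendors properties), but it is based on a different blob (index 3e66163253) that lacks the properties hunk, so whichever of the two lands second will need a rebase. The simplest way out is to fold the 0.105 bump into the series' got patch and keep its properties entries.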

base-commit: b8d654f60a278790d0d65266b063b08c204ee15e
--
2.47.0
Ludovic Courtès wrote 5 days ago
Re: [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 74034@debbugs.gnu.org)
87zflxixr1.fsf@gnu.org
Hi!

Nicolas Graves <ngraves@ngraves.fr> wrote:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to...
> (cpe->package-identifier): Renamed from cpe->package-name. Use
> cpe_vendor:cpe_name in place of cpe_name.
> (vulnerability-matches?): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
> in guix/cve.scm.

[...]

> -(define (cpe->package-name cpe)
> +(define (cpe->package-identifier cpe)
> "Converts the Common Platform Enumeration (CPE) string CPE to a package
> -name, in a very naive way. Return two values: the package name, and its
> -version string. Return #f and #f if CPE does not look like an application CPE
> -string."
> +identifier, in a very naive way. Return two values: the package identifier
> +(composed from the CPE vendor and the package name), and its version string.
> +Return #f and #f if CPE does not look like an application CPE string."

It returns three values now. :-) (Nice!)

> (define (merge-package-lists lst)
> - "Merge the list in LST, each of which has the form (p sexp), where P
> -is the name of a package and SEXP is an sexp that constrains matching
> -versions."
> + "Merge the list in LST, each of which has the form (V P SEXP), where V is a
> +CPE vendor, P is the name of a package and SEXP is an sexp that constrains
> +matching versions."

Am I right that ‘vulnerability->sexp’ now includes the vendor?

In that case, the format version in ‘write-cache’ should be bumped and
‘fetch-vulnerabilities’ should be adjusted accordingly (to support v1
sexps that lack vendor info).

Ludo’.
Ludovic Courtès wrote 5 days ago
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 74034@debbugs.gnu.org)
87v7wlixpu.fsf@gnu.org
The rest of this series LGTM! Almost there! :-)
Nicolas Graves wrote 4 days ago
[PATCH v5 02/16] gnu: halibut: Add cpe-vendor property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-2-ngraves@ngraves.fr
* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
gnu/packages/documentation.scm | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
(home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
(synopsis "Documentation production system for software manuals")
(description
- "Halibut is a text formatting system designed primarily for writing software
-documentation. It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF. It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible. It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+ "Halibut is a text formatting system designed primarily for writing
+software documentation. It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible. It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+ (properties `((cpe-vendor . "halibut_project")))
(license license:expat)))
(define-public doc++
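Review bot: `cpe-vendor` is given as a bare string while `lint-hidden-cpe-vendors` elsewhere in the series is a list; that matches how the lookup consumes them (string=? against the former, member against the latter), but the difference is easy to get wrong when copying from one package to another, so the manual should document both shapes alongside the existing cpe-name and cpe-version properties. The quasiquote is again unnecessary: `'((cpe-vendor . "halibut_project"))`.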
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-1-ngraves@ngraves.fr
* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerability-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.
(write-cache): Update the format version.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
guix/cve.scm | 147 +++++++++++++++++++++++++++++---------------------
guix/lint.scm | 10 +++-
tests/cve.scm | 14 ++---
3 files changed, 101 insertions(+), 70 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..ed4665d727 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
#:use-module (web uri)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
- #:use-module (srfi srfi-11)
#:use-module (srfi srfi-19)
#:use-module (srfi srfi-26)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
+ #:use-module (srfi srfi-71)
#:use-module (ice-9 match)
#:use-module (ice-9 regex)
#:use-module (ice-9 vlist)
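Review bot: Dropping (srfi srfi-11) is only safe if no other let-values or let*-values form remains in this module; the new (srfi srfi-71) import covers the multiple-value `let` used in cpe-match->cve-configuration but not let-values, so check the rest of the file before removing the import.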
@@ -108,15 +108,16 @@ (define %cpe-package-rx
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
(make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way. Return two values: the package name, and its
-version string. Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way. Return three values: the CPE vendor, the
+package name, and its version string.
+Return three #f values if CPE does not look like an application CPE string."
(cond ((regexp-exec %cpe-package-rx cpe)
=>
(lambda (matches)
- (values (match:substring matches 2)
+ (values (match:substring matches 1)
+ (match:substring matches 2)
(match (match:substring matches 3)
("*" '_)
(version
@@ -128,7 +129,7 @@ (define (cpe->package-name cpe)
;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
(string-drop patch-level 1)))))))))
(else
- (values #f #f))))
+ (values #f #f #f))))
(define (cpe-match->cve-configuration alist)
"Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-name cpe)))
+ (let ((vendor package version (cpe->package-identifier cpe)))
(and package
- `(,package
- ,(cond ((and (or starti starte) (or endi ende))
- `(and ,(if starti `(>= ,starti) `(> ,starte))
- ,(if endi `(<= ,endi) `(< ,ende))))
- (starti `(>= ,starti))
- (starte `(> ,starte))
- (endi `(<= ,endi))
- (ende `(< ,ende))
- (else version))))))))
+ `(,vendor
+ ,package
+ ,(cond ((and (or starti starte) (or endi ende))
+ `(and ,(if starti `(>= ,starti) `(> ,starte))
+ ,(if endi `(<= ,endi) `(< ,ende))))
+ (starti `(>= ,starti))
+ (starte `(> ,starte))
+ (endi `(<= ,endi))
+ (ende `(< ,ende))
+ (else version))))))))
(define (configuration-data->cve-configurations alist)
"Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -228,6 +230,23 @@ (define (version-matches? version sexp)
(('>= min)
(version>=? version min))))
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+ "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages. When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+ (define hidden-vendor?
+ (if (list? hidden-vendors)
+ (cut member <> hidden-vendors)
+ (const #f)))
+
+ (match vuln
+ (($ <vulnerability> id packages)
+ (any (match-lambda
+ ((? (cut string=? <> vendor)) #t)
+ ((? hidden-vendor?) #f)
+ (otherwise (not vendor)))
+ (map car packages))))) ;candidate vendors
+
;;;
;;; High-level interface.
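Review bot: The first match-lambda clause, `((? (cut string=? <> vendor)) #t)`, is tried before the `(otherwise (not vendor))` fallback, so when VENDOR is #f (the case the docstring describes) string=? receives #f and signals a wrong-type-arg error instead of falling through; guard it, e.g. `((? (lambda (v) (and vendor (string=? v vendor)))) #t)`, or handle `(not vendor)` before the string comparison. Note also that the check is per vulnerability rather than per entry: it answers #t when any of VULN's packages carries VENDOR, even if that entry is for a different package name than the one being looked up, so comparing against the vendor of the entry that produced the table hit would be tighter.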
@@ -259,7 +278,7 @@ (define-record-type <vulnerability>
(vulnerability id packages)
vulnerability?
(id vulnerability-id) ;string
- (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...)
+ (packages vulnerability-packages)) ;((v1 p1 sexp1) (v2 p2 sexp2) ...)
(define vulnerability->sexp
(match-lambda
@@ -272,39 +291,47 @@ (define sexp->vulnerability
(vulnerability id packages))))
(define (cve-configuration->package-list config)
- "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+ "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
(let loop ((config config)
- (packages '()))
+ (results '()))
(match config
(('or configs ...)
- (fold loop packages configs))
- (('and config _ ...) ;XXX
- (loop config packages))
- (((? string? package) '_) ;any version
- (cons `(,package _)
- (alist-delete package packages)))
- (((? string? package) sexp)
- (let ((previous (assoc-ref packages package)))
- (if previous
- (cons `(,package (or ,sexp ,@previous))
- (alist-delete package packages))
- (cons `(,package ,sexp) packages)))))))
+ (fold loop results configs))
+ (('and config _ ...) ;XXX
+ (loop config results))
+ (((? string? vendor) (? string? package) sexp)
+ (let ((pruned-results (remove (match-lambda
+ ((vendor package _) #t)
+ (otherwise #f))
+ results)))
+ (match sexp
+ ('_ ;any version
+ (cons `(,vendor ,package _) pruned-results))
+ (_
+ (match (assoc-ref (assoc-ref results vendor) package)
+ ((previous)
+ (cons `(,vendor ,package (or ,sexp ,previous)) pruned-results))
+ (_
+ (cons `(,vendor ,package ,sexp) results))))))))))
(define (merge-package-lists lst)
- "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+ "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
(fold (lambda (plist result) ;XXX: quadratic
(fold (match-lambda*
- (((package version) result)
- (match (assoc-ref result package)
- (#f
- (cons `(,package ,version) result))
- ((previous)
- (cons `(,package (or ,version ,previous))
- (alist-delete package result))))))
+ (((vendor package version) result)
+ (match (assoc-ref result vendor)
+ (((? (cut string=? package <>)) previous)
+ (cons `(,vendor ,package (or ,version ,previous))
+ (remove (match-lambda
+ ((vendor package _) #t)
+ (otherwise #f))
+ result)))
+ (_
+ (cons `(,vendor ,package ,version) result)))))
result
plist))
'()
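Review bot: In both `remove` calls the pattern `((vendor package _) #t)` binds fresh pattern variables instead of comparing with the outer `vendor` and `package` (identifiers in ice-9 match patterns always bind), so it matches every three-element entry and `pruned-results` and the merged `result` lose all other packages, not just the one being replaced; use predicates such as `((? (cut string=? vendor <>)) (? (cut string=? package <>)) _)`. In cve-configuration->package-list, `(assoc-ref (assoc-ref results vendor) package)` applies assoc-ref to a `(PACKAGE SEXP)` list whose car is a string rather than a pair, so it always returns #f and the `(or ,sexp ,previous)` branch is unreachable. In merge-package-lists, `(assoc-ref result vendor)` only inspects the first entry for that vendor, so a second package under the same vendor (gnu/binutils and gnu/binutils_gold in the tests) is skipped when it is not the first, yielding duplicate entries instead of a merge. A `find` over entries keyed on both vendor and package fixes all three; the tests pass today only because each fixture vulnerability has a single vendor.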
@@ -337,7 +364,7 @@ (define vulns
(json->vulnerabilities input))
(write `(vulnerabilities
- 1 ;format version
+ 2 ;format version
,(map vulnerability->sexp vulns))
cache))))
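Review bot: Bumping the format version to 2 is only half of the change: the reader that validates this cache (fetch-vulnerabilities, as raised earlier in this thread) is not touched in this diff, so confirm it accepts `(vulnerabilities 2 ...)` and refetches or converts an existing version-1 cache whose entries lack the vendor field; otherwise sexp->vulnerability yields two-element package entries that the new `(vendor name versions)` pattern in vulnerabilities->lookup-proc cannot match.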
@@ -404,28 +431,26 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((name . versions)
- (vhash-cons name (cons vuln versions)
+ ((vendor name versions)
+ (vhash-cons name (cons vuln `(,versions))
table))))
table
packages))))
vlist-null
vulnerabilities))
- (lambda* (package #:optional version)
- (vhash-fold* (if version
- (lambda (pair result)
- (match pair
- ((vuln sexp)
- (if (version-matches? version sexp)
- (cons vuln result)
- result))))
- (lambda (pair result)
- (match pair
- ((vuln . _)
- (cons vuln result)))))
- '()
- package table)))
+ (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+ (vhash-fold*
+ (lambda (pair result)
+ (match pair
+ ((vuln sexp)
+ (if (and (or (and (not vendor) (null? hidden-vendors))
+ (vulnerability-matches? vuln vendor hidden-vendors))
+ (or (not version) (version-matches? version sexp)))
+ (cons vuln result)
+ result))))
+ '()
+ package table)))
;;; cve.scm ends here
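Review bot: in the table fold the `vendor` field of `((vendor name versions) ...)` is bound but never used, so the table is still keyed by product name alone and every lookup has to call `vulnerability-matches?` to re-scan the vulnerability's package list; storing it in the entry, e.g. `(vhash-cons name (list vuln vendor versions) table)`, would let the lookup lambda test the vendor directly from `pair`. In that lambda, `(null? hidden-vendors)` assumes a list, but the caller in `guix/lint.scm` passes the raw `assoc-ref` result, which is `#f` when a package has no `lint-hidden-cpe-vendors` property; the short-circuit is then skipped and `vulnerability-matches?` receives `#f`. Normalize with `(or hidden-vendors '())` (the `'()` default in the `#:key` list does not cover an explicit `#f`).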
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
(package-name package)))
(version (or (assoc-ref (package-properties package)
'cpe-version)
- (package-version package))))
- ((force lookup) name version)))))
+ (package-version package)))
+ (vendor (assoc-ref (package-properties package)
+ 'cpe-vendor))
+ (hidden-vendors (assoc-ref (package-properties package)
+ 'lint-hidden-cpe-vendors)))
+ ((force lookup) name version
+ #:vendor vendor
+ #:hidden-vendors hidden-vendors)))))
;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
(set! package-vulnerabilities package-vulnerabilities)
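Review bot: the two new package properties are not documented anywhere in the patch: `cpe-vendor` is a single string while `lint-hidden-cpe-vendors` is a list, and what a package without `cpe-vendor` matches is only discoverable by reading the lookup lambda. Add both next to the existing `cpe-name`/`cpe-version` documentation in the manual and in the `package-vulnerabilities` docstring. Since the `version` binding above already uses `or` to fall back, do the same for `hidden-vendors`, i.e. `(or (assoc-ref ...) '())`, so the lookup procedure never sees `#f`.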
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
(vulnerability "CVE-2019-0005"
- '(("junos" (or "18.11" "18.1"))))
+ '(("juniper" "junos" (or "18.1" "18.11"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("ghostscript" (< "9.28"))))
+ '(("artifex" "ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nix" (<= "2.3"))))
+ '(("nixos" "nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gdb" _))) ;any version
+ '(("gnu" "gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("binutils" (and (>= "2.21") (<= "2.31.1")))
- ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
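Review bot: the expected sexps only exercise parsing; nothing tests the new `#:vendor` / `#:hidden-vendors` filtering of the lookup procedure, which is the behavioural change of this patch. Add a case that looks up "binutils" with `#:vendor "gnu"` (expected: CVE-2019-1010204) and one with `#:hidden-vendors '("gnu")` (expected: nothing). Also, the `or` nesting for CVE-2019-0001 and CVE-2019-0005 is now reversed (`(or "18.2" (or "18.21-s3" "18.21-s4"))` instead of `(or "18.21-s4" (or "18.21-s3" "18.2"))`), which means the merge order changed; if that is intended, say so in the commit message, otherwise the test is encoding an accidental ordering.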
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-5-ngraves@ngraves.fr
* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/algebra.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
built on top of Eigen. It is implemented as a header-only C++ library and can
be easily embedded in C++ projects that require calculating eigenvalues of
large matrices.")
+ (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
(license license:mpl2.0)))
(define-public gappa
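Review bot: `(properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))` uses quasiquote with nothing unquoted; the later patches in this series (xenon, bwm-ng, onedrive, immer, cvs) use a plain quote `'((lint-hidden-cpe-vendors . ("brainstormforce")))`, so the series is inconsistent. Pick one form for all of them; the plain quote is the simpler one.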
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 04/16] gnu: folders: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-4-ngraves@ngraves.fr
* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/esolangs.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
(description "Folders is a programming language, in which programs
are encoded as (nested) directories. Note that the switches you pass to
@command{du} may affect your score when code golfing.")
+ (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
(license license:expat)))
(define-public shakespeare-spl
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 03/16] gnu: portfolio: Update to 1.0.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-3-ngraves@ngraves.fr
* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/gnome-xyz.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
(define-public portfolio
(package
(name "portfolio")
- (version "1.0.0")
+ (version "1.0.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
(file-name (git-file-name name version))
(sha256
(base32
- "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+ "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
(arguments
(list #:glib-or-gtk? #t
#:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
"Portfolio is a minimalist file manager for those who want to use Linux
mobile devices. Tap to activate and long press to select, to browse, open,
copy, move, delete, or edit your files.")
+ (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
(license license:gpl3+)))
(define-public gnome-shell-extension-unite-shell
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 06/16] gnu: express: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-6-ngraves@ngraves.fr
* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/bioinformatics.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index f84306b6b9..5695ef12dd 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7320,6 +7320,7 @@ (define-public express
transcript-level RNA-Seq quantification, allele-specific/haplotype expression
analysis (from RNA-Seq), transcription factor binding quantification in
ChIP-Seq, and analysis of metagenomic data.")
+ (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
(license license:artistic2.0)))
(define-public express-beta-diversity
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 07/16] gnu: cli: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-7-ngraves@ngraves.fr
* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 2c0b575a84..43ec57a970 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2327,6 +2327,7 @@ (define-public cli
options that your program supports, their types, default values, and
documentation.")
(home-page "https://codesynthesis.com/projects/cli/")
+ (properties `((lint-hidden-cpe-vendors . ("snyk"))))
(license license:expat)))
(define-public xsd
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-8-ngraves@ngraves.fr
* gnu/packages/curl.scm (h2c)[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/curl.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..d782f89d9f 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -378,6 +378,7 @@ (define-public h2c
(description
"Provided a set of HTTP request headers, h2c outputs how to invoke
curl to obtain exactly that HTTP request.")
+ (properties `((lint-hidden-cpe-vendors . ("golang"))))
(license license:expat)))
(define-public coeurl
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 09/16] gnu: xenon: Update to 0.9.3.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-9-ngraves@ngraves.fr
* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/code.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 04ca4dfd6b..5ed2126225 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1054,14 +1054,14 @@ (define-public cscope
(define-public xenon
(package
(name "xenon")
- (version "0.9.0")
+ (version "0.9.3")
(source
(origin
(method url-fetch)
(uri (pypi-uri "xenon" version))
(sha256
(base32
- "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+ "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
(build-system python-build-system)
(arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
(inputs (list python-pyyaml python-radon python-requests))
@@ -1073,6 +1073,7 @@ (define-public xenon
line options, various thresholds can be set for the complexity of code. It
will fail (i.e., it will exit with a non-zero exit code) when any of these
requirements is not met.")
+ (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
(license license:expat)))
(define-public python-xenon
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 10/16] gnu: bolt: Update to 0.9.8.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-10-ngraves@ngraves.fr
* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/linux.scm | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7a856c4721..3cd0f0381c 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3333,7 +3333,7 @@ (define-public iptables-nft
(define-public bolt
(package
(name "bolt")
- (version "0.9.5")
+ (version "0.9.8")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3342,7 +3342,7 @@ (define-public bolt
(file-name (git-file-name name version))
(sha256
(base32
- "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+ "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
(build-system meson-build-system)
(arguments
(list #:configure-flags '(list "--localstatedir=/var")
@@ -3351,12 +3351,11 @@ (define-public bolt
(add-after 'unpack 'replace-directories
(lambda* (#:key outputs #:allow-other-keys)
(substitute* "meson.build"
- (("udev.get_pkgconfig_variable..udevdir..")
- (string-append "'"
- #$output "/lib/udev'")))
- (substitute* "scripts/meson-install.sh"
- (("mkdir.*")
- ""))))
+ (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+ (string-append "'" #$output "/lib/udev'"))
+ ;; Don't install in /var
+ (("not systemd\\.found\\(\\)")
+ "false"))))
(add-before 'install 'no-polkit-magic
(lambda* (#:key outputs #:allow-other-keys)
(setenv "PKEXEC_UID" "something"))))))
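Review bot: the comment `;; Don't install in /var` does not describe what the substitution does: replacing `not systemd\.found\(\)` with `false` disables a Meson branch, and the reader cannot tell from here which install rules that branch contains, nor why the previous `scripts/meson-install.sh` substitution could be dropped. State what the branch installs (and that the script is gone in 0.9.8, if that is the reason) either in the comment or in the commit message, which currently only says "Update phase 'replace-directories".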
@@ -3378,6 +3377,7 @@ (define-public bolt
@command{boltd}. It can list devices, monitor changes, and initiate
authorization of devices.")
(home-page "https://gitlab.freedesktop.org/bolt/bolt")
+ (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
(license license:gpl2+)))
(define-public jitterentropy-rngd
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-11-ngraves@ngraves.fr
* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/networking.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index f0f0619161..8115c989aa 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
(description "Bandwidth Monitor NG is a small and simple console based
live network and disk I/O bandwidth monitor.")
(home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+ (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
(license license:gpl2)))
(define-public aircrack-ng
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 12/16] gnu: onedrive: Update to 2.5.2.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-12-ngraves@ngraves.fr
* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
gnu/packages/sync.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
(define-public onedrive
(package
(name "onedrive")
- (version "2.4.25")
+ (version "2.5.2")
(source
(origin
(method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+ (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
(build-system gnu-build-system)
(arguments
(list
@@ -420,6 +420,7 @@ (define-public onedrive
Business, OneDrive for Office365 and SharePoint and fully supports Azure
National Cloud Deployments. It supports one-way and two-way sync capabilities
and securely connects to Microsoft OneDrive services.")
+ (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
(license license:gpl3)))
(define-public lsyncd
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 13/16] gnu: got: Update to 0.104.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-13-ngraves@ngraves.fr
* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
gnu/packages/version-control.scm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c892a83a98..27c14422d1 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
(define-public got
(package
(name "got")
- (version "0.103")
+ (version "0.104")
(source (origin
(method url-fetch)
(uri
@@ -984,7 +984,7 @@ (define-public got
version ".tar.gz"))
(sha256
(base32
- "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+ "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
(inputs
(list libevent
`(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
"Game of Trees (Got) is a version control system which prioritizes ease of use
and simplicity over flexibility.")
(license license:isc)
- (home-page "https://gameoftrees.org/")))
+ (home-page "https://gameoftrees.org/")
+ (properties
+ ;; Can lint for updates, but not update in place.
+ '((release-monitoring-url . "https://gameoftrees.org/releases/")
+ (lint-hidden-cpe-vendors . ("got_project"))))))
(define-public xdiff
(let ((revision "0")
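Review bot: the comment `;; Can lint for updates, but not update in place.` is ambiguous; spell out that `release-monitoring-url` lets `guix refresh` detect new releases while the updater cannot rewrite this definition automatically. The new `properties` form is also placed after `license`, whereas the other patches in this series put it before `license`; moving it up keeps the field order consistent across the series.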
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 14/16] gnu: dex: Update to 0.10.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-14-ngraves@ngraves.fr
* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/xdisorg.scm | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
(define-public dex
(package
(name "dex")
- (version "0.9.0")
+ (version "0.10.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
(commit (string-append "v" version))))
(sha256
(base32
- "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+ "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(arguments
- `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure))
- #:tests? #f))
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output))
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))
+ #:tests? #f)) ; No tests.
(inputs
(list python))
(native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
(description
"@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
and execute @file{.desktop} files of the Application type.")
+ (properties
+ '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
(license license:gpl3+)))
(define-public sx
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-15-ngraves@ngraves.fr
* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 43ec57a970..a3a89d3313 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
(synopsis "Immutable data structures")
(description "Immer is a library of persistent and immutable data structures
written in C++.")
+ (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
(license license:boost1.0)))
(define-public zug
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH v5 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241119074612.19048-16-ngraves@ngraves.fr
* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/version-control.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 27c14422d1..a0eb9f32d2 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
Configuration Management (SCM). Using it, you can record the history of
sources files, and documents. It fills a similar role to the free software
RCS, PRCS, and Aegis packages.")
+ (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
(license license:gpl1+)))
(define-public cvs-fast-export
--
2.46.0
Ludovic Courtès wrote 47 hours ago
Re: [bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 74034@debbugs.gnu.org)
87h681v9nj.fsf@gnu.org
Nicolas Graves <ngraves@ngraves.fr> writes:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to...
> (cpe->package-identifier): Renamed from cpe->package-name. Use
> cpe_vendor:cpe_name in place of cpe_name.
> (vulnerability-matches?): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
> (write-cache): Update the format version.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
> in guix/cve.scm.

[...]

> (write `(vulnerabilities
> - 1 ;format version
> + 2 ;format version
> ,(map vulnerability->sexp vulns))
> cache))))

This is good, but like I wrote, ‘fetch-vulnerabilities’ must be updated
symmetrically, ideally to recognize both v1 and v2 sexps:

(match sexp
(('vulnerabilities 2 vulns)
(map sexp->vulnerability vulns))
(('vulnerabilities 1 vulns) ;old format, lacks vendor info
(map sexp-v1->vulnerability vulns)))

(This is the format used in ~/.cache/guix/cve.)

That’s the only thing missing IMO.

Ludo’.