From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 18 09:26:30 2021 Received: (at 47188) by debbugs.gnu.org; 18 Mar 2021 13:26:31 +0000 Received: from localhost ([127.0.0.1]:45357 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMsfW-0007rJ-HN for submit@debbugs.gnu.org; Thu, 18 Mar 2021 09:26:30 -0400 Received: from eggs.gnu.org ([209.51.188.92]:49102) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMsfT-0007r0-RY for 47188@debbugs.gnu.org; Thu, 18 Mar 2021 09:26:28 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:54827) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lMsfO-0001Aa-Ci; Thu, 18 Mar 2021 09:26:22 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=53148 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lMsfM-0002yH-To; Thu, 18 Mar 2021 09:26:21 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: =?utf-8?Q?L=C3=A9o?= Le Bouter Subject: Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..) References: <706d51950b7545eefd43a54f738bc82df0d7f36c.camel@zaclys.net> Date: Thu, 18 Mar 2021 14:26:18 +0100 In-Reply-To: <706d51950b7545eefd43a54f738bc82df0d7f36c.camel@zaclys.net> (=?utf-8?Q?=22L=C3=A9o?= Le Bouter"'s message of "Tue, 16 Mar 2021 10:29:43 +0100") Message-ID: <87a6r0r3t1.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 47188 Cc: 47188@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Hi, L=C3=A9o Le Bouter skribis: > ./pre-inst-env guix lint -c cve python-urllib3@1.26.2 > Here this should return at least CVE-2021-28363 but it does not because > the CVE database contains urllib3 and not python-urllib3 (which AFAICT > the cve linter searches for). > > Annotating each and every python-, go-, and rust- package with cpe-name=20 > properties is going to be very annoying. I suggest we add some > heuristics that try both the full name and prefix-trimmed name. python- > urllib3's cpe name and vendor is python (vendor) urllib3 (name). > > Same story for CVE-2021-28305 and rust-diesel, though it doesnt even > have a CPE entry yet. Yes, that=E2=80=99s an issue. We can address these by adding a =E2=80=98cp= e-name=E2=80=99 property (info "(guix) Invoking guix lint"), but that=E2=80=99s going to be tedious. We can at least add it to high-profile packages for now. Tooling that suggests or deduces the CPE name would help a lot: https://issues.guix.gnu.org/42299 Ludo=E2=80=99.