‘guix lint’ should suggest CPE name

  • Open
  • quality assurance status badge
Details
One participant
  • Ludovic Courtès
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
normal
L
L
Ludovic Courtès wrote on 10 Jul 2020 00:10
‘guix lint’ should suggest CPE name
(address . bug-guix@gnu.org)
87sge09w6q.fsf@gnu.org
Hello!

On IRC earlier today we were looking at
the CPE suggestions (which are nice!).

I tried the attached hack, which produces a few useless and sometimes
erroneous suggestions, by comparing the “references” of each CVE
(usually URLs of a security advisory or bug report) to the home page of
the package:

Toggle snippet (37 lines)
$ ./pre-inst-env guix lint -c cpe
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:2866:2: pam-krb5@4.8: suggested CPE name: 'pam-krb5'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'element_software_management_node'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:614:2: shadow@4.8.1: suggested CPE name: 'shadow'
gnu/packages/aspell.scm:99:2: aspell-dict-ar@1.2-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-mi@0.50-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pl@0.51-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-ru@0.99f7-1: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-sv@0.51-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fr@0.50-3: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pt-br@20131030-12-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-el@0.08-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-hi@0.02-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-de@20161207-7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-be@0.01: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-es@1.11-2: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-grc@0.02-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fi@0.7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-da@1.6.36-11-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-nl@0.50-2: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:41:2: aspell@0.60.8: suggested CPE name: 'aspell'
[…]

The conclusion is that, to make good suggestions, we need to parse the
CPE dictionary as well:


This one is still XML (not JSON) and we’d have to merge duplicates, as
in this example:

Toggle snippet (53 lines)
<cpe-item name="cpe:/a:gnu:cpio:-">
<title xml:lang="en-US">GNU cpio</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:-:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.0">
<title xml:lang="en-US">GNU cpio 1.0</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.0:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.1">
<title xml:lang="en-US">GNU cpio 1.1</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.1:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.2">
<title xml:lang="en-US">GNU cpio 1.2</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.2:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:1.3">
<title xml:lang="en-US">GNU cpio 1.3</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:1.3:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.4-2">
<title xml:lang="en-US">GNU cpio 2.4.2</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.4-2:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.5">
<title xml:lang="en-US">GNU cpio 2.5</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.5:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.5.90">
<title xml:lang="en-US">GNU cpio 2.5.90</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.5.90:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.6">
<title xml:lang="en-US">GNU cpio 2.6</title>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.6:*:*:*:*:*:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:gnu:cpio:2.7">
<title xml:lang="en-US">GNU cpio 2.7</title>
<references>
<reference href="https://ftp.gnu.org/gnu/cpio/">Change Log</reference>
</references>
<cpe-23:cpe23-item name="cpe:2.3:a:gnu:cpio:2.7:*:*:*:*:*:*:*"/>
</cpe-item>
--8<---------------cut here---------------end--------------->8---

The references are not always useful, as above, but sometimes there’s a
“Product” reference that is the package home page.

Anyway, would be nice to add that to (guix cve) instead of succumbing to
the convenience of SaaSS!

Ludo’.
Attachment: file
L
L
Ludovic Courtès wrote on 18 Mar 2021 14:26
control message for bug #42299
(address . control@debbugs.gnu.org)
878s6kr3se.fsf@gnu.org
tags 42299 + security
quit
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 42299@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 42299
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch