"guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)

Open

Details

3 participants

Léo Le Bouter
Ludovic Courtès
zimoun

Owner: unassigned

Submitted by: Léo Le Bouter

Severity: normal

Léo Le Bouter wrote on 16 Mar 2021 10:29

Recipients:(address . bug-guix@gnu.org)

Message-ID:706d51950b7545eefd43a54f738bc82df0d7f36c.camel@zaclys.net

./pre-inst-env guix lint -c cve python-urllib3@1.26.2
Here this should return at least CVE-2021-28363 but it does not because
the CVE database contains urllib3 and not python-urllib3 (which AFAICT
the cve linter searches for).

Annotating each and every python-, go-, and rust- package with cpe-name 
properties is going to be very annoying. I suggest we add some
heuristics that try both the full name and prefix-trimmed name. python-
urllib3's cpe name and vendor is python (vendor) urllib3 (name).

Same story for CVE-2021-28305 and rust-diesel, though it doesnt even
have a CPE entry yet.

zimoun wrote on 16 Mar 2021 14:05

Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-, python-, go-, ..)

Recipients:(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47188@debbugs.gnu.org)

Message-ID:CAJ3okZ2yHtxtbi0vhskAJCCWT_NkQuOUnLof9cm7MRDwpeAkug@mail.gmail.com

Hi,

On Tue, 16 Mar 2021 at 10:30, Léo Le Bouter via Bug reports for GNU

Guix <bug-guix@gnu.org> wrote:

Toggle quote (5 lines)

> ./pre-inst-env guix lint -c cve python-urllib3@1.26.2

> Here this should return at least CVE-2021-28363 but it does not because

> the CVE database contains urllib3 and not python-urllib3 (which AFAICT

> the cve linter searches for).

Does the CVE use the upstream name? Or a normalized name?

I mean, in the R world, packages can have names as 'org.EcK12.eg.db'

which becomes "r-org-eck12-eg-db". To easy the mapping for updating

and co, the package definition contains:

(properties

`((upstream-name . "org.EcK12.eg.db")))

Maybe, it could be worth to have similar things. WDYT?

All the best,

simon

Ludovic Courtès wrote on 18 Mar 2021 14:26

Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)

Recipients:(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47188@debbugs.gnu.org)

Message-ID:87a6r0r3t1.fsf@gnu.org

Hi,

Léo Le Bouter <lle-bout@zaclys.net> skribis:

Toggle quote (13 lines)> ./pre-inst-env guix lint -c cve python-urllib3@1.26.2
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).
>
> Annotating each and every python-, go-, and rust- package with cpe-name 
> properties is going to be very annoying. I suggest we add some
> heuristics that try both the full name and prefix-trimmed name. python-
> urllib3's cpe name and vendor is python (vendor) urllib3 (name).
>
> Same story for CVE-2021-28305 and rust-diesel, though it doesnt even
> have a CPE entry yet.

Yes, that’s an issue. We can address these by adding a ‘cpe-name’

property (info "(guix) Invoking guix lint"), but that’s going to be

tedious. We can at least add it to high-profile packages for now.

Tooling that suggests or deduces the CPE name would help a lot:

https://issues.guix.gnu.org/42299

Ludo’.

Ludovic Courtès wrote on 18 Mar 2021 14:38

control message for bug #47188

Recipients:(address . control@debbugs.gnu.org)

Message-ID:877dm4ponv.fsf@gnu.org

tags 47188 + security

quit

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 47188@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 47188

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date