[debbugs-tracker] bug#37838: closed ([PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed)

[GNU bug Tracking System]

Your message dated Wed, 23 Oct 2019 16:48:52 +0200
with message-id <address@hidden>
and subject line Re: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's 
JSON feed
has caused the debbugs.gnu.org bug report #37838,
regarding [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden.)


-- 
37838: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37838
GNU Bug Tracking System
Contact address@hidden with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
>
>
>
>
> Date: 
>
> Sun, 20 Oct 2019 22:34:51 +0200
>
>
>
>
> Hello!
>
> Last Thursday I was surprised to see that ‘guix lint -c cve’
> would be redirected to:
>
>   https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3
>
> … leading to a failure.
>
> And indeed, the XML CVE feed has now been replaced by a JSON feed
> (let’s hope they don’t switch to YAML next year :-)).  The JSON feed
> seems to be nicer in some ways; for instance, it can specify ranges
> of versions to which a given CVE applies.
>
> The patch that follows rewrites (guix cve) so it gets info from the
> JSON feed.  It does so by providing a one-to-one mapping between data
> structures in JSON and Scheme records, and then converting those to
> the higher-level <vulnerability> records that were already there before.
>
> If you look at the JSON-mapped record types, there are lots of
> low-hanging fruits; for instance, we could grab severity info from
> the JSON feeds and use them somehow.  I’m not sure if ‘guix lint’
> is the best place to display detailed CVE info, but we could/should
> use that info somehow.
>
> Feedback welcome!
>
> Ludo’.
>
> Ludovic Courtès (2):
>   cve: Rewrite to read the JSON feed instead of the XML feed.
>   lint: Re-enable CVE checker.
>
>  Makefile.am           |    2 +-
>  doc/guix.texi         |    4 +-
>  guix/cve.scm          |  376 ++++++++----
>  guix/lint.scm         |   16 +-
>  tests/cve-sample.json | 1279 +++++++++++++++++++++++++++++++++++++++++
>  tests/cve-sample.xml  |  616 --------------------
>  tests/cve.scm         |   83 ++-
>  7 files changed, 1610 insertions(+), 766 deletions(-)
>  create mode 100644 tests/cve-sample.json
>  delete mode 100644 tests/cve-sample.xml
>
> -- 
> 2.23.0
>
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: [bug#37838] [PATCH 0/2] Rewrite (guix cve) to read NIST's JSON feed
>
>
>
>
> Date: 
>
> Wed, 23 Oct 2019 16:48:52 +0200
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
>
>
>
>
> Hello,
>
> Ludovic Courtès <address@hidden> skribis:
>
> >   cve: Rewrite to read the JSON feed instead of the XML feed.
> >   lint: Re-enable CVE checker.
>
> Pushed as 9efa2c28a4f842b7ca1977e084299de441842856.
>
> Please let me know if you notice anything fishy with ‘guix lint -c cve’:
> CVEs not showing up, CVEs showing up that should not, etc.
>
> Ludo’.
>
>
> --- End Message ---