
[bug#47193] Fancify guix lint -c cve output


From: Ludovic Courtès
Subject: [bug#47193] Fancify guix lint -c cve output
Date: Wed, 31 Mar 2021 15:03:42 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi,

Tobias Geerinckx-Rice <me@tobias.gr> writes:

> * guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
> (impact-data->cve-cvss3-base-severity): New procedure.
> <vulnerability>[severity]: New field.
> (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
> (write-cache): Bump the format version to 2.
> (vulnerabilities->lookup-proc): Adjust accordingly.
> * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
> to the output port's terminal capabilities.

I would move the lint.scm bit to a separate patch.

Please also add a short test for ‘vulnerability-severity’ in
tests/cve.scm.

[...]

> +  (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
> +                        "impact" impact-data->cve-cvssv3-base-severity)
> +  (published-date       cve-item-published-date
> +                        "publishedDate" string->date*)
> +  (last-modified-date   cve-item-last-modified-date
> +                        "lastModifiedDate" string->date*))
>  
>  (define-json-mapping <cve> cve cve?
>    json->cve
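Review bot: the identifier names in the commit message and in this hunk disagree: the log entry names the new field cvss3-base-severity and the procedure impact-data->cve-cvss3-base-severity, while the code adds cvssv3-base-severity and impact-data->cve-cvssv3-base-severity; align the ChangeLog entry with the code before pushing. The `;string` annotation on the new field is also incomplete, since the converter's own docstring says it returns #F when the severity cannot be determined; `;string | #f` would tell readers of <cve-item> that the field may be unset.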
> @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as 
> (\"binutils\" (<
>    (let ((nodes (vector->list (assoc-ref alist "nodes"))))
>      (filter-map node->configuration nodes)))
>  
> +(define (impact-data->cve-cvssv3-base-severity alist)
> +  "Given ALIST, a JSON dictionary for the \"impact\" element found in
> +CVEs, return a string indicating its CVSSv3 severity.  This should be
> +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
> +return whatever we find, or #F if the severity cannot be determined."
> +  (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
> +         (cvss-v3        (assoc-ref base-metric-v3 "cvssV3")))
> +    (assoc-ref cvss-v3 "baseSeverity")))
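Review bot: the docstring promises #F when the severity cannot be determined, but the body does not deliver that for the common case: a CVE that carries only CVSSv2 metrics has no "baseMetricV3" key, so base-metric-v3 is #f and the following assoc-ref is called with #f in place of an alist, which signals a wrong-type error instead of returning #f. Guard each step, e.g. `(and=> (assoc-ref alist "baseMetricV3") (lambda (v3) (and=> (assoc-ref v3 "cvssV3") (lambda (cvss) (assoc-ref cvss "baseSeverity")))))`, and have the tests/cve.scm test requested above exercise the missing-"baseMetricV3" path so the #f contract is pinned down.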

I would pass the result through (string->symbol (string-downcase …)).

For clarity, perhaps we can do:

  (define-json-mapping <cvss> cvss cvss?
    json->cvss
    (vector-string  cvss-vector-string "vectorString")
    (base-severity  cvss-severity "baseSeverity"
                    (compose string->symbol string-downcase)))

… and use that instead of the last ‘assoc-ref’ call above.

The rest LGTM.

Thanks for this pleasant improvement!

Ludo’.
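The two points raised in this review, normalising the severity to a lowercase symbol and returning #f when a CVE has no CVSSv3 block, can be seen together in the following added example. It is not code from the patch or from Guix: it uses plain guile-json (`json-string->scm`, assumed to be version 3 or later so that JSON objects become alists with string keys) instead of Guix's `define-json-mapping`, the procedure names `impact-data->severity` and `severity->colored` are made up for the illustration, and both JSON samples are constructed rather than taken from an NVD feed. `severity->colored` sketches the lint.scm half of the change, colouring the severity only when the output port is a terminal.

```scheme
;; Added example, not part of the reviewed patch.  Assumes guile-json 3+.
(use-modules (json)
             (ice-9 match))

(define (impact-data->severity alist)
  "Return the CVSSv3 base severity of ALIST, an NVD \"impact\" object, as a
lowercase symbol such as 'high, or #f when no CVSSv3 metrics are present or
the value is not a string."
  ;; and=> stops at the first missing key instead of calling assoc-ref on #f,
  ;; which is what a CVSSv2-only entry (no "baseMetricV3") would otherwise do.
  (let ((severity (and=> (assoc-ref alist "baseMetricV3")
                         (lambda (v3)
                           (and=> (assoc-ref v3 "cvssV3")
                                  (lambda (cvss)
                                    (assoc-ref cvss "baseSeverity")))))))
    (and (string? severity)
         (string->symbol (string-downcase severity)))))

(define (severity->colored severity port)
  "Return SEVERITY (a symbol or #f) as a string, wrapped in ANSI colour
escapes only when PORT is a terminal, so that output piped to a file or
another program stays plain."
  (define color
    (match severity
      ((or 'critical 'high) "31")           ;red
      ('medium              "33")           ;yellow
      ((or 'low 'none)      "32")           ;green
      (_                    #f)))           ;unknown or #f: no colour
  (let ((text (if severity (symbol->string severity) "unknown")))
    (if (and color (isatty? port))
        (string-append "\x1b[" color "m" text "\x1b[0m")
        text)))

;; Constructed samples: one entry with CVSSv3 data, one with CVSSv2 only.
(define sample-impact-v3
  (json-string->scm
   "{\"baseMetricV3\": {\"cvssV3\": {\"version\": \"3.1\",
                                    \"baseScore\": 7.5,
                                    \"baseSeverity\": \"HIGH\"}},
     \"baseMetricV2\": {\"cvssV2\": {\"baseScore\": 5.0}}}"))

(define sample-impact-v2-only
  (json-string->scm
   "{\"baseMetricV2\": {\"cvssV2\": {\"baseScore\": 5.0}}}"))

;; Run both samples through the pipeline and print them the way a linter
;; would, with colour only on an interactive terminal.
(for-each (lambda (impact)
            (let ((severity (impact-data->severity impact)))
              (display (severity->colored severity (current-output-port)))
              (newline)))
          (list sample-impact-v3 sample-impact-v2-only))
```

Run it with `guile example.scm` (after `guix install guile guile-json`, or any environment where guile-json is on the load path): the first sample prints the severity as a symbol name, the second falls through to "unknown" rather than raising, and redirecting stdout to a file drops the escape sequences.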
