[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#47193] Fancify guix lint -c cve output
From: |
Ludovic Courtès |
Subject: |
[bug#47193] Fancify guix lint -c cve output |
Date: |
Wed, 31 Mar 2021 15:03:42 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) |
Hi,
Tobias Geerinckx-Rice <me@tobias.gr> skribis:
> * guix/cve.scm <cve-item>[cvss3-base-severity]: New field.
> (impact-data->cve-cvss3-base-severity): New procedure.
> <vulnerability>[severity]: New field.
> (vulnerability->sexp, sexp->vulnerability, cve-item->vulnerability)
> (write-cache): Bump the format version to 2.
> (vulnerabilities->lookup-proc): Adjust accordingly.
> * guix/lint.scm (check-vulnerabilities): Indicate CVE severity according
> to the output port's terminal capabilities.
I would move the lint.scm bit to a separate patch.
Please also add a short test for ‘vulnerability-severity’ in
tests/cve.scm.
[...]
> + (cvssv3-base-severity cve-item-cvssv3-base-severity ;string
> + "impact" impact-data->cve-cvssv3-base-severity)
> + (published-date cve-item-published-date
> + "publishedDate" string->date*)
> + (last-modified-date cve-item-last-modified-date
> + "lastModifiedDate" string->date*))
>
> (define-json-mapping <cve> cve cve?
> json->cve
> @@ -183,6 +188,15 @@ element found in CVEs, return an sexp such as
> (\"binutils\" (<
> (let ((nodes (vector->list (assoc-ref alist "nodes"))))
> (filter-map node->configuration nodes)))
>
> +(define (impact-data->cve-cvssv3-base-severity alist)
> + "Given ALIST, a JSON dictionary for the \"impact\" element found in
> +CVEs, return a string indicating its CVSSv3 severity. This should be
> +one of \"NONE\", \"LOW\", \"MEDIUM\", \"HIGH\", or \"CRITICAL\", but we
> +return whatever we find, or #F if the severity cannot be determined."
> + (let* ((base-metric-v3 (assoc-ref alist "baseMetricV3"))
> + (cvss-v3 (assoc-ref base-metric-v3 "cvssV3")))
> + (assoc-ref cvss-v3 "baseSeverity")))
I would pass the result through (string->symbol (string-downcase …)).
For clarity, perhaps we can do:
(define-json-mapping <cvss> cvss cvss?
json->cvss
(vector-string cvss-vector-string “vector_String")
(base-severity cvss-severity "base_Severity"
(compose string->symbol string-downcase)))
… and use that instead of the last ‘assoc-ref’ call above.
The rest LGTM.
Thanks for this pleasant improvement!
Ludo’.
[bug#47193] Fancify guix lint -c cve output, Léo Le Bouter, 2021/03/16