[bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and s
From: Nicolas Graves
Subject: [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.
Date: Wed, 13 Nov 2024 09:08:10 +0100
On 2024-11-13 11:53, Maxim Cournoyer wrote:
> Hi Nicolas,
>
> I think this one looks nicer without the parsing of colons every time we
> need to extract the vendor/package name, thanks for having taken the
> time to adjust it based on Ludovic's feedback.
Ok, will squash both commits then.
>
> [...]
>
>> (define (configuration-data->cve-configurations alist)
>> "Given ALIST, a JSON dictionary for the baroque \"configurations\"
>> @@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor
>> hidden-vendors)
>> "Checks if a VENDOR matches at least one of <vulnerability> VULN
>> packages. When VENDOR is #f, ignore packages that have a vendor among
>> HIDDEN-VENDORS."
>> - (define (vendor-matches? vendor+name)
>> - (if vendor
>> - (string-prefix? (string-append vendor ":") vendor+name)
>> - (or (null? hidden-vendors)
>> - (not (any (cut string-prefix? (string-append <> ":")
>> vendor+name)
>> - hidden-vendors)))))
>> -
>> (match vuln
>> (($ <vulnerability> id packages)
>> (any (match-lambda
>> - (((? vendor-matches? vendor+name) . _) #t)
>> - (_ #f))
>> + (((? (cut string=? <> vendor)) _) #t)
>> + (((? (cut member <> hidden-vendors)) _) #t)
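Review bot: in the first added match-lambda clause, `(cut string=? <> vendor)` is applied even when VENDOR is #f, which the unchanged docstring still allows, and `string=?` signals a wrong-type error on a non-string argument; some form of the removed `(if vendor ...)` guard should stay. The second added clause returns #t for a package whose vendor is in HIDDEN-VENDORS regardless of VENDOR, while the docstring says such packages are ignored when VENDOR is #f, so it probably needs a `not` plus a check that VENDOR is #f. The pattern also changed from `((? ...) . _)` to `((? ...) _)`, which matches only two-element lists; please confirm every entry of packages has that shape, or keep the dotted tail.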
>
> We are comparing <vulnerability> packages to the vendor strings; is this
> correct?
Actually the first sexp element of <vulnerability> packages (hence the
_).
>
> At least I'd expect a hidden-vendors match to return #f, since I assume
> we do not want to process these further?
Indeed it looks like a mistake / forgotten not. Will check the logic.
> The rest looks good to me.
>
> Could you please address my questions/suggestions and squash this into
> the previous commit (with the accompanied changelog commit message
> adjustment) ?
Yep.
--
Best regards,
Nicolas Graves