guix-patches

[bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-ven


From: Ludovic Courtès
Subject: [bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
Date: Wed, 20 Nov 2024 23:10:40 +0100
User-agent: Gnus/5.13 (Gnus v5.13)

Nicolas Graves <ngraves@ngraves.fr> skribis:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to...
> (cpe->package-identifier): Renamed from cpe->package-name. Use
> cpe_vendor:cpe_name in place of cpe_name.
> (vulnerabily-matches?): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
> (write-cache): Update the format version.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
> in guix/cve.scm.

[...]

>        (write `(vulnerabilities
> -               1                                  ;format version
> +               2                                  ;format version
>                 ,(map vulnerability->sexp vulns))
>               cache))))
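
Review bot: the `;format version` line goes from 1 to 2, but nothing in this hunk shows the code that reads the cache accepting the new number, and a cache file written before this change still carries 1. Pair the bump with a matching change on the reading side that handles both versions, and extend the comment to say what version 2 changes in the entries produced by `vulnerability->sexp`, so the next bump has a record to follow.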

This is good, but like I wrote, ‘fetch-vulnerabilities’ must be updated
symmetrically, ideally to recognize both v1 and v2 sexps:

    (match sexp
      (('vulnerabilities 2 vulns)
       (map sexp->vulnerability vulns))
      (('vulnerabilities 1 vulns)  ;old format, lacks vendor info
       (map sexp-v1->vulnerability vulns)))

(This is the format used in ~/.cache/guix/cve.)

That’s the only thing missing IMO.

Ludo’.




