diff options
author | Ludovic Courtès <ludo@gnu.org> | 2021-04-21 23:49:59 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2021-04-25 14:35:42 +0200 |
commit | ff74e2a1bc7f3bf723760dbefc926fab261450b3 (patch) | |
tree | 5c13238e8de763f161ad8914fb08028f0b27321a | |
parent | 9a618ee199f4fbd591b48079d2f9cb2df07c7d01 (diff) |
cve: Gracefully handle bogus CVE entries.
Fixes <https://bugs.gnu.org/47941>.
Reported by Jack Hill <jackhill@jackhill.us>.
* guix/cve.scm (reference-data->cve-references): Gracefully handle lack
of "reference_data".
(cpe-match->cve-configuration): Gracefully handle lack of "cpe23Uri".
-rw-r--r-- | guix/cve.scm | 31 |
1 files changed, 18 insertions, 13 deletions
diff --git a/guix/cve.scm b/guix/cve.scm index b3a8b13a06..9e1cf5b587 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -99,7 +99,9 @@ (define (reference-data->cve-references alist) (map json->cve-reference - (vector->list (assoc-ref alist "reference_data")))) + ;; Normally "reference_data" is always present but rejected CVEs such + ;; as CVE-2020-10020 can lack it. + (vector->list (or (assoc-ref alist "reference_data") '#())))) (define %cpe-package-rx ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes @@ -137,17 +139,20 @@ package." (starte (assoc-ref alist "versionStartExcluding")) (endi (assoc-ref alist "versionEndIncluding")) (ende (assoc-ref alist "versionEndExcluding"))) - (let-values (((package version) (cpe->package-name cpe))) - (and package - `(,package - ,(cond ((and (or starti starte) (or endi ende)) - `(and ,(if starti `(>= ,starti) `(> ,starte)) - ,(if endi `(<= ,endi) `(< ,ende)))) - (starti `(>= ,starti)) - (starte `(> ,starte)) - (endi `(<= ,endi)) - (ende `(< ,ende)) - (else version))))))) + ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534 + ;; has a configuration that lacks it. + (and cpe + (let-values (((package version) (cpe->package-name cpe))) + (and package + `(,package + ,(cond ((and (or starti starte) (or endi ende)) + `(and ,(if starti `(>= ,starti) `(> ,starte)) + ,(if endi `(<= ,endi) `(< ,ende)))) + (starti `(>= ,starti)) + (starte `(> ,starte)) + (endi `(<= ,endi)) + (ende `(< ,ende)) + (else version)))))))) (define (configuration-data->cve-configurations alist) "Given ALIST, a JSON dictionary for the baroque \"configurations\" |