Diffstat (limited to 'guix')
-rw-r--r--guix/cve.scm51
1 files changed, 39 insertions, 12 deletions
diff --git a/guix/cve.scm b/guix/cve.scm
index 663097b483..8e76f42f0d 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -49,23 +49,38 @@
(id vulnerability-id)
(packages vulnerability-packages))
-(define %cve-feed-uri
+(define %now
+ (current-date))
+(define %current-year
+ (date-year %now))
+(define %past-year
+ (- %current-year 1))
+
+(define (yearly-feed-uri year)
+ "Return the URI for the CVE feed for YEAR."
(string->uri
- "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz"))
+ (string-append "https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-"
+ (number->string year) ".xml.gz")))
-(define %ttl
+(define %current-year-ttl
;; According to <https://nvd.nist.gov/download.cfm#CVE_FEED>, feeds are
;; updated "approximately every two hours."
(* 3600 3))
-(define (call-with-cve-port proc)
+(define %past-year-ttl
+ ;; Update the previous year's database more and more infrequently.
+ (* 3600 24 2 (date-month %now)))
+
+(define (call-with-cve-port uri ttl proc)
"Pass PROC an input port from which to read the CVE stream."
- (let ((port (http-fetch/cached %cve-feed-uri #:ttl %ttl)))
+ (let ((port (http-fetch/cached uri #:ttl ttl)))
(dynamic-wind
(const #t)
(lambda ()
(call-with-decompressed-port 'gzip port
- proc))
+ (lambda (port)
+ (setvbuf port _IOFBF 65536)
+ (proc port))))
(lambda ()
(close-port port)))))
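Review bot: `%now`, `%current-year`, `%past-year` and `%past-year-ttl` are evaluated once when the module is loaded, so in a long-lived process they go stale: after a year boundary `%current-year` still names the old year and the new year's feed is never fetched, and `%past-year-ttl` keeps the month the module was loaded in. Computing these at call time instead, e.g. `(define (current-year) (date-year (current-date)))` and deriving the past year and TTL from that inside `current-vulnerabilities`, would tie feed selection to the time of the call. The docstring of `call-with-cve-port` was not updated for the new parameters; something like `"Fetch URI, cached for TTL seconds, and pass PROC an input port from which to read the decompressed CVE stream."` would do. Whether `http-fetch/cached` verifies the server certificate for the HTTPS feed is not visible in this hunk and is worth confirming, since the fetched feed is what the vulnerability lookup trusts.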
@@ -142,12 +157,19 @@ vulnerability objects."
(define (current-vulnerabilities)
"Return the current list of Common Vulnerabilities and Exposures (CVE) as
published by the US NIST."
- (call-with-cve-port
- (lambda (port)
- ;; XXX: The SSAX "error port" is used to send pointless warnings such as
- ;; "warning: Skipping PI". Turn that off.
- (parameterize ((current-ssax-error-port (%make-void-port "w")))
- (xml->vulnerabilities port)))))
+ (define (read-vulnerabilities uri ttl)
+ (call-with-cve-port uri ttl
+ (lambda (port)
+ ;; XXX: The SSAX "error port" is used to send pointless warnings such as
+ ;; "warning: Skipping PI". Turn that off.
+ (parameterize ((current-ssax-error-port (%make-void-port "w")))
+ (xml->vulnerabilities port)))))
+
+ (append-map read-vulnerabilities
+ (list (yearly-feed-uri %past-year)
+ (yearly-feed-uri %current-year))
+ (list %past-year-ttl
+ %current-year-ttl)))
(define (vulnerabilities->lookup-proc vulnerabilities)
"Return a lookup procedure built from VULNERABILITIES that takes a package
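Review bot: Replacing the `Modified` feed with the two yearly feeds in `current-vulnerabilities` narrows coverage: if, as the naming suggests, the NVD yearly feeds are keyed by the year in the CVE identifier, an entry with an older-year ID that is first published or updated this year lives in an older feed and never reaches `xml->vulnerabilities`. Either adding the Modified feed back to the `append-map` lists or stating the two-year window in the docstring (`"Only CVEs whose identifiers carry the current or previous year are returned."`) would make the limitation explicit to callers of the lookup. Also, if either fetch fails — for instance when a new year's feed is not yet available, which I am assuming rather than seeing here — the error appears to propagate out of `append-map`, so the whole lookup fails instead of returning the other year's data; worth confirming what `http-fetch/cached` does on failure and whether a partial result is acceptable.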
@@ -181,4 +203,9 @@ a list of vulnerabilities affection the given package version."
'()
package table)))
+
+;;; Local Variables:
+;;; eval: (put 'call-with-cve-port 'scheme-indent-function 2)
+;;; End:
+
;;; cve.scm ends here