Age | Commit message | Author |
2021-04-21 | cve: Gracefully handle bogus CVE entries. | Ludovic Courtès |
Fixes <https://bugs.gnu.org/47941>.
Reported by Jack Hill <jackhill@jackhill.us>.
* guix/cve.scm (reference-data->cve-references): Gracefully handle lack
of "reference_data".
(cpe-match->cve-configuration): Gracefully handle lack of "cpe23Uri".

2020-10-12 | lint: cve: Set a connection timeout. | Ludovic Courtès |
This (notably) works around the fact that nvd.nist.gov is currently
inaccessible over IPv6.
* guix/cve.scm (fetch-vulnerabilities): Add #:timeout and pass it to
'http-fetch/cached'.
(current-vulnerabilities): Add #:timeout and pass it to
'fetch-vulnerabilities'.
* guix/lint.scm (current-vulnerabilities*): Pass #:timeout to
'current-vulnerabilities'.

2020-09-08 | Remove (guix json) and require Guile-JSON 4.3.0+. | Ludovic Courtès |
This is a followup to 4071879c86d059ee087c8986915ea72b8c742b72.
* guix/json.scm: Remove.
* Makefile.am (MODULES): Adjust accordingly.
* m4/guix.m4 (GUIX_CHECK_GUILE_JSON): Check for 'define-json-mapping'.
* doc/guix.texi (Requirements): Require Guile-JSON 4.3.0+.
* guix/ci.scm, guix/cve.scm, guix/import/cpan.scm,
guix/import/crate.scm, guix/swh.scm: Remove (guix json) import.
* guix/import/gem.scm, guix/import/pypi.scm: Likewise, and import (json).
* guix/self.scm (specification->package): Switch to GUILE-JSON-4.
* guix/git-download.scm (git-fetch): Likewise.

2020-07-25 | Use 'formatted-message' instead of '&message' where appropriate. | Ludovic Courtès |
* gnu.scm (%try-use-modules): Use 'formatted-message' instead of
'&message'.
* gnu/machine/digital-ocean.scm (maybe-raise-unsupported-configuration-error):
Likewise.
* gnu/machine/ssh.scm (machine-check-file-system-availability): Likewise.
(machine-check-building-for-appropriate-system): Likewise.
(deploy-managed-host): Likewise.
(maybe-raise-unsupported-configuration-error): Likewise.
* gnu/packages.scm (search-patch): Likewise.
* gnu/services.scm (%service-with-default-value): Likewise.
(files->etc-directory): Likewise.
(fold-services): Likewise.
* gnu/system.scm (locale-name->definition*): Likewise.
* gnu/system/mapped-devices.scm (check-device-initrd-modules): Likewise.
(check-luks-device): Likewise.
* guix/channels.scm (latest-channel-instance): Likewise.
* guix/cve.scm (json->cve-items): Likewise.
* guix/git-authenticate.scm (commit-signing-key): Likewise.
(commit-authorized-keys): Likewise.
(authenticate-commit): Likewise.
(verify-introductory-commit): Likewise.
* guix/remote.scm (remote-pipe-for-gexp): Likewise.
* guix/scripts/graph.scm (assert-package): Likewise.
* guix/scripts/offload.scm (private-key-from-file*): Likewise.
* guix/ssh.scm (authenticate-server*): Likewise.
(open-ssh-session): Likewise.
(remote-inferior): Likewise.
* guix/ui.scm (matching-generations): Likewise.
* guix/upstream.scm (package-update): Likewise.
* tests/channels.scm ("latest-channel-instances, missing introduction for 'guix'"):
Catch 'formatted-message?'.
("authenticate-channel, wrong first commit signer"): Likewise.
* tests/lint.scm ("patches: not found"): Adjust message string.
* tests/packages.scm ("patch not found yields a run-time error"): Catch
'formatted-message?'.
* guix/lint.scm (check-patch-file-names): Handle 'formatted-message?'.
(check-derivation): Ditto.

2020-07-10 | cve: Fix typos in <cve> accessor. | Ludovic Courtès |
* guix/cve.scm (<cve>)[references]: Rename accessor to 'cve-references'
and adjust the exported name accordingly.

2019-10-23 | cve: Rewrite to read the JSON feed instead of the XML feed. | Ludovic Courtès |
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.

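A worked example, added here and not code from Guix or from any of the commits above, showing the kind of processing the JSON-feed rewrite (2019-10-23) and the "bogus CVE entries" fix (2021-04-21) describe: parse an NVD JSON 1.1 feed, turn each cpe_match into a product/version constraint, keep going when an item lacks "reference_data" or a cpe_match lacks "cpe23Uri", fold the CPE patch level into the version string (as the 2016-03-11 commit does), and look a package up by name and version. The feed document is constructed inline with placeholder IDs (CVE-0000-0001, CVE-0000-0002, not real CVEs), the version ordering compares numeric runs only, and AND/"children" nodes are flattened; all three are simplifications of this example, not Guix behaviour, and none of the function names below are Guix procedures.

```python
"""Parse an NVD JSON 1.1 feed and look up CVEs by package name and version.
Added example, not Guix code; sample feed, ordering and node handling are simplified."""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Application CPEs only: cpe:2.3:a:VENDOR:PRODUCT:VERSION:PATCH:...
_CPE_RX = re.compile(r"^cpe:2\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):")


@dataclass
class CpeMatch:
    product: str
    version: Optional[str]          # None when the CPE version is "*" or "-"
    start_incl: Optional[str] = None
    start_excl: Optional[str] = None
    end_incl: Optional[str] = None
    end_excl: Optional[str] = None


@dataclass
class Cve:
    id: str
    references: list = field(default_factory=list)
    matches: list = field(default_factory=list)


def _version_key(version):
    """Simplified ordering (assumption): numeric runs only, "1.4.0-p1" -> (1, 4, 0, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def cpe_match_to_cpematch(match):
    """Return a CpeMatch for one cpe_match object, or None if it is unusable."""
    uri = match.get("cpe23Uri")     # a bogus entry may omit this key entirely
    if not isinstance(uri, str) or not match.get("vulnerable", True):
        return None
    m = _CPE_RX.match(uri)
    if m is None:                   # not an application CPE: ignore it
        return None
    _vendor, product, version, patch = m.groups()
    if version in ("*", "-"):
        version = None
    elif patch not in ("*", "-"):   # patch level becomes part of the version string
        version = f"{version}-{patch}"
    return CpeMatch(product, version,
                    match.get("versionStartIncluding"), match.get("versionStartExcluding"),
                    match.get("versionEndIncluding"), match.get("versionEndExcluding"))


def _walk_nodes(nodes):
    """Yield every cpe_match in a node tree; AND/OR structure is flattened (simplification)."""
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from _walk_nodes(node.get("children", []))


def json_to_cves(text):
    """Parse a feed document; items with missing reference_data or cpe23Uri are kept."""
    cves = []
    for item in json.loads(text).get("CVE_Items", []):
        cve = item.get("cve", {})
        cve_id = cve.get("CVE_data_meta", {}).get("ID")
        if not cve_id:
            continue
        refs = cve.get("references", {}).get("reference_data", [])   # tolerate absence
        urls = [r["url"] for r in refs if isinstance(r, dict) and "url" in r]
        nodes = item.get("configurations", {}).get("nodes", [])
        matches = [cm for cm in map(cpe_match_to_cpematch, _walk_nodes(nodes)) if cm]
        cves.append(Cve(cve_id, urls, matches))
    return cves


def version_matches(version, cm):
    """True when VERSION equals the CPE's exact version or lies within its range bounds."""
    key = _version_key(version)
    if cm.version is not None:
        return key == _version_key(cm.version)
    if cm.start_incl and key < _version_key(cm.start_incl):
        return False
    if cm.start_excl and key <= _version_key(cm.start_excl):
        return False
    if cm.end_incl and key > _version_key(cm.end_incl):
        return False
    if cm.end_excl and key >= _version_key(cm.end_excl):
        return False
    return True


def lookup(cves, package, version=None):
    """IDs of CVEs affecting PACKAGE; when VERSION is None, any version counts."""
    return [cve.id for cve in cves
            if any(cm.product == package and (version is None or version_matches(version, cm))
                   for cm in cve.matches)]


# Constructed sample feed with placeholder IDs.  The second item is deliberately
# bogus: no reference_data at all, and one cpe_match without cpe23Uri.
SAMPLE_FEED = json.dumps({"CVE_data_type": "CVE", "CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
             "references": {"reference_data": [{"url": "https://example.invalid/advisory"}]}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:foo:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "1.4.1"},
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:bar:2.0:p1:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}, "references": {}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True},
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:baz:3.1:*:*:*:*:*:*:*"}]}]}}]})


if __name__ == "__main__":
    cves = json_to_cves(SAMPLE_FEED)
    for pkg, ver in [("foo", "1.4.0"), ("foo", "1.4.1"), ("bar", "2.0-p1"), ("baz", None)]:
        print(pkg, ver, lookup(cves, pkg, ver))
```

The robustness point of the 2021 commit lives in two places: `cpe_match_to_cpematch` returns None for a cpe_match without a usable "cpe23Uri", and `json_to_cves` reads "reference_data" through `.get` with a default, so one malformed item costs at most its own matches rather than aborting the whole yearly feed. A real linter would also want a proper version comparison (Debian-style or the distribution's own) in place of `_version_key`, and would honour AND nodes instead of flattening them.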
2018-08-26 | cve: Update feed URL. | Ludovic Courtès |
* guix/cve.scm (yearly-feed-uri): Remove "static." from the URL since
the web site now redirects to the URL without "static.".

2017-11-16 | cve: Use 'http-fetch/cached' instead of having custom caching. | Ludovic Courtès |
That way CVE fetching benefits from 'If-Modified-Since' handling.
* guix/http-client.scm (http-fetch/cached): Add #:write-cache and
#:cache-miss parameters and honor them.
* guix/cve.scm (%current-year-ttl, %past-year-ttl): Reduce.
(call-with-cve-port): Remove.
(write-cache): New procedure.
(fetch-vulnerabilities): Rewrite in terms of 'http-fetch/cached'.

2017-09-19 | cve: Disable position recording while reading the CVE list. | Ludovic Courtès |
* guix/cve.scm (fetch-vulnerabilities)[read*]: New procedure.
Use it in lieu of 'read'.

2016-05-28 | cve: Use a more compact format for the list of package/versions. | Ludovic Courtès |
On a warm cache, "guix lint -c cve vorbis-tools" goes down
from 6.5s to 2.4s.
* guix/cve.scm (cpe->package-name): Change to return two values instead
of a pair.
(cpe->product-alist): New procedure.
(%parse-vulnerability-feed): Use it instead of 'filter-map'.
(fetch-vulnerabilities): Bump sexp format version to 1.
(vulnerabilities->lookup-proc): Adjust accordingly. When #:version is
omitted, return a list of vulnerabilities instead of a list of
version/vulnerability pairs.
* tests/cve.scm (%expected-vulnerabilities)
("vulnerabilities->lookup-proc"): Adjust accordingly.

2016-05-26 | cve: Include the 3 previous years of vulnerabilities. | Ludovic Courtès |
* guix/cve.scm (fetch-vulnerabilities): Add 'format' call.
(current-vulnerabilities): Include the 3 previous years.

2016-05-23 | cve: Remove now unnecessary HTTP caching. | Ludovic Courtès |
* guix/cve.scm (call-with-cve-port): Use 'http-fetch' instead of
'http-fetch/cached'.

2016-05-23 | cve: Keep a summarized sexp in cache instead of the full XML. | Ludovic Courtès |
This avoids ~20s of XML parsing when running 'guix lint -c cve'.
* guix/cve.scm (vulnerability->sexp, sexp->vulnerability)
(fetch-vulnerabilities): New procedures.
(current-vulnerabilities): Use 'fetch-vulnerabilities'.

2016-03-11 | cve: Read entire CVE databases for the current year and the past year. | Ludovic Courtès |
The "Modified" database that we were reading is much smaller, but it
only shows CVEs modified over the past week.
* guix/cve.scm (%now, %current-year, %past-year): New variables.
(yearly-feed-uri): New procedure.
(%cve-feed-uri, %ttl): Remove.
(%current-year-ttl, %past-year-ttl): New variables.
(call-with-cve-port): Add 'uri' and 'ttl' parameters and honor them.
Add 'setvbuf' call.
(current-vulnerabilities)[read-vulnerabilities]: New procedure.
Read from both %LAST-YEAR and %CURRENT-YEAR.

2016-03-11 | cve: Make CPE patch level part of the version string. | Ludovic Courtès |
* guix/cve.scm (%cpe-package-rx): Adjust to account for :PATCH-LEVEL.
(cpe->package-name): Likewise.

2015-11-26 | Add (guix cve). | Ludovic Courtès |
* guix/cve.scm, tests/cve-sample.xml, tests/cve.scm: New files.
* Makefile.am (MODULES): Add guix/cve.scm.
(SCM_TESTS): Add tests/cve.scm.
(EXTRA_DIST): Add tests/cve-sample.scm.