summaryrefslogtreecommitdiff
path: root/guix/cve.scm
AgeCommit message (Collapse)Author
2021-04-21cve: Gracefully handle bogus CVE entries.Ludovic Courtès
Fixes <https://bugs.gnu.org/47941>. Reported by Jack Hill <jackhill@jackhill.us>. * guix/cve.scm (reference-data->cve-references): Gracefully handle lack of "reference_data". (cpe-match->cve-configuration): Gracefully handle lack of "cpe23Uri".
2020-10-12lint: cve: Set a connection timeout.Ludovic Courtès
This (notably) works around the fact that nvd.nist.gov is currently inaccessible over IPv6. * guix/cve.scm (fetch-vulnerabilities): Add #:timeout and pass it to 'http-fetch/cached'. (current-vulnerabilities): Add #:timeout and pass it to 'fetch-vulnerabilities'. * guix/lint.scm (current-vulnerabilities*): Pass #:timeout to 'current-vulnerabilities'.
2020-09-08Remove (guix json) and require Guile-JSON 4.3.0+.Ludovic Courtès
This is a followup to 4071879c86d059ee087c8986915ea72b8c742b72. * guix/json.scm: Remove. * Makefile.am (MODULES): Adjust accordingly. * m4/guix.m4 (GUIX_CHECK_GUILE_JSON): Check for 'define-json-mapping'. * doc/guix.texi (Requirements): Require Guile-JSON 4.3.0+. * guix/ci.scm, guix/cve.scm, guix/import/cpan.scm, guix/import/crate.scm, guix/swh.scm: Remove (guix json) import. * guix/import/gem.scm, guix/import/pypi.scm: Likewise, and import (json). * guix/self.scm (specification->package): Switch to GUILE-JSON-4. * guix/git-download.scm (git-fetch): Likewise.
2020-07-25Use 'formatted-message' instead of '&message' where appropriate.Ludovic Courtès
* gnu.scm (%try-use-modules): Use 'formatted-message' instead of '&message'. * gnu/machine/digital-ocean.scm (maybe-raise-unsupported-configuration-error): Likewise. * gnu/machine/ssh.scm (machine-check-file-system-availability): Likewise. (machine-check-building-for-appropriate-system): Likewise. (deploy-managed-host): Likewise. (maybe-raise-unsupported-configuration-error): Likewise. * gnu/packages.scm (search-patch): Likewise. * gnu/services.scm (%service-with-default-value): Likewise. (files->etc-directory): Likewise. (fold-services): Likewise. * gnu/system.scm (locale-name->definition*): Likewise. * gnu/system/mapped-devices.scm (check-device-initrd-modules): Likewise. (check-luks-device): Likewise. * guix/channels.scm (latest-channel-instance): Likewise. * guix/cve.scm (json->cve-items): Likewise. * guix/git-authenticate.scm (commit-signing-key): Likewise. (commit-authorized-keys): Likewise. (authenticate-commit): Likewise. (verify-introductory-commit): Likewise. * guix/remote.scm (remote-pipe-for-gexp): Likewise. * guix/scripts/graph.scm (assert-package): Likewise. * guix/scripts/offload.scm (private-key-from-file*): Likewise. * guix/ssh.scm (authenticate-server*): Likewise. (open-ssh-session): Likewise. (remote-inferior): Likewise. * guix/ui.scm (matching-generations): Likewise. * guix/upstream.scm (package-update): Likewise. * tests/channels.scm ("latest-channel-instances, missing introduction for 'guix'"): Catch 'formatted-message?'. ("authenticate-channel, wrong first commit signer"): Likewise. * tests/lint.scm ("patches: not found"): Adjust message string. * tests/packages.scm ("patch not found yields a run-time error"): Catch 'formatted-message?'. * guix/lint.scm (check-patch-file-names): Handle 'formatted-message?'. (check-derivation): Ditto.
2020-07-10cve: Fix typos in <cve> accessor.Ludovic Courtès
* guix/cve.scm (<cve>)[references]: Rename accessor to 'cve-references' and fix adjust exported name accordingly.
2019-10-23cve: Rewrite to read the JSON feed instead of the XML feed.Ludovic Courtès
The XML feed was discontinued on Oct. 16th, 2019: <https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3> * guix/cve.scm (string->date*): New procedure. (<cve-item>, <cve>, <cve-reference>): New record types. (cpe-match->cve-configuration, configuration-data->cve-configurations) (json->cve-items, version-matches?): New procedures. (yearly-feed-uri): Change URL to refer to JSON feed. (cpe->product-alist, %parse-vulnerability-feed) (xml->vulnerabilities): Remove. (cve-configuration->package-list, merge-package-lists) (cve-item->vulnerability, json->vulnerabilities): New procedures. (write-cache): Use 'json->vulnerabilities' instead of 'xml->vulnerabilities', and remove 'parameterize'. (vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is true. * tests/cve.scm (%sample): Use 'tests/cve-sample.json'. (%expected-vulnerabilities): Rewrite accordingly. ("json->cve-items", "cve-item-published-date") ("json->vulnerabilities"): New tests. ("xml->vulnerabilities"): Remove. ("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities. * tests/cve-sample.json: New file. * tests/cve-sample.xml: Remove. * Makefile.am (EXTRA_DIST): Adjust accordingly. * doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2018-08-26cve: Update feed URL.Ludovic Courtès
* guix/cve.scm (yearly-feed-uri): Remove "static." from the URL since the web site now redirects to the URL without "static.".
2017-11-16cve: Use 'http-fetch/cached' instead of having custom caching.Ludovic Courtès
That way CVE fetching benefits from 'If-Modified-Since' handling. * guix/http-client.scm (http-fetch/cached): Add #:write-cache and #:cache-miss parameters and honor them. * guix/cve.scm (%current-year-ttl, %past-year-ttl): Reduce. (call-with-cve-port): Remove. (write-cache): New procedure. (fetch-vulnerabilities): Rewrite in terms of 'http-fetch/cached'.
2017-09-19cve: Disable position recording while reading the CVE list.Ludovic Courtès
* guix/cve.scm (fetch-vulnerabilities)[read*]: New procedure. Use it in lieu of 'read'.
2016-05-28cve: Use a more compact format for the list of package/versions.Ludovic Courtès
On a warm cache, "guix lint -c cve vorbis-tools" goes down from 6.5s to 2.4s. * guix/cve.scm (cpe->package-name): Change to return two values instead of a pair. (cpe->product-alist): New procedure. (%parse-vulnerability-feed): Use it instead of 'filter-map'. (fetch-vulnerabilities): Bump sexp format version to 1. (vulnerabilities->lookup-proc): Adjust accordingly. When #:version is omitted, return a list of vulnerabilities instead of a list of version/vulnerability pairs. * tests/cve.scm (%expected-vulnerabilities) ("vulnerabilities->lookup-proc): Adjust accordingly.
2016-05-26cve: Include the 3 previous years of vulnerabilities.Ludovic Courtès
* guix/cve.scm (fetch-vulnerabilities): Add 'format' call. (current-vulnerabilities): Include the 3 previous years.
2016-05-23cve: Remove now unnecessary HTTP caching.Ludovic Courtès
* guix/cve.scm (call-with-cve-port): Use 'http-fetch' instead of 'http-fetch/cached'.
2016-05-23cve: Keep a summarized sexp in cache instead of the full XML.Ludovic Courtès
This avoids ~20s of XML parsing when running 'guix lint -c cve'. * guix/cve.scm (vulnerability->sexp, sexp->vulnerability) (fetch-vulnerabilities): New procedures. (current-vulnerabilities): Use 'fetch-vulnerabilities'.
2016-03-11cve: Read entire CVE databases for the current year and the past year.Ludovic Courtès
The "Modified" database that we were reading is much smaller, but it only shows CVEs modified over the past week. * guix/cve.scm (%now, %current-year, %past-year): New variables. (yearly-feed-uri): New procedure. (%cve-feed-uri, %ttl): Remove. (%current-year-ttl, %past-year-ttl): New variables. (call-with-cve-port): Add 'uri' and 'ttl' parameters and honor them. Add 'setvbuf' call. (current-vulnerabilities)[read-vulnerabilities]: New procedure. Read from both %LAST-YEAR and %CURRENT-YEAR.
2016-03-11cve: Make CPE patch level part of the version string.Ludovic Courtès
* guix/cve.scm (%cpe-package-rx): Adjust to account for :PATCH-LEVEL. (cpe->package-name): Likewise.
2015-11-26Add (guix cve).Ludovic Courtès
* guix/cve.scm, tests/cve-sample.xml, tests/cve.scm: New files. * Makefile.am (MODULES): Add guix/cve.scm. (SCM_TESTS): Add tests/cve.scm. (EXTRA_DIST): Add tests/cve-sample.scm.