Hi, Brice Waegeneire <[email protected]> skribis:
> The CVE checker of “guix lint” returns false positives: > ┌──── > │ LANGUAGE=C guix lint git 2>&1 > ├─── > │ gnu/packages/version-control.scm:149:2: [email protected]: probably > vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110, > CVE-2018-1000182 [...] > • [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]” > • [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]” > • [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier > […]” > • [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]” (guix cve) reports it as applying to “git”: --8<---------------cut here---------------start------------->8--- scheme@(guix cve)> (define items (call-with-decompressed-port 'gzip (http-fetch (yearly-feed-uri 2020)) json->cve-items)) scheme@(guix cve)> (find (lambda (item) (string=? (cve-id (cve-item-cve item)) "CVE-2020-2136")) items) $130 = #<<cve-item> cve: #<<cve> id: "CVE-2020-2136" data-type: CVE data-format: MITRE references: (#<<cve-reference> url: "http://www.openwall.com/lists/oss-security/2020/03/09/1"; tags: ("Third Party Advisory")> #<<cve-reference> url: "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723"; tags: ("Vendor Advisory")>)> configurations: (("git" (<= "4.2.0"))) published-date: #<date nanosecond: 0 second: 0 minute: 15 hour: 16 day: 9 month: 3 year: 2020 zone-offset: 0> last-modified-date: #<date nanosecond: 0 second: 0 minute: 4 hour: 20 day: 9 month: 3 year: 2020 zone-offset: 0>> --8<---------------cut here---------------end--------------->8--- I think the problem stems from the fact that the CVE configuration specify “jenkins:git” (where “jenkins” is the “vendor” and “git” is the “product”), but we just strip the vendor part: --8<---------------cut here---------------start------------->8--- $ wget -O - -q https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz| gunzip | jq […] "configurations": { "CVE_data_version": "4.0", "nodes": [ { "operator": "OR", "cpe_match": [ { "vulnerable": true, "cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*", "versionEndIncluding": "4.2.0" } ] } ] --8<---------------cut here---------------end--------------->8--- It’s usually the case that the vendor part has little relevance for free software packages, but in this case it does make a difference. Probably the fix would be to preserve the vendor part in the API and to somehow use it meaningfully. Ideas & patches welcome! > Also note the missing / on the first line and it output on `stderr' > instead of `stdout'. What do you mean? Thanks, Ludo’.
