me/guix
Archived
1
0
Fork 0
Code Activity

cve: Gracefully handle bogus CVE entries.

Browse source 
Fixes <https://bugs.gnu.org/47941>.
Reported by Jack Hill <jackhill@jackhill.us>.

* guix/cve.scm (reference-data->cve-references): Gracefully handle lack
of "reference_data".
(cpe-match->cve-configuration): Gracefully handle lack of "cpe23Uri".
This commit is contained in:
Ludovic Courtès 2021-04-21 23:49:59 +02:00
parent 50616a7dfb
commit 7dbc2fcb45
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 18 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
guix/cve.scm
View file

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -99,7 +99,9 @@
(define (reference-data->cve-references alist) (define (reference-data->cve-references alist)
(map json->cve-reference (map json->cve-reference
(vector->list (assoc-ref alist "reference_data")))) ;; Normally "reference_data" is always present but rejected CVEs such
;; as CVE-2020-10020 can lack it.
(vector->list (or (assoc-ref alist "reference_data") '#()))))
(define %cpe-package-rx (define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
@ -137,17 +139,20 @@ package."
(starte (assoc-ref alist "versionStartExcluding")) (starte (assoc-ref alist "versionStartExcluding"))
(endi (assoc-ref alist "versionEndIncluding")) (endi (assoc-ref alist "versionEndIncluding"))
(ende (assoc-ref alist "versionEndExcluding"))) (ende (assoc-ref alist "versionEndExcluding")))
(let-values (((package version) (cpe->package-name cpe))) ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
(and package ;; has a configuration that lacks it.
`(,package (and cpe
,(cond ((and (or starti starte) (or endi ende)) (let-values (((package version) (cpe->package-name cpe)))
`(and ,(if starti `(>= ,starti) `(> ,starte)) (and package
,(if endi `(<= ,endi) `(< ,ende)))) `(,package
(starti `(>= ,starti)) ,(cond ((and (or starti starte) (or endi ende))
(starte `(> ,starte)) `(and ,(if starti `(>= ,starti) `(> ,starte))
(endi `(<= ,endi)) ,(if endi `(<= ,endi) `(< ,ende))))
(ende `(< ,ende)) (starti `(>= ,starti))
(else version))))))) (starte `(> ,starte))
(endi `(<= ,endi))
(ende `(< ,ende))
(else version))))))))
(define (configuration-data->cve-configurations alist) (define (configuration-data->cve-configurations alist)
"Given ALIST, a JSON dictionary for the baroque \"configurations\" "Given ALIST, a JSON dictionary for the baroque \"configurations\"