cve: Read entire CVE databases for the current year and the past year.
The "Modified" database that we were reading is much smaller, but it only shows CVEs modified over the past week. * guix/cve.scm (%now, %current-year, %past-year): New variables. (yearly-feed-uri): New procedure. (%cve-feed-uri, %ttl): Remove. (%current-year-ttl, %past-year-ttl): New variables. (call-with-cve-port): Add 'uri' and 'ttl' parameters and honor them. Add 'setvbuf' call. (current-vulnerabilities)[read-vulnerabilities]: New procedure. Read from both %PAST-YEAR and %CURRENT-YEAR.
This commit is contained in:
parent
ef0f0d5f97
commit
6a25e59514
1 changed files with 40 additions and 13 deletions
53
guix/cve.scm
53
guix/cve.scm
|
@ -49,23 +49,38 @@ (define-record-type <vulnerability>
|
||||||
(id vulnerability-id)
|
(id vulnerability-id)
|
||||||
(packages vulnerability-packages))
|
(packages vulnerability-packages))
|
||||||
|
|
||||||
(define %cve-feed-uri
|
(define %now
|
||||||
(string->uri
|
(current-date))
|
||||||
"https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz"))
|
(define %current-year
|
||||||
|
(date-year %now))
|
||||||
|
(define %past-year
|
||||||
|
(- %current-year 1))
|
||||||
|
|
||||||
(define %ttl
|
(define (yearly-feed-uri year)
|
||||||
|
"Return the URI for the CVE feed for YEAR."
|
||||||
|
(string->uri
|
||||||
|
(string-append "https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-"
|
||||||
|
(number->string year) ".xml.gz")))
|
||||||
|
|
||||||
|
(define %current-year-ttl
|
||||||
;; According to <https://nvd.nist.gov/download.cfm#CVE_FEED>, feeds are
|
;; According to <https://nvd.nist.gov/download.cfm#CVE_FEED>, feeds are
|
||||||
;; updated "approximately every two hours."
|
;; updated "approximately every two hours."
|
||||||
(* 3600 3))
|
(* 3600 3))
|
||||||
|
|
||||||
(define (call-with-cve-port proc)
|
(define %past-year-ttl
|
||||||
|
;; Update the previous year's database more and more infrequently.
|
||||||
|
(* 3600 24 2 (date-month %now)))
|
||||||
|
|
||||||
|
(define (call-with-cve-port uri ttl proc)
|
||||||
"Pass PROC an input port from which to read the CVE stream."
|
"Pass PROC an input port from which to read the CVE stream."
|
||||||
(let ((port (http-fetch/cached %cve-feed-uri #:ttl %ttl)))
|
(let ((port (http-fetch/cached uri #:ttl ttl)))
|
||||||
(dynamic-wind
|
(dynamic-wind
|
||||||
(const #t)
|
(const #t)
|
||||||
(lambda ()
|
(lambda ()
|
||||||
(call-with-decompressed-port 'gzip port
|
(call-with-decompressed-port 'gzip port
|
||||||
proc))
|
(lambda (port)
|
||||||
|
(setvbuf port _IOFBF 65536)
|
||||||
|
(proc port))))
|
||||||
(lambda ()
|
(lambda ()
|
||||||
(close-port port)))))
|
(close-port port)))))
|
||||||
|
|
||||||
|
@ -142,12 +157,19 @@ (define (xml->vulnerabilities port)
|
||||||
(define (current-vulnerabilities)
|
(define (current-vulnerabilities)
|
||||||
"Return the current list of Common Vulnerabilities and Exposures (CVE) as
|
"Return the current list of Common Vulnerabilities and Exposures (CVE) as
|
||||||
published by the US NIST."
|
published by the US NIST."
|
||||||
(call-with-cve-port
|
(define (read-vulnerabilities uri ttl)
|
||||||
(lambda (port)
|
(call-with-cve-port uri ttl
|
||||||
;; XXX: The SSAX "error port" is used to send pointless warnings such as
|
(lambda (port)
|
||||||
;; "warning: Skipping PI". Turn that off.
|
;; XXX: The SSAX "error port" is used to send pointless warnings such as
|
||||||
(parameterize ((current-ssax-error-port (%make-void-port "w")))
|
;; "warning: Skipping PI". Turn that off.
|
||||||
(xml->vulnerabilities port)))))
|
(parameterize ((current-ssax-error-port (%make-void-port "w")))
|
||||||
|
(xml->vulnerabilities port)))))
|
||||||
|
|
||||||
|
(append-map read-vulnerabilities
|
||||||
|
(list (yearly-feed-uri %past-year)
|
||||||
|
(yearly-feed-uri %current-year))
|
||||||
|
(list %past-year-ttl
|
||||||
|
%current-year-ttl)))
|
||||||
|
|
||||||
(define (vulnerabilities->lookup-proc vulnerabilities)
|
(define (vulnerabilities->lookup-proc vulnerabilities)
|
||||||
"Return a lookup procedure built from VULNERABILITIES that takes a package
|
"Return a lookup procedure built from VULNERABILITIES that takes a package
|
||||||
|
@ -181,4 +203,9 @@ (define table
|
||||||
'()
|
'()
|
||||||
package table)))
|
package table)))
|
||||||
|
|
||||||
|
|
||||||
|
;;; Local Variables:
|
||||||
|
;;; eval: (put 'call-with-cve-port 'scheme-indent-function 2)
|
||||||
|
;;; End:
|
||||||
|
|
||||||
;;; cve.scm ends here
|
;;; cve.scm ends here
|
||||||
|
|
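Review bot: The `append-map` at the end of `current-vulnerabilities` now reads only the feeds for `%past-year` and `%current-year`, and if the NVD yearly feeds are keyed by CVE-ID year (as their file names suggest), a CVE whose ID is two or more years old but which was published or modified recently is no longer seen at all, whereas the dropped "Modified" feed covered exactly those entries for the past week. That is a silent coverage regression for lint users, so I would either keep the "Modified" feed in the URI/TTL lists next to the two yearly feeds (checking that `vulnerabilities->lookup-proc`, which starts outside this hunk, tolerates a CVE appearing twice) or at least document the limitation beside the call: `;; XXX: Yearly feeds are keyed by CVE-ID year, so CVEs with older IDs that were published or modified recently are not covered here.`. Separately, `%now` is evaluated once at module load, so `%current-year`, `%past-year` and `%past-year-ttl` go stale in any process that outlives a month or year boundary; a one-shot command is fine, but a long-lived process would keep fetching the wrong year's feeds, which deserves a comment on `%now` such as `;; Evaluated once at load time; callers must not assume this tracks wall-clock time.`. Nothing beyond the transport verifies the downloaded feed before it is gunzipped and parsed, same as before this change, but with two feeds now fetched it may be worth noting in the docstring of `call-with-cve-port` that integrity rests on the TLS connection made by `http-fetch/cached`.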