mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-11-07 07:26:13 -05:00
cve: Gracefully handle bogus CVE entries.
Fixes <https://bugs.gnu.org/47941>. Reported by Jack Hill <jackhill@jackhill.us>. * guix/cve.scm (reference-data->cve-references): Gracefully handle lack of "reference_data". (cpe-match->cve-configuration): Gracefully handle lack of "cpe23Uri".
This commit is contained in:
parent
50616a7dfb
commit
7dbc2fcb45
1 changed files with 18 additions and 13 deletions
31
guix/cve.scm
31
guix/cve.scm
|
@ -1,5 +1,5 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -99,7 +99,9 @@ (define-json-mapping <cve-reference> cve-reference cve-reference?
|
|||
|
||||
(define (reference-data->cve-references alist)
|
||||
(map json->cve-reference
|
||||
(vector->list (assoc-ref alist "reference_data"))))
|
||||
;; Normally "reference_data" is always present but rejected CVEs such
|
||||
;; as CVE-2020-10020 can lack it.
|
||||
(vector->list (or (assoc-ref alist "reference_data") '#()))))
|
||||
|
||||
(define %cpe-package-rx
|
||||
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
|
||||
|
@ -137,17 +139,20 @@ (define (cpe-match->cve-configuration alist)
|
|||
(starte (assoc-ref alist "versionStartExcluding"))
|
||||
(endi (assoc-ref alist "versionEndIncluding"))
|
||||
(ende (assoc-ref alist "versionEndExcluding")))
|
||||
(let-values (((package version) (cpe->package-name cpe)))
|
||||
(and package
|
||||
`(,package
|
||||
,(cond ((and (or starti starte) (or endi ende))
|
||||
`(and ,(if starti `(>= ,starti) `(> ,starte))
|
||||
,(if endi `(<= ,endi) `(< ,ende))))
|
||||
(starti `(>= ,starti))
|
||||
(starte `(> ,starte))
|
||||
(endi `(<= ,endi))
|
||||
(ende `(< ,ende))
|
||||
(else version)))))))
|
||||
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
|
||||
;; has a configuration that lacks it.
|
||||
(and cpe
|
||||
(let-values (((package version) (cpe->package-name cpe)))
|
||||
(and package
|
||||
`(,package
|
||||
,(cond ((and (or starti starte) (or endi ende))
|
||||
`(and ,(if starti `(>= ,starti) `(> ,starte))
|
||||
,(if endi `(<= ,endi) `(< ,ende))))
|
||||
(starti `(>= ,starti))
|
||||
(starte `(> ,starte))
|
||||
(endi `(<= ,endi))
|
||||
(ende `(< ,ende))
|
||||
(else version))))))))
|
||||
|
||||
(define (configuration-data->cve-configurations alist)
|
||||
"Given ALIST, a JSON dictionary for the baroque \"configurations\"
|
||||
|
|
Loading…
Reference in a new issue