[bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE
From: Ludovic Courtès
Subject: [bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker.
Date: Fri, 04 Feb 2022 22:56:14 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Hello,
Efraim Flashner <efraim@flashner.co.il> skribis:
> - (let ((name (or (assoc-ref (package-properties package)
> - 'cpe-name)
> - (package-name package)))
> - (version (or (assoc-ref (package-properties package)
> - 'cpe-version)
> - (package-version package))))
> + (let* ((pkg-name (package-name package))
> + (version (or (assoc-ref (package-properties package)
> + 'cpe-version)
> + (package-version package)))
> + (name
> + (or (assoc-ref (package-properties package)
> + 'cpe-name)
> + (false-if-exception
> + (first
> + (filter string?
> + (map (lambda (prefix)
> + (when (string-prefix? prefix pkg-name)
> + (string-drop pkg-name (string-length
> prefix))))
> + '("java-" "perl-" "python-" "python2-"
> "ruby-")))))
> + pkg-name)))
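Review bot: the `filter string?` / `first` / `false-if-exception` chain in the new `name` binding only exists because `when` yields an unspecified value for every non-matching prefix and `first` raises on an empty list; `(any (lambda (prefix) (and (string-prefix? prefix pkg-name) (string-drop pkg-name (string-length prefix)))) '("java-" "perl-" "python-" "python2-" "ruby-"))` returns the stripped name or `#f` directly, drops the intermediate list, and stops `false-if-exception` from also swallowing unrelated errors. Since the stripped name is only a guess at the upstream product name, it is worth a comment in the hunk that the `'cpe-name` property remains the authoritative override for packages whose stripped name would otherwise match a different CPE product.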
I agree with Maxime’s suggestions.
In addition, I’d suggest moving this code out in two procedures,
‘package-cpe-name’ and ‘package-cpe-version’, that would honor the
relevant property and fall back to stripping prefixes.
Then ‘package-vulnerabilities’ would simply call these two procedures.
How does that sound?
Longer-term, we should add a thing that proposes correct CPE names:
https://issues.guix.gnu.org/42299
Thanks,
Ludo’.
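The refactoring Ludovic proposes, written out as an added example (this is not code from the patch or from Guix itself). It assumes a minimal SRFI-9 stand-in for Guix's `<package>` record, so that the file runs in plain Guile without `(guix packages)`; the prefix list is the one from the patch, and `lookup` is a hypothetical stand-in for the CVE database query.

```scheme
;; Added example: the 'package-cpe-name' / 'package-cpe-version' split
;; suggested in the reply, against a stand-in record (not Guix's own code).
(use-modules (srfi srfi-1)   ; any
             (srfi srfi-9))  ; define-record-type

;; Stand-in for Guix's <package> record, constructed for this example.
(define-record-type <package>
  (make-package name version properties)
  package?
  (name package-name)
  (version package-version)
  (properties package-properties))

;; Language prefixes from the patch.  Removing them is only a heuristic
;; for guessing the upstream (CPE product) name.
(define %cpe-name-prefixes
  '("java-" "perl-" "python-" "python2-" "ruby-"))

(define (strip-language-prefix name)
  "Return NAME without the first matching prefix from %CPE-NAME-PREFIXES,
or NAME itself when no prefix matches.  'any' yields the first true value,
so no filtering or exception handling is needed."
  (or (any (lambda (prefix)
             (and (string-prefix? prefix name)
                  (string-drop name (string-length prefix))))
           %cpe-name-prefixes)
      name))

(define (package-cpe-name package)
  "Return the CPE product name of PACKAGE: the 'cpe-name' property when
set, otherwise the package name with a known language prefix removed."
  (or (assoc-ref (package-properties package) 'cpe-name)
      (strip-language-prefix (package-name package))))

(define (package-cpe-version package)
  "Return the CPE version of PACKAGE: the 'cpe-version' property when set,
otherwise the package version."
  (or (assoc-ref (package-properties package) 'cpe-version)
      (package-version package)))

;; 'package-vulnerabilities' then only has to call the two procedures.
;; LOOKUP is a hypothetical stand-in for the CVE database query.
(define (package-vulnerabilities package lookup)
  (lookup (package-cpe-name package) (package-cpe-version package)))

;; Constructed sample packages: one relying on prefix stripping, one
;; with explicit CPE properties that must take precedence.
(define python-requests
  (make-package "python-requests" "2.27.1" '()))
(define openssl
  (make-package "openssl" "1.1.1m"
                '((cpe-name . "openssl") (cpe-version . "1.1.1m"))))

(for-each (lambda (pkg)
            (format #t "~a -> cpe:~a:~a~%"
                    (package-name pkg)
                    (package-cpe-name pkg)
                    (package-cpe-version pkg)))
          (list python-requests openssl))
```

Trying the property first and stripping prefixes only as a fallback matters for the checker's accuracy: a stripped name such as the bare product name left after removing `python-` can collide with an unrelated CPE product, so packagers keep the `cpe-name` property as the explicit override for those cases, and the heuristic never silently replaces a name that was set on purpose.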