2015-11-26 20:52:25 +00:00
|
|
|
|
;;; GNU Guix --- Functional package management for GNU
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
;;; Copyright © 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
|
2015-11-26 20:52:25 +00:00
|
|
|
|
;;;
|
|
|
|
|
|
;;; This file is part of GNU Guix.
|
|
|
|
|
|
;;;
|
|
|
|
|
|
;;; GNU Guix is free software; you can redistribute it and/or modify it
|
|
|
|
|
|
;;; under the terms of the GNU General Public License as published by
|
|
|
|
|
|
;;; the Free Software Foundation; either version 3 of the License, or (at
|
|
|
|
|
|
;;; your option) any later version.
|
|
|
|
|
|
;;;
|
|
|
|
|
|
;;; GNU Guix is distributed in the hope that it will be useful, but
|
|
|
|
|
|
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
;;; GNU General Public License for more details.
|
|
|
|
|
|
;;;
|
|
|
|
|
|
;;; You should have received a copy of the GNU General Public License
|
|
|
|
|
|
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
|
|
(define-module (test-cve)
|
|
|
|
|
|
#:use-module (guix cve)
|
|
|
|
|
|
#:use-module (srfi srfi-1)
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
#:use-module (srfi srfi-19)
|
2015-11-26 20:52:25 +00:00
|
|
|
|
#:use-module (srfi srfi-64))
|
|
|
|
|
|
|
|
|
|
|
|
(define %sample
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
(search-path %load-path "tests/cve-sample.json"))
|
2015-11-26 20:52:25 +00:00
|
|
|
|
|
|
|
|
|
|
(define (vulnerability id packages)
|
2019-10-20 20:03:12 +00:00
|
|
|
|
(make-struct/no-tail (@@ (guix cve) <vulnerability>) id packages))
|
2015-11-26 20:52:25 +00:00
|
|
|
|
|
|
|
|
|
|
(define %expected-vulnerabilities
|
|
|
|
|
|
;; What we should get when reading %SAMPLE.
|
|
|
|
|
|
(list
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
(vulnerability "CVE-2019-0001"
|
|
|
|
|
|
;; Only the "a" CPE configurations are kept; the "o"
|
|
|
|
|
|
;; configurations are discarded.
|
|
|
|
|
|
'(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
|
|
|
|
|
|
(vulnerability "CVE-2019-0005"
|
|
|
|
|
|
'(("junos" (or "18.11" "18.1"))))
|
|
|
|
|
|
;; CVE-2019-0005 has no "a" configurations.
|
|
|
|
|
|
(vulnerability "CVE-2019-14811"
|
|
|
|
|
|
'(("ghostscript" (< "9.28"))))
|
|
|
|
|
|
(vulnerability "CVE-2019-17365"
|
|
|
|
|
|
'(("nix" (<= "2.3"))))
|
|
|
|
|
|
(vulnerability "CVE-2019-1010180"
|
|
|
|
|
|
'(("gdb" _))) ;any version
|
|
|
|
|
|
(vulnerability "CVE-2019-1010204"
|
|
|
|
|
|
'(("binutils" (and (>= "2.21") (<= "2.31.1")))
|
|
|
|
|
|
("binutils_gold" (and (>= "1.11") (<= "1.16")))))
|
|
|
|
|
|
;; CVE-2019-18192 has no associated configurations.
|
2015-11-26 20:52:25 +00:00
|
|
|
|
))
|
|
|
|
|
|
|
|
|
|
|
|
�
|
|
|
|
|
|
(test-begin "cve")
|
|
|
|
|
|
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
(test-equal "json->cve-items"
|
|
|
|
|
|
'("CVE-2019-0001"
|
|
|
|
|
|
"CVE-2019-0005"
|
|
|
|
|
|
"CVE-2019-14811"
|
|
|
|
|
|
"CVE-2019-17365"
|
|
|
|
|
|
"CVE-2019-1010180"
|
|
|
|
|
|
"CVE-2019-1010204"
|
|
|
|
|
|
"CVE-2019-18192")
|
|
|
|
|
|
(map (compose cve-id cve-item-cve)
|
|
|
|
|
|
(call-with-input-file %sample json->cve-items)))
|
|
|
|
|
|
|
|
|
|
|
|
(test-equal "cve-item-published-date"
|
|
|
|
|
|
'(2019)
|
|
|
|
|
|
(delete-duplicates
|
|
|
|
|
|
(map (compose date-year cve-item-published-date)
|
|
|
|
|
|
(call-with-input-file %sample json->cve-items))))
|
|
|
|
|
|
|
|
|
|
|
|
(test-equal "json->vulnerabilities"
|
2015-11-26 20:52:25 +00:00
|
|
|
|
%expected-vulnerabilities
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
(call-with-input-file %sample json->vulnerabilities))
|
2015-11-26 20:52:25 +00:00
|
|
|
|
|
2016-05-27 22:44:36 +00:00
|
|
|
|
(test-equal "vulnerabilities->lookup-proc"
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
(list (list (third %expected-vulnerabilities)) ;ghostscript
|
|
|
|
|
|
(list (third %expected-vulnerabilities))
|
|
|
|
|
|
'()
|
|
|
|
|
|
|
|
|
|
|
|
(list (fifth %expected-vulnerabilities)) ;gdb
|
|
|
|
|
|
(list (fifth %expected-vulnerabilities))
|
|
|
|
|
|
|
|
|
|
|
|
(list (fourth %expected-vulnerabilities)) ;nix
|
2015-11-26 20:52:25 +00:00
|
|
|
|
'()
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
|
|
|
|
|
|
(list (sixth %expected-vulnerabilities)) ;binutils
|
2015-11-26 20:52:25 +00:00
|
|
|
|
'()
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
(list (sixth %expected-vulnerabilities))
|
|
|
|
|
|
'())
|
|
|
|
|
|
(let* ((vulns (call-with-input-file %sample json->vulnerabilities))
|
2015-11-26 20:52:25 +00:00
|
|
|
|
(lookup (vulnerabilities->lookup-proc vulns)))
|
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:
<https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>
* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
2019-10-20 20:10:00 +00:00
|
|
|
|
(list (lookup "ghostscript")
|
|
|
|
|
|
(lookup "ghostscript" "9.27")
|
|
|
|
|
|
(lookup "ghostscript" "9.28")
|
|
|
|
|
|
(lookup "gdb")
|
|
|
|
|
|
(lookup "gdb" "42.0")
|
|
|
|
|
|
(lookup "nix")
|
|
|
|
|
|
(lookup "nix" "2.4")
|
|
|
|
|
|
(lookup "binutils" "2.31.1")
|
|
|
|
|
|
(lookup "binutils" "2.10")
|
|
|
|
|
|
(lookup "binutils_gold" "1.11")
|
|
|
|
|
|
(lookup "binutils" "2.32"))))
|
2015-11-26 20:52:25 +00:00
|
|
|
|
|
|
|
|
|
|
(test-end "cve")
|