Hi! Commit 5432734 adds a ‘cve’ checker for ‘guix lint’. It fetches the CVE database from NIST, matches package names/versions against those found in CVEs, and reports CVE IDs:
--8<---------------cut here---------------start------------->8---
$ time GUIX_PACKAGE_PATH= ./pre-inst-env guix lint -c cve
gnu/packages/gcc.scm:324:2: gcc-4.9.3: probably vulnerable to CVE-2015-5276
gnu/packages/image.scm:708:2: jasper-1.900.1: probably vulnerable to CVE-2008-3522
gnu/packages/pulseaudio.scm:44:2: libsndfile-1.0.25: probably vulnerable to CVE-2015-7805
gnu/packages/xml.scm:64:2: libxml2-2.9.2: probably vulnerable to CVE-2015-7941, CVE-2015-7942
gnu/packages/xml.scm:144:2: libxslt-1.1.28: probably vulnerable to CVE-2015-7995

real 0m2.669s
user 0m2.248s
sys 0m0.120s
--8<---------------cut here---------------end--------------->8---

The libxml2/libxslt issues are actually patched, but since we didn’t change the version number, the tool assumes that our packages are vulnerable. We should change version numbers in the future when patching vulnerabilities.

One limitation is that package names may differ between CVEs and what we have. There’s a tentative ‘package-name->cpe-name’ conversion procedure that currently handles one case, but we should augment it as we notice new cases.

Thoughts?

Ludo’.
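The matching step the message describes (CPE product/version from the NIST feed against package name/version, with a name-conversion table in front) can be illustrated with a small stand-alone model. This is an added example, not the Guix checker's own code: the CVE feed below is a constructed sample (the CVE IDs echo the ones in the message, but the CPE strings are made up and not taken from the real NIST data), the 'python-lxml' -> 'lxml' name mapping is a hypothetical entry, and the `patched` list goes beyond what the message's checker does: it models one way to suppress the "same version number, already patched" false positive the message points out.

```python
"""Toy model of the matching step in a 'guix lint -c cve'-style checker.

Added example; not the Guix implementation. All data below is constructed.
"""
from collections import defaultdict

# Constructed sample of what a CVE feed boils down to after parsing:
# CVE ID -> affected CPE 2.2 URIs (cpe:/part:vendor:product:version).
# The CVE IDs are the ones reported in the message; the CPE strings are
# made up for this example, not copied from the NIST feed.
SAMPLE_CVE_FEED = {
    "CVE-2015-5276": ["cpe:/a:gnu:gcc:4.9.3", "cpe:/a:gnu:gcc:5.1.0"],
    "CVE-2008-3522": ["cpe:/a:jasper_project:jasper:1.900.1"],
    "CVE-2015-7805": ["cpe:/a:libsndfile_project:libsndfile:1.0.25"],
    "CVE-2015-7941": ["cpe:/a:xmlsoft:libxml2:2.9.2"],
    "CVE-2015-7942": ["cpe:/a:xmlsoft:libxml2:2.9.2"],
    "CVE-2015-7995": ["cpe:/a:xmlsoft:libxslt:1.1.28"],
}

# Hypothetical name table (constructed): Guix package name -> CPE product name.
# Plays the role of the 'package-name->cpe-name' procedure from the message.
PACKAGE_NAME_TO_CPE_NAME = {
    "python-lxml": "lxml",
}


def package_name_to_cpe_name(name):
    """Map a Guix package name to the product name NIST uses; identity by default."""
    return PACKAGE_NAME_TO_CPE_NAME.get(name, name)


def parse_cpe(uri):
    """Split a CPE 2.2 URI into (part, vendor, product, version); missing fields -> ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))
    part, vendor, product, version = fields[:4]
    return part, vendor, product, version


def index_feed(feed):
    """Build {(product, version): set(cve_ids)} so each package lookup is a dict hit."""
    index = defaultdict(set)
    for cve_id, uris in feed.items():
        for uri in uris:
            part, _vendor, product, version = parse_cpe(uri)
            if part != "a":  # only application entries can match a package
                continue
            index[(product, version)].add(cve_id)
    return index


def vulnerable_cves(package_name, version, index, patched=()):
    """Sorted CVE IDs whose CPE matches this package/version, minus known-patched ones.

    `patched` is an assumption of this example: a per-package list of CVEs already
    fixed by a patch without a version bump, so they are not reported again.
    """
    cpe_name = package_name_to_cpe_name(package_name)
    hits = index.get((cpe_name, version), set()) - set(patched)
    return sorted(hits)


def lint(packages, feed, patched_by_package=None):
    """packages: iterable of (name, version). Returns one report line per hit."""
    patched_by_package = patched_by_package or {}
    index = index_feed(feed)
    reports = []
    for name, version in packages:
        cves = vulnerable_cves(name, version, index, patched_by_package.get(name, ()))
        if cves:
            reports.append("%s-%s: probably vulnerable to %s"
                           % (name, version, ", ".join(cves)))
    return reports


if __name__ == "__main__":
    pkgs = [("gcc", "4.9.3"), ("libxml2", "2.9.2"), ("libxslt", "1.1.28"),
            ("libxml2", "2.9.3"), ("libpng", "1.6.18")]
    for line in lint(pkgs, SAMPLE_CVE_FEED):
        print(line)
    print("--- with the libxml2 patches recorded ---")
    for line in lint(pkgs, SAMPLE_CVE_FEED,
                     {"libxml2": ["CVE-2015-7941", "CVE-2015-7942"]}):
        print(line)
```

The first run reproduces the message's behaviour: libxml2-2.9.2 is flagged even though the Guix package carries the fix, because the version string is all the checker can see. Either bumping the version (the message's suggestion) or recording the patched IDs, as the second run does, removes the false positive; libxml2-2.9.3 and libpng never match because no sample CPE has that product/version pair.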