[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE
|
From: |
Efraim Flashner |
|
Subject: |
[bug#53721] [PATCH] lint: Perform fuzzy search on package names for CVE checker. |
|
Date: |
Wed, 2 Feb 2022 17:13:25 +0200 |
On Wed, Feb 02, 2022 at 03:54:38PM +0100, Maxime Devos wrote:
> Efraim Flashner schreef op wo 02-02-2022 om 16:15 [+0200]:
> > + (false-if-exception
> > + (first
> > + (filter string?
> > + (map (lambda (prefix)
> > + (when (string-prefix? prefix
> > pkg-name)
> > + (string-drop pkg-name
> > (string-length prefix))))
> > + '("java-" "perl-" "python-" "python2-"
> > "ruby-")))))
> > + pkg-name)))
>
> When can an exception happen here?
I tossed in 'glibc' since I know that always has CVEs listed against it,
you can't take first from an empty list.
> Also, the following seems simpler and equivalent:
>
> (any (lambda (prefix)
> (and (string-prefix? prefix)
> (string-drop pkg-name (string-length prefix))))
> '("java-" "perl-" "python-" "python2-" "ruby-"))
That is much nicer.
> It would be nice to test the code for guessing the CPE name of a
> package in a few unit tests.
Definitely. Also I should check if we should try dropping any of the
other prefixes. rust might work, go probably needs some actual
transformation to happen.
> Greetings,
> Maxime
--
Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
signature.asc
Description: PGP signature