1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
4 ;;; This file is part of GNU Guix.
6 ;;; GNU Guix is free software; you can redistribute it and/or modify it
7 ;;; under the terms of the GNU General Public License as published by
8 ;;; the Free Software Foundation; either version 3 of the License, or (at
9 ;;; your option) any later version.
11 ;;; GNU Guix is distributed in the hope that it will be useful, but
12 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
13 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ;;; GNU General Public License for more details.
16 ;;; You should have received a copy of the GNU General Public License
17 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
19 (define-module (guix cve)
20 #:use-module (guix utils)
21 #:use-module (guix http-client)
22 #:use-module ((guix build utils) #:select (mkdir-p))
23 #:use-module (sxml ssax)
24 #:use-module (web uri)
25 #:use-module (srfi srfi-1)
26 #:use-module (srfi srfi-9)
27 #:use-module (srfi srfi-11)
28 #:use-module (srfi srfi-19)
29 #:use-module (srfi srfi-26)
30 #:use-module (ice-9 match)
31 #:use-module (ice-9 regex)
32 #:use-module (ice-9 vlist)
33 #:export (vulnerability?
35 vulnerability-packages
38 current-vulnerabilities
39 vulnerabilities->lookup-proc))
43 ;;; This module provides the tools to fetch, parse, and digest part of the
44 ;;; Common Vulnerabilities and Exposures (CVE) feeds provided by the US NIST
45 ;;; at <https://nvd.nist.gov/download.cfm#CVE_FEED>.
49 (define-record-type <vulnerability>
50 (vulnerability id packages) ;constructor
52 (id vulnerability-id) ;string, the entry's identifier
53 (packages vulnerability-packages)) ;alist of package name to versions: ((p1 v1 v2 v3) (p2 v1) ...)
62 (define (yearly-feed-uri year)
63 "Return the URI for the CVE feed for YEAR."
65 (string-append "https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-" ;one feed file per year
66 (number->string year) ".xml.gz"))) ;YEAR is a number; the file name ends in ".xml.gz"
68 (define %current-year-ttl
69 ;; Cache time-to-live for the current year's feed.  According to
70 ;; <https://nvd.nist.gov/download.cfm#CVE_FEED>, feeds are updated "approximately every two hours."
73 (define %past-year-ttl
74 ;; Update the previous years' databases more and more infrequently as the year goes by.
75 (* 3600 24 2 (date-month %now))) ;two days' worth of seconds times the month number of %NOW
77 (define (call-with-cve-port uri ttl proc)
78 "Pass PROC an input port from which to read the CVE stream."
79 (let ((port (http-fetch uri))) ;fetch URI over HTTP
83 (call-with-decompressed-port 'gzip port ;decompress the gzip'd feed
85 (setvbuf port _IOFBF 65536) ;block buffering with a 64 KiB buffer
90 (define %cpe-package-rx
91 ;; For applications: "cpe:/a:VENDOR:PACKAGE:VERSION", or sometimes
92 ;; "cpe:/a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
93 (make-regexp "^cpe:/a:([^:]+):([^:]+):([^:]+)((:.+)?)")) ;groups: 1 vendor, 2 package, 3 version, 4 ":PATCH-LEVEL" or empty
95 (define (cpe->package-name cpe)
96 "Converts the Common Platform Enumeration (CPE) string CPE to a package
97 name, in a very naive way. Return two values: the package name, and its
98 version string. Return #f and #f if CPE does not look like an application CPE
100 (cond ((regexp-exec %cpe-package-rx (string-trim-both cpe))
103 (values (match:substring matches 2)
104 (string-append (match:substring matches 3)
105 (match (match:substring matches 4)
108 ;; Drop the colon from things like
109 ;; "cpe:/a:openbsd:openssh:6.8:p1".
110 (string-drop patch-level 1)))))))
114 (define (cpe->product-alist products)
115 "Given PRODUCTS, a list of CPE names, return the subset limited to the
116 applications listed in PRODUCTS, with names converted to package names:
119 '(\"cpe:/a:gnu:libtasn1:4.7\" \"cpe:/a:gnu:libtasn1:4.6\" \"cpe:/a:gnu:cpio:2.11\"))
120 => ((\"libtasn1\" \"4.7\" \"4.6\") (\"cpio\" \"2.11\"))
122 (fold (lambda (product result)
123 (let-values (((name version) (cpe->package-name product)))
126 (((previous . versions) . tail)
127 ;; Attempt to coalesce NAME and PREVIOUS.
128 (if (string=? name previous)
129 (alist-cons name (cons version versions) tail)
130 (alist-cons name (list version) result)))
132 (alist-cons name (list version) result)))
135 (sort products string<?)))
137 (define %parse-vulnerability-feed
138 ;; Parse the XML vulnerability feed from
139 ;; <https://nvd.nist.gov/download.cfm#CVE_FEED> and return a list of
140 ;; vulnerability objects.
141 (ssax:make-parser NEW-LEVEL-SEED
142 (lambda (elem-gi attributes namespaces expected-content
145 ((name-space . 'entry)
146 (cons (assoc-ref attributes 'id) seed)) ;push the entry's 'id' attribute onto the seed
147 ((name-space . 'vulnerable-software-list)
149 ((name-space . 'product)
150 (cons 'product seed)) ;push a 'product marker, matched by the ('product ...) clause below
154 (lambda (elem-gi attributes namespaces parent-seed
157 ((name-space . 'entry)
159 (((? string? id) . rest)
160 ;; Some entries have no vulnerable-software-list.
162 ((products id . rest)
163 (match (cpe->product-alist products)
165 ;; No application among PRODUCTS.
168 (cons (vulnerability id packages) ;record the entry as a <vulnerability>
176 (('product software-list . rest)
177 ;; Add STR to the vulnerable software list this
178 ;; <product> tag is part of.
179 (cons (cons str software-list) rest))
182 (define (xml->vulnerabilities port)
183 "Read from PORT an XML feed of vulnerabilities and return a list of
184 vulnerability objects."
185 (reverse (%parse-vulnerability-feed port '()))) ;start from an empty seed; the parser conses entries, so reverse its result
187 (define vulnerability->sexp
189 (($ <vulnerability> id packages)
190 `(v ,id ,packages)))) ;serialized form: (v ID PACKAGES)
192 (define sexp->vulnerability
194 (('v id (packages ...))
195 (vulnerability id packages)))) ;rebuild the record from its (v ID PACKAGES) form
197 (define (fetch-vulnerabilities year ttl)
198 "Return the list of <vulnerability> for YEAR, assuming the on-disk cache has
199 the given TTL (fetch from the NIST web site when TTL has expired)."
200 ;; Note: We used to keep the original XML files in cache but parsing it
201 ;; would take typically ~15s for a year of data. Thus, we instead store a
202 ;; summarized version thereof as an sexp, which can be parsed in 1s or so.
204 (string-append (cache-directory) "/cve/" (number->string year))) ;one file per year under the "cve" sub-directory
207 (call-with-cve-port (yearly-feed-uri year) ttl
209 ;; XXX: The SSAX "error port" is used to send pointless warnings such as
210 ;; "warning: Skipping PI". Turn that off (see 'parameterize' below).
211 (format (current-error-port) "fetching CVE database for ~a...~%" year)
212 (parameterize ((current-ssax-error-port (%make-void-port "w"))) ;discard SSAX warnings
213 (xml->vulnerabilities port)))))
215 (define (update-cache)
216 (mkdir-p (dirname cache)) ;make sure the cache's parent directory exists
217 (let ((vulns (do-fetch)))
218 (with-atomic-file-output cache
220 (write `(vulnerabilities
222 ,(map vulnerability->sexp vulns)) ;store the summarized sexp form, not the XML
227 ;; Return true if FILE was last modified more than TTL seconds ago.
228 (let* ((s (stat file))
229 (now (current-time time-utc)))
230 (< (+ (stat:mtime s) ttl) (time-second now)))) ;mtime + TTL lies in the past
233 ;; Disable the 'positions' read option to avoid populating the source property weak
234 ;; table, which speeds things up, saves memory, and works around
235 ;; <https://lists.gnu.org/archive/html/guile-devel/2017-09/msg00031.html>.
236 (let ((options (read-options))) ;remember the current read options
239 (read-disable 'positions))
243 (read-options options))))) ;restore the saved read options
249 (match (call-with-input-file cache read*)
250 (('vulnerabilities 1 vulns) ;the literal 1 is presumably the cache format version -- confirm
251 (map sexp->vulnerability vulns))
257 (define (current-vulnerabilities)
258 "Return the current list of Common Vulnerabilities and Exposures (CVE) as
259 published by the US NIST."
260 (let ((past-years (unfold (cut > <> 3) ;stop once the counter exceeds 3
265 (past-ttls (unfold (cut > <> 3) ;same stop predicate as for PAST-YEARS
267 (* n %past-year-ttl)) ;the TTL scales with N
270 (append-map fetch-vulnerabilities ;fetch each year with the TTL at the same position
271 (cons %current-year past-years)
272 (cons %current-year-ttl past-ttls))))
274 (define (vulnerabilities->lookup-proc vulnerabilities)
275 "Return a lookup procedure built from VULNERABILITIES that takes a package
276 name and optionally a version number. When the version is omitted, the lookup
277 procedure returns a list of vulnerabilities; otherwise, it returns a list of
278 vulnerabilities affecting the given package version."
280 ;; Map package names to (VULNERABILITY . VERSIONS) pairs.
281 (fold (lambda (vuln table)
283 (($ <vulnerability> id packages)
284 (fold (lambda (package table)
287 (vhash-cons name (cons vuln versions)
294 (lambda* (package #:optional version)
295 (vhash-fold* (if version
296 (lambda (pair result)
299 (if (member version versions) ;only keep vulnerabilities that list VERSION
302 (lambda (pair result) ;no VERSION given: keep every vulnerability
305 (cons vuln result)))))
311 ;;; eval: (put 'call-with-cve-port 'scheme-indent-function 2)
314 ;;; cve.scm ends here