From cf557afa2e679f73b93796460dee23d5c5c314c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
Date: Fri, 11 Mar 2016 10:21:58 +0100
Subject: [PATCH] cve: Make CPE patch level part of the version string.

* guix/cve.scm (%cpe-package-rx): Adjust to account for :PATCH-LEVEL.
(cpe->package-name): Likewise.
---
 guix/cve.scm | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index a7b0bde6dcc..663097b4837 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -70,8 +70,9 @@ (define (call-with-cve-port proc)
         (close-port port)))))
 
 (define %cpe-package-rx
-  ;; For applications: "cpe:/a:VENDOR:PACKAGE:VERSION".
-  (make-regexp "^cpe:/a:([^:]+):([^:]+):([^:]+)"))
+  ;; For applications: "cpe:/a:VENDOR:PACKAGE:VERSION", or sometimes
+  ;; "cpe/a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
+  (make-regexp "^cpe:/a:([^:]+):([^:]+):([^:]+)((:.+)?)"))
 
 (define (cpe->package-name cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
@@ -80,7 +81,13 @@ (define (cpe->package-name cpe)
   (and=> (regexp-exec %cpe-package-rx (string-trim-both cpe))
          (lambda (matches)
            (cons (match:substring matches 2)
-                 (match:substring matches 3)))))
+                 (string-append (match:substring matches 3)
+                                (match (match:substring matches 4)
+                                  ("" "")
+                                  (patch-level
+                                   ;; Drop the colon from things like
+                                   ;; "cpe:/a:openbsd:openssh:6.8:p1".
+                                   (string-drop patch-level 1))))))))
 
 (define %parse-vulnerability-feed
   ;; Parse the XML vulnerability feed from
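Review bot: `(string-drop patch-level 1)` in `cpe->package-name` (whose definition starts above this hunk) removes only the first colon, while group 4 of `%cpe-package-rx` in the previous hunk is `(:.+)?` and runs to the end of the string, so a CPE name with fields after the patch level (CPE 2.2 URIs allow edition and language there) ends up with colons inside the version string. Such a version would presumably never equal a package's version, so the corresponding vulnerability would be silently skipped rather than reported. Limiting the group to a single field keeps this lambda unchanged: `(make-regexp "^cpe:/a:([^:]+):([^:]+):([^:]+)((:[^:]+)?)")`. The diffstat lists only guix/cve.scm, so a test asserting that `cpe:/a:openbsd:openssh:6.8:p1` yields `("openssh" . "6.8p1")`, and that a name with further fields yields a version free of colons, would pin this down. The new comment in the previous hunk also reads `cpe/a:` where `cpe:/a:` is meant.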
-- 
GitLab