summary refs log tree commit diff
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2016-03-11 15:55:57 +0100
committerLudovic Courtès <ludo@gnu.org>2016-03-11 16:33:50 +0100
commit6a25e59514f590aa541ec35ba36fd36b2a1dcbc3 (patch)
tree7dd44521aaa1a0597f1d2030abf9a119d98f6bd7
parentef0f0d5f971bf9c7a755b6b5c4bda34fc50e1987 (diff)
downloadguix-6a25e59514f590aa541ec35ba36fd36b2a1dcbc3.tar.gz
cve: Read entire CVE databases for the current year and the past year.
The "Modified" database that we were reading is much smaller, but it
only shows CVEs modified over the past week.

* guix/cve.scm (%now, %current-year, %past-year): New variables.
(yearly-feed-uri): New procedure.
(%cve-feed-uri, %ttl): Remove.
(%current-year-ttl, %past-year-ttl): New variables.
(call-with-cve-port): Add 'uri' and 'ttl' parameters and honor them.
Add 'setvbuf' call.
(current-vulnerabilities)[read-vulnerabilities]: New procedure.
Read from both %LAST-YEAR and %CURRENT-YEAR.
-rw-r--r--guix/cve.scm51
1 files changed, 39 insertions, 12 deletions
diff --git a/guix/cve.scm b/guix/cve.scm
index 663097b483..8e76f42f0d 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -49,23 +49,38 @@
   (id         vulnerability-id)
   (packages   vulnerability-packages))
 
-(define %cve-feed-uri
+(define %now
+  (current-date))
+(define %current-year
+  (date-year %now))
+(define %past-year
+  (- %current-year 1))
+
+(define (yearly-feed-uri year)
+  "Return the URI for the CVE feed for YEAR."
   (string->uri
-   "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz"))
+   (string-append "https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-"
+                  (number->string year) ".xml.gz")))
 
-(define %ttl
+(define %current-year-ttl
   ;; According to <https://nvd.nist.gov/download.cfm#CVE_FEED>, feeds are
   ;; updated "approximately every two hours."
   (* 3600 3))
 
-(define (call-with-cve-port proc)
+(define %past-year-ttl
+  ;; Update the previous year's database more and more infrequently.
+  (* 3600 24 2 (date-month %now)))
+
+(define (call-with-cve-port uri ttl proc)
   "Pass PROC an input port from which to read the CVE stream."
-  (let ((port (http-fetch/cached %cve-feed-uri #:ttl %ttl)))
+  (let ((port (http-fetch/cached uri #:ttl ttl)))
     (dynamic-wind
       (const #t)
       (lambda ()
         (call-with-decompressed-port 'gzip port
-          proc))
+          (lambda (port)
+            (setvbuf port _IOFBF 65536)
+            (proc port))))
       (lambda ()
         (close-port port)))))
 
@@ -142,12 +157,19 @@ vulnerability objects."
 (define (current-vulnerabilities)
   "Return the current list of Common Vulnerabilities and Exposures (CVE) as
 published by the US NIST."
-  (call-with-cve-port
-   (lambda (port)
-     ;; XXX: The SSAX "error port" is used to send pointless warnings such as
-     ;; "warning: Skipping PI".  Turn that off.
-     (parameterize ((current-ssax-error-port (%make-void-port "w")))
-       (xml->vulnerabilities port)))))
+  (define (read-vulnerabilities uri ttl)
+    (call-with-cve-port uri ttl
+      (lambda (port)
+        ;; XXX: The SSAX "error port" is used to send pointless warnings such as
+        ;; "warning: Skipping PI".  Turn that off.
+        (parameterize ((current-ssax-error-port (%make-void-port "w")))
+          (xml->vulnerabilities port)))))
+
+  (append-map read-vulnerabilities
+              (list (yearly-feed-uri %past-year)
+                    (yearly-feed-uri %current-year))
+              (list %past-year-ttl
+                    %current-year-ttl)))
 
 (define (vulnerabilities->lookup-proc vulnerabilities)
   "Return a lookup procedure built from VULNERABILITIES that takes a package
@@ -181,4 +203,9 @@ a list of vulnerabilities affection the given package version."
                  '()
                  package table)))
 
+
+;;; Local Variables:
+;;; eval: (put 'call-with-cve-port 'scheme-indent-function 2)
+;;; End:
+
 ;;; cve.scm ends here