summary refs log tree commit diff
path: root/doc
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2019-10-20 22:10:00 +0200
committerLudovic Courtès <ludo@gnu.org>2019-10-23 16:40:17 +0200
commit74afaa37d5dec1a9d1b83951529ba69d8947fb07 (patch)
tree782fc4b5e0cd48fb90d69d97b998a37d29a1c2d6 /doc
parent59d452da401c375e7bd18d2260c2e42ee0d05b72 (diff)
downloadguix-74afaa37d5dec1a9d1b83951529ba69d8947fb07.tar.gz
cve: Rewrite to read the JSON feed instead of the XML feed.
The XML feed was discontinued on Oct. 16th, 2019:

  <https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement-Phase-3>

* guix/cve.scm (string->date*): New procedure.
(<cve-item>, <cve>, <cve-reference>): New record types.
(cpe-match->cve-configuration, configuration-data->cve-configurations)
(json->cve-items, version-matches?): New procedures.
(yearly-feed-uri): Change URL to refer to JSON feed.
(cpe->product-alist, %parse-vulnerability-feed)
(xml->vulnerabilities): Remove.
(cve-configuration->package-list, merge-package-lists)
(cve-item->vulnerability, json->vulnerabilities): New procedures.
(write-cache): Use 'json->vulnerabilities' instead of
'xml->vulnerabilities', and remove 'parameterize'.
(vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is
true.
* tests/cve.scm (%sample): Use 'tests/cve-sample.json'.
(%expected-vulnerabilities): Rewrite accordingly.
("json->cve-items", "cve-item-published-date")
("json->vulnerabilities"): New tests.
("xml->vulnerabilities"): Remove.
("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities.
* tests/cve-sample.json: New file.
* tests/cve-sample.xml: Remove.
* Makefile.am (EXTRA_DIST): Adjust accordingly.
* doc/guix.texi (Invoking guix lint): Update nist.gov URLs.
Diffstat (limited to 'doc')
-rw-r--r--doc/guix.texi4
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index cb004d034d..746561ed97 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -9484,7 +9484,7 @@ that limit has been reset.
 @cindex CVE, Common Vulnerabilities and Exposures
 Report known vulnerabilities found in the Common Vulnerabilities and
 Exposures (CVE) databases of the current and past year
-@uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US
+@uref{https://nvd.nist.gov/vuln/data-feeds, published by the US
 NIST}.
 
 To view information about a particular vulnerability, visit pages such as:
@@ -9501,7 +9501,7 @@ where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
 @code{CVE-2015-7554}.
 
 Package developers can specify in package recipes the
-@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
+@uref{https://nvd.nist.gov/products/cpe,Common Platform Enumeration (CPE)}
 name and version of the package when they differ from the name or version
 that Guix uses, as in this example: