cve: Assume that ‘criteria’ is always defined.

"criteria" is now mandatory according to the json schema of API 2.0: <https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema> * guix/cve.scm (cpe-match->cve-configuration): Remove the existence checking for "criteria". Change-Id: I278ba59fac5e3bd1a0033f4fa17e65fa067e6584 Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2026-04-06 13:10:33 +02:00 · 2025-10-03 11:33:31 +08:00
parent 5da19d7eff
commit 3414e3d994
1 changed files with 18 additions and 21 deletions
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -56,7 +56,7 @@

 ;;; Commentary:
 ;;;
-;;; This modules provides the tools to fetch, parse, and digest part of the
+;;; This module provides the tools to fetch, parse, and digest part of the
 ;;; Common Vulnerabilities and Exposures (CVE) feeds provided by the US NIST
 ;;; at <https://nvd.nist.gov/vuln/data-feeds>.
 ;;;
@@ -113,26 +113,23 @@ Return three #f values if CPE does not look like an application CPE string."
  "Convert ALIST, a \"cpeMatch\" alist, into an sexp representing the package
 and versions matched.  Return #f if ALIST doesn't correspond to an application
 package."
-  (let ((cpe    (assoc-ref alist "criteria"))
-        (starti (assoc-ref alist "versionStartIncluding"))
-        (starte (assoc-ref alist "versionStartExcluding"))
-        (endi   (assoc-ref alist "versionEndIncluding"))
-        (ende   (assoc-ref alist "versionEndExcluding")))
-    ;; Normally "criteria" is here in each "cpeMatch" item, but CVE-2020-0534
-    ;; has a configuration that lacks it.
-    (and cpe
-         (let ((vendor package version (cpe->package-identifier cpe)))
-           (and package
-                `(,vendor
-                  ,package
-                  ,(cond ((and (or starti starte) (or endi ende))
-                          `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                ,(if endi `(<= ,endi) `(< ,ende))))
-                         (starti `(>= ,starti))
-                         (starte `(> ,starte))
-                         (endi   `(<= ,endi))
-                         (ende   `(< ,ende))
-                         (else   version))))))))
+  (let* ((cpe    (assoc-ref alist "criteria"))
+         (vendor package version (cpe->package-identifier cpe))
+         (starti (assoc-ref alist "versionStartIncluding"))
+         (starte (assoc-ref alist "versionStartExcluding"))
+         (endi   (assoc-ref alist "versionEndIncluding"))
+         (ende   (assoc-ref alist "versionEndExcluding")))
+    (and package
+         `(,vendor
+           ,package
+           ,(cond ((and (or starti starte) (or endi ende))
+                   `(and ,(if starti `(>= ,starti) `(> ,starte))
+                         ,(if endi `(<= ,endi) `(< ,ende))))
+                  (starti `(>= ,starti))
+                  (starte `(> ,starte))
+                  (endi   `(<= ,endi))
+                  (ende   `(< ,ende))
+                  (else   version))))))

 (define (configuration-data->cve-configurations vector)
  "Given ALIST, a JSON dictionary for the baroque \"configurations\"