diff options
| author | Efraim Flashner <efraim@flashner.co.il> | 2017-11-30 23:41:29 +0200 |
|---|---|---|
| committer | Efraim Flashner <efraim@flashner.co.il> | 2017-12-10 21:59:07 +0200 |
| commit | f4007b25476dfd97885f358d2dabbd463f6f6017 (patch) | |
| tree | cc50563d23c77d455fc5e03cc7cb8cc0a61c7ac5 | |
| parent | 308b8f79c5267ae442e4a8874cfed80f3c5a8831 (diff) | |
| download | guix-patches-f4007b25476dfd97885f358d2dabbd463f6f6017.tar guix-patches-f4007b25476dfd97885f358d2dabbd463f6f6017.tar.gz | |
lint: 'check-vulnerabilities' also checks package properties.
* guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs
listed as mitigated in the package properties.
* tests/lint.scm ("cve: known safe from vulnerability"): New test.
| -rw-r--r-- | guix/scripts/lint.scm | 13 | ||||
| -rw-r--r-- | tests/lint.scm | 15 |
2 files changed, 25 insertions, 3 deletions
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm index 1b43b0a63c..4ec3267007 100644 --- a/guix/scripts/lint.scm +++ b/guix/scripts/lint.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> ;;; Copyright © 2017 Alex Kost <alezost@gmail.com> ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> +;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il> ;;; ;;; This file is part of GNU Guix. ;;; @@ -881,10 +882,16 @@ the NIST server non-fatal." (or (and=> (package-source package) origin-patches) '()))) + (known-safe (or (assq-ref (package-properties package) + 'lint-hidden-cve) + '())) (unpatched (remove (lambda (vuln) - (find (cute string-contains - <> (vulnerability-id vuln)) - patches)) + (let ((id (vulnerability-id vuln))) + (or + (find (cute string-contains + <> id) + patches) + (member id known-safe)))) vulnerabilities))) (unless (null? unpatched) (emit-warning package diff --git a/tests/lint.scm b/tests/lint.scm index 064f3d177e..ab0e8b9a8c 100644 --- a/tests/lint.scm +++ b/tests/lint.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org> ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> ;;; Copyright © 2017 Alex Kost <alezost@gmail.com> +;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il> ;;; ;;; This file is part of GNU Guix. ;;; @@ -702,6 +703,20 @@ (patches (list "/a/b/pi-CVE-2015-1234.patch")))))))))) +(test-assert "cve: known safe from vulnerability" + (mock ((guix scripts lint) package-vulnerabilities + (lambda (package) + (list (make-struct (@@ (guix cve) <vulnerability>) 0 + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) + (string-null? + (with-warnings + (check-vulnerabilities + (dummy-package "pi" + (version "3.14") + (properties `((lint-hidden-cve . ("CVE-2015-1234")))))))))) + (test-assert "cve: vulnerability fixed in replacement version" (mock ((guix scripts lint) package-vulnerabilities (lambda (package) |