From f4007b25476dfd97885f358d2dabbd463f6f6017 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Thu, 30 Nov 2017 23:41:29 +0200 Subject: lint: 'check-vulnerabilities' also checks package properties. * guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs listed as mitigated in the package properties. * tests/lint.scm ("cve: known safe from vulnerability"): New test. --- guix/scripts/lint.scm | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'guix/scripts/lint.scm') diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm index 1b43b0a63c..4ec3267007 100644 --- a/guix/scripts/lint.scm +++ b/guix/scripts/lint.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2016 Hartmut Goebel ;;; Copyright © 2017 Alex Kost ;;; Copyright © 2017 Tobias Geerinckx-Rice +;;; Copyright © 2017 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -881,10 +882,16 @@ the NIST server non-fatal." (or (and=> (package-source package) origin-patches) '()))) + (known-safe (or (assq-ref (package-properties package) + 'lint-hidden-cve) + '())) (unpatched (remove (lambda (vuln) - (find (cute string-contains - <> (vulnerability-id vuln)) - patches)) + (let ((id (vulnerability-id vuln))) + (or + (find (cute string-contains + <> id) + patches) + (member id known-safe)))) vulnerabilities))) (unless (null? unpatched) (emit-warning package -- cgit v1.2.3