From 5432734b00ae14c3a93af358fc7bbf80e3db5ee8 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Thu, 26 Nov 2015 22:59:06 +0100
Subject: lint: Add "cve" checker.

Fixes <http://bugs.gnu.org/21289>.

* guix/scripts/lint.scm (package-name->cpe-name, package-vulnerabilities)
(check-vulnerabilities): New procedures.
* guix/scripts/lint.scm (%checkers): Add "cve" checker.
* tests/lint.scm ("cve", "cve: one vulnerability"): New tests.
* doc/guix.texi (Invoking guix lint): Mention it.
---
 guix/scripts/lint.scm | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

(limited to 'guix')

diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 034f0f95ee..1da4790f2d 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -32,6 +32,7 @@
   #:use-module (guix scripts)
   #:use-module (guix gnu-maintenance)
   #:use-module (guix monads)
+  #:use-module (guix cve)
   #:use-module (gnu packages)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
@@ -61,6 +62,7 @@
             check-source
             check-source-file-name
             check-license
+            check-vulnerabilities
             check-formatting
             run-checkers
 
@@ -571,6 +573,34 @@ descriptions maintained upstream."
      (emit-warning package (_ "invalid license field")
                    'license))))
 
+(define (package-name->cpe-name name)
+  "Do a basic conversion of NAME, a Guix package name, to the corresponding
+Common Platform Enumeration (CPE) name."
+  (match name
+    ("icecat"   "firefox")                        ;or "firefox_esr"
+    ;; TODO: Add more.
+    (_          name)))
+
+(define package-vulnerabilities
+  (let ((lookup (delay (vulnerabilities->lookup-proc
+                        (current-vulnerabilities)))))
+    (lambda (package)
+      "Return a list of vulnerabilities affecting PACKAGE."
+      ((force lookup)
+       (package-name->cpe-name (package-name package))
+       (package-version package)))))
+
+(define (check-vulnerabilities package)
+  "Check for known vulnerabilities for PACKAGE."
+  (match (package-vulnerabilities package)
+    (()
+     #t)
+    ((vulnerabilities ...)
+     (emit-warning package
+                   (format #f (_ "probably vulnerable to ~a")
+                           (string-join (map vulnerability-id vulnerabilities)
+                                        ", "))))))
+
 
 ;;;
 ;;; Source code formatting.
@@ -708,6 +738,11 @@ or a list thereof")
      (name        'synopsis)
      (description "Validate package synopses")
      (check       check-synopsis-style))
+   (lint-checker
+     (name        'cve)
+     (description "Check the Common Vulnerabilities and Exposures\
+ (CVE) database")
+     (check       check-vulnerabilities))
    (lint-checker
      (name        'formatting)
      (description "Look for formatting issues in the source")
-- 
cgit v1.2.3