From f4007b25476dfd97885f358d2dabbd463f6f6017 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Thu, 30 Nov 2017 23:41:29 +0200 Subject: lint: 'check-vulnerabilities' also checks package properties. * guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs listed as mitigated in the package properties. * tests/lint.scm ("cve: known safe from vulnerability"): New test. --- guix/scripts/lint.scm | 13 ++++++++++--- tests/lint.scm | 15 +++++++++++++++ 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm index 1b43b0a63c..4ec3267007 100644 --- a/guix/scripts/lint.scm +++ b/guix/scripts/lint.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2016 Hartmut Goebel ;;; Copyright © 2017 Alex Kost ;;; Copyright © 2017 Tobias Geerinckx-Rice +;;; Copyright © 2017 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -881,10 +882,16 @@ the NIST server non-fatal." (or (and=> (package-source package) origin-patches) '()))) + (known-safe (or (assq-ref (package-properties package) + 'lint-hidden-cve) + '())) (unpatched (remove (lambda (vuln) - (find (cute string-contains - <> (vulnerability-id vuln)) - patches)) + (let ((id (vulnerability-id vuln))) + (or + (find (cute string-contains + <> id) + patches) + (member id known-safe)))) vulnerabilities))) (unless (null? unpatched) (emit-warning package diff --git a/tests/lint.scm b/tests/lint.scm index 064f3d177e..ab0e8b9a8c 100644 --- a/tests/lint.scm +++ b/tests/lint.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2015, 2016 Mathieu Lirzin ;;; Copyright © 2016 Hartmut Goebel ;;; Copyright © 2017 Alex Kost +;;; Copyright © 2017 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -702,6 +703,20 @@ (patches (list "/a/b/pi-CVE-2015-1234.patch")))))))))) +(test-assert "cve: known safe from vulnerability" + (mock ((guix scripts lint) package-vulnerabilities + (lambda (package) + (list (make-struct (@@ (guix cve) ) 0 + "CVE-2015-1234" + (list (cons (package-name package) + (package-version package))))))) + (string-null? + (with-warnings + (check-vulnerabilities + (dummy-package "pi" + (version "3.14") + (properties `((lint-hidden-cve . ("CVE-2015-1234")))))))))) + (test-assert "cve: vulnerability fixed in replacement version" (mock ((guix scripts lint) package-vulnerabilities (lambda (package) -- cgit v1.2.3