path: root/tests/cve.scm
blob: 3fbb22d3c666675659d284a45129b42da5f9e6e5
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (test-cve)
  #:use-module (guix cve)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-64))

(define %sample
  (search-path %load-path "tests/cve-sample.xml"))

(define (vulnerability id packages)
  (make-struct (@@ (guix cve) <vulnerability>) 0 id packages))

(define %expected-vulnerabilities
  ;; What we should get when reading %SAMPLE.
  (list
   ;; CVE-2003-0001 has no "/a" in its product list so it is omitted.
   ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number.
   (vulnerability "CVE-2008-2335" '(("phpvid" "1.2" "1.1")))
   (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" "3.5")
                                    ("jasper" "1.900.1")))
   (vulnerability "CVE-2009-3301" '(("openoffice.org" "2.3.0" "2.2.1" "2.1.0")))
   ;; CVE-2015-8330 has no software list.
   ))


(test-begin "cve")

(test-equal "xml->vulnerabilities"
  %expected-vulnerabilities
  (call-with-input-file %sample xml->vulnerabilities))

(test-equal "vulnerabilities->lookup-proc"
  (list (list (first %expected-vulnerabilities))
        '()
        '()
        (list (second %expected-vulnerabilities))
        (list (third %expected-vulnerabilities)))
  (let* ((vulns  (call-with-input-file %sample xml->vulnerabilities))
         (lookup (vulnerabilities->lookup-proc vulns)))
    (list (lookup "phpvid")
          (lookup "jasper" "2.0")
          (lookup "foobar")
          (lookup "jasper" "1.900.1")
          (lookup "openoffice.org" "2.3.0"))))

(test-end "cve")
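As an added example (not Guix's own code), the same filtering and lookup rules the test above encodes, in Python over a constructed NVD-2.0-style fragment: entries whose product list has no `cpe:/a:` application, or whose application carries no version, or which have no software list at all, are dropped, and lookups work by product name with an optional exact-version filter. The feed layout assumed here (`entry`, `vuln:vulnerable-software-list`, `vuln:product` holding `cpe:/a:vendor:product:version` URIs) is an assumption about what tests/cve-sample.xml contains.

```python
import xml.etree.ElementTree as ET

NS = {"nvd": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
      "vuln": "http://scap.nist.gov/schema/vulnerability/0.4"}

# Constructed NVD-2.0-style fragment covering the cases the test comments name:
# no "/a" product, an "/a" product without a version, a normal entry, no list.
SAMPLE = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
 <entry id="CVE-2003-0001"><vuln:vulnerable-software-list>
  <vuln:product>cpe:/o:linux:linux_kernel:2.4.20</vuln:product>
 </vuln:vulnerable-software-list></entry>
 <entry id="CVE-2004-0230"><vuln:vulnerable-software-list>
  <vuln:product>cpe:/a:ietf:tcp</vuln:product>
 </vuln:vulnerable-software-list></entry>
 <entry id="CVE-2008-2335"><vuln:vulnerable-software-list>
  <vuln:product>cpe:/a:phpvid:phpvid:1.2</vuln:product>
  <vuln:product>cpe:/a:phpvid:phpvid:1.1</vuln:product>
 </vuln:vulnerable-software-list></entry>
 <entry id="CVE-2015-8330"/>
</nvd>"""


def cpe_application(cpe):
    """Return (product, version) for a 'cpe:/a:vendor:product:version' URI,
    or None when the CPE is not an application or carries no version."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[1] != "/a" or not parts[4]:
        return None
    return parts[3], parts[4]


def xml_to_vulnerabilities(text):
    """Parse a feed into [(cve_id, [(product, [version, ...]), ...])],
    dropping entries that end up with no versioned application."""
    result = []
    for entry in ET.fromstring(text).findall("nvd:entry", NS):
        packages = {}  # insertion-ordered, like the Guix expected list
        for prod in entry.findall("vuln:vulnerable-software-list/vuln:product", NS):
            app = cpe_application(prod.text or "")
            if app is not None:
                packages.setdefault(app[0], []).append(app[1])
        if packages:
            result.append((entry.get("id"), list(packages.items())))
    return result


def vulnerabilities_to_lookup(vulns):
    """Index by product name; lookup(name[, version]) mirrors the Guix test."""
    index = {}
    for vuln in vulns:
        for name, versions in vuln[1]:
            index.setdefault(name, []).append((versions, vuln))

    def lookup(name, version=None):
        return [v for versions, v in index.get(name, ())
                if version is None or version in versions]
    return lookup
```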