guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/02: lint: 'check-vulnerabilities' also checks package properties.

From: Efraim Flashner
Subject: 01/02: lint: 'check-vulnerabilities' also checks package properties.
Date: Sun, 10 Dec 2017 14:59:32 -0500 (EST) 
efraim pushed a commit to branch master
in repository guix.

commit f4007b25476dfd97885f358d2dabbd463f6f6017
Author: Efraim Flashner <address@hidden>
Date:   Thu Nov 30 23:41:29 2017 +0200

    lint: 'check-vulnerabilities' also checks package properties.
    
    * guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs
    listed as mitigated in the package properties.
    * tests/lint.scm ("cve: known safe from vulnerability"): New test.
---
 guix/scripts/lint.scm | 13 ++++++++++---
 tests/lint.scm        | 15 +++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 1b43b0a..4ec3267 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 Hartmut Goebel <address@hidden>
 ;;; Copyright © 2017 Alex Kost <address@hidden>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <address@hidden>
+;;; Copyright © 2017 Efraim Flashner <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -881,10 +882,16 @@ the NIST server non-fatal."
                                      (or (and=> (package-source package)
                                                 origin-patches)
                                          '())))
+              (known-safe (or (assq-ref (package-properties package)
+                                        'lint-hidden-cve)
+                              '()))
               (unpatched (remove (lambda (vuln)
-                                   (find (cute string-contains
-                                           <> (vulnerability-id vuln))
-                                         patches))
+                                   (let ((id (vulnerability-id vuln)))
+                                     (or
+                                       (find (cute string-contains
+                                                   <> id)
+                                             patches)
+                                       (member id known-safe))))
                                  vulnerabilities)))
          (unless (null? unpatched)
            (emit-warning package
diff --git a/tests/lint.scm b/tests/lint.scm
index 064f3d1..ab0e8b9 100644
--- a/tests/lint.scm
+++ b/tests/lint.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2015, 2016 Mathieu Lirzin <address@hidden>
 ;;; Copyright © 2016 Hartmut Goebel <address@hidden>
 ;;; Copyright © 2017 Alex Kost <address@hidden>
+;;; Copyright © 2017 Efraim Flashner <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -702,6 +703,20 @@
                              (patches
                               (list "/a/b/pi-CVE-2015-1234.patch"))))))))))
 
+(test-assert "cve: known safe from vulnerability"
+  (mock ((guix scripts lint) package-vulnerabilities
+         (lambda (package)
+           (list (make-struct (@@ (guix cve) <vulnerability>) 0
+                              "CVE-2015-1234"
+                              (list (cons (package-name package)
+                                          (package-version package)))))))
+        (string-null?
+         (with-warnings
+           (check-vulnerabilities
+            (dummy-package "pi"
+                           (version "3.14")
+                           (properties `((lint-hidden-cve . 
("CVE-2015-1234"))))))))))
+
 (test-assert "cve: vulnerability fixed in replacement version"
   (mock ((guix scripts lint) package-vulnerabilities
          (lambda (package)
reply via email to
[Prev in Thread] Current Thread [Next in Thread]