lint: Do not report already-patched vulnerabilities.

* guix/scripts/lint.scm (patch-file-name): New procedure. (check-vulnerabilities): Use it to filter out patched vulnerabilities. * tests/lint.scm ("cve: one patched vulnerability"): New test.
2015-11-28 16:15:31 +01:00 · 2015-11-28 16:15:31 +01:00 · 4e70fe4d0e
parent f6c9fb1b38
commit 4e70fe4d0e
2 changed files with 40 additions and 4 deletions
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@ -573,6 +573,15 @@ descriptions maintained upstream."
     (emit-warning package (_ "invalid license field")
                   'license))))

+(define (patch-file-name patch)
+  "Return the basename of PATCH's file name, or #f if the file name could not
+be determined."
+  (match patch
+    ((? string?)
+     (basename patch))
+    ((? origin?)
+     (and=> (origin-actual-file-name patch) basename))))
+
 (define (package-name->cpe-name name)
  "Do a basic conversion of NAME, a Guix package name, to the corresponding
 Common Platform Enumeration (CPE) name."
@ -596,10 +605,20 @@ Common Platform Enumeration (CPE) name."
    (()
     #t)
    ((vulnerabilities ...)
-     (emit-warning package
-                   (format #f (_ "probably vulnerable to ~a")
-                           (string-join (map vulnerability-id vulnerabilities)
-                                        ", "))))))
+     (let* ((patches   (filter-map patch-file-name
+                                   (or (and=> (package-source package)
+                                              origin-patches)
+                                       '())))
+            (unpatched (remove (lambda (vuln)
+                                 (find (cute string-contains
+                                         <> (vulnerability-id vuln))
+                                       patches))
+                               vulnerabilities)))
+       (unless (null? unpatched)
+         (emit-warning package
+                       (format #f (_ "probably vulnerable to ~a")
+                               (string-join (map vulnerability-id unpatched)
+                                            ", "))))))))


 ;;;
--- a/tests/lint.scm
+++ b/tests/lint.scm
@ -529,6 +529,23 @@ requests."
           (check-vulnerabilities (dummy-package "pi" (version "3.14"))))
         "vulnerable to CVE-2015-1234")))

+(test-assert "cve: one patched vulnerability"
+  (mock ((guix scripts lint) package-vulnerabilities
+         (lambda (package)
+           (list (make-struct (@@ (guix cve) <vulnerability>) 0
+                              "CVE-2015-1234"
+                              (list (cons (package-name package)
+                                          (package-version package)))))))
+        (string-null?
+         (with-warnings
+           (check-vulnerabilities
+            (dummy-package "pi"
+                           (version "3.14")
+                           (source
+                            (dummy-origin
+                             (patches
+                              (list "/a/b/pi-CVE-2015-1234.patch"))))))))))
+
 (test-assert "formatting: lonely parentheses"
  (string-contains
   (with-warnings