From 99effc8faa43d478371eb06aee5df8ae1383c51a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Tue, 17 May 2016 18:04:13 +0200
Subject: [PATCH] lint: Honor 'cpe-name' and 'cpe-version' package properties.

* guix/scripts/lint.scm (package-name->cpe-name): Remove.
(package-vulnerabilities): Honor 'cpe-name' and 'cpe-version' properties.
* gnu/packages/grub.scm (grub)[properties]: New field.
* gnu/packages/gnuzilla.scm (icecat)[properties]: Add 'cpe-name' and 'cpe-version'.
* doc/guix.texi (Invoking guix lint): Mention 'cpe-name'.
---
 doc/guix.texi | 13 +++++++++++++
 gnu/packages/gnuzilla.scm | 6 +++++-
 gnu/packages/grub.scm | 5 +++--
 guix/scripts/lint.scm | 21 +++++++++------------
 4 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0e63ecadfd..3f0106be02 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4961,6 +4961,19 @@ To view information about a particular vulnerability, visit pages such as:
 where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g., @code{CVE-2015-7554}.
+Package developers can specify in package recipes the
+@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
+name and version of the package when they differ from the name that Guix
+uses, as in this example:
+
+@example
+(package (name "grub") ;; @dots{} ;; CPE calls this package "grub2". (properties '((cpe-name . "grub2"))))
+@end example
+
 @item formatting
 Warn about obvious source code formatting issues: trailing white space, use of tabulations, etc.
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index df1075c370..7e52534b8f 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -517,4 +517,8 @@ standards.") software, which does not recommend non-free plugins and addons. It also features built-in privacy-protecting features.")
 (license license:mpl2.0) ;and others, see toolkit/content/license.html
- (properties '((ftp-directory . "/gnu/gnuzilla")))))
+ (properties
+ `((ftp-directory . "/gnu/gnuzilla")
+ (cpe-name . "firefox_esr")
+ (cpe-version . ,(string-drop-right version
+ (string-length "-gnu1")))))))
diff --git a/gnu/packages/grub.scm b/gnu/packages/grub.scm
index 5fc7ee8386..ec2feebbf4 100644
--- a/gnu/packages/grub.scm
+++ b/gnu/packages/grub.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès
 ;;; Copyright © 2015 Mark H Weaver
 ;;; Copyright © 2015 Leo Famulari
 ;;;
@@ -132,4 +132,5 @@ then goes on to load the rest of the operating system. As a multiboot bootloader, GRUB handles the presence of multiple operating systems installed on the same computer; upon booting the computer, the user is presented with a menu to select one of the installed operating systems.")
- (license gpl3+)))
+ (license gpl3+)
+ (properties '((cpe-name . "grub2")))))
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 06001d3eae..b4fdb6f905 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -600,15 +600,6 @@ be determined."
 ((? origin?)
 (and=> (origin-actual-file-name patch) basename))))
-(define (package-name->cpe-name name)
- "Do a basic conversion of NAME, a Guix package name, to the corresponding Common Platform Enumeration (CPE) name."
- (match name
- ("icecat" "firefox") ;or "firefox_esr"
- ("grub" "grub2")
- ;; TODO: Add more.
- (_ name)))
-
 (define (current-vulnerabilities*)
 "Like 'current-vulnerabilities', but return the empty list upon networking or HTTP errors. This allows network-less operation and makes problems with
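Review bot: The new `cpe-version` property in the icecat hunk drops a fixed number of trailing characters from `version` without checking that the string actually ends in `-gnu1`; if that suffix ever changes (say `-gnu2`) or disappears, the CPE version becomes a truncated string, the NVD lookup presumably matches nothing, and known CVEs for that release would go unreported by the vulnerability checker without any warning. A guarded strip keeps the lookup honest: `(cpe-version . ,(if (string-suffix? "-gnu1" version) (string-drop-right version (string-length "-gnu1")) version))`. A short comment such as `;; The CPE dictionary presumably tracks the upstream ESR version, so strip the Guix "-gnu1" suffix — confirm against NVD.` would also record why the property differs from the package version. The icecat package definition starts before the hunk.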
@@ -635,9 +626,15 @@ from ~s: ~a (~s)~%")
 (current-vulnerabilities*)))))
 (lambda (package)
 "Return a list of vulnerabilities affecting PACKAGE."
- ((force lookup)
- (package-name->cpe-name (package-name package))
- (package-version package)))))
+ ;; First we retrieve the Common Platform Enumeration (CPE) name and
+ ;; version for PACKAGE, then we can pass them to LOOKUP.
+ (let ((name (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (package-name package)))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package))))
+ ((force lookup) name version)))))
 (define (check-vulnerabilities package)
 "Check for known vulnerabilities for PACKAGE."
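Review bot: The docstring of the per-package lambda still reads `"Return a list of vulnerabilities affecting PACKAGE."` even though the lookup key now comes from two package properties, so a maintainer adding a property gets no hint that a misspelt or stale `cpe-name` presumably yields an empty result rather than an error — a silent false negative for the vulnerability checker. Suggest `"Return a list of vulnerabilities affecting PACKAGE.  The 'cpe-name' and 'cpe-version' properties of PACKAGE, when present, override its name and version in the CPE lookup."`. As a point of style, `(package-properties package)` is evaluated twice in the `let`; binding it once in a `let*` reads more clearly and avoids the duplicated call. The enclosing `package-vulnerabilities` definition starts before the hunk.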