lint: 'check-vulnerabilities' also checks package properties.
* guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs listed as mitigated in the package properties. * tests/lint.scm ("cve: known safe from vulnerability"): New test.
This commit is contained in:
parent
308b8f79c5
commit
f4007b2547
|
@ -7,6 +7,7 @@
|
||||||
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
|
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
|
||||||
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
|
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
|
||||||
;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
|
;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
|
||||||
|
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
|
||||||
;;;
|
;;;
|
||||||
;;; This file is part of GNU Guix.
|
;;; This file is part of GNU Guix.
|
||||||
;;;
|
;;;
|
||||||
|
@ -881,10 +882,16 @@ the NIST server non-fatal."
|
||||||
(or (and=> (package-source package)
|
(or (and=> (package-source package)
|
||||||
origin-patches)
|
origin-patches)
|
||||||
'())))
|
'())))
|
||||||
|
(known-safe (or (assq-ref (package-properties package)
|
||||||
|
'lint-hidden-cve)
|
||||||
|
'()))
|
||||||
(unpatched (remove (lambda (vuln)
|
(unpatched (remove (lambda (vuln)
|
||||||
(find (cute string-contains
|
(let ((id (vulnerability-id vuln)))
|
||||||
<> (vulnerability-id vuln))
|
(or
|
||||||
patches))
|
(find (cute string-contains
|
||||||
|
<> id)
|
||||||
|
patches)
|
||||||
|
(member id known-safe))))
|
||||||
vulnerabilities)))
|
vulnerabilities)))
|
||||||
(unless (null? unpatched)
|
(unless (null? unpatched)
|
||||||
(emit-warning package
|
(emit-warning package
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org>
|
;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org>
|
||||||
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
|
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
|
||||||
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
|
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
|
||||||
|
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
|
||||||
;;;
|
;;;
|
||||||
;;; This file is part of GNU Guix.
|
;;; This file is part of GNU Guix.
|
||||||
;;;
|
;;;
|
||||||
|
@ -702,6 +703,20 @@
|
||||||
(patches
|
(patches
|
||||||
(list "/a/b/pi-CVE-2015-1234.patch"))))))))))
|
(list "/a/b/pi-CVE-2015-1234.patch"))))))))))
|
||||||
|
|
||||||
|
(test-assert "cve: known safe from vulnerability"
|
||||||
|
(mock ((guix scripts lint) package-vulnerabilities
|
||||||
|
(lambda (package)
|
||||||
|
(list (make-struct (@@ (guix cve) <vulnerability>) 0
|
||||||
|
"CVE-2015-1234"
|
||||||
|
(list (cons (package-name package)
|
||||||
|
(package-version package)))))))
|
||||||
|
(string-null?
|
||||||
|
(with-warnings
|
||||||
|
(check-vulnerabilities
|
||||||
|
(dummy-package "pi"
|
||||||
|
(version "3.14")
|
||||||
|
(properties `((lint-hidden-cve . ("CVE-2015-1234"))))))))))
|
||||||
|
|
||||||
(test-assert "cve: vulnerability fixed in replacement version"
|
(test-assert "cve: vulnerability fixed in replacement version"
|
||||||
(mock ((guix scripts lint) package-vulnerabilities
|
(mock ((guix scripts lint) package-vulnerabilities
|
||||||
(lambda (package)
|
(lambda (package)
|
||||||
|
|
Loading…
Reference in New Issue