Efraim Flashner <efr...@flashner.co.il> skribis: > From ad48d84c8659985d706cfe2f8e07314d6017611a Mon Sep 17 00:00:00 2001 > From: Efraim Flashner <efr...@flashner.co.il> > Date: Thu, 30 Nov 2017 23:41:29 +0200 > Subject: [PATCH 1/2] lint: 'check-vulnerabilities' also checks package > properties. > > * guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs > listed as mitigated in the package properties. > --- > guix/scripts/lint.scm | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm > index 1b43b0a63..8112595c8 100644 > --- a/guix/scripts/lint.scm > +++ b/guix/scripts/lint.scm > @@ -7,6 +7,7 @@ > ;;; Copyright © 2016 Hartmut Goebel <h.goe...@crazy-compilers.com> > ;;; Copyright © 2017 Alex Kost <alez...@gmail.com> > ;;; Copyright © 2017 Tobias Geerinckx-Rice <m...@tobias.gr> > +;;; Copyright © 2017 Efraim Flashner <efr...@flashner.co.il> > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -881,10 +882,11 @@ the NIST server non-fatal." > (or (and=> (package-source package) > origin-patches) > '()))) > + (known-safe (assq-ref (package-properties package) > 'fixed-vulnerabilities))
Can you change that to ‘lint-hidden-cve’ as Leo suggested?

> (unpatched (remove (lambda (vuln) > (find (cute string-contains > <> (vulnerability-id vuln)) > - patches)) > + (append patches known-safe))) > vulnerabilities)))

To be accurate, we’d rather do:

  (remove (lambda (vuln)
            (let ((id (vulnerability-id vuln)))
              (or (find … patches)
                  (member id known-safe))))
          …)

Also could you add a simple test in tests/lint.scm? You can start from one of the existing CVE tests in there and just add a ‘properties’ field to the test package.

Thank you!

Ludo’.
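Review bot: the substring match in the second hunk is too loose once property values are appended to the patch list: `(find (cute string-contains <> (vulnerability-id vuln)) (append patches known-safe))` treats a longer identifier listed in the property (for instance a constructed `CVE-2017-12345`) as covering the shorter `CVE-2017-1234` as well, so an unpatched vulnerability is silently dropped from the report. Keep the substring test for patch file names only and test property entries by exact identity, as in `(or (find (cute string-contains <> id) patches) (member id known-safe))`. The `known-safe` binding also needs a fallback such as `(or (assq-ref (package-properties package) 'lint-hidden-cve) '())`: `assq-ref` returns `#f` when the property is absent, and `(append patches #f)` then yields an improper list instead of an empty extension.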
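As an added illustration, not code from the patch or from Ludovic’s reply: a stand-alone Guile script that contrasts the substring match used in the hunk with the exact `member` test suggested above. The vulnerability record type, the property name `lint-hidden-cve`, the patch file name and the CVE identifiers are all constructed for this example; the real lint check works on the records from (guix cve) and on `package-properties`.

```scheme
;; Added example, not part of the Guix patch or of the reply above.
;; It shows why an exact 'member' test on the property list is more
;; accurate than a substring match shared with the patch file names.
(use-modules (srfi srfi-1)    ; remove, find
             (srfi srfi-9)    ; define-record-type
             (srfi srfi-26))  ; cute

;; Minimal stand-in for the vulnerability record from (guix cve).
(define-record-type <vulnerability>
  (vulnerability id packages)
  vulnerability?
  (id vulnerability-id)
  (packages vulnerability-packages))

;; Constructed sample input: three reported CVEs for package "foo",
;; one patch file name, and a property listing a single CVE as hidden.
(define vulnerabilities
  (list (vulnerability "CVE-2017-1234" '("foo"))
        (vulnerability "CVE-2017-12345" '("foo"))
        (vulnerability "CVE-2017-9999" '("foo"))))

(define patches '("foo-CVE-2017-9999.patch"))

;; Hypothetical package properties; 'lint-hidden-cve is the name
;; requested in the reply.  The (or ... '()) guards against the
;; property being absent, where assq-ref returns #f.
(define properties '((lint-hidden-cve . ("CVE-2017-12345"))))

(define known-safe
  (or (assq-ref properties 'lint-hidden-cve) '()))

;; Substring match over patches and properties together, as in the hunk.
;; "CVE-2017-12345" contains "CVE-2017-1234", so the shorter CVE is
;; wrongly treated as hidden and vanishes from the report.
(define (unpatched/substring vulns)
  (remove (lambda (vuln)
            (find (cute string-contains <> (vulnerability-id vuln))
                  (append patches known-safe)))
          vulns))

;; Substring match for patch file names, exact membership for the
;; property list, as suggested in the reply.
(define (unpatched/exact vulns)
  (remove (lambda (vuln)
            (let ((id (vulnerability-id vuln)))
              (or (find (cute string-contains <> id) patches)
                  (member id known-safe))))
          vulns))

;; Expected: the first list is empty (CVE-2017-1234 silently hidden),
;; the second still reports CVE-2017-1234.
(display (map vulnerability-id (unpatched/substring vulnerabilities)))
(newline)
(display (map vulnerability-id (unpatched/exact vulnerabilities)))
(newline)
```

Run it with `guile example.scm`; the two printed lists differ only in `CVE-2017-1234`, which is the report the substring version loses.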