lint: Honor 'cpe-name' and 'cpe-version' package properties.

* guix/scripts/lint.scm (package-name->cpe-name): Remove.
(package-vulnerabilities): Honor 'cpe-name' and 'cpe-version'
properties.
* gnu/packages/grub.scm (grub)[properties]: New field.
* gnu/packages/gnuzilla.scm (icecat)[properties]: Add 'cpe-name' and
'cpe-version'.
* doc/guix.texi (Invoking guix lint): Mention 'cpe-name'.
This commit is contained in:
Ludovic Courtès 2016-05-17 18:04:13 +02:00
parent 1c29f3ef84
commit 99effc8faa
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
4 changed files with 30 additions and 15 deletions

View file

@ -4961,6 +4961,19 @@ To view information about a particular vulnerability, visit pages such as:
where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
@code{CVE-2015-7554}.
Package developers can specify in package recipes the
@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
name and version of the package when they differ from the name that Guix
uses, as in this example:
@example
(package
(name "grub")
;; @dots{}
;; CPE calls this package "grub2".
(properties '((cpe-name . "grub2"))))
@end example
@item formatting
Warn about obvious source code formatting issues: trailing white space,
use of tabulations, etc.

View file

@ -517,4 +517,8 @@ (define-public icecat
software, which does not recommend non-free plugins and addons. It also
features built-in privacy-protecting features.")
(license license:mpl2.0) ;and others, see toolkit/content/license.html
(properties '((ftp-directory . "/gnu/gnuzilla")))))
(properties
`((ftp-directory . "/gnu/gnuzilla")
(cpe-name . "firefox_esr")
(cpe-version . ,(string-drop-right version
(string-length "-gnu1")))))))

View file

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
;;;
@ -132,4 +132,5 @@ (define-public grub
bootloader, GRUB handles the presence of multiple operating systems installed
on the same computer; upon booting the computer, the user is presented with a
menu to select one of the installed operating systems.")
(license gpl3+)))
(license gpl3+)
(properties '((cpe-name . "grub2")))))

View file

@ -600,15 +600,6 @@ (define (patch-file-name patch)
((? origin?)
(and=> (origin-actual-file-name patch) basename))))
(define (package-name->cpe-name name)
"Do a basic conversion of NAME, a Guix package name, to the corresponding
Common Platform Enumeration (CPE) name."
(match name
("icecat" "firefox") ;or "firefox_esr"
("grub" "grub2")
;; TODO: Add more.
(_ name)))
(define (current-vulnerabilities*)
"Like 'current-vulnerabilities', but return the empty list upon networking
or HTTP errors. This allows network-less operation and makes problems with
@ -635,9 +626,15 @@ (define package-vulnerabilities
(current-vulnerabilities*)))))
(lambda (package)
"Return a list of vulnerabilities affecting PACKAGE."
((force lookup)
(package-name->cpe-name (package-name package))
(package-version package)))))
;; First we retrieve the Common Platform Enumeration (CPE) name and
;; version for PACKAGE, then we can pass them to LOOKUP.
(let ((name (or (assoc-ref (package-properties package)
'cpe-name)
(package-name package)))
(version (or (assoc-ref (package-properties package)
'cpe-version)
(package-version package))))
((force lookup) name version)))))
(define (check-vulnerabilities package)
"Check for known vulnerabilities for PACKAGE."