lint: Honor 'cpe-name' and 'cpe-version' package properties.
* guix/scripts/lint.scm (package-name->cpe-name): Remove.
(package-vulnerabilities): Honor 'cpe-name' and 'cpe-version' properties.
* gnu/packages/grub.scm (grub)[properties]: New field.
* gnu/packages/gnuzilla.scm (icecat)[properties]: Add 'cpe-name' and 'cpe-version'.
* doc/guix.texi (Invoking guix lint): Mention 'cpe-name'.
parent
1c29f3ef84
commit
99effc8faa
4 changed files with 30 additions and 15 deletions
|
@ -4961,6 +4961,19 @@ To view information about a particular vulnerability, visit pages such as:
|
|||
where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
|
||||
@code{CVE-2015-7554}.
|
||||
|
||||
Package developers can specify in package recipes the
|
||||
@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
|
||||
name and version of the package when they differ from the name that Guix
|
||||
uses, as in this example:
|
||||
|
||||
@example
|
||||
(package
|
||||
(name "grub")
|
||||
;; @dots{}
|
||||
;; CPE calls this package "grub2".
|
||||
(properties '((cpe-name . "grub2"))))
|
||||
@end example
|
||||
|
||||
@item formatting
|
||||
Warn about obvious source code formatting issues: trailing white space,
|
||||
use of tabulations, etc.
|
||||
|
|
|
@ -517,4 +517,8 @@ (define-public icecat
|
|||
software, which does not recommend non-free plugins and addons. It also
|
||||
features built-in privacy-protecting features.")
|
||||
(license license:mpl2.0) ;and others, see toolkit/content/license.html
|
||||
(properties '((ftp-directory . "/gnu/gnuzilla")))))
|
||||
(properties
|
||||
`((ftp-directory . "/gnu/gnuzilla")
|
||||
(cpe-name . "firefox_esr")
|
||||
(cpe-version . ,(string-drop-right version
|
||||
(string-length "-gnu1")))))))
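Review bot: The new `cpe-version` is derived with `(string-drop-right version (string-length "-gnu1"))`, which blindly drops five characters without checking that the version actually ends in `-gnu1`; if the suffix ever becomes `-gnu10` or is dropped, the CPE version silently becomes garbage and `guix lint` would report no CVEs for IceCat — a false negative in exactly the check this commit is meant to improve. Locating the suffix instead of assuming its length avoids that, e.g. `(cpe-version . ,(let ((index (string-index version #\-))) (if index (string-take version index) version)))`, using the same SRFI-13 procedures the current line already relies on. This presumes upstream versions never contain a hyphen before the gnu suffix, which the hunk cannot confirm; the enclosing `package` form and its `version` field start outside the hunk.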
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
|
||||
;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
|
||||
;;;
|
||||
|
@ -132,4 +132,5 @@ (define-public grub
|
|||
bootloader, GRUB handles the presence of multiple operating systems installed
|
||||
on the same computer; upon booting the computer, the user is presented with a
|
||||
menu to select one of the installed operating systems.")
|
||||
(license gpl3+)))
|
||||
(license gpl3+)
|
||||
(properties '((cpe-name . "grub2")))))
|
||||
|
|
|
@ -600,15 +600,6 @@ (define (patch-file-name patch)
|
|||
((? origin?)
|
||||
(and=> (origin-actual-file-name patch) basename))))
|
||||
|
||||
(define (package-name->cpe-name name)
|
||||
"Do a basic conversion of NAME, a Guix package name, to the corresponding
|
||||
Common Platform Enumeration (CPE) name."
|
||||
(match name
|
||||
("icecat" "firefox") ;or "firefox_esr"
|
||||
("grub" "grub2")
|
||||
;; TODO: Add more.
|
||||
(_ name)))
|
||||
|
||||
(define (current-vulnerabilities*)
|
||||
"Like 'current-vulnerabilities', but return the empty list upon networking
|
||||
or HTTP errors. This allows network-less operation and makes problems with
|
||||
|
@ -635,9 +626,15 @@ (define package-vulnerabilities
|
|||
(current-vulnerabilities*)))))
|
||||
(lambda (package)
|
||||
"Return a list of vulnerabilities affecting PACKAGE."
|
||||
((force lookup)
|
||||
(package-name->cpe-name (package-name package))
|
||||
(package-version package)))))
|
||||
;; First we retrieve the Common Platform Enumeration (CPE) name and
|
||||
;; version for PACKAGE, then we can pass them to LOOKUP.
|
||||
(let ((name (or (assoc-ref (package-properties package)
|
||||
'cpe-name)
|
||||
(package-name package)))
|
||||
(version (or (assoc-ref (package-properties package)
|
||||
'cpe-version)
|
||||
(package-version package))))
|
||||
((force lookup) name version)))))
|
||||
|
||||
(define (check-vulnerabilities package)
|
||||
"Check for known vulnerabilities for PACKAGE."
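Review bot: The new `let` reads `cpe-name` and `cpe-version` straight out of `(package-properties package)` with no check that they are strings, so a mistyped property (a symbol or number) is handed to LOOKUP as-is, and `package-properties` is called twice where one binding would do; `(let* ((properties (package-properties package)) (name (or (assoc-ref properties 'cpe-name) (package-name package))) (version (or (assoc-ref properties 'cpe-version) (package-version package))))` reads more clearly. The lambda's docstring should also say where the lookup key comes from, since the old name table is gone: `"Return a list of vulnerabilities affecting PACKAGE, looked up by the CPE name and version from its 'cpe-name' and 'cpe-version' properties, falling back to the Guix package name and version."`. A fallback name that differs from the CPE product name presumably yields an empty result rather than an error, which is worth a comment so readers do not mistake silence for a clean bill of health. The `package-vulnerabilities` definition begins before this hunk.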
|
||||
|
|