packages: Add 'package-patched-vulnerabilities'.

* guix/packages.scm (patch-file-name): New procedure.
(%vulnerability-regexp): New variable.
(package-patched-vulnerabilities): New procedure.
* guix/scripts/lint.scm (patch-file-name): Remove.
(check-vulnerabilities): Adjust to use
'package-patched-vulnerabilities'.
* tests/packages.scm ("package-patched-vulnerabilities"): New test.
This commit is contained in:
Ludovic Courtès 2018-05-13 18:46:13 +02:00
parent efcb4441f1
commit c423ae8918
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
3 changed files with 47 additions and 19 deletions

View file

@ -35,6 +35,7 @@ (define-module (guix packages)
#:use-module (guix sets) #:use-module (guix sets)
#:use-module (ice-9 match) #:use-module (ice-9 match)
#:use-module (ice-9 vlist) #:use-module (ice-9 vlist)
#:use-module (ice-9 regex)
#:use-module (srfi srfi-1) #:use-module (srfi srfi-1)
#:use-module (srfi srfi-9 gnu) #:use-module (srfi srfi-9 gnu)
#:use-module (srfi srfi-11) #:use-module (srfi srfi-11)
@ -106,6 +107,7 @@ (define-module (guix packages)
package-cross-derivation package-cross-derivation
package-output package-output
package-grafts package-grafts
package-patched-vulnerabilities
package/inherit package/inherit
transitive-input-references transitive-input-references
@ -394,6 +396,32 @@ (define* (package-full-name package #:optional (delimiter "@"))
the version. By default, DELIMITER is \"@\"." the version. By default, DELIMITER is \"@\"."
(string-append (package-name package) delimiter (package-version package))) (string-append (package-name package) delimiter (package-version package)))
(define (patch-file-name patch)
"Return the basename of PATCH's file name, or #f if the file name could not
be determined."
(match patch
((? string?)
(basename patch))
((? origin?)
(and=> (origin-actual-file-name patch) basename))))
(define %vulnerability-regexp
;; Regexp matching a CVE identifier in patch file names.
(make-regexp "CVE-[0-9]{4}-[0-9]+"))
(define (package-patched-vulnerabilities package)
"Return the list of patched vulnerabilities of PACKAGE as a list of CVE
identifiers. The result is inferred from the file names of patches."
(define (patch-vulnerabilities patch)
(map (cut match:substring <> 0)
(list-matches %vulnerability-regexp patch)))
(let ((patches (filter-map patch-file-name
(or (and=> (package-source package)
origin-patches)
'()))))
(append-map patch-vulnerabilities patches)))
(define (%standard-patch-inputs) (define (%standard-patch-inputs)
(let* ((canonical (module-ref (resolve-interface '(gnu packages base)) (let* ((canonical (module-ref (resolve-interface '(gnu packages base))
'canonical-package)) 'canonical-package))

View file

@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2014 Cyril Roelandt <tipecaml@gmail.com> ;;; Copyright © 2014 Cyril Roelandt <tipecaml@gmail.com>
;;; Copyright © 2014, 2015 Eric Bavier <bavier@member.fsf.org> ;;; Copyright © 2014, 2015 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org> ;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org>
;;; Copyright © 2016 Danny Milosavljevic <dannym+a@scratchpost.org> ;;; Copyright © 2016 Danny Milosavljevic <dannym+a@scratchpost.org>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
@ -809,15 +809,6 @@ (define (check-license package)
(emit-warning package (G_ "invalid license field") (emit-warning package (G_ "invalid license field")
'license)))) 'license))))
(define (patch-file-name patch)
"Return the basename of PATCH's file name, or #f if the file name could not
be determined."
(match patch
((? string?)
(basename patch))
((? origin?)
(and=> (origin-actual-file-name patch) basename))))
(define (call-with-networking-fail-safe message error-value proc) (define (call-with-networking-fail-safe message error-value proc)
"Call PROC catching any network-related errors. Upon a networking error, "Call PROC catching any network-related errors. Upon a networking error,
display a message including MESSAGE and return ERROR-VALUE." display a message including MESSAGE and return ERROR-VALUE."
@ -878,20 +869,14 @@ (define (check-vulnerabilities package)
(() (()
#t) #t)
((vulnerabilities ...) ((vulnerabilities ...)
(let* ((patches (filter-map patch-file-name (let* ((patched (package-patched-vulnerabilities package))
(or (and=> (package-source package)
origin-patches)
'())))
(known-safe (or (assq-ref (package-properties package) (known-safe (or (assq-ref (package-properties package)
'lint-hidden-cve) 'lint-hidden-cve)
'())) '()))
(unpatched (remove (lambda (vuln) (unpatched (remove (lambda (vuln)
(let ((id (vulnerability-id vuln))) (let ((id (vulnerability-id vuln)))
(or (or (member id patched)
(find (cute string-contains (member id known-safe))))
<> id)
patches)
(member id known-safe))))
vulnerabilities))) vulnerabilities)))
(unless (null? unpatched) (unless (null? unpatched)
(emit-warning package (emit-warning package

View file

@ -959,6 +959,21 @@ (define read-at
((("x" dep)) ((("x" dep))
(eq? dep findutils))))))))) (eq? dep findutils)))))))))
(test-equal "package-patched-vulnerabilities"
'(("CVE-2015-1234")
("CVE-2016-1234" "CVE-2018-4567")
())
(let ((p1 (dummy-package "pi"
(source (dummy-origin
(patches (list "/a/b/pi-CVE-2015-1234.patch"))))))
(p2 (dummy-package "pi"
(source (dummy-origin
(patches (list
"/a/b/pi-CVE-2016-1234-CVE-2018-4567.patch"))))))
(p3 (dummy-package "pi" (source (dummy-origin)))))
(map package-patched-vulnerabilities
(list p1 p2 p3))))
(test-eq "fold-packages" hello (test-eq "fold-packages" hello
(fold-packages (lambda (p r) (fold-packages (lambda (p r)
(if (string=? (package-name p) "hello") (if (string=? (package-name p) "hello")