lint: 'check-vulnerabilities' also checks package properties.

* guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs
listed as mitigated in the package properties.
* tests/lint.scm ("cve: known safe from vulnerability"): New test.
Efraim Flashner 2017-11-30 23:41:29 +02:00
parent 308b8f79c5
commit f4007b2547
GPG key ID: 41AAE7DCCA3D8351
2 changed files with 25 additions and 3 deletions


@ -7,6 +7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com> ;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -881,10 +882,16 @@ (define (check-vulnerabilities package)
(or (and=> (package-source package) (or (and=> (package-source package)
origin-patches) origin-patches)
'()))) '())))
(known-safe (or (assq-ref (package-properties package)
'lint-hidden-cve)
'()))
(unpatched (remove (lambda (vuln) (unpatched (remove (lambda (vuln)
(let ((id (vulnerability-id vuln)))
(or
(find (cute string-contains (find (cute string-contains
<> (vulnerability-id vuln)) <> id)
patches)) patches)
(member id known-safe))))
vulnerabilities))) vulnerabilities)))
(unless (null? unpatched) (unless (null? unpatched)
(emit-warning package (emit-warning package
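Review bot: The `known-safe` binding near the top of the hunk takes the `lint-hidden-cve` property value as-is, so a value that is not a list (for instance a bare `"CVE-…"` string) reaches `(member id known-safe)` and raises a wrong-type error that aborts the whole lint run instead of producing a warning. A one-line guard avoids that: `(known-safe (let ((ids (assq-ref (package-properties package) 'lint-hidden-cve))) (if (list? ids) ids '())))`. Note also that the allowlist is matched on the CVE id alone, while the vulnerability record appears to carry per-package versions, so an entry keeps suppressing the report after the package is updated; a comment such as `;; Entries in 'lint-hidden-cve silence a CVE for every version of the package; justify each one.` would make that trade-off visible to the next maintainer. `check-vulnerabilities` starts and ends outside this hunk.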


@ -5,6 +5,7 @@
;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org> ;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com> ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com> ;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -702,6 +703,20 @@ (define-syntax-rule (with-warnings body ...)
(patches (patches
(list "/a/b/pi-CVE-2015-1234.patch")))))))))) (list "/a/b/pi-CVE-2015-1234.patch"))))))))))
(test-assert "cve: known safe from vulnerability"
(mock ((guix scripts lint) package-vulnerabilities
(lambda (package)
(list (make-struct (@@ (guix cve) <vulnerability>) 0
"CVE-2015-1234"
(list (cons (package-name package)
(package-version package)))))))
(string-null?
(with-warnings
(check-vulnerabilities
(dummy-package "pi"
(version "3.14")
(properties `((lint-hidden-cve . ("CVE-2015-1234"))))))))))
(test-assert "cve: vulnerability fixed in replacement version" (test-assert "cve: vulnerability fixed in replacement version"
(mock ((guix scripts lint) package-vulnerabilities (mock ((guix scripts lint) package-vulnerabilities
(lambda (package) (lambda (package)