authorLudovic Courtès <ludo@gnu.org>2016-05-17 18:04:13 +0200
committerLudovic Courtès <ludo@gnu.org>2016-05-17 18:15:53 +0200
commit99effc8faa43d478371eb06aee5df8ae1383c51a (patch)
tree6e01a04c76f80f4707c56c12bdb6cad80d410b20
parent1c29f3ef8452860c4301d7ae57c89ac5956d1663 (diff)
lint: Honor 'cpe-name' and 'cpe-version' package properties.
* guix/scripts/lint.scm (package-name->cpe-name): Remove. (package-vulnerabilities): Honor 'cpe-name' and 'cpe-version' properties. * gnu/packages/grub.scm (grub)[properties]: New field. * gnu/packages/gnuzilla.scm (icecat)[properties]: Add 'cpe-name' and 'cpe-version'. * doc/guix.texi (Invoking guix lint): Mention 'cpe-name'.
-rw-r--r--doc/guix.texi13
-rw-r--r--gnu/packages/gnuzilla.scm6
-rw-r--r--gnu/packages/grub.scm5
-rw-r--r--guix/scripts/lint.scm21
4 files changed, 30 insertions, 15 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 0e63ecadfd..3f0106be02 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4961,6 +4961,19 @@ To view information about a particular vulnerability, visit pages such as:
where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
@code{CVE-2015-7554}.
+Package developers can specify in package recipes the
+@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
+name and version of the package when they differ from the name that Guix
+uses, as in this example:
+
+@example
+(package
+ (name "grub")
+ ;; @dots{}
+ ;; CPE calls this package "grub2".
+ (properties '((cpe-name . "grub2"))))
+@end example
+
@item formatting
Warn about obvious source code formatting issues: trailing white space,
use of tabulations, etc.
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index df1075c370..7e52534b8f 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -517,4 +517,8 @@ standards.")
software, which does not recommend non-free plugins and addons. It also
features built-in privacy-protecting features.")
(license license:mpl2.0) ;and others, see toolkit/content/license.html
- (properties '((ftp-directory . "/gnu/gnuzilla")))))
+ (properties
+ `((ftp-directory . "/gnu/gnuzilla")
+ (cpe-name . "firefox_esr")
+ (cpe-version . ,(string-drop-right version
+ (string-length "-gnu1")))))))
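Review bot: The `cpe-version` on the last two lines is built by dropping the last five characters of `version`, so it is only right while the package's version field (outside this hunk) ends in exactly "-gnu1"; with any other suffix it would silently yield a truncated version, the NVD lookup would presumably stop matching, and `guix lint` would report IceCat as clean. A comment stating the assumption would help whoever next bumps the version, e.g. `;; NVD tracks IceCat as Firefox ESR; strip the "-gnu1" suffix so the version matches upstream's.` Splitting at the first hyphen instead, `(car (string-split version #\-))`, would survive a changed suffix, though that is a behavior change to check against the version format. The enclosing package definition starts before this hunk.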
diff --git a/gnu/packages/grub.scm b/gnu/packages/grub.scm
index 5fc7ee8386..ec2feebbf4 100644
--- a/gnu/packages/grub.scm
+++ b/gnu/packages/grub.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
;;;
@@ -132,4 +132,5 @@ then goes on to load the rest of the operating system. As a multiboot
bootloader, GRUB handles the presence of multiple operating systems installed
on the same computer; upon booting the computer, the user is presented with a
menu to select one of the installed operating systems.")
- (license gpl3+)))
+ (license gpl3+)
+ (properties '((cpe-name . "grub2")))))
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 06001d3eae..b4fdb6f905 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -600,15 +600,6 @@ be determined."
((? origin?)
(and=> (origin-actual-file-name patch) basename))))
-(define (package-name->cpe-name name)
- "Do a basic conversion of NAME, a Guix package name, to the corresponding
-Common Platform Enumeration (CPE) name."
- (match name
- ("icecat" "firefox") ;or "firefox_esr"
- ("grub" "grub2")
- ;; TODO: Add more.
- (_ name)))
-
(define (current-vulnerabilities*)
"Like 'current-vulnerabilities', but return the empty list upon networking
or HTTP errors. This allows network-less operation and makes problems with
@@ -635,9 +626,15 @@ from ~s: ~a (~s)~%")
(current-vulnerabilities*)))))
(lambda (package)
"Return a list of vulnerabilities affecting PACKAGE."
- ((force lookup)
- (package-name->cpe-name (package-name package))
- (package-version package)))))
+ ;; First we retrieve the Common Platform Enumeration (CPE) name and
+ ;; version for PACKAGE, then we can pass them to LOOKUP.
+ (let ((name (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (package-name package)))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package))))
+ ((force lookup) name version)))))
(define (check-vulnerabilities package)
"Check for known vulnerabilities for PACKAGE."