aboutsummaryrefslogtreecommitdiff
path: root/guix
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2017-11-30 23:41:29 +0200
committerEfraim Flashner <efraim@flashner.co.il>2017-12-10 21:59:07 +0200
commitf4007b25476dfd97885f358d2dabbd463f6f6017 (patch)
treecc50563d23c77d455fc5e03cc7cb8cc0a61c7ac5 /guix
parent308b8f79c5267ae442e4a8874cfed80f3c5a8831 (diff)
downloadgnu-guix-f4007b25476dfd97885f358d2dabbd463f6f6017.tar
gnu-guix-f4007b25476dfd97885f358d2dabbd463f6f6017.tar.gz
lint: 'check-vulnerabilities' also checks package properties.
* guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs listed as mitigated in the package properties. * tests/lint.scm ("cve: known safe from vulnerability"): New test.
Diffstat (limited to 'guix')
-rw-r--r--guix/scripts/lint.scm13
1 files changed, 10 insertions, 3 deletions
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 1b43b0a63c..4ec3267007 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -881,10 +882,16 @@ the NIST server non-fatal."
(or (and=> (package-source package)
origin-patches)
'())))
+ (known-safe (or (assq-ref (package-properties package)
+ 'lint-hidden-cve)
+ '()))
(unpatched (remove (lambda (vuln)
- (find (cute string-contains
- <> (vulnerability-id vuln))
- patches))
+ (let ((id (vulnerability-id vuln)))
+ (or
+ (find (cute string-contains
+ <> id)
+ patches)
+ (member id known-safe))))
vulnerabilities)))
(unless (null? unpatched)
(emit-warning package