[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/02: lint: Honor 'cpe-name' and 'cpe-version' package properties.
From: |
Ludovic Courtès |
Subject: |
01/02: lint: Honor 'cpe-name' and 'cpe-version' package properties. |
Date: |
Tue, 17 May 2016 16:16:10 +0000 (UTC) |
civodul pushed a commit to branch master
in repository guix.
commit 99effc8faa43d478371eb06aee5df8ae1383c51a
Author: Ludovic Courtès <address@hidden>
Date: Tue May 17 18:04:13 2016 +0200
lint: Honor 'cpe-name' and 'cpe-version' package properties.
* guix/scripts/lint.scm (package-name->cpe-name): Remove.
(package-vulnerabilities): Honor 'cpe-name' and 'cpe-version'
properties.
* gnu/packages/grub.scm (grub)[properties]: New field.
* gnu/packages/gnuzilla.scm (icecat)[properties]: Add 'cpe-name' and
'cpe-version'.
* doc/guix.texi (Invoking guix lint): Mention 'cpe-name'.
---
doc/guix.texi | 13 +++++++++++++
gnu/packages/gnuzilla.scm | 6 +++++-
gnu/packages/grub.scm | 5 +++--
guix/scripts/lint.scm | 21 +++++++++------------
4 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 0e63eca..3f0106b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -4961,6 +4961,19 @@ To view information about a particular vulnerability,
visit pages such as:
where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
@code{CVE-2015-7554}.
+Package developers can specify in package recipes the
address@hidden://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
+name and version of the package when they differ from the name that Guix
+uses, as in this example:
+
address@hidden
+(package
+ (name "grub")
+ ;; @dots{}
+ ;; CPE calls this package "grub2".
+ (properties '((cpe-name . "grub2"))))
address@hidden example
+
@item formatting
Warn about obvious source code formatting issues: trailing white space,
use of tabulations, etc.
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index df1075c..7e52534 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -517,4 +517,8 @@ standards.")
software, which does not recommend non-free plugins and addons. It also
features built-in privacy-protecting features.")
(license license:mpl2.0) ;and others, see toolkit/content/license.html
- (properties '((ftp-directory . "/gnu/gnuzilla")))))
+ (properties
+ `((ftp-directory . "/gnu/gnuzilla")
+ (cpe-name . "firefox_esr")
+ (cpe-version . ,(string-drop-right version
+ (string-length "-gnu1")))))))
diff --git a/gnu/packages/grub.scm b/gnu/packages/grub.scm
index 5fc7ee8..ec2feeb 100644
--- a/gnu/packages/grub.scm
+++ b/gnu/packages/grub.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <address@hidden>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <address@hidden>
;;; Copyright © 2015 Mark H Weaver <address@hidden>
;;; Copyright © 2015 Leo Famulari <address@hidden>
;;;
@@ -132,4 +132,5 @@ then goes on to load the rest of the operating system. As
a multiboot
bootloader, GRUB handles the presence of multiple operating systems installed
on the same computer; upon booting the computer, the user is presented with a
menu to select one of the installed operating systems.")
- (license gpl3+)))
+ (license gpl3+)
+ (properties '((cpe-name . "grub2")))))
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 06001d3..b4fdb6f 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -600,15 +600,6 @@ be determined."
((? origin?)
(and=> (origin-actual-file-name patch) basename))))
-(define (package-name->cpe-name name)
- "Do a basic conversion of NAME, a Guix package name, to the corresponding
-Common Platform Enumeration (CPE) name."
- (match name
- ("icecat" "firefox") ;or "firefox_esr"
- ("grub" "grub2")
- ;; TODO: Add more.
- (_ name)))
-
(define (current-vulnerabilities*)
"Like 'current-vulnerabilities', but return the empty list upon networking
or HTTP errors. This allows network-less operation and makes problems with
@@ -635,9 +626,15 @@ from ~s: ~a (~s)~%")
(current-vulnerabilities*)))))
(lambda (package)
"Return a list of vulnerabilities affecting PACKAGE."
- ((force lookup)
- (package-name->cpe-name (package-name package))
- (package-version package)))))
+ ;; First we retrieve the Common Platform Enumeration (CPE) name and
+ ;; version for PACKAGE, then we can pass them to LOOKUP.
+ (let ((name (or (assoc-ref (package-properties package)
+ 'cpe-name)
+ (package-name package)))
+ (version (or (assoc-ref (package-properties package)
+ 'cpe-version)
+ (package-version package))))
+ ((force lookup) name version)))))
(define (check-vulnerabilities package)
"Check for known vulnerabilities for PACKAGE."