author | Ludovic Courtès <ludo@gnu.org> | 2016-10-03 23:30:49 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2016-10-03 23:30:49 +0200 |
commit | 9bee2bd1b02c7ef91cc7232e8647bd07525d3382 (patch) | |
tree | e55a12a00b9cdf6041063598324ead5cb0ac7251 /guix/scripts | |
parent | 0f7cd95b8138f120bf0bc0593e772ed8c373f994 (diff) |
lint: 'cve' checker reports the replacement's vulnerabilities.
Before, 'guix lint -c cve' would report the vulnerabilities of the
original package while pretending they are the vulnerabilities of the
replacement.
* guix/scripts/lint.scm (check-vulnerabilities): Consider the package
replacement before calling 'package-vulnerabilities'.
* tests/lint.scm ("cve: vulnerability fixed in replacement version"):
New test.
Diffstat (limited to 'guix/scripts')
-rw-r--r-- | guix/scripts/lint.scm | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index eac3214bbf..b3ec6d628e 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -683,25 +683,25 @@ from ~s: ~a (~s)~%")
 (define (check-vulnerabilities package)
 "Check for known vulnerabilities for PACKAGE."
- (match (package-vulnerabilities package)
- (()
- #t)
- ((vulnerabilities ...)
- (let* ((package (or (package-replacement package) package))
- (patches (filter-map patch-file-name
- (or (and=> (package-source package)
- origin-patches)
- '())))
- (unpatched (remove (lambda (vuln)
- (find (cute string-contains
- <> (vulnerability-id vuln))
- patches))
- vulnerabilities)))
- (unless (null? unpatched)
- (emit-warning package
- (format #f (_ "probably vulnerable to ~a")
- (string-join (map vulnerability-id unpatched)
- ", "))))))))
+ (let ((package (or (package-replacement package) package)))
+ (match (package-vulnerabilities package)
+ (()
+ #t)
+ ((vulnerabilities ...)
+ (let* ((patches (filter-map patch-file-name
+ (or (and=> (package-source package)
+ origin-patches)
+ '())))
+ (unpatched (remove (lambda (vuln)
+ (find (cute string-contains
+ <> (vulnerability-id vuln))
+ patches))
+ vulnerabilities)))
+ (unless (null? unpatched)
+ (emit-warning package
+ (format #f (_ "probably vulnerable to ~a")
+ (string-join (map vulnerability-id unpatched)
+ ", ")))))))))
 ;;; |
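Review bot: The docstring on the context line `"Check for known vulnerabilities for PACKAGE."` is now inaccurate, because the added `let` rebinds `package` to its replacement whenever `package-replacement` returns one, so the vulnerability lookup, the patch-name filter and the emitted warning all describe the replacement rather than the package that was passed in. I would change it to `"Check for known vulnerabilities for PACKAGE, or for its replacement when it has one."` and put `;; Users actually get the replacement (graft), so lint that one.` above the `let`. Only one level of replacement is followed here; if a replacement can itself carry a replacement, that second level is not consulted, and I cannot tell from this hunk whether that case arises in practice. The warning is also attributed to the rebound `package`, so it will name the replacement even though the user linted the original, which is worth a comment next to the `emit-warning` call.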