author | Ludovic Courtès <ludo@gnu.org> | 2015-11-26 22:59:06 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2015-11-26 23:04:19 +0100 |
commit | 5432734b00ae14c3a93af358fc7bbf80e3db5ee8 (patch) | |
tree | a2dbd935bfb43f2d7e4523a2182de26f3268103f /guix | |
parent | 0eef7551303e3fc855809d84eed8421d2a075cfa (diff) |
lint: Add "cve" checker.
Fixes <http://bugs.gnu.org/21289>.
* guix/scripts/lint.scm (package-name->cpe-name, package-vulnerabilities)
(check-vulnerabilities): New procedures.
* guix/scripts/lint.scm (%checkers): Add "cve" checker.
* tests/lint.scm ("cve", "cve: one vulnerability"): New tests.
* doc/guix.texi (Invoking guix lint): Mention it.
Diffstat (limited to 'guix')
-rw-r--r-- | guix/scripts/lint.scm | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 034f0f95ee..1da4790f2d 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -32,6 +32,7 @@
 #:use-module (guix scripts)
 #:use-module (guix gnu-maintenance)
 #:use-module (guix monads)
+ #:use-module (guix cve)
 #:use-module (gnu packages)
 #:use-module (ice-9 match)
 #:use-module (ice-9 regex)
@@ -61,6 +62,7 @@
 check-source
 check-source-file-name
 check-license
+ check-vulnerabilities
 check-formatting
 run-checkers
@@ -571,6 +573,34 @@ descriptions maintained upstream."
 (emit-warning package (_ "invalid license field") 'license))))
+(define (package-name->cpe-name name)
+ "Do a basic conversion of NAME, a Guix package name, to the corresponding
+Common Platform Enumeration (CPE) name."
+ (match name
+ ("icecat" "firefox") ;or "firefox_esr"
+ ;; TODO: Add more.
+ (_ name)))
+
+(define package-vulnerabilities
+ (let ((lookup (delay (vulnerabilities->lookup-proc
+ (current-vulnerabilities)))))
+ (lambda (package)
+ "Return a list of vulnerabilities affecting PACKAGE."
+ ((force lookup)
+ (package-name->cpe-name (package-name package))
+ (package-version package)))))
+
+(define (check-vulnerabilities package)
+ "Check for known vulnerabilities for PACKAGE."
+ (match (package-vulnerabilities package)
+ (()
+ #t)
+ ((vulnerabilities ...)
+ (emit-warning package
+ (format #f (_ "probably vulnerable to ~a")
+ (string-join (map vulnerability-id vulnerabilities)
+ ", "))))))
+
 ;;;
 ;;; Source code formatting.
@@ -709,6 +739,11 @@ or a list thereof")
 (description "Validate package synopses")
 (check check-synopsis-style))
 (lint-checker
+ (name 'cve)
+ (description "Check the Common Vulnerabilities and Exposures\
+ (CVE) database")
+ (check check-vulnerabilities))
+ (lint-checker
 (name 'formatting)
 (description "Look for formatting issues in the source")
 (check check-formatting))))
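Review bot: `package-vulnerabilities` hands `(package-version package)` and, for every package except icecat, the raw Guix package name straight to the CPE lookup, so a package whose Guix name or version string differs from its CPE product or version silently gets no warning, and a Guix name that happens to coincide with a different vendor's CPE product name will be flagged for the wrong software. That limitation should be stated where it bites: extend the docstring of `package-name->cpe-name` with a sentence such as `Only the product part of the CPE name is produced; the vendor is not considered, and names not listed here are returned unchanged, so a mismatch yields no warning rather than an error.`, and put `;; An unmapped name falls through unchanged: mismatches are silent.` above the `(_ name)` fallback. Separately, nothing in `check-vulnerabilities` catches an error raised while the delayed lookup is first forced; if `current-vulnerabilities` obtains its data from outside the process (not visible in this hunk), that error aborts the whole `guix lint` run rather than just this checker, so consider guarding the `(package-vulnerabilities package)` call and emitting a warning that the CVE check was skipped.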