From: "Ludovic Courtès" <ludo@gnu.org>
To: 31442@debbugs.gnu.org
Subject: [bug#31442] [PATCH 4/5] profiles: Record fixed vulnerabilities as properties of entries.
Date: Mon, 14 May 2018 10:25:49 +0200
Message-ID: <20180514082550.1131-4-ludo@gnu.org>
In-Reply-To: <20180514082550.1131-1-ludo@gnu.org>
* guix/profiles.scm (package->manifest-entry)[fixed, cpe-name]
[cpe-version]: New variables.
Populate the 'properties' field based on these.
* tests/profiles.scm ("manifest-entry-properties"): New test.
---
guix/profiles.scm | 23 ++++++++++++++++++++++-
tests/profiles.scm | 22 ++++++++++++++++++++++
2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/guix/profiles.scm b/guix/profiles.scm
index 02828e465..6656cf356 100644
--- a/guix/profiles.scm
+++ b/guix/profiles.scm
@@ -286,6 +286,17 @@ file name."
(define* (package->manifest-entry package #:optional (output "out")
#:key (parent (delay #f)))
"Return a manifest entry for the OUTPUT of package PACKAGE."
+ (define fixed
+ (append (package-patched-vulnerabilities package)
+ (or (assq-ref (package-properties package) 'lint-hidden-cve)
+ '())))
+
+ (define cpe-name
+ (assoc-ref (package-properties package) 'cpe-name))
+
+ (define cpe-version
+ (assoc-ref (package-properties package) 'cpe-version))
+
;; For each dependency, keep a promise pointing to its "parent" entry.
(letrec* ((deps (map (match-lambda
((label package)
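Review bot: In the `fixed` definition, the CVEs from the 'lint-hidden-cve property are appended to the result of `package-patched-vulnerabilities` under the single name `fixed`, but that property name only says lint should hide the CVE, which also covers CVEs that do not apply to the package. Either keep them under a separate name or add a comment stating that hidden is treated as fixed here and why. A CVE named both in a patch file and in 'lint-hidden-cve would also appear twice, so consider wrapping the `append` in `delete-duplicates`. Finally, `assq-ref` is used here while `cpe-name` and `cpe-version` use `assoc-ref` on the same alist; the keys are symbols, so `assq-ref` is enough for all three.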
@@ -303,7 +314,17 @@ file name."
(dependencies (delete-duplicates deps))
(search-paths
(package-transitive-native-search-paths package))
- (parent parent))))
+ (parent parent)
+ (properties `(,@(if cpe-name
+ `((cpe-name . ,cpe-name))
+ '())
+ ,@(if cpe-version
+ `((cpe-version . ,cpe-version))
+ '())
+ ,@(if (null? fixed)
+ '()
+ `((fixed-vulnerabilities
+ . ,fixed))))))))
entry))
(define (packages->manifest packages)
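Review bot: The new `properties` expression introduces three keys with different value shapes and nothing documents them: `cpe-name` and `cpe-version` each map to a single value, while `(fixed-vulnerabilities . ,fixed)` maps to a list. Add a comment above the quasiquote, or extend the docstring of `package->manifest-entry`, listing the keys and their value types so that code reading the entry does not have to guess. The three `,@(if ...)` clauses follow the same pattern and could be folded into one small helper that drops absent values.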
diff --git a/tests/profiles.scm b/tests/profiles.scm
index c668c2b83..8152e4b68 100644
--- a/tests/profiles.scm
+++ b/tests/profiles.scm
@@ -439,6 +439,28 @@
#:locales? #f)))
(return #f)))))
+(test-equal "manifest-entry-properties"
+ '(((fixed-vulnerabilities "CVE-2015-1234"))
+ ((fixed-vulnerabilities "CVE-2016-1234" "CVE-2018-4567"))
+ ((cpe-name . "Pi")
+ (fixed-vulnerabilities "CVE-2002-0001"))
+ ())
+ (let ((p1 (dummy-package "pi"
+ (source (dummy-origin
+ (patches (list "/a/b/pi-CVE-2015-1234.patch"))))))
+ (p2 (dummy-package "pi"
+ (source (dummy-origin
+ (patches
+ (list
+ "/a/b/pi-CVE-2016-1234-CVE-2018-4567.patch"))))))
+ (p3 (dummy-package "pi" (source (dummy-origin))
+ (properties
+ '((cpe-name . "Pi")
+ (lint-hidden-cve "CVE-2002-0001")))))
+ (p4 (dummy-package "pi" (source (dummy-origin)))))
+ (map (compose manifest-entry-properties package->manifest-entry)
+ (list p1 p2 p3 p4))))
+
(test-assertm "no collision"
;; Here we have an entry that is "lowered" (its 'item' field is a store file
;; name) and another entry (its 'item' field is a package) that is
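Review bot: The "manifest-entry-properties" test never exercises `cpe-version`, which the change to `package->manifest-entry` adds alongside `cpe-name`, and no case combines a CVE-named patch with a `lint-hidden-cve` property on the same package. Add a fifth dummy package that sets `cpe-version` and has both CVE sources, so the expected value pins down the key order and the order of the merged CVE list.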
--
2.17.0
Thread overview: 7+ messages
2018-05-13 20:25 [bug#31442] [PATCH 0/5] 'guix health': a tool to report vulnerable packages Ludovic Courtès
2018-05-14 8:25 ` [bug#31442] [PATCH 1/5] profiles: Add '%current-profile', 'user-friendly-profile', & co Ludovic Courtès
2018-05-14 8:25 ` [bug#31442] [PATCH 2/5] packages: Add 'package-patched-vulnerabilities' Ludovic Courtès
2018-05-14 8:25 ` [bug#31442] [PATCH 3/5] profiles: Add 'properties' field to manifest entries Ludovic Courtès
2018-05-14 8:25 ` Ludovic Courtès [this message]
2018-05-14 8:25 ` [bug#31442] [PATCH 5/5] DRAFT Add 'guix health' Ludovic Courtès
2018-06-09 10:18 ` [bug#31442] [PATCH 0/5] 'guix health': a tool to report vulnerable packages Ludovic Courtès