Subject: [bug#31442] [PATCH 4/5] profiles: Record fixed vulnerabilities as properties of entries.
From: Ludovic Courtès
Date: Mon, 14 May 2018 10:25:49 +0200
Message-Id: <20180514082550.1131-4-ludo@gnu.org>
In-Reply-To: <20180514082550.1131-1-ludo@gnu.org>
References: <20180514082550.1131-1-ludo@gnu.org>
To: 31442@debbugs.gnu.org

* guix/profiles.scm (package->manifest-entry)[fixed, cpe-name]
[cpe-version]: New variables. Populate the 'properties' field based on these.
* tests/profiles.scm ("manifest-entry-properties"): New test.
---
 guix/profiles.scm  | 23 ++++++++++++++++++++++-
 tests/profiles.scm | 22 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/guix/profiles.scm b/guix/profiles.scm
index 02828e465..6656cf356 100644
--- a/guix/profiles.scm
+++ b/guix/profiles.scm
@@ -286,6 +286,17 @@ file name." (define* (package->manifest-entry package #:optional (output "out") #:key (parent (delay #f))) "Return a manifest entry for the OUTPUT of package PACKAGE." + (define fixed + (append (package-patched-vulnerabilities package) + (or (assq-ref (package-properties package) 'lint-hidden-cve) + '()))) + + (define cpe-name + (assoc-ref (package-properties package) 'cpe-name)) + + (define cpe-version + (assoc-ref (package-properties package) 'cpe-version)) + ;; For each dependency, keep a promise pointing to its "parent" entry. (letrec* ((deps (map (match-lambda ((label package) @@ -303,7 +314,17 @@ file name." (dependencies (delete-duplicates deps)) (search-paths (package-transitive-native-search-paths package)) - (parent parent)))) + (parent parent) + (properties `(,@(if cpe-name + `((cpe-name . ,cpe-name)) + '()) + ,@(if cpe-version + `((cpe-version . ,cpe-version)) + '()) + ,@(if (null? fixed) + '() + `((fixed-vulnerabilities + . ,fixed)))))))) entry)) (define (packages->manifest packages) diff --git a/tests/profiles.scm b/tests/profiles.scm index c668c2b83..8152e4b68 100644 --- a/tests/profiles.scm +++ b/tests/profiles.scm 
@@ -439,6 +439,28 @@ #:locales? #f))) (return #f))))) +(test-equal "manifest-entry-properties" + '(((fixed-vulnerabilities "CVE-2015-1234")) + ((fixed-vulnerabilities "CVE-2016-1234" "CVE-2018-4567")) + ((cpe-name . "Pi") + (fixed-vulnerabilities "CVE-2002-0001")) + ()) + (let ((p1 (dummy-package "pi" + (source (dummy-origin + (patches (list "/a/b/pi-CVE-2015-1234.patch")))))) + (p2 (dummy-package "pi" + (source (dummy-origin + (patches + (list + "/a/b/pi-CVE-2016-1234-CVE-2018-4567.patch")))))) + (p3 (dummy-package "pi" (source (dummy-origin)) + (properties + '((cpe-name . "Pi") + (lint-hidden-cve "CVE-2002-0001"))))) + (p4 (dummy-package "pi" (source (dummy-origin))))) + (map (compose manifest-entry-properties package->manifest-entry) + (list p1 p2 p3 p4)))) + (test-assertm "no collision" ;; Here we have an entry that is "lowered" (its 'item' field is a store file ;; name) and another entry (its 'item' field is a package) that is -- 2.17.0
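Review bot: In the first hunk of guix/profiles.scm, `fixed` is a plain `append` of `(package-patched-vulnerabilities package)` and the `lint-hidden-cve` property, so a CVE identifier that is both named in a patch file and listed under `lint-hidden-cve` ends up twice in `fixed-vulnerabilities`; wrapping the result in `delete-duplicates`, as the same function already does for `deps` a few lines below, keeps the recorded list canonical for whatever tooling later compares it against a vulnerability feed. Minor style point in the same hunk: the lookups mix `assq-ref` (for `lint-hidden-cve`) with `assoc-ref` (for `cpe-name` and `cpe-version`) on the same symbol-keyed alist; using one of the two throughout reads better.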
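Review bot: The second hunk introduces three property keys that downstream code will match on literally (`cpe-name`, `cpe-version`, `fixed-vulnerabilities`), yet the docstring of `package->manifest-entry` still reads only "Return a manifest entry for the OUTPUT of package PACKAGE."; please document the keys and their value shapes there, including that `cpe-name` and `cpe-version` are present only when the package carries the corresponding property, so a consumer must fall back to the entry's own name and version fields otherwise. The three `,@(if ... '())` splices are correct as written; a short comment saying that absent properties are omitted rather than recorded as `#f` would save the next reader from re-deriving that from the quasiquote.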
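Review bot: The new "manifest-entry-properties" test leaves two branches from the earlier hunks unexercised: none of p1 through p4 carries a `cpe-version` property, so that splice is never checked, and no package lists the same CVE both in a patch file name and under `lint-hidden-cve`, which is exactly the input where the `append` in `fixed` yields a duplicate. Adding a fifth dummy package with `(properties '((cpe-version . "3.14")))` (any constructed value will do) and a sixth that pairs `"/a/b/pi-CVE-2002-0001.patch"` with `(lint-hidden-cve "CVE-2002-0001")` would pin down both behaviours and make the intended result for the duplicate case explicit. Note also that the expected value for p3 encodes the construction order (`cpe-name` before `fixed-vulnerabilities`), so the test will fail if the splices in `package->manifest-entry` are ever reordered; that is acceptable, but worth a comment so the coupling is deliberate.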