From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35638) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fHe8Q-0002fi-1i for guix-patches@gnu.org; Sat, 12 May 2018 19:41:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fHe8M-0001hO-RJ for guix-patches@gnu.org; Sat, 12 May 2018 19:41:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:52059) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fHe8M-0001hI-Ol for guix-patches@gnu.org; Sat, 12 May 2018 19:41:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1fHe8M-0007AQ-De for guix-patches@gnu.org; Sat, 12 May 2018 19:41:02 -0400 Subject: [bug#31437] [PATCH 1/2] doc: Update documentation of guix lint References: <20180513013222.2f0629dc@alma-ubu> In-Reply-To: <20180513013222.2f0629dc@alma-ubu> Resent-Message-ID: Date: Sun, 13 May 2018 01:40:00 +0200 From: =?UTF-8?Q?Bj=C3=B6rn_?= =?UTF-8?Q?H=C3=B6fling?= Message-ID: <20180513014000.132a2c85@alma-ubu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; boundary="Sig_/2B+0.SFrTBKOjr2DZ.SDgAn"; protocol="application/pgp-signature" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 31437@debbugs.gnu.org --Sig_/2B+0.SFrTBKOjr2DZ.SDgAn Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable * doc/guix.texi (Invoking guix lint): Add cpe-version to example. * doc/guix.texi (Invoking guix lint): Add example for lint-hidden-cve. --- doc/guix.texi | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 637c9c3f4..f0b666b9e 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -6835,15 +6835,31 @@ where @code{CVE-YYYY-ABCD} is the CVE identifier---= e.g., =20 Package developers can specify in package recipes the @uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)} -name and version of the package when they differ from the name that Guix -uses, as in this example: +name and version of the package when they differ from the name or version +that Guix uses, as in this example: =20 @example (package (name "grub") ;; @dots{} ;; CPE calls this package "grub2". - (properties '((cpe-name . "grub2")))) + (properties '((cpe-name . "grub2") + (cpe-version . "2.3"))) +@end example + +Sometimes, the CVE database contains false positives. Package developers = who +found CVE alerts and verified they can be ignored can declare them as in +this example: + +@example +(package + (name "t1lib") + ;; @dots{} + ;; These CVEs are false positives and can be ignored: + (properties `((lint-hidden-cve . ("CVE-2011-0433" + "CVE-2011-1553" + "CVE-2011-1554" + "CVE-2011-5244"))))) @end example =20 @item formatting --=20 2.17.0 --Sig_/2B+0.SFrTBKOjr2DZ.SDgAn Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlr3e1EACgkQvyhstlk+X/3udQCfXFnvhZ1Q/QrB2sIxyFhzSBVo r/gAmwZOp2BE+d7oTpa7JBBYq0BAF8Eb =SITp -----END PGP SIGNATURE----- --Sig_/2B+0.SFrTBKOjr2DZ.SDgAn--
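Review bot: The new lint-hidden-cve paragraph asks only that developers have "verified they can be ignored" and the t1lib example's comment says the four CVEs are false positives without saying why; since this property silences a security alert from the cve checker, the text should ask that the reason be recorded next to the property (for example, that the fix is already applied by a patch in the package, or that the affected version range does not match the packaged version), so the suppression can be re-checked when the package is updated. Two smaller points in the same hunk: the second example uses quasiquote (`) where the first uses ', and nothing is unquoted, so ' would be consistent; and the grub example adds (cpe-version . "2.3") without a comment, unlike cpe-name, so a short note that CPE records a different version from the one Guix uses would make the example self-explanatory.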