
[bug#31442] [PATCH 4/5] profiles: Record fixed vulnerabilities as proper


From: Ludovic Courtès
Subject: [bug#31442] [PATCH 4/5] profiles: Record fixed vulnerabilities as properties of entries.
Date: Mon, 14 May 2018 10:25:49 +0200

* guix/profiles.scm (package->manifest-entry)[fixed, cpe-name]
[cpe-version]: New variables.
Populate the 'properties' field based on these.
* tests/profiles.scm ("manifest-entry-properties"): New test.
---
 guix/profiles.scm  | 23 ++++++++++++++++++++++-
 tests/profiles.scm | 22 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/guix/profiles.scm b/guix/profiles.scm
index 02828e465..6656cf356 100644
--- a/guix/profiles.scm
+++ b/guix/profiles.scm
@@ -286,6 +286,17 @@ file name."
 (define* (package->manifest-entry package #:optional (output "out")
                                   #:key (parent (delay #f)))
   "Return a manifest entry for the OUTPUT of package PACKAGE."
+  (define fixed
+    (append (package-patched-vulnerabilities package)
+            (or (assq-ref (package-properties package) 'lint-hidden-cve)
+                '())))
+
+  (define cpe-name
+    (assoc-ref (package-properties package) 'cpe-name))
+
+  (define cpe-version
+    (assoc-ref (package-properties package) 'cpe-version))
+
   ;; For each dependency, keep a promise pointing to its "parent" entry.
   (letrec* ((deps  (map (match-lambda
                           ((label package)
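Review bot: The `fixed` definition folds `lint-hidden-cve` in with the CVE ids parsed out of patch file names, and `lint-hidden-cve`, going by its name, presumably also covers CVEs suppressed from the linter as not applicable rather than fixed by a patch; recording both under a single `fixed-vulnerabilities` key loses that distinction for anything that later reads the manifest property (the test below indeed expects the lint-hidden CVE of `p3` to come back as fixed). If the conflation is intended, a comment on the `append` should say so, e.g. `;; CVEs hidden from 'guix lint' are treated as addressed too.`; otherwise keep them apart under a separate property. A CVE that appears both in a patch file name and in `lint-hidden-cve` is also listed twice, which `(delete-duplicates (append ...))` would avoid, as the `dependencies` field further down already does. Minor: `assq-ref` is used for `lint-hidden-cve` while `assoc-ref` is used for `cpe-name` and `cpe-version` a few lines below; pick one. The enclosing `package->manifest-entry` continues past the end of this hunk.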
@@ -303,7 +314,17 @@ file name."
                      (dependencies (delete-duplicates deps))
                      (search-paths
                       (package-transitive-native-search-paths package))
-                     (parent parent))))
+                     (parent parent)
+                     (properties `(,@(if cpe-name
+                                         `((cpe-name . ,cpe-name))
+                                         '())
+                                   ,@(if cpe-version
+                                         `((cpe-version . ,cpe-version))
+                                         '())
+                                   ,@(if (null? fixed)
+                                         '()
+                                         `((fixed-vulnerabilities
+                                            . ,fixed))))))))
     entry))
 
 (define (packages->manifest packages)
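Review bot: The new `properties` field is assembled from `fixed`, `cpe-name` and `cpe-version` without any comment, and the docstring of `package->manifest-entry` (in the preceding hunk) still only says that an entry for OUTPUT is returned, so a reader of a manifest has nothing telling them what `fixed-vulnerabilities` means or where the values come from. A short comment above `(properties ...)` would help, e.g. `;; Carry the package's CPE name/version and the CVE ids it is known to address, so manifest consumers need not re-examine the package.`, and the docstring could mention that the entry's 'properties' records these when the package provides them. The start of `package->manifest-entry` lies outside this hunk.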
diff --git a/tests/profiles.scm b/tests/profiles.scm
index c668c2b83..8152e4b68 100644
--- a/tests/profiles.scm
+++ b/tests/profiles.scm
@@ -439,6 +439,28 @@
                                                     #:locales? #f)))
         (return #f)))))
 
+(test-equal "manifest-entry-properties"
+  '(((fixed-vulnerabilities "CVE-2015-1234"))
+    ((fixed-vulnerabilities "CVE-2016-1234" "CVE-2018-4567"))
+    ((cpe-name . "Pi")
+     (fixed-vulnerabilities "CVE-2002-0001"))
+    ())
+  (let ((p1 (dummy-package "pi"
+              (source (dummy-origin
+                       (patches (list "/a/b/pi-CVE-2015-1234.patch"))))))
+        (p2 (dummy-package "pi"
+              (source (dummy-origin
+                       (patches
+                        (list
+                         "/a/b/pi-CVE-2016-1234-CVE-2018-4567.patch"))))))
+        (p3 (dummy-package "pi" (source (dummy-origin))
+                           (properties
+                            '((cpe-name . "Pi")
+                              (lint-hidden-cve "CVE-2002-0001")))))
+        (p4 (dummy-package "pi" (source (dummy-origin)))))
+    (map (compose manifest-entry-properties package->manifest-entry)
+         (list p1 p2 p3 p4))))
+
 (test-assertm "no collision"
   ;; Here we have an entry that is "lowered" (its 'item' field is a store file
   ;; name) and another entry (its 'item' field is a package) that is
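Review bot: None of the four packages in "manifest-entry-properties" sets `cpe-version`, so the `cpe-version` branch of the new `properties` code is never exercised, and no case lists the same CVE both in a patch file name and under `lint-hidden-cve`, so the resulting order and duplication of `fixed-vulnerabilities` in that situation is pinned nowhere. Adding a fifth dummy package with `(properties '((cpe-name . "Pi") (cpe-version . "3.14")))` and the expected value `((cpe-name . "Pi") (cpe-version . "3.14"))` would close the first gap; a sixth with a `pi-CVE-2002-0001.patch` source plus the same id in `lint-hidden-cve` would document whichever behaviour is intended for the second.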
-- 
2.17.0





