~ruther/guix-local: lint: Honor 'cpe-name' and 'cpe-version' package properties.

4 files changed, 30 insertions(+), 15 deletions(-)

M doc/guix.texi
M gnu/packages/gnuzilla.scm
M gnu/packages/grub.scm
M guix/scripts/lint.scm

M doc/guix.texi => doc/guix.texi +13 -0

@@ 4961,6 4961,19 @@ To view information about a particular vulnerability, visit pages such as:
 where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
 @code{CVE-2015-7554}.
 
+Package developers can specify in package recipes the
+@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
+name and version of the package when they differ from the name that Guix
+uses, as in this example:
+
+@example
+(package
+  (name "grub")
+  ;; @dots{}
+  ;; CPE calls this package "grub2".
+  (properties '((cpe-name . "grub2"))))
+@end example
+
 @item formatting
 Warn about obvious source code formatting issues: trailing white space,
 use of tabulations, etc.

M gnu/packages/gnuzilla.scm => gnu/packages/gnuzilla.scm +5 -1

@@ 517,4 517,8 @@ standards.")
 software, which does not recommend non-free plugins and addons.  It also
 features built-in privacy-protecting features.")
     (license license:mpl2.0)     ;and others, see toolkit/content/license.html
-    (properties '((ftp-directory . "/gnu/gnuzilla")))))
+    (properties
+     `((ftp-directory . "/gnu/gnuzilla")
+       (cpe-name . "firefox_esr")
+       (cpe-version . ,(string-drop-right version
+                                          (string-length "-gnu1")))))))

M gnu/packages/grub.scm => gnu/packages/grub.scm +3 -2

@@ 1,5 1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
 ;;;


@@ 132,4 132,5 @@ then goes on to load the rest of the operating system.  As a multiboot
 bootloader, GRUB handles the presence of multiple operating systems installed
 on the same computer; upon booting the computer, the user is presented with a
 menu to select one of the installed operating systems.")
-    (license gpl3+)))
+    (license gpl3+)
+    (properties '((cpe-name . "grub2")))))

M guix/scripts/lint.scm => guix/scripts/lint.scm +9 -12

@@ 600,15 600,6 @@ be determined."
     ((? origin?)
      (and=> (origin-actual-file-name patch) basename))))
 
-(define (package-name->cpe-name name)
-  "Do a basic conversion of NAME, a Guix package name, to the corresponding
-Common Platform Enumeration (CPE) name."
-  (match name
-    ("icecat"   "firefox")                        ;or "firefox_esr"
-    ("grub"     "grub2")
-    ;; TODO: Add more.
-    (_          name)))
-
 (define (current-vulnerabilities*)
   "Like 'current-vulnerabilities', but return the empty list upon networking
 or HTTP errors.  This allows network-less operation and makes problems with


@@ 635,9 626,15 @@ from ~s: ~a (~s)~%")
                         (current-vulnerabilities*)))))
     (lambda (package)
       "Return a list of vulnerabilities affecting PACKAGE."
-      ((force lookup)
-       (package-name->cpe-name (package-name package))
-       (package-version package)))))
+      ;; First we retrieve the Common Platform Enumeration (CPE) name and
+      ;; version for PACKAGE, then we can pass them to LOOKUP.
+      (let ((name    (or (assoc-ref (package-properties package)
+                                    'cpe-name)
+                         (package-name package)))
+            (version (or (assoc-ref (package-properties package)
+                                    'cpe-version)
+                         (package-version package))))
+        ((force lookup) name version)))))
 
 (define (check-vulnerabilities package)
   "Check for known vulnerabilities for PACKAGE."