M guix/scripts/lint.scm => guix/scripts/lint.scm +10 -3
@@ 7,6 7,7 @@
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@@ 881,10 882,16 @@ the NIST server non-fatal."
(or (and=> (package-source package)
origin-patches)
'())))
+ (known-safe (or (assq-ref (package-properties package)
+ 'lint-hidden-cve)
+ '()))
(unpatched (remove (lambda (vuln)
- (find (cute string-contains
- <> (vulnerability-id vuln))
- patches))
+ (let ((id (vulnerability-id vuln)))
+ (or
+ (find (cute string-contains
+ <> id)
+ patches)
+ (member id known-safe))))
vulnerabilities)))
(unless (null? unpatched)
(emit-warning package
M tests/lint.scm => tests/lint.scm +15 -0
@@ 5,6 5,7 @@
;;; Copyright © 2015, 2016 Mathieu Lirzin <mthl@gnu.org>
;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Alex Kost <alezost@gmail.com>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@@ 702,6 703,20 @@
(patches
(list "/a/b/pi-CVE-2015-1234.patch"))))))))))
+(test-assert "cve: known safe from vulnerability"
+ (mock ((guix scripts lint) package-vulnerabilities
+ (lambda (package)
+ (list (make-struct (@@ (guix cve) <vulnerability>) 0
+ "CVE-2015-1234"
+ (list (cons (package-name package)
+ (package-version package)))))))
+ (string-null?
+ (with-warnings
+ (check-vulnerabilities
+ (dummy-package "pi"
+ (version "3.14")
+ (properties `((lint-hidden-cve . ("CVE-2015-1234"))))))))))
+
(test-assert "cve: vulnerability fixed in replacement version"
(mock ((guix scripts lint) package-vulnerabilities
(lambda (package)