summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBjörn Höfling <bjoern.hoefling@bjoernhoefling.de>2018-05-13 01:40:00 +0200
committerLudovic Courtès <ludo@gnu.org>2018-05-14 23:01:36 +0200
commit5ac7bf56d0b20d505b747425c5d17f2cc33d9302 (patch)
treef0a72554d3fe66933e094ee70975ed291db43323
parent320344055a04025d25376a688a4f1caca65be66e (diff)
doc: Update documentation of guix lint
* doc/guix.texi (Invoking guix lint): Add cpe-version to example. (Invoking guix lint): Add example for lint-hidden-cve. Co-authored-by: Ludovic Courtès <ludo@gnu.org>
-rw-r--r--doc/guix.texi24
1 files changed, 21 insertions, 3 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 637c9c3f4d..a771ab7ae1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6835,15 +6835,33 @@ where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
Package developers can specify in package recipes the
@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
-name and version of the package when they differ from the name that Guix
-uses, as in this example:
+name and version of the package when they differ from the name or version
+that Guix uses, as in this example:
@example
(package
(name "grub")
;; @dots{}
;; CPE calls this package "grub2".
- (properties '((cpe-name . "grub2"))))
+ (properties '((cpe-name . "grub2")
+ (cpe-version . "2.3")))
+@end example
+
+@c See <http://www.openwall.com/lists/oss-security/2017/03/15/3>.
+Some entries in the CVE database do not specify which version of a
+package they apply to, and would thus ``stick around'' forever. Package
+developers who found CVE alerts and verified they can be ignored can
+declare them as in this example:
+
+@example
+(package
+ (name "t1lib")
+ ;; @dots{}
+ ;; These CVEs no longer apply and can be safely ignored.
+ (properties `((lint-hidden-cve . ("CVE-2011-0433"
+ "CVE-2011-1553"
+ "CVE-2011-1554"
+ "CVE-2011-5244")))))
@end example
@item formatting