summaryrefslogtreecommitdiff
path: root/guix/scripts/lint.scm
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2016-10-03 23:30:49 +0200
committerLudovic Courtès <ludo@gnu.org>2016-10-03 23:30:49 +0200
commit9bee2bd1b02c7ef91cc7232e8647bd07525d3382 (patch)
treee55a12a00b9cdf6041063598324ead5cb0ac7251 /guix/scripts/lint.scm
parent0f7cd95b8138f120bf0bc0593e772ed8c373f994 (diff)
lint: 'cve' checker reports the replacement's vulnerabilities.
Before, 'guix lint -c cve' would report the vulnerabilities of the original package while pretending they are the vulnerabilities of the replacement. * guix/scripts/lint.scm (check-vulnerabilities): Consider the package replacement before calling 'package-vulnerabilities'. * tests/lint.scm ("cve: vulnerability fixed in replacement version"): New test.
Diffstat (limited to 'guix/scripts/lint.scm')
-rw-r--r--guix/scripts/lint.scm38
1 files changed, 19 insertions, 19 deletions
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index eac3214bbf..b3ec6d628e 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -683,25 +683,25 @@ from ~s: ~a (~s)~%")
(define (check-vulnerabilities package)
"Check for known vulnerabilities for PACKAGE."
- (match (package-vulnerabilities package)
- (()
- #t)
- ((vulnerabilities ...)
- (let* ((package (or (package-replacement package) package))
- (patches (filter-map patch-file-name
- (or (and=> (package-source package)
- origin-patches)
- '())))
- (unpatched (remove (lambda (vuln)
- (find (cute string-contains
- <> (vulnerability-id vuln))
- patches))
- vulnerabilities)))
- (unless (null? unpatched)
- (emit-warning package
- (format #f (_ "probably vulnerable to ~a")
- (string-join (map vulnerability-id unpatched)
- ", "))))))))
+ (let ((package (or (package-replacement package) package)))
+ (match (package-vulnerabilities package)
+ (()
+ #t)
+ ((vulnerabilities ...)
+ (let* ((patches (filter-map patch-file-name
+ (or (and=> (package-source package)
+ origin-patches)
+ '())))
+ (unpatched (remove (lambda (vuln)
+ (find (cute string-contains
+ <> (vulnerability-id vuln))
+ patches))
+ vulnerabilities)))
+ (unless (null? unpatched)
+ (emit-warning package
+ (format #f (_ "probably vulnerable to ~a")
+ (string-join (map vulnerability-id unpatched)
+ ", ")))))))))
;;;