[PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.

  • Open
One participant
  • Nicolas Graves
Owner
unassigned
Submitted by
Nicolas Graves
Severity
normal
Nicolas Graves wrote 4 days ago
(address . guix-patches@gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026222934.25890-1-ngraves@ngraves.fr
This patch series is adding lint-hidden-cve properties for packages
that have less than 10 dependents.

Some of these packages have been updated, but only when the
update was trivial and harmless.

This is not applying any security fix by itself, but will help
security-related work.

Nicolas Graves (21):
gnu: libgda: Rename patch for guix lint.
gnu: upx: Update to 4.2.4.
gnu: halibut: Add lint-hidden-cve property.
gnu: portfolio: Update to 1.0.1.
gnu: folders: Add lint-hidden-cve property.
gnu: spectra: Add lint-hidden-cve property.
gnu: express: Add lint-hidden-cve property.
gnu: cli: Add lint-hidden-cve property.
gnu: h2c: Add lint-hidden-cve property.
gnu: xenon: Update to 0.9.3.
gnu: bolt: Update to 0.9.8.
gnu: sylpheed: Add release-monitoring-url property.
gnu: openvswitch: Update to 3.4.0.
gnu: quagga: Fix build and hide CVE.
gnu: bwm-ng: Add lint-hidden-cve property.
gnu: onedrive: Update to 2.5.2.
gnu: got: Update to 0.104.
gnu: dex: Update to 0.10.1.
gnu: immer: Add lint-hidden-cve property.
gnu: cvs: Add lint-hidden-cve property.
gnu: gerbv: Add lint-hidden-cve property.

gnu/local.mk | 2 +-
gnu/packages/algebra.scm | 2 ++
gnu/packages/bioinformatics.scm | 2 ++
gnu/packages/code.scm | 6 ++++--
gnu/packages/compression.scm | 7 ++++---
gnu/packages/cpp.scm | 4 ++++
gnu/packages/curl.scm | 2 ++
gnu/packages/documentation.scm | 16 ++++++++------
gnu/packages/engineering.scm | 2 ++
gnu/packages/esolangs.scm | 8 +++++++
gnu/packages/gnome-xyz.scm | 6 ++++--
gnu/packages/gnome.scm | 2 +-
gnu/packages/linux.scm | 21 ++++++++++++-------
gnu/packages/mail.scm | 2 ++
gnu/packages/networking.scm | 16 ++++++++++----
...9359.patch => libgda-CVE-2021-39359.patch} | 0
gnu/packages/sync.scm | 8 +++++--
gnu/packages/version-control.scm | 13 +++++++++---
gnu/packages/xdisorg.scm | 19 ++++++++++-------
19 files changed, 99 insertions(+), 39 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 01/21] gnu: libgda: Rename patch for guix lint.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-1-ngraves@ngraves.fr
* gnu/packages/gnome.scm (libgda)[source]<origin>: Rename patch for
CVE to be ignored by guix lint.
---
gnu/local.mk | 2 +-
gnu/packages/gnome.scm | 2 +-
...{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} | 0
3 files changed, 2 insertions(+), 2 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..d253b424bb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1666,7 +1666,7 @@ dist_patch_DATA = \
%D%/packages/patches/libcroco-CVE-2020-12825.patch \
%D%/packages/patches/libcyaml-libyaml-compat.patch \
%D%/packages/patches/libexpected-use-provided-catch2.patch \
- %D%/packages/patches/libgda-cve-2021-39359.patch \
+ %D%/packages/patches/libgda-CVE-2021-39359.patch \
%D%/packages/patches/libgda-disable-data-proxy-test.patch \
%D%/packages/patches/libgda-fix-build.patch \
%D%/packages/patches/libgda-fix-missing-initialization.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..9b26819261 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -13653,7 +13653,7 @@ (define-public libgda
name "-" version ".tar.xz"))
(sha256
(base32 "0w564z7krgjk19r39mi5qn4kggpdg9ggbyn9pb4aavb61r14npwr"))
- (patches (search-patches "libgda-cve-2021-39359.patch"
+ (patches (search-patches "libgda-CVE-2021-39359.patch"
"libgda-disable-data-proxy-test.patch"
"libgda-fix-build.patch"
"libgda-fix-missing-initialization.patch"
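Review bot: this call site is the only one the diff touches, so the rename is correct only if no other package definition still calls (search-patches "libgda-cve-2021-39359.patch"); a grep over gnu/packages for the old lower-case name before applying would confirm there is no second user left pointing at a file that no longer exists. The ChangeLog entry should also spell out that the change is purely a case change because the linter's patched-CVE detection keys on the upper-case "CVE-" prefix in the patch file name, since that is the whole reason for the rename and is otherwise invisible to someone reading the log.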
diff --git a/gnu/packages/patches/libgda-cve-2021-39359.patch b/gnu/packages/patches/libgda-CVE-2021-39359.patch
similarity index 100%
rename from gnu/packages/patches/libgda-cve-2021-39359.patch
rename to gnu/packages/patches/libgda-CVE-2021-39359.patch
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 02/21] gnu: upx: Update to 4.2.4.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-2-ngraves@ngraves.fr
* gnu/packages/compression.scm (upx): Update to 4.2.4.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/compression.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..a32b15a64a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2438,15 +2438,14 @@ (define-public ucl
(define-public upx
(package
(name "upx")
- (version "4.1.0")
+ (version "4.2.4")
(source
(origin
(method url-fetch)
(uri (string-append "https://github.com/upx/upx/releases/download/v"
version "/upx-" version "-src.tar.xz"))
(sha256
- (base32
- "1l273pwa573x9l3izw75cz8ysn2g8w8w3s56rahppa3ya65zg0h5"))))
+ (base32 "1i71p03861hlf5x1w217l67zm5inm449zhbg6kpv8zyj0wb5dmjy"))))
(build-system cmake-build-system)
(home-page "https://upx.github.io/")
(synopsis "Compression tool for executables")
@@ -2455,6 +2454,8 @@ (define-public upx
compressor. UPX typically reduces the file size of programs and shared
libraries by around 50%--70%, thus reducing disk space, network load times,
download times, and other distribution and storage costs.")
+ ;; These CVEs have been fixed since 4.0.2 but are still linted.
+ (properties `((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457"))))
(license license:gpl2+)))
(define-public quazip-0
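Review bot: the properties form uses quasiquote (the backtick) with no unquote anywhere in it, where a plain quote does the same and is what most other packages in this series use (xenon, onedrive, quagga); one form should be used across the series. The comment "These CVEs have been fixed since 4.0.2 but are still linted." should also say where that was verified (the upstream release notes or fix commit), because a hidden id is never surfaced by the linter again and the next maintainer has to be able to recheck the justification without redoing the research.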
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 03/21] gnu: halibut: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-3-ngraves@ngraves.fr
* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/documentation.scm | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..7522b5f769 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,16 @@ (define-public halibut
(home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
(synopsis "Documentation production system for software manuals")
(description
- "Halibut is a text formatting system designed primarily for writing software
-documentation. It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF. It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible. It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+ "Halibut is a text formatting system designed primarily for writing
+software documentation. It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible. It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+ ;; This CVE concerns the halibut RPC-based communication framework,
+ ;; rather than the halibut text formatting system.
+ (properties `((lint-hidden-cve . ("CVE-2021-31819"))))
(license license:expat)))
(define-public doc++
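Review bot: the description reflow in the first seven lines of the hunk is cosmetic and unrelated to the lint property, which makes the security-relevant two lines harder to spot in review; it is covered by the ChangeLog, but it would be cleaner as its own commit. On the property itself, hiding by id suppresses only CVE-2021-31819: if NVD later attributes another CVE to the unrelated "halibut" RPC framework named in the comment, the linter will report it again and a further entry will be needed, so keeping the product named in the comment, as done here, is the right documentation.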
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 05/21] gnu: folders: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-5-ngraves@ngraves.fr
* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cve property.
---
gnu/packages/esolangs.scm | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..b29787e7bf 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,14 @@ (define-public folders
(description "Folders is a programming language, in which programs
are encoded as (nested) directories. Note that the switches you pass to
@command{du} may affect your score when code golfing.")
+ (properties `((lint-hidden-cve
+ ;; These CVEs concern...
+ . ( ; ...the Wordpress Folders plugin
+ "CVE-2023-40204"
+ ;; ...the Jenkins Folders plugin
+ "CVE-2023-40336"
+ "CVE-2023-40337"
+ "CVE-2023-40338"))))
(license license:expat)))
(define-public shakespeare-spl
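Review bot: the comments are placed between the key lint-hidden-cve and the dotted pair's ".", which is valid Scheme but awkward to read, and the opening "( ; ...the Wordpress Folders plugin" puts a comment on the same line as the list opener; the dex patch in this series instead puts each explanatory comment after the id it refers to, and adopting that one layout across the series would make these blocks uniform and easier to audit.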
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 06/21] gnu: spectra: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-6-ngraves@ngraves.fr
* gnu/packages/algebra.scm (spectra)[properties]: Add lint-hidden-cve
property.
---
gnu/packages/algebra.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..cb390ea976 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,8 @@ (define-public spectra
built on top of Eigen. It is implemented as a header-only C++ library and can
be easily embedded in C++ projects that require calculating eigenvalues of
large matrices.")
+ ;; These CVEs concern the Wordpress Spectra plugin.
+ (properties `((lint-hidden-cve . ("CVE-2023-36676" "CVE-2023-49833"))))
(license license:mpl2.0)))
(define-public gappa
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 07/21] gnu: express: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-7-ngraves@ngraves.fr
* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/bioinformatics.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..2f463c8969 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,8 @@ (define-public express
transcript-level RNA-Seq quantification, allele-specific/haplotype expression
analysis (from RNA-Seq), transcription factor binding quantification in
ChIP-Seq, and analysis of metagenomic data.")
+ ;; These CVEs concern the Express.js node framework.
+ (properties `((lint-hidden-cve . ("CVE-2022-24999" "CVE-2024-43796"))))
(license license:artistic2.0)))
(define-public express-beta-diversity
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 08/21] gnu: cli: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-8-ngraves@ngraves.fr
* gnu/packages/cpp.scm (cli)[properties]: Add lint-cve-property.
---
gnu/packages/cpp.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..e9c6dc096b 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,8 @@ (define-public cli
options that your program supports, their types, default values, and
documentation.")
(home-page "https://codesynthesis.com/projects/cli/")
+ ;; This CVE concerns Snyk CLI rather than this package.
+ (properties `((lint-hidden-cve . ("CVE-2022-40764"))))
(license license:expat)))
(define-public xsd
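Review bot: the ChangeLog line says "Add lint-cve-property." while the hunk adds a lint-hidden-cve property; the message should name the property actually added so that a later search of the log for lint-hidden-cve finds this commit.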
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 04/21] gnu: portfolio: Update to 1.0.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-4-ngraves@ngraves.fr
* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/gnome-xyz.scm | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..b399d30886 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
(define-public portfolio
(package
(name "portfolio")
- (version "1.0.0")
+ (version "1.0.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
(file-name (git-file-name name version))
(sha256
(base32
- "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+ "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
(arguments
(list #:glib-or-gtk? #t
#:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,8 @@ (define-public portfolio
"Portfolio is a minimalist file manager for those who want to use Linux
mobile devices. Tap to activate and long press to select, to browse, open,
copy, move, delete, or edit your files.")
+ ;; This CVE concerns the Wordpress Portfolio plugin, not this package.
+ (properties `((lint-hidden-cve . ("CVE-2019-13232"))))
(license license:gpl3+)))
(define-public gnome-shell-extension-unite-shell
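Review bot: the comment asserts that CVE-2019-13232 concerns "the Wordpress Portfolio plugin", but nothing in the diff shows how that attribution was established; since the id is being permanently excluded from lint output for this package, the comment should say where it was checked (the affected-product list on the NVD record) so a reviewer can confirm the match is on the name only and not on code this package ships.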
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 10/21] gnu: xenon: Update to 0.9.3.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-10-ngraves@ngraves.fr
* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/code.scm | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..bbf10be987 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
(define-public xenon
(package
(name "xenon")
- (version "0.9.0")
+ (version "0.9.3")
(source
(origin
(method url-fetch)
(uri (pypi-uri "xenon" version))
(sha256
(base32
- "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+ "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
(build-system python-build-system)
(arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
(inputs (list python-pyyaml python-radon python-requests))
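Review bot: this bump from 0.9.0 to 0.9.3 is built with #:tests? #f, so nothing in the build verifies the new release; the cover letter describes the updates in this series as "trivial and harmless", and with no test suite that claim rests entirely on building the package and whatever depends on it, which the reviewer should do before applying rather than treating this as a lint-only change.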
@@ -1096,6 +1096,8 @@ (define-public xenon
line options, various thresholds can be set for the complexity of code. It
will fail (i.e., it will exit with a non-zero exit code) when any of these
requirements is not met.")
+ ;; This CVE is for another package named Xenon too.
+ (properties '((lint-hidden-cve . ("CVE-2023-39427"))))
(license license:expat)))
(define-public python-xenon
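Review bot: "This CVE is for another package named Xenon too." does not say which product the id belongs to, so the exclusion cannot be rechecked later; other entries in the series name the product (the Express.js framework, the Jenkins Folders plugin, the Snyk CLI), and this comment should do the same.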
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 11/21] gnu: bolt: Update to 0.9.8.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-11-ngraves@ngraves.fr
* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/linux.scm | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..f9f13ca28a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
(define-public bolt
(package
(name "bolt")
- (version "0.9.5")
+ (version "0.9.8")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
(file-name (git-file-name name version))
(sha256
(base32
- "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+ "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
(build-system meson-build-system)
(arguments
(list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
(add-after 'unpack 'replace-directories
(lambda* (#:key outputs #:allow-other-keys)
(substitute* "meson.build"
- (("udev.get_pkgconfig_variable..udevdir..")
- (string-append "'"
- #$output "/lib/udev'")))
- (substitute* "scripts/meson-install.sh"
- (("mkdir.*")
- ""))))
+ (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+ (string-append "'" #$output "/lib/udev'"))
+ ;; Don't install in /var
+ (("not systemd\\.found\\(\\)")
+ "false"))))
(add-before 'install 'no-polkit-magic
(lambda* (#:key outputs #:allow-other-keys)
(setenv "PKEXEC_UID" "something"))))))
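Review bot: two things in the rewritten phase need explaining in the ChangeLog or the comment: why the substitution of scripts/meson-install.sh (the mkdir removal) is dropped, and how replacing `not systemd.found()` with "false" achieves "Don't install in /var", since the link between a systemd check and the /var install is not obvious from the build file name. If upstream's meson.build changed between 0.9.5 and 0.9.8 and moved the directory creation behind that condition, one line saying so would let the next updater follow the change; as written, the only record is "Update phase 'replace-directories".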
@@ -3411,6 +3410,12 @@ (define-public bolt
@command{boltd}. It can list devices, monitor changes, and initiate
authorization of devices.")
(home-page "https://gitlab.freedesktop.org/bolt/bolt")
+ (properties `((lint-hidden-cve . (;; These CVEs concern...
+ ;; ...the Bolt PHP cms
+ "CVE-2021-27367"
+ "CVE-2022-31321"
+ ;; ...the Bolt orchestration tool
+ "CVE-2023-5214"))))
(license license:gpl2+)))
(define-public jitterentropy-rngd
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 12/21] gnu: sylpheed: Add release-monitoring-url property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-12-ngraves@ngraves.fr
* gnu/packages/mail.scm (sylpheed)[properties]: Add
release-monitoring-url.
---
gnu/packages/mail.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..77be7626a9 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -4561,6 +4561,8 @@ (define-public sylpheed
"Sylpheed is a simple, lightweight but featureful, and easy-to-use e-mail
client. Sylpheed provides intuitive user-interface. Sylpheed is also
designed for keyboard-oriented operation.")
+ (properties '((release-monitoring-url
+ . "https://sylpheed.sraoss.jp/en/download.html")))
(license license:gpl2+)))
(define-public python-authres
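Review bot: this patch adds only a release-monitoring-url and no lint-hidden-cve, so it does not serve the purpose the cover letter states for the series; it would be easier to review and apply as a standalone patch, which is consistent with it being absent from the v2 series list later in this thread.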
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 13/21] gnu: openvswitch: Update to 3.4.0.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-13-ngraves@ngraves.fr
* gnu/packages/networking.scm (openvswitch): Update to 3.4.0.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..d98179cf2f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2877,7 +2877,7 @@ (define-public nzbget
(define-public openvswitch
(package
(name "openvswitch")
- (version "3.2.0")
+ (version "3.4.0")
(source (origin
(method url-fetch)
(uri (string-append
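Review bot: the jump from 3.2.0 to 3.4.0 spans two minor releases of a network switch daemon, which stretches the cover letter's "trivial and harmless" criterion for updates in this series; the reviewer should build the dependents of openvswitch (guix refresh -l openvswitch lists them) before applying rather than treating this as a lint-only change.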
@@ -2885,7 +2885,7 @@ (define-public openvswitch
version ".tar.gz"))
(sha256
(base32
- "1i0lb40lwbakmmqklmfcgr01l1ymsawgdi7k9a1zzp8ariw7x4ff"))))
+ "10g84h6lis6fafyjhvmdrs8r539xcar04cc3rsk448gs6848hsqr"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
@@ -2961,7 +2961,9 @@ (define-public openvswitch
supporting standard management interfaces and protocols (e.g. NetFlow, sFlow,
IPFIX, RSPAN, CLI, LACP, 802.1ag).")
(properties
- '((release-monitoring-url . "https://www.openvswitch.org/download/")))
+ '((release-monitoring-url . "https://www.openvswitch.org/download/")
+ ;; This CVE is fixed since 3.2.0.
+ (lint-hidden-cve . ("CVE-2023-5366"))))
(license ; see debian/copyright for detail
(list license:lgpl2.1 ; xenserver and utilities/bugtool
license:gpl2 ; datapath
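Review bot: the comment says CVE-2023-5366 "is fixed since 3.2.0", yet the package was already at 3.2.0 before this patch (see the first hunk), so the linter must be matching on NVD's version data rather than on the packaged version; the comment should say where the fix was confirmed (upstream advisory or release notes) so the exclusion can be rechecked, and the ChangeLog should mention that the id is hidden as fixed rather than as a different product, since the series uses the same property for both cases.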
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 14/21] gnu: quagga: Fix build and hide CVE.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-14-ngraves@ngraves.fr
* gnu/packages/networking.scm (quagga)
[inputs]: Add libxcrypt.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index d98179cf2f..53bc670c41 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -3138,7 +3138,7 @@ (define-public quagga
(delete-file "vtysh/extract.pl")))))
(build-system gnu-build-system)
(native-inputs (list gawk gcc-9 pkg-config perl dejagnu))
- (inputs (list readline c-ares))
+ (inputs (list c-ares libxcrypt readline))
(synopsis "Routing Software Suite")
(description "Quagga is a routing software suite, providing implementations
of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms.
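Review bot: "Fix build" with an added libxcrypt input is not explained: the ChangeLog should state what failed (the configure or link error that libxcrypt resolves) so the fix is traceable when the inputs are next revisited. The reordering of readline and c-ares into alphabetical order is fine but deserves a word in the message as well, so the line does not read as a functional change.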
@@ -3149,6 +3149,10 @@ (define-public quagga
clients which typically implement a routing protocol and communicate routing
updates to the zebra daemon.")
(home-page "https://www.nongnu.org/quagga/")
+ ;; This CVE concerns systemd services files that we currently don't use.
+ ;; If we were to use them, a fixing patch can be found here:
+ ;; https://build.opensuse.org/request/show/1035188
+ (properties '((lint-hidden-cve . ("CVE-2021-44038"))))
(license license:gpl2+)))
(define-public bgpq3
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 15/21] gnu: bwm-ng: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-15-ngraves@ngraves.fr
* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/networking.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 53bc670c41..7ed011a7f4 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,8 @@ (define-public bwm-ng
(description "Bandwidth Monitor NG is a small and simple console based
live network and disk I/O bandwidth monitor.")
(home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+ ;; This CVE concerns the npm bwm-ng package rather than this one.
+ (properties '((lint-hidden-cve . ("CVE-2023-26129"))))
(license license:gpl2)))
(define-public aircrack-ng
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 09/21] gnu: h2c: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-9-ngraves@ngraves.fr
* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cve property.
---
gnu/packages/curl.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..bac1841c82 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,8 @@ (define-public h2c
(description
"Provided a set of HTTP request headers, h2c outputs how to invoke
curl to obtain exactly that HTTP request.")
+ ;; This CVE is for the h2c function in Go.
+ (properties `((lint-hidden-cve . ("CVE-2022-41721"))))
(license license:expat)))
(define-public coeurl
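Review bot: the ChangeLog entry reads [property] but the field is properties, and every other entry in the series uses [properties]; align it so the log stays consistent.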
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 16/21] gnu: onedrive: Update to 2.5.2.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-16-ngraves@ngraves.fr
* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cve.
---
gnu/packages/sync.scm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..df3bcb6523 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
(define-public onedrive
(package
(name "onedrive")
- (version "2.4.25")
+ (version "2.5.2")
(source
(origin
(method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+ (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
(build-system gnu-build-system)
(arguments
(list
@@ -420,6 +420,10 @@ (define-public onedrive
Business, OneDrive for Office365 and SharePoint and fully supports Azure
National Cloud Deployments. It supports one-way and two-way sync capabilities
and securely connects to Microsoft OneDrive services.")
+ ;; These CVEs concern another Microsoft product.
+ (properties '((lint-hidden-cve . ("CVE-2023-24882"
+ "CVE-2023-24890"
+ "CVE-2023-24923"))))
(license license:gpl3)))
(define-public lsyncd
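Review bot: "These CVEs concern another Microsoft product." does not identify which product the three ids belong to, so the exclusion cannot be rechecked; name it, as the h2c and express patches in this series do. Separately, 2.4.25 to 2.5.2 crosses a minor release of the sync client, so building it and checking the upstream changelog for configuration changes belongs in the review and not only the hash update shown in the second hunk.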
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 17/21] gnu: got: Update to 0.104.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-17-ngraves@ngraves.fr
* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cve
properties.
---
gnu/packages/version-control.scm | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..9c8fdea0a6 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
(define-public got
(package
(name "got")
- (version "0.103")
+ (version "0.104")
(source (origin
(method url-fetch)
(uri
@@ -980,7 +980,7 @@ (define-public got
version ".tar.gz"))
(sha256
(base32
- "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+ "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
(inputs
(list libevent
`(,util-linux "lib")
@@ -1016,7 +1016,12 @@ (define-public got
"Game of Trees (Got) is a version control system which prioritizes ease of use
and simplicity over flexibility.")
(license license:isc)
- (home-page "https://gameoftrees.org/")))
+ (home-page "https://gameoftrees.org/")
+ (properties
+ ;; Can lint for updates, but not update in place.
+ '((release-monitoring-url . "https://gameoftrees.org/releases/")
+ ;; This CVE is for another Node got package.
+ (lint-hidden-cve . "CVE-2022-33987")))))
(define-public xdiff
(let ((revision "0")
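Review bot: the value given for lint-hidden-cve is a bare string, (lint-hidden-cve . "CVE-2022-33987"), whereas every other package in this series gives a list, (lint-hidden-cve . ("CVE-2022-33987")); the linter expects a list of identifiers, so the string form will not suppress the id and can make the checker fail when it walks the value. Change it to the list form. The comment "Can lint for updates, but not update in place." is also terse; if it means that release-monitoring-url lets guix refresh detect new releases while the updater cannot fetch them automatically, say that.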
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 18/21] gnu: dex: Update to 0.10.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-18-ngraves@ngraves.fr
* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/xdisorg.scm | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..10c04fc4e8 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
(define-public dex
(package
(name "dex")
- (version "0.9.0")
+ (version "0.10.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
(commit (string-append "v" version))))
(sha256
(base32
- "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+ "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(arguments
- `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure))
- #:tests? #f))
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output))
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))
+ #:tests? #f)) ; No tests.
(inputs
(list python))
(native-inputs
@@ -3562,6 +3563,10 @@ (define-public dex
(description
"@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
and execute @file{.desktop} files of the Application type.")
+ (properties
+ ;; These CVEs concern...
+ '((lint-hidden-cve . ("CVE-2024-20802" ; ...a dex Samsung package.
+ "CVE-2022-39222")))) ; ...a OpenID connect tool.
(license license:gpl3+)))
(define-public sx
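Review bot: the trailing comment on the last id reads "a OpenID connect tool"; it should be "an OpenID Connect tool". Putting the explanatory comment on the id line as done here is the most readable layout in the series, and the folders and bolt patches would benefit from following it.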
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 19/21] gnu: immer: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-19-ngraves@ngraves.fr
* gnu/packages/cpp.scm (immer)[properties]: Add lint-hidden-cve
property.
---
gnu/packages/cpp.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index e9c6dc096b..80eaa26b37 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,8 @@ (define-public immer
(synopsis "Immutable data structures")
(description "Immer is a library of persistent and immutable data structures
written in C++.")
+ ;; This CVEs concern the immer.js Node package.
+ (properties '((lint-hidden-cve . ("CVE-2021-23436" "CVE-2021-3757"))))
(license license:boost1.0)))
(define-public zug
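Review bot: "This CVEs concern" should read "These CVEs concern".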
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 21/21] gnu: gerbv: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-21-ngraves@ngraves.fr
* gnu/packages/engineering.scm (gerbv)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/engineering.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 6f449f0c39..89e60a7218 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -868,6 +868,8 @@ (define-public gerbv
you load several files on top of each other, do measurements on the displayed
image, etc. Besides viewing Gerbers, you may also view Excellon drill files
as well as pick-place files.")
+ ;; This CVE has been fixed in version 2.10.0.
+ (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
(license license:gpl2+)))
(define-public translate2geda
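Review bot: the comment justifies hiding CVE-2023-4508 with "fixed in version 2.10.0", but the hunk does not show which gerbv version the package carries; if the packaged version is older than 2.10.0 this entry would hide a real vulnerability rather than a false positive, so the ChangeLog or the comment should state the packaged version, and the reviewer should confirm it is at least 2.10.0 before applying.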
--
2.46.0
Nicolas Graves wrote 4 days ago
[PATCH 20/21] gnu: cvs: Add lint-hidden-cve property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241026224125.29272-20-ngraves@ngraves.fr
* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/version-control.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 9c8fdea0a6..f4a0f577a9 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2750,6 +2750,8 @@ (define-public cvs
Configuration Management (SCM). Using it, you can record the history of
sources files, and documents. It fills a similar role to the free software
RCS, PRCS, and Aegis packages.")
+ ;; This CVE concerns the Jenkins CVS plugin.
+ (properties '((lint-hidden-cve . ("CVE-2022-29037"))))
(license license:gpl1+)))
(define-public cvs-fast-export
--
2.46.0
Nicolas Graves wrote 4 days ago
control message for bug #74034
(address . control@debbugs.gnu.org)
877c9tcv1j.fsf@ngraves.fr
tags 74034 + moreinfo
quit

I'm splitting this patch series in two.


--
Best regards,
Nicolas Graves
Nicolas Graves wrote 3 days ago
[PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027181946.25348-1-ngraves@ngraves.fr
This is a rewrite of 74034 after a new first commit introducing the
management of cpe-vendor data from the CVE database.

Nicolas Graves (16):
guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
gnu: halibut: Add cpe-vendor property.
gnu: portfolio: Update to 1.0.1.
gnu: folders: Add lint-hidden-cpe-vendors property.
gnu: spectra: Add lint-hidden-cpe-vendors property.
gnu: express: Add lint-hidden-cpe-vendors property.
gnu: cli: Add lint-hidden-cpe-vendors property.
gnu: h2c: Add lint-hidden-cpe-vendors property.
gnu: xenon: Update to 0.9.3.
gnu: bolt: Update to 0.9.8.
gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
gnu: onedrive: Update to 2.5.2.
gnu: got: Update to 0.104.
gnu: dex: Update to 0.10.1.
gnu: immer: Add lint-hidden-cpe-vendors property.
gnu: cvs: Add lint-hidden-cpe-vendors property.

gnu/packages/algebra.scm | 1 +
gnu/packages/bioinformatics.scm | 1 +
gnu/packages/code.scm | 5 ++-
gnu/packages/cpp.scm | 2 +
gnu/packages/curl.scm | 1 +
gnu/packages/documentation.scm | 14 ++++---
gnu/packages/esolangs.scm | 1 +
gnu/packages/gnome-xyz.scm | 5 ++-
gnu/packages/linux.scm | 16 +++----
gnu/packages/networking.scm | 1 +
gnu/packages/sync.scm | 5 ++-
gnu/packages/version-control.scm | 11 +++--
gnu/packages/xdisorg.scm | 17 ++++----
guix/cve.scm | 71 +++++++++++++++++++++-----------
guix/lint.scm | 11 ++++-
tests/cve.scm | 30 +++++++-------
16 files changed, 120 insertions(+), 72 deletions(-)

--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027181946.25348-2-ngraves@ngraves.fr
* guix/cve.scm: Exploit CPE vendor information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place of cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
guix/cve.scm | 71 +++++++++++++++++++++++++++++++++------------------
guix/lint.scm | 11 ++++++--
tests/cve.scm | 30 +++++++++++-----------
3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
(define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
- (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+ (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way. Return two values: the package name, and its
-version string. Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way. Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
(cond ((regexp-exec %cpe-package-rx cpe)
=>
(lambda (matches)
- (values (match:substring matches 2)
- (match (match:substring matches 3)
+ (values (match:substring matches 1)
+ (match (match:substring matches 2)
("*" '_)
(version
(string-append version
- (match (match:substring matches 4)
+ (match (match:substring matches 3)
("" "")
(patch-level
;; Drop the colon from things like
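Review bot: the docstring at `+ "Converts the Common Platform Enumeration (CPE) string CPE to a package` mixes third person ("Converts") with the imperative the rest of the string uses ("Return two values"); Guix docstrings are written in the imperative, so "Convert". The regexp comment above the change still describes the string as `cpe:2.3:a:VENDOR:PACKAGE:VERSION`, which is correct, but a short note that group 1 now spans `VENDOR:PACKAGE` would save the next reader from recounting the groups, since every `match:substring` index below shifts down by one.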
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-name cpe)))
+ (let-values (((package version) (cpe->package cpe)))
(and package
`(,package
,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
(('>= min)
(version>=? version min))))
+(define (filter-vendors vuln vendor hidden-vendors)
+
+ (define (vendor-matches? vendor+name)
+ (if vendor
+ (string-prefix? (string-append vendor ":") vendor+name)
+ (if hidden-vendors
+ (not (any (lambda (v)
+ (string-prefix? (string-append v ":") vendor+name))
+ hidden-vendors))
+ #t)))
+
+ (match vuln
+ (($ <vulnerability> id packages)
+ (any (match-lambda
+ (((? vendor-matches? vendor+name) . _) #t)
+ (_ #f))
+ packages))))
+
;;;
;;; High-level interface.
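Review bot: `filter-vendors` accepts a vulnerability when any of its package entries has an acceptable vendor, not the entry for the package being looked up. A CVE listing `jenkins:cvs` together with a second product under another vendor therefore still passes a lookup of `cvs` with `"jenkins"` in `hidden-vendors`, and a CVE listing `gnu:binutils` plus `other:foo` passes a lookup of `foo` with `#:vendor "gnu"`. Check the vendor of the entry whose name part equals the looked-up package instead, for example by passing the package name into `filter-vendors` and matching only entries whose `vendor+name` ends in `":" name`, or by keeping `vendor+name` in the value stored in the vhash. Smaller points: the procedure has no docstring, `id` in the `($ <vulnerability> id packages)` pattern is unused and can be `_`, and when `vendor` is set `hidden-vendors` is silently ignored; that precedence deserves a sentence in the docstring or a `cond` that makes it visible.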
@@ -404,28 +422,31 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((name . versions)
- (vhash-cons name (cons vuln versions)
+ ((vendor+name . versions)
+ (vhash-cons (match (string-split vendor+name #\:)
+ ((vendor name) name)
+ ((name) name))
+ (cons vuln versions)
table))))
table
packages))))
vlist-null
vulnerabilities))
- (lambda* (package #:optional version)
- (vhash-fold* (if version
- (lambda (pair result)
- (match pair
- ((vuln sexp)
- (if (version-matches? version sexp)
- (cons vuln result)
- result))))
- (lambda (pair result)
- (match pair
- ((vuln . _)
- (cons vuln result)))))
- '()
- package table)))
+ (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+ (vhash-fold*
+ (lambda (pair result)
+ (match pair
+ ((vuln sexp)
+ (if (and (or (not (or vendor hidden-vendors))
+ (and (or vendor hidden-vendors)
+ (filter-vendors vuln vendor hidden-vendors)))
+ (or (not version)
+ (and version (version-matches? version sexp))))
+ (cons vuln result)
+ result))))
+ '()
+ package table)))
;;; cve.scm ends here
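Review bot: the condition at `+ (if (and (or (not (or vendor hidden-vendors))` can be simplified: `(or (not X) (and X Y))` is just `(or (not X) Y)`, so the test reduces to `(and (or (not (or vendor hidden-vendors)) (filter-vendors vuln vendor hidden-vendors)) (or (not version) (version-matches? version sexp)))`; the `(and X ...)` arms only restate the negated test. Also, changing the returned procedure from `#:optional version` to keyword arguments changes the calling convention for every caller; tests/cve.scm and guix/lint.scm are updated in the same commit, so this is fine, but the commit message should say so explicitly.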
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
(package-name package)))
(version (or (assoc-ref (package-properties package)
'cpe-version)
- (package-version package))))
- ((force lookup) name version)))))
+ (package-version package)))
+ (vendor (assoc-ref (package-properties package)
+ 'cpe-vendor))
+ (hidden-vendors (assoc-ref (package-properties package)
+ 'lint-hidden-cpe-vendors)))
+ ((force lookup) name
+ #:version version
+ #:vendor vendor
+ #:hidden-vendors hidden-vendors)))))
;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
(set! package-vulnerabilities package-vulnerabilities)
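Review bot: the two properties read at `+ (vendor (assoc-ref (package-properties package)` and `+ (hidden-vendors (assoc-ref (package-properties package)` are user-facing package properties, but the patch adds no documentation for them; `cpe-vendor` and `lint-hidden-cpe-vendors` should be described in doc/guix.texi next to `cpe-name`, `cpe-version` and `lint-hidden-cve` in the `guix lint` cve checker section, including the precedence rule (a `cpe-vendor` restricts matches to that vendor, `lint-hidden-cpe-vendors` drops matches from the listed vendors, and `cpe-vendor` wins when both are set).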
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
(vulnerability "CVE-2019-0005"
- '(("junos" (or "18.11" "18.1"))))
+ '(("juniper:junos" (or "18.11" "18.1"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("ghostscript" (< "9.28"))))
+ '(("artifex:ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nix" (<= "2.3"))))
+ '(("nixos:nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gdb" _))) ;any version
+ '(("gnu:gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("binutils" (and (>= "2.21") (<= "2.31.1")))
- ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
(let* ((vulns (call-with-input-file %sample json->vulnerabilities))
(lookup (vulnerabilities->lookup-proc vulns)))
(list (lookup "ghostscript")
- (lookup "ghostscript" "9.27")
- (lookup "ghostscript" "9.28")
+ (lookup "ghostscript" #:version "9.27")
+ (lookup "ghostscript" #:version "9.28")
(lookup "gdb")
- (lookup "gdb" "42.0")
+ (lookup "gdb" #:version "42.0")
(lookup "nix")
- (lookup "nix" "2.4")
- (lookup "binutils" "2.31.1")
- (lookup "binutils" "2.10")
- (lookup "binutils_gold" "1.11")
- (lookup "binutils" "2.32"))))
+ (lookup "nix" #:version "2.4")
+ (lookup "binutils" #:version "2.31.1")
+ (lookup "binutils" #:version "2.10")
+ (lookup "binutils_gold" #:version "1.11")
+ (lookup "binutils" #:version "2.32"))))
(test-end "cve")
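Review bot: none of the updated calls at `+ (lookup "ghostscript" #:version "9.27")` and below exercise the new `#:vendor` and `#:hidden-vendors` arguments, so the vendor logic ships untested. Add lookups such as `(lookup "binutils" #:vendor "gnu")`, `(lookup "binutils" #:vendor "not-gnu")` and `(lookup "gdb" #:hidden-vendors '("gnu"))` with their expected CVE lists to the same test, and ideally one sample entry where a CVE lists the same package name under two vendors, since that is the case these properties exist for.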
--
2.46.0
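The vendor-aware lookup this patch describes, re-implemented in Python as an added example (it is not Guix code and not the patch's own Scheme): a table keyed by the bare product name, with vendor, hidden-vendor and version filters applied at lookup time. All CVE ids, CPE strings and version ranges below are constructed; the predicate shapes mirror the ones in tests/cve.scm. It differs from the patch in one respect: the vendor filter is applied to the product entry that matched the lookup rather than to any entry of the CVE, which is what keeps the unrelated `acme:widget` entry from un-hiding the Jenkins CVE in the last case.

```python
"""Vendor-aware CVE lookup over CPE 2.3 application strings.

Constructed example: a Python re-implementation of the lookup scheme the
patch adds to guix/cve.scm (table keyed by bare product name, filtered by
CPE vendor at lookup time).  Not Guix code; all ids and ranges are made up.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# cpe:2.3:a:VENDOR:PRODUCT:VERSION:UPDATE:...  (application CPEs only).
CPE_APP_RX = re.compile(r"^cpe:2\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):")


def parse_cpe(cpe: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (vendor, product, version) for an application CPE, else None.

    A wildcard version ('*') is returned as None, meaning "any version".
    A concrete UPDATE component is folded into the version as VERSION-UPDATE.
    """
    m = CPE_APP_RX.match(cpe)
    if m is None:
        return None
    vendor, product, version, update = m.groups()
    if version == "*":
        return vendor, product, None
    if update not in ("*", "-"):
        version = f"{version}-{update}"
    return vendor, product, version


def _version_key(v: str) -> Tuple[int, ...]:
    # Numeric dotted versions only, which is all the constructed data uses.
    return tuple(int(p) for p in v.split("."))


def version_matches(version: str, sexp) -> bool:
    """Evaluate a version predicate in the shape Guix's tests use:
    "_" (any), a bare version string (equality), ("<", "9.28"),
    ("and", p1, p2, ...), ("or", p1, p2, ...)."""
    if isinstance(sexp, str):
        return sexp == "_" or version == sexp
    op, *args = sexp
    if op == "and":
        return all(version_matches(version, s) for s in args)
    if op == "or":
        return any(version_matches(version, s) for s in args)
    (bound,) = args
    a, b = _version_key(version), _version_key(bound)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "=": a == b}[op]


Vulnerability = Tuple[str, List[Tuple[str, object]]]   # (cve-id, [(cpe, predicate)])


def build_lookup(vulns: List[Vulnerability]) -> Callable[..., List[str]]:
    """Index VULNS by bare product name, remembering each entry's vendor."""
    table: Dict[str, List[Tuple[str, str, object]]] = {}
    for cve_id, configs in vulns:
        for cpe, predicate in configs:
            parsed = parse_cpe(cpe)
            if parsed is None:          # "o"/"h" CPEs are dropped, as in Guix
                continue
            vendor, product, _ = parsed
            table.setdefault(product, []).append((cve_id, vendor, predicate))

    def lookup(name: str, version: Optional[str] = None,
               vendor: Optional[str] = None,
               hidden_vendors: Optional[List[str]] = None) -> List[str]:
        """CVE ids affecting NAME, narrowed by VERSION, VENDOR and HIDDEN_VENDORS.

        The vendor test is applied to the table entry for NAME itself, not to
        any entry of the CVE, so a CVE that also lists an unrelated product
        under an acceptable vendor cannot slip through."""
        hidden = set(hidden_vendors or ())
        found: List[str] = []
        for cve_id, entry_vendor, predicate in table.get(name, []):
            if vendor is not None and entry_vendor != vendor:
                continue
            if entry_vendor in hidden:
                continue
            if version is not None and not version_matches(version, predicate):
                continue
            if cve_id not in found:
                found.append(cve_id)
        return found

    return lookup


# Constructed sample database (ids and ranges are made up).
SAMPLE_VULNS: List[Vulnerability] = [
    ("CVE-1900-0001", [("cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*", ("<", "9.28"))]),
    ("CVE-1900-0002", [("cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*",
                        ("and", (">=", "2.21"), ("<=", "2.31.1"))),
                       ("cpe:2.3:a:gnu:binutils_gold:*:*:*:*:*:*:*:*",
                        ("and", (">=", "1.11"), ("<=", "1.16")))]),
    # Same product name under two vendors: a Jenkins plugin called "cvs"
    # and the GNU tool.  The Jenkins CVE also lists an unrelated product.
    ("CVE-1900-0003", [("cpe:2.3:a:jenkins:cvs:*:*:*:*:*:*:*:*", "_"),
                       ("cpe:2.3:a:acme:widget:*:*:*:*:*:*:*:*", "_")]),
    ("CVE-1900-0004", [("cpe:2.3:a:gnu:cvs:*:*:*:*:*:*:*:*", ("<", "1.12"))]),
    ("CVE-1900-0005", [("cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "_")]),  # OS CPE, ignored
]

lookup = build_lookup(SAMPLE_VULNS)

if __name__ == "__main__":
    print(lookup("cvs"))                                # both cvs CVEs
    print(lookup("cvs", hidden_vendors=["jenkins"]))    # only the GNU one
    print(lookup("cvs", vendor="gnu", version="1.12"))  # fixed version: none
```

Running the module prints the three `cvs` cases; the `hidden_vendors` call is the situation the `lint-hidden-cpe-vendors` property addresses, and the `vendor` call is what `cpe-vendor` does.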
Nicolas Graves wrote 3 days ago
[PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027181946.25348-3-ngraves@ngraves.fr
* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
gnu/packages/documentation.scm | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
(home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
(synopsis "Documentation production system for software manuals")
(description
- "Halibut is a text formatting system designed primarily for writing software
-documentation. It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF. It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible. It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+ "Halibut is a text formatting system designed primarily for writing
+software documentation. It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible. It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+ (properties `((cpe-vendor . "halibut_project")))
(license license:expat)))
(define-public doc++
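Review bot: the quasiquote at `+ (properties `((cpe-vendor . "halibut_project")))` has nothing unquoted inside it, so a plain quote, `'((cpe-vendor . "halibut_project"))`, is clearer (the xenon, bwm-ng and onedrive patches in this series already use the plain form). Since `cpe-vendor` restricts CVE matching to that one vendor, a one-line comment recording that `halibut_project` is the vendor the CPE dictionary files halibut under lets a reviewer verify the entry without re-querying the database.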
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-1-ngraves@ngraves.fr
* guix/cve.scm: Exploit CPE vendor information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place of cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
guix/cve.scm | 71 +++++++++++++++++++++++++++++++++------------------
guix/lint.scm | 11 ++++++--
tests/cve.scm | 30 +++++++++++-----------
3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
(define %cpe-package-rx
;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
- (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+ (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
"Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way. Return two values: the package name, and its
-version string. Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way. Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
(cond ((regexp-exec %cpe-package-rx cpe)
=>
(lambda (matches)
- (values (match:substring matches 2)
- (match (match:substring matches 3)
+ (values (match:substring matches 1)
+ (match (match:substring matches 2)
("*" '_)
(version
(string-append version
- (match (match:substring matches 4)
+ (match (match:substring matches 3)
("" "")
(patch-level
;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
;; has a configuration that lacks it.
(and cpe
- (let-values (((package version) (cpe->package-name cpe)))
+ (let-values (((package version) (cpe->package cpe)))
(and package
`(,package
,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
(('>= min)
(version>=? version min))))
+(define (filter-vendors vuln vendor hidden-vendors)
+
+ (define (vendor-matches? vendor+name)
+ (if vendor
+ (string-prefix? (string-append vendor ":") vendor+name)
+ (if hidden-vendors
+ (not (any (lambda (v)
+ (string-prefix? (string-append v ":") vendor+name))
+ hidden-vendors))
+ #t)))
+
+ (match vuln
+ (($ <vulnerability> id packages)
+ (any (match-lambda
+ (((? vendor-matches? vendor+name) . _) #t)
+ (_ #f))
+ packages))))
+
;;;
;;; High-level interface.
@@ -404,28 +422,31 @@ (define table
(($ <vulnerability> id packages)
(fold (lambda (package table)
(match package
- ((name . versions)
- (vhash-cons name (cons vuln versions)
+ ((vendor+name . versions)
+ (vhash-cons (match (string-split vendor+name #\:)
+ ((vendor name) name)
+ ((name) name))
+ (cons vuln versions)
table))))
table
packages))))
vlist-null
vulnerabilities))
- (lambda* (package #:optional version)
- (vhash-fold* (if version
- (lambda (pair result)
- (match pair
- ((vuln sexp)
- (if (version-matches? version sexp)
- (cons vuln result)
- result))))
- (lambda (pair result)
- (match pair
- ((vuln . _)
- (cons vuln result)))))
- '()
- package table)))
+ (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+ (vhash-fold*
+ (lambda (pair result)
+ (match pair
+ ((vuln sexp)
+ (if (and (or (not (or vendor hidden-vendors))
+ (and (or vendor hidden-vendors)
+ (filter-vendors vuln vendor hidden-vendors)))
+ (or (not version)
+ (and version (version-matches? version sexp))))
+ (cons vuln result)
+ result))))
+ '()
+ package table)))
;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
(package-name package)))
(version (or (assoc-ref (package-properties package)
'cpe-version)
- (package-version package))))
- ((force lookup) name version)))))
+ (package-version package)))
+ (vendor (assoc-ref (package-properties package)
+ 'cpe-vendor))
+ (hidden-vendors (assoc-ref (package-properties package)
+ 'lint-hidden-cpe-vendors)))
+ ((force lookup) name
+ #:version version
+ #:vendor vendor
+ #:hidden-vendors hidden-vendors)))))
;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
(set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
(vulnerability "CVE-2019-0001"
;; Only the "a" CPE configurations are kept; the "o"
;; configurations are discarded.
- '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+ '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
(vulnerability "CVE-2019-0005"
- '(("junos" (or "18.11" "18.1"))))
+ '(("juniper:junos" (or "18.11" "18.1"))))
;; CVE-2019-0005 has no "a" configurations.
(vulnerability "CVE-2019-14811"
- '(("ghostscript" (< "9.28"))))
+ '(("artifex:ghostscript" (< "9.28"))))
(vulnerability "CVE-2019-17365"
- '(("nix" (<= "2.3"))))
+ '(("nixos:nix" (<= "2.3"))))
(vulnerability "CVE-2019-1010180"
- '(("gdb" _))) ;any version
+ '(("gnu:gdb" _))) ;any version
(vulnerability "CVE-2019-1010204"
- '(("binutils" (and (>= "2.21") (<= "2.31.1")))
- ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+ '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+ ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
;; CVE-2019-18192 has no associated configurations.
))
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
(let* ((vulns (call-with-input-file %sample json->vulnerabilities))
(lookup (vulnerabilities->lookup-proc vulns)))
(list (lookup "ghostscript")
- (lookup "ghostscript" "9.27")
- (lookup "ghostscript" "9.28")
+ (lookup "ghostscript" #:version "9.27")
+ (lookup "ghostscript" #:version "9.28")
(lookup "gdb")
- (lookup "gdb" "42.0")
+ (lookup "gdb" #:version "42.0")
(lookup "nix")
- (lookup "nix" "2.4")
- (lookup "binutils" "2.31.1")
- (lookup "binutils" "2.10")
- (lookup "binutils_gold" "1.11")
- (lookup "binutils" "2.32"))))
+ (lookup "nix" #:version "2.4")
+ (lookup "binutils" #:version "2.31.1")
+ (lookup "binutils" #:version "2.10")
+ (lookup "binutils_gold" #:version "1.11")
+ (lookup "binutils" #:version "2.32"))))
(test-end "cve")
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-2-ngraves@ngraves.fr
* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
gnu/packages/documentation.scm | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
(home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
(synopsis "Documentation production system for software manuals")
(description
- "Halibut is a text formatting system designed primarily for writing software
-documentation. It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF. It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible. It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+ "Halibut is a text formatting system designed primarily for writing
+software documentation. It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible. It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+ (properties `((cpe-vendor . "halibut_project")))
(license license:expat)))
(define-public doc++
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 03/16] gnu: portfolio: Update to 1.0.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-3-ngraves@ngraves.fr
* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/gnome-xyz.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
(define-public portfolio
(package
(name "portfolio")
- (version "1.0.0")
+ (version "1.0.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
(file-name (git-file-name name version))
(sha256
(base32
- "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+ "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
(arguments
(list #:glib-or-gtk? #t
#:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
"Portfolio is a minimalist file manager for those who want to use Linux
mobile devices. Tap to activate and long press to select, to browse, open,
copy, move, delete, or edit your files.")
+ (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
(license license:gpl3+)))
(define-public gnome-shell-extension-unite-shell
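Review bot: the property at `+ (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))` hides every CVE whose CPE vendor is `radiustheme`, but unlike the cvs patch earlier in this thread there is no comment saying which unrelated "portfolio" product that vendor publishes; add the one-line rationale so the entry can be audited later, and use a plain quote since nothing inside is unquoted.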
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 04/16] gnu: folders: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-4-ngraves@ngraves.fr
* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/esolangs.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
(description "Folders is a programming language, in which programs
are encoded as (nested) directories. Note that the switches you pass to
@command{du} may affect your score when code golfing.")
+ (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
(license license:expat)))
(define-public shakespeare-spl
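Review bot: two vendors are hidden at `+ (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))` without a comment; one line naming the two products those vendors publish under the `folders` CPE name would justify each entry separately, so that a future maintainer can drop one without re-researching the other. Plain quote rather than quasiquote here as well.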
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-5-ngraves@ngraves.fr
* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/algebra.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
built on top of Eigen. It is implemented as a header-only C++ library and can
be easily embedded in C++ projects that require calculating eigenvalues of
large matrices.")
+ (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
(license license:mpl2.0)))
(define-public gappa
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 06/16] gnu: express: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-6-ngraves@ngraves.fr
* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/bioinformatics.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..bb356f4903 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,7 @@ (define-public express
transcript-level RNA-Seq quantification, allele-specific/haplotype expression
analysis (from RNA-Seq), transcription factor binding quantification in
ChIP-Seq, and analysis of metagenomic data.")
+ (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
(license license:artistic2.0)))
(define-public express-beta-diversity
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 07/16] gnu: cli: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-7-ngraves@ngraves.fr
* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..550f57c6bf 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,7 @@ (define-public cli
options that your program supports, their types, default values, and
documentation.")
(home-page "https://codesynthesis.com/projects/cli/")
+ (properties `((lint-hidden-cpe-vendors . ("snyk"))))
(license license:expat)))
(define-public xsd
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-8-ngraves@ngraves.fr
* gnu/packages/curl.scm (h2c)[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/curl.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..2b4b7ebdd8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,7 @@ (define-public h2c
(description
"Provided a set of HTTP request headers, h2c outputs how to invoke
curl to obtain exactly that HTTP request.")
+ (properties `((lint-hidden-cpe-vendors . ("golang"))))
(license license:expat)))
(define-public coeurl
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 09/16] gnu: xenon: Update to 0.9.3.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-9-ngraves@ngraves.fr
* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/code.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..ed48119fe1 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
(define-public xenon
(package
(name "xenon")
- (version "0.9.0")
+ (version "0.9.3")
(source
(origin
(method url-fetch)
(uri (pypi-uri "xenon" version))
(sha256
(base32
- "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+ "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
(build-system python-build-system)
(arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
(inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,7 @@ (define-public xenon
line options, various thresholds can be set for the complexity of code. It
will fail (i.e., it will exit with a non-zero exit code) when any of these
requirements is not met.")
+ (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
(license license:expat)))
(define-public python-xenon
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-11-ngraves@ngraves.fr
* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/networking.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..8c5548323f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,7 @@ (define-public bwm-ng
(description "Bandwidth Monitor NG is a small and simple console based
live network and disk I/O bandwidth monitor.")
(home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+ (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
(license license:gpl2)))
(define-public aircrack-ng
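Review bot: `bwm-ng_project` at `+ (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))` follows the `<name>_project` convention the CPE dictionary uses for projects without a company vendor, so it is most likely the vendor under which bwm-ng itself is filed; hiding it silences every future CVE for this very package. If the intent is to suppress one specific CVE that is already addressed, `lint-hidden-cve` with that ID (as the v1 series did) is the narrower tool; if the vendor really is unrelated, say which product it refers to in a comment above the property.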
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 12/16] gnu: onedrive: Update to 2.5.2.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-12-ngraves@ngraves.fr
* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
gnu/packages/sync.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
(define-public onedrive
(package
(name "onedrive")
- (version "2.4.25")
+ (version "2.5.2")
(source
(origin
(method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+ (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
(build-system gnu-build-system)
(arguments
(list
@@ -420,6 +420,7 @@ (define-public onedrive
Business, OneDrive for Office365 and SharePoint and fully supports Azure
National Cloud Deployments. It supports one-way and two-way sync capabilities
and securely connects to Microsoft OneDrive services.")
+ (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
(license license:gpl3)))
(define-public lsyncd
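Review bot: hiding `microsoft` at `+ (properties '((lint-hidden-cpe-vendors . ("microsoft"))))` is presumably right, since this package is a third-party client and Microsoft's own `onedrive` CPE entries refer to the official client, but that reasoning belongs in a comment above the property; without it a later reader cannot tell whether the vendor was hidden as unrelated or by mistake.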
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 10/16] gnu: bolt: Update to 0.9.8.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-10-ngraves@ngraves.fr
* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/linux.scm | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..9d16c0a9b3 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
(define-public bolt
(package
(name "bolt")
- (version "0.9.5")
+ (version "0.9.8")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
(file-name (git-file-name name version))
(sha256
(base32
- "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+ "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
(build-system meson-build-system)
(arguments
(list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
(add-after 'unpack 'replace-directories
(lambda* (#:key outputs #:allow-other-keys)
(substitute* "meson.build"
- (("udev.get_pkgconfig_variable..udevdir..")
- (string-append "'"
- #$output "/lib/udev'")))
- (substitute* "scripts/meson-install.sh"
- (("mkdir.*")
- ""))))
+ (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+ (string-append "'" #$output "/lib/udev'"))
+ ;; Don't install in /var
+ (("not systemd\\.found\\(\\)")
+ "false"))))
(add-before 'install 'no-polkit-magic
(lambda* (#:key outputs #:allow-other-keys)
(setenv "PKEXEC_UID" "something"))))))
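Review bot: the `;; Don't install in /var` comment above `+ (("not systemd\\.found\\(\\)")` does not say why forcing that meson condition to `false` avoids installing under /var, whereas the removed code did it visibly by deleting the `mkdir` call in `scripts/meson-install.sh`; expand the comment with what the condition guards, and note in the commit message why the script substitution was dropped (for instance if 0.9.8 no longer ships that script). Minor: `outputs` in `(lambda* (#:key outputs #:allow-other-keys)` is unused now that `#$output` is used and can be removed.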
@@ -3411,6 +3410,7 @@ (define-public bolt
@command{boltd}. It can list devices, monitor changes, and initiate
authorization of devices.")
(home-page "https://gitlab.freedesktop.org/bolt/bolt")
+ (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
(license license:gpl2+)))
(define-public jitterentropy-rngd
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 13/16] gnu: got: Update to 0.104.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-13-ngraves@ngraves.fr
* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
gnu/packages/version-control.scm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..df0739a39c 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
(define-public got
(package
(name "got")
- (version "0.103")
+ (version "0.104")
(source (origin
(method url-fetch)
(uri
@@ -980,7 +980,7 @@ (define-public got
version ".tar.gz"))
(sha256
(base32
- "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+ "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
(inputs
(list libevent
`(,util-linux "lib")
@@ -1016,7 +1016,11 @@ (define-public got
"Game of Trees (Got) is a version control system which prioritizes ease of use
and simplicity over flexibility.")
(license license:isc)
- (home-page "https://gameoftrees.org/")))
+ (home-page "https://gameoftrees.org/")
+ (properties
+ ;; Can lint for updates, but not update in place.
+ '((release-monitoring-url . "https://gameoftrees.org/releases/")
+ (lint-hidden-cpe-vendors . ("got_project"))))))
(define-public xdiff
(let ((revision "0")
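Review bot: the comment `;; Can lint for updates, but not update in place.` is too terse to tell a reader what actually fails: say that release-monitoring-url lets `guix refresh` report newer releases from https://gameoftrees.org/releases/ but that no updater rewrites this package's uri, so version bumps stay manual. For `(lint-hidden-cpe-vendors . ("got_project"))`, hiding a vendor named after the project itself looks like suppressing a true positive; if the got_project CPE entries describe a different piece of software also called "got", record that in a comment next to the property.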
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 14/16] gnu: dex: Update to 0.10.1.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-14-ngraves@ngraves.fr
* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
gnu/packages/xdisorg.scm | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..0977a856cb 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
(define-public dex
(package
(name "dex")
- (version "0.9.0")
+ (version "0.10.1")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
(commit (string-append "v" version))))
(sha256
(base32
- "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+ "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(arguments
- `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
- #:phases
- (modify-phases %standard-phases
- (delete 'configure))
- #:tests? #f))
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output))
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))
+ #:tests? #f)) ; No tests.
(inputs
(list python))
(native-inputs
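Review bot: `#:tests? #f)) ; No tests.` states a fact the commit message ("Improve style") does not cover; the previous recipe disabled tests without explanation, so confirm against the 0.10.1 tree (no check target) before the comment asserts it. The rewrite itself is the current idiom: a plain `list` of arguments with gexps, and `#$output` in place of `(assoc-ref %outputs "out")`.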
@@ -3562,6 +3563,8 @@ (define-public dex
(description
"@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
and execute @file{.desktop} files of the Application type.")
+ (properties
+ '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
(license license:gpl3+)))
(define-public sx
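Review bot: as with the other hidden vendors in this series, `("samsung" "linuxfoundation")` needs a one-line comment saying that those vendors' "dex" products are unrelated to this DesktopEntry Execution tool; without it a reader of the recipe cannot distinguish a false-positive suppression from an unaddressed advisory.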
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-16-ngraves@ngraves.fr
* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/version-control.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index df0739a39c..28ffd454df 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2749,6 +2749,7 @@ (define-public cvs
Configuration Management (SCM). Using it, you can record the history of
sources files, and documents. It fills a similar role to the free software
RCS, PRCS, and Aegis packages.")
+ (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
(license license:gpl1+)))
(define-public cvs-fast-export
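Review bot: hiding only the "jenkins" vendor is the right granularity, since any CPE entry for GNU CVS itself stays visible to `guix lint`, but add a comment saying the jenkins matches concern a Jenkins plugin rather than this package, so the property is not widened later by someone who sees unexplained lint noise.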
--
2.46.0
Nicolas Graves wrote 3 days ago
[PATCH v2 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.
(address . 74034@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182029.25707-15-ngraves@ngraves.fr
* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
gnu/packages/cpp.scm | 1 +
1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 550f57c6bf..c0f9620f78 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,7 @@ (define-public immer
(synopsis "Immutable data structures")
(description "Immer is a library of persistent and immutable data structures
written in C++.")
+ (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
(license license:boost1.0)))
(define-public zug
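Review bot: same remark as for got: "immer_project" names a vendor after the project, so a comment is needed stating that those CPE entries concern a different library called "immer" and not this C++ one before the warnings are hidden; otherwise the property reads as hiding a real advisory against this package.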
--
2.46.0
Nicolas Graves wrote 3 days ago
control message for bug #74034
(address . control@debbugs.gnu.org)
87y129bdmj.fsf@ngraves.fr
tags 74034 - moreinfo
quit

Ready to review.


--
Best regards,
Nicolas Graves