diff options
author | Björn Höfling <bjoern.hoefling@bjoernhoefling.de> | 2018-05-13 01:40:00 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2018-05-14 23:01:36 +0200 |
commit | 5ac7bf56d0b20d505b747425c5d17f2cc33d9302 (patch) | |
tree | f0a72554d3fe66933e094ee70975ed291db43323 | |
parent | 320344055a04025d25376a688a4f1caca65be66e (diff) | |
download | guix-5ac7bf56d0b20d505b747425c5d17f2cc33d9302.tar.gz |
doc: Update documentation of guix lint
* doc/guix.texi (Invoking guix lint): Add cpe-version to example. (Invoking guix lint): Add example for lint-hidden-cve. Co-authored-by: Ludovic Courtès <ludo@gnu.org>
-rw-r--r-- | doc/guix.texi | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 637c9c3f4d..a771ab7ae1 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -6835,15 +6835,33 @@ where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g., Package developers can specify in package recipes the @uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)} -name and version of the package when they differ from the name that Guix -uses, as in this example: +name and version of the package when they differ from the name or version +that Guix uses, as in this example: @example (package (name "grub") ;; @dots{} ;; CPE calls this package "grub2". - (properties '((cpe-name . "grub2")))) + (properties '((cpe-name . "grub2") + (cpe-version . "2.3"))) +@end example + +@c See <http://www.openwall.com/lists/oss-security/2017/03/15/3>. +Some entries in the CVE database do not specify which version of a +package they apply to, and would thus ``stick around'' forever. Package +developers who found CVE alerts and verified they can be ignored can +declare them as in this example: + +@example +(package + (name "t1lib") + ;; @dots{} + ;; These CVEs no longer apply and can be safely ignored. + (properties `((lint-hidden-cve . ("CVE-2011-0433" + "CVE-2011-1553" + "CVE-2011-1554" + "CVE-2011-5244"))))) @end example @item formatting |