GNU bug report logs -
#31437
[PATCH 0/2] opencv: Ignore CVEs. Document lint-hidden-cve
Report forwarded to guix-patches <at> gnu.org: bug#31437; Package guix-patches. (Sat, 12 May 2018 23:33:02 GMT)
Acknowledgement sent to Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 12 May 2018 23:33:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
These two little patches are a follow-up to
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30801
Björn
Björn Höfling (2):
doc: Update documentation of guix lint
gnu: opencv: Ignore CVEs.
doc/guix.texi | 22 +++++++++++++++++++---
gnu/packages/image-processing.scm | 5 +++++
2 files changed, 24 insertions(+), 3 deletions(-)
--
2.17.0
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to guix-patches <at> gnu.org: bug#31437; Package guix-patches. (Sat, 12 May 2018 23:41:02 GMT)
Message #8 received at 31437 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
* doc/guix.texi (Invoking guix lint): Add cpe-version to example.
* doc/guix.texi (Invoking guix lint): Add example for lint-hidden-cve.
---
doc/guix.texi | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 637c9c3f4..f0b666b9e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6835,15 +6835,31 @@ where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g.,
Package developers can specify in package recipes the
@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)}
-name and version of the package when they differ from the name that Guix
-uses, as in this example:
+name and version of the package when they differ from the name or version
+that Guix uses, as in this example:
@example
(package
(name "grub")
;; @dots{}
;; CPE calls this package "grub2".
- (properties '((cpe-name . "grub2"))))
+ (properties '((cpe-name . "grub2")
+ (cpe-version . "2.3")))
+@end example
+
+Sometimes, the CVE database contains false positives. Package developers who
+found CVE alerts and verified they can be ignored can declare them as in
+this example:
+
+@example
+(package
+ (name "t1lib")
+ ;; @dots{}
+ ;; These CVEs are false positives and can be ignored:
+ (properties `((lint-hidden-cve . ("CVE-2011-0433"
+ "CVE-2011-1553"
+ "CVE-2011-1554"
+ "CVE-2011-5244")))))
@end example
@item formatting
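Review bot: the new lint-hidden-cve example uses a quasiquote, `(properties `((lint-hidden-cve . (...))))`, although nothing inside it is unquoted; the grub example just above uses a plain quote, so `'((lint-hidden-cve . ("CVE-2011-0433" ...)))` would be consistent and avoids suggesting that any evaluation is needed. The prose before it ("found CVE alerts and verified they can be ignored") sets no bar for that verification and does not ask for the reasoning to be recorded; suggest saying that the property should be accompanied by a comment pointing at the analysis (as the opencv patch in this series does), and that it only silences the lint warning and is not scoped to the package version, so an entry keeps hiding that CVE across upgrades. Minor: the grub example now carries `(cpe-version . "2.3")` but the package's own `version` field is elided, so the reader cannot see what differs from the version Guix uses.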
--
2.17.0
[Message part 2 (application/pgp-signature, inline)]
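The two mechanisms the documentation hunk above describes, `cpe-name`/`cpe-version` overriding the lookup key and `lint-hidden-cve` suppressing matches, can be modelled in a few lines. The following is an added example, not Guix's own `guix lint` implementation: the feed contents, the `Package` stand-in and every function name are constructed for this illustration, and the affected versions in the feed are made up rather than taken from NVD. It also adds one check the documented property does not provide: reporting hidden IDs that no longer match the package after a version bump, so a suppression list can be pruned.

```python
"""Model of a lint-style CVE check with CPE overrides and hidden CVEs.

Added illustration, not Guix's own code: the feed, the package records
and every function name here are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed sample feed: CVE id -> set of (cpe-name, version) pairs it
# affects.  The IDs are the ones discussed on this page; the affected
# versions are made up for the example, not taken from NVD.
SAMPLE_CVE_FEED = {
    "CVE-2011-0433": {("t1lib", "5.1.2")},
    "CVE-2011-1553": {("t1lib", "5.1.2")},
    "CVE-2011-1554": {("t1lib", "5.1.2")},
    "CVE-2011-5244": {("t1lib", "5.1.2")},
    "CVE-2018-7712": {("opencv", "3.3.1"), ("opencv", "3.4.0")},
    "CVE-2018-7713": {("opencv", "3.3.1")},
    "CVE-2018-7714": {("opencv", "3.3.1")},
}


@dataclass
class Package:
    """Minimal stand-in for a package record: name, version, properties."""
    name: str
    version: str
    properties: dict = field(default_factory=dict)


def cpe_identity(pkg: Package) -> tuple:
    """Name/version used for the CPE lookup.  As the manual text says, the
    cpe-name and cpe-version properties override the package's own fields."""
    return (pkg.properties.get("cpe-name", pkg.name),
            pkg.properties.get("cpe-version", pkg.version))


def matching_cves(pkg: Package, feed: dict) -> list:
    """All CVEs in the feed whose affected set contains the package's CPE."""
    ident = cpe_identity(pkg)
    return sorted(cve for cve, affected in feed.items() if ident in affected)


def check_vulnerabilities(pkg: Package, feed: dict) -> dict:
    """Split matches into reported vs. hidden, and flag hidden IDs that no
    longer match anything (stale suppressions left over after an upgrade)."""
    hidden = set(pkg.properties.get("lint-hidden-cve", ()))
    matches = matching_cves(pkg, feed)
    return {
        "reported": [c for c in matches if c not in hidden],
        "hidden": [c for c in matches if c in hidden],
        "stale": sorted(hidden - set(matches)),
    }


def lint_warnings(pkg: Package, feed: dict) -> list:
    """Render warnings the way a linter would print them."""
    result = check_vulnerabilities(pkg, feed)
    warnings = []
    if result["reported"]:
        warnings.append(f"{pkg.name}@{pkg.version}: probably vulnerable to "
                        + ", ".join(result["reported"]))
    for cve in result["stale"]:
        warnings.append(f"{pkg.name}@{pkg.version}: lint-hidden-cve lists "
                        f"{cve}, which no longer matches this package")
    return warnings


if __name__ == "__main__":
    # Sample packages; versions are example values, not Guix's current ones.
    t1lib = Package("t1lib", "5.1.2",
                    {"lint-hidden-cve": ["CVE-2011-0433", "CVE-2011-1553",
                                         "CVE-2011-1554", "CVE-2011-5244"]})
    opencv_old = Package("opencv", "3.3.1",
                         {"lint-hidden-cve": ["CVE-2018-7712", "CVE-2018-7713",
                                              "CVE-2018-7714"]})
    opencv_new = Package("opencv", "3.4.0", dict(opencv_old.properties))
    grub = Package("grub", "2.02", {"cpe-name": "grub2", "cpe-version": "2.3"})
    for pkg in (t1lib, opencv_old, opencv_new, grub):
        print(pkg.name, cpe_identity(pkg),
              check_vulnerabilities(pkg, SAMPLE_CVE_FEED))
        for w in lint_warnings(pkg, SAMPLE_CVE_FEED):
            print("  warning:", w)
```

Running the block prints, for each sample package, the CPE identity it resolves to and the reported/hidden/stale split. The opencv 3.4.0 case is the one to look at: the hide list is not version-scoped, so CVE-2018-7712 stays hidden after the bump, while the two IDs that no longer match are flagged as stale instead of silently lingering in the property.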
Information forwarded to guix-patches <at> gnu.org: bug#31437; Package guix-patches. (Sat, 12 May 2018 23:41:02 GMT)
Message #11 received at 31437 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
* gnu/packages/image-processing.scm (opencv)[properties]: Add a
lint-hidden-cve property and add three CVEs to be ignored.
---
gnu/packages/image-processing.scm | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gnu/packages/image-processing.scm
b/gnu/packages/image-processing.scm index ef303e134..4842ad450 100644
--- a/gnu/packages/image-processing.scm
+++ b/gnu/packages/image-processing.scm
@@ -222,6 +222,11 @@ integrates with various databases on GUI toolkits
such as Qt and Tk.") (for-each delete-file
'("modules/java/test/pure_test/lib/junit-4.11.jar"
"samples/java/sbt/sbt/sbt-launch.jar"))))))
+ ;; These three CVEs are not a problem of OpenCV, see:
+ ;; https://github.com/opencv/opencv/issues/10998
+ (properties '((lint-hidden-cve . ("CVE-2018-7712"
+ "CVE-2018-7713"
+ "CVE-2018-7714"))))
(build-system cmake-build-system)
(arguments
`(#:configure-flags
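Review bot: the comment "These three CVEs are not a problem of OpenCV" records the conclusion but not the reason; one more line saying what the linked issue found would let the next packager re-verify the suppression without leaving the file. Because the lint-hidden-cve list is not tied to the version being packaged, these three IDs stay hidden after every future upgrade, which is fine only if they never applied to OpenCV at all; if the issue instead establishes that a given version is unaffected, noting that version in the comment (or using cpe-version) would be safer. Style: properties is usually the last field of a package form, after license, rather than between source and build-system.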
--
2.17.0
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to guix-patches <at> gnu.org: bug#31437; Package guix-patches. (Mon, 14 May 2018 09:00:02 GMT)
Message #14 received at 31437 <at> debbugs.gnu.org (full text, mbox):
Hello,
Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> wrote:
> * doc/guix.texi (Invoking guix lint): Add cpe-version to example.
> * doc/guix.texi (Invoking guix lint): Add example for lint-hidden-cve.
I reworded the bit about ‘lint-hidden-cve’, mostly so that packagers
don’t start using it without a very good reason ;-), and committed.
Thanks!
Ludo’.
Reply sent to ludo <at> gnu.org (Ludovic Courtès): You have taken responsibility. (Mon, 14 May 2018 09:04:01 GMT)
Notification sent to Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>: bug acknowledged by developer. (Mon, 14 May 2018 09:04:02 GMT)
Message #19 received at 31437-done <at> debbugs.gnu.org (full text, mbox):
Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> wrote:
> * gnu/packages/image-processing.scm (opencv)[properties]: Add a
> lint-hidden-cve property and add three CVEs to be ignored.
Applied, thanks!
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 11 Jun 2018 11:24:04 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.