|
conditional expression in the blacklist can specify when to
continue/stop a traversal. For example, in
<condition>
<within>
<traverse>
<not><hasAttr name='outputHash' value='.+' /></not>
</traverse>
<hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' />
</within>
</condition>
we traverse the dependency graph, not following the dependencies of
`fetchurl' derivations (as indicated by the presence of an
`outputHash' attribute - this is a bit ugly). The resulting set of
paths is scanned for a fetch of a file with the given hash, in this
case, the hash of zlib-1.2.1.tar.gz (which has a security bug). The
intent is that a dependency on zlib is not a problem if it is in a
`fetchurl' derivation, since that's build-time only. (Other
build-time uses of zlib *might* be a problem, e.g., static linking.)
|
