From: Brice Waegeneire
To: bug-guix@gnu.org
Subject: bug#40142: CVE checker return false positives
Date: Fri, 20 Mar 2020 09:10:31 +0000
Message-ID: <0bb3b7878b37095b4ed7fa49aee5936f@waegenei.re>

Hello,

The CVE checker of “guix lint” returns false positives:

┌────
│ LANGUAGE=C guix lint git 2>&1
├───
│ gnu/packages/version-control.scm:149:2: git@2.25.1: probably vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110, CVE-2018-1000182
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:153:12: git@2.25.1: can be upgraded to 2.25.2
│ /gnu/store/8q0nfd6vnc6lnjh13rwl7fyimwlv7fml-guix-module-union/share/guile/site/3.0/gnu/packages/version-control.scm:154:11: git@2.25.1: source not archived on Software Heritage
└────

• [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
• [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
• [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier […]”
• [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

Also note the missing / on the first line and that it outputs on `stderr' instead of `stdout'.

Brice.
From: Ludovic Courtès
To: Brice Waegeneire
Cc: 40142@debbugs.gnu.org
Subject: bug#40142: CVE checker return false positives
Date: Sat, 21 Mar 2020 17:25:23 +0100
Message-ID: <87sgi1znd8.fsf@gnu.org>
In-Reply-To: <0bb3b7878b37095b4ed7fa49aee5936f@waegenei.re>

Hi,

Brice Waegeneire skribis:

> The CVE checker of “guix lint” returns false positives:
>
> ┌────
> │ LANGUAGE=C guix lint git 2>&1
> ├───
> │ gnu/packages/version-control.scm:149:2: git@2.25.1: probably
> vulnerable to CVE-2020-2136, CVE-2019-1003010, CVE-2018-1000110,
> CVE-2018-1000182

[...]

> • [CVE-2020-2136]: “Jenkins Git Plugin 4.2.0 and earlier […]”
> • [CVE-2019-1003010]: “[…] Jenkins Git Plugin 3.9.1 and earlier […]”
> • [CVE-2018-1000110]: “[…] Jenkins Git Plugin version 3.7.0 and earlier […]”
> • [CVE-2018-1000182]: “[…] Jenkins Git Plugin 3.9.0 and older […]”

(guix cve) reports it as applying to “git”:

--8<---------------cut here---------------start------------->8---
scheme@(guix cve)> (define items
                     (call-with-decompressed-port 'gzip
                                                  (http-fetch (yearly-feed-uri 2020))
                                                  json->cve-items))
scheme@(guix cve)> (find (lambda (item)
                           (string=? (cve-id (cve-item-cve item)) "CVE-2020-2136"))
                         items)
$130 = #< cve: #< id: "CVE-2020-2136" data-type: CVE data-format: MITRE references: (#< url: "http://www.openwall.com/lists/oss-security/2020/03/09/1" tags: ("Third Party Advisory")> #< url: "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1723" tags: ("Vendor Advisory")>)> configurations: (("git" (<= "4.2.0"))) published-date: # last-modified-date: #>
--8<---------------cut here---------------end--------------->8---

I think the problem stems from the fact that the CVE configuration specifies “jenkins:git” (where “jenkins” is the “vendor” and “git” is the “product”), but we just strip the vendor part:

--8<---------------cut here---------------start------------->8---
$ wget -O - -q https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz | gunzip | jq
[…]
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "operator": "OR",
            "cpe_match": [
              {
                "vulnerable": true,
                "cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*",
                "versionEndIncluding": "4.2.0"
              }
            ]
          }
        ]
--8<---------------cut here---------------end--------------->8---

It’s usually the case that the vendor part has little relevance for free software packages, but in this case it does make a difference.

Probably the fix would be to preserve the vendor part in the API and to somehow use it meaningfully.

Ideas & patches welcome!

> Also note the missing / on the first line and that it outputs on `stderr'
> instead of `stdout'.

What do you mean?

Thanks,
Ludo’.
From: Brice Waegeneire
To: Ludovic Courtès
Cc: 40142@debbugs.gnu.org
Subject: bug#40142: CVE checker return false positives
Date: Sat, 21 Mar 2020 16:57:33 +0000
Message-ID: <95d598f98f65efd7a5c89aaf52b80df1@waegenei.re>
In-Reply-To: <87sgi1znd8.fsf@gnu.org>

Hello,

On 2020-03-21 16:25, Ludovic Courtès wrote:
> Probably the fix would be to preserve the vendor part in the API and to
> somehow use it meaningfully.
>
> Ideas & patches welcome!

I'll see if I can write a patch to fix it then.

>> Also note the missing / on the first line and that it outputs on `stderr'
>> instead of `stdout'.
>
> What do you mean?

I misunderstood the meaning of “gnu/packages/version-control.scm:149:2:” and thought there was a missing / before “gnu/”; this is irrelevant.

About the output stream of “guix lint”, I think it should output to `stdout', not `stderr' as is currently the case.

Brice.


From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #40142
Date: Sat, 21 Mar 2020 22:57:20 +0100
Message-ID: <87y2rtwev3.fsf@gnu.org>

retitle 40142 (guix cve) discards configuration "vendor", leading to false positives
quit


From: Brice Waegeneire
To: 40142@debbugs.gnu.org
Subject: bug#40142: (guix cve) discards configuration "vendor", leading to false positives
Date: Wed, 01 Apr 2020 17:01:47 +0000
In-Reply-To: <0bb3b7878b37095b4ed7fa49aee5936f@waegenei.re>
Hello,

I have thought of a way to improve on those false positives. And I have submitted a patch to solve the stderr situation at https://issues.guix.info/issue/40367.

> Probably the fix would be to preserve the vendor part in the API and to
> somehow use it meaningfully

It looks like, for most free software, the name of the software is used as the vendor too, but I'm guessing that's not always the case, in particular when two projects are using the same name. So we can't just filter the entries where the vendor name isn't the name of the package, or we could end up with false negatives, which seem worse than false positives for a vulnerability checker.

One solution would be to display the name of the vendor when it doesn't correspond to the name of the package. Such a solution would still output false positives, but at least it will be quicker to identify them as such, compared to looking up and reading through each CVE.

- Brice


From: Ludovic Courtès
To: Brice Waegeneire
Cc: 40142@debbugs.gnu.org
Subject: bug#40142: (guix cve) discards configuration "vendor", leading to false positives
Date: Thu, 02 Apr 2020 12:38:16 +0200
Message-ID: <87mu7up3zb.fsf@gnu.org>

Hi,

Brice Waegeneire skribis:

> It looks like, for most free software, the name of the software is used
> as the vendor too, but I'm guessing that's not always the case, in
> particular when two projects are using the same name. So we can't just
> filter the entries where the vendor name isn't the name of the package,
> or we could end up with false negatives, which seem worse than false
> positives for a vulnerability checker.

Yeah.

> One solution would be to display the name of the vendor when it doesn't
> correspond to the name of the package. Such a solution would still
> output false positives, but at least it will be quicker to identify them
> as such, compared to looking up and reading through each CVE.

Yes, though I think that (guix cve) should simply preserve the vendor part, and leave it up to its user, ‘guix lint’, to display vendor mismatches.

Thanks,
Ludo’.
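The following is an added example, written for this page in Python; it is not Guix code (which is Guile Scheme) and not part of the thread. It shows the mechanism the two messages above discuss: the cpe23Uri of an NVD JSON 1.1 configuration node is split into part, vendor, product and version, the versionStart*/versionEnd* bounds are applied, and the vendor travels with each match so that a report can flag a vendor/product mismatch such as jenkins:git for the git package instead of dropping the vendor. The sample feed is constructed: the CVE-2020-2136 node is copied from the message above, while the second item (the id CVE-0000-EXAMPLE, the vendor git-scm and its version bounds) is invented to show a vendor that differs from the package name yet genuinely describes the package, which is why filtering on vendor == package name would produce the false negative Brice warns about.

```python
"""Added example (not Guix or thread code): match a package against NVD 1.1
configurations while keeping the CPE vendor, so mismatches can be reported."""
import json
from typing import List, NamedTuple, Optional

# Constructed sample feed.  Item 1 is the CVE-2020-2136 node quoted in the
# thread; item 2 (id CVE-0000-EXAMPLE, vendor git-scm, the version bounds) is
# invented: a vendor that differs from the package name and yet describes it.
SAMPLE_ITEMS = json.loads(r'''{"CVE_Items": [
 {"cve": {"CVE_data_meta": {"ID": "CVE-2020-2136"}},
  "configurations": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR",
   "cpe_match": [{"vulnerable": true, "versionEndIncluding": "4.2.0",
                  "cpe23Uri": "cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*"}]}]}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-EXAMPLE"}},
  "configurations": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR",
   "cpe_match": [{"vulnerable": true, "versionStartIncluding": "2.0.0",
                  "versionEndExcluding": "2.25.2",
                  "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*"}]}]}}]}''')


class CpeName(NamedTuple):
    part: str
    vendor: str
    product: str
    version: str


def parse_cpe23(uri: str) -> CpeName:
    """Split a CPE 2.3 formatted string (cpe:2.3:part:vendor:product:version:...,
    13 colon-separated fields) into its leading components.  A backslash escapes
    the next character, so an escaped colon must not split a field."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(uri):
        ch = uri[i]
        if ch == "\\" and i + 1 < len(uri):
            buf.append(uri[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a cpe:2.3 formatted string: {uri!r}")
    return CpeName(fields[2], fields[3], fields[4], fields[5])


def version_key(version: str) -> tuple:
    """Sort key for dotted versions: numeric pieces compare as integers
    ("2.25.2" > "2.9"); non-numeric pieces sort after integers, as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in version.split("."))


def in_range(version: str, match: dict) -> bool:
    """Apply the versionStart*/versionEnd* bounds of one NVD 1.1 cpe_match.
    A concrete version in the CPE means an exact match; "*" means any version,
    narrowed by whichever bounds are present."""
    cpe = parse_cpe23(match["cpe23Uri"])
    v = version_key(version)
    if cpe.version != "*":
        return v == version_key(cpe.version)
    bounds = (("versionStartIncluding", lambda a, b: a >= b),
              ("versionStartExcluding", lambda a, b: a > b),
              ("versionEndIncluding", lambda a, b: a <= b),
              ("versionEndExcluding", lambda a, b: a < b))
    return all(ok(v, version_key(match[k])) for k, ok in bounds if k in match)


class Finding(NamedTuple):
    cve_id: str
    vendor: str
    product: str


def first_hit(item: dict, package: str, version: str) -> Optional[CpeName]:
    """First vulnerable cpe_match naming `package` at `version`, or None.
    As in the bug, only the product is compared with the package name; unlike
    the bug, the vendor is kept.  Only flat OR nodes are handled; AND nodes
    with children (platform combinations) are out of scope here."""
    for node in item["configurations"]["nodes"]:
        for m in node.get("cpe_match", []):
            if not m.get("vulnerable", False):
                continue
            cpe = parse_cpe23(m["cpe23Uri"])
            if cpe.part == "a" and cpe.product == package and in_range(version, m):
                return cpe
    return None


def matching_cves(items: dict, package: str, version: str) -> List[Finding]:
    """CVEs whose configuration names `package` at `version`, vendor included."""
    findings = []
    for item in items["CVE_Items"]:
        hit = first_hit(item, package, version)
        if hit is not None:
            findings.append(Finding(item["cve"]["CVE_data_meta"]["ID"],
                                    hit.vendor, hit.product))
    return findings


def format_report(package: str, version: str, findings: List[Finding]) -> str:
    """Lint-style line that flags every CVE whose vendor is not the package
    name, so a jenkins:git hit can be triaged without opening each CVE."""
    parts = [f.cve_id if f.vendor == package else f"{f.cve_id} (vendor: {f.vendor})"
             for f in findings]
    return f"{package}@{version}: probably vulnerable to {', '.join(parts)}"
```

Running `format_report("git", "2.25.1", matching_cves(SAMPLE_ITEMS, "git", "2.25.1"))` on the constructed feed yields `git@2.25.1: probably vulnerable to CVE-2020-2136 (vendor: jenkins), CVE-0000-EXAMPLE (vendor: git-scm)`: both hits are kept, the Jenkins one is visibly foreign, and the git-scm one shows why a vendor filter would have been wrong. The matching library itself takes no position on the mismatch, which is the division of labour Ludovic proposes between (guix cve) and ‘guix lint’.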