GNU bug report logs -
#40142
(guix cve) discards configuration "vendor", leading to false positives
Previous Next
Full log
Message #16 received at 40142 <at> debbugs.gnu.org (full text, mbox):
Hello,
I have thought of a way to improve on those false positives. And I have
submitted a patch to solve the stderr situation at
https://issues.guix.info/issue/40367.
> Probably the fix would be to preserve the vendor part in the API and to
> somehow use it meaningfully
It looks like, for most free software the name of the software is used
as
the vendor too, but I'm guessing that's not always the case in
particular
when two project are using the same name. So we can't just filter the
entries where the vendor name isn't the name of the package or we could
end up with false negatives which seems worse than false positive for a
vulnerability checker.
One solution would be to display the name of the vendor when it doesn't
correspond to the name of the package. Such solution would still output
false positives but at least it will be quicker to identify then as
such,
compared to looking up and reading trough each CVE.
- Brice
This bug report was last modified 5 years and 163 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.