GNU bug report logs - #40142
(guix cve) discards configuration "vendor", leading to false positives


Package: guix;

Reported by: Brice Waegeneire <brice <at> waegenei.re>

Date: Fri, 20 Mar 2020 09:11:02 UTC

Severity: normal



Message #19 received at 40142 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Brice Waegeneire <brice <at> waegenei.re>
Cc: 40142 <at> debbugs.gnu.org
Subject: Re: bug#40142: (guix cve) discards configuration "vendor", leading to false positives
Date: Thu, 02 Apr 2020 12:38:16 +0200

Hi,

Brice Waegeneire <brice <at> waegenei.re> skribis:

> It looks like, for most free software the name of the software is used
> as the vendor too, but I'm guessing that's not always the case, in
> particular when two projects are using the same name. So we can't just
> filter the entries where the vendor name isn't the name of the package
> or we could end up with false negatives, which seems worse than false
> positives for a vulnerability checker.

Yeah.

> One solution would be to display the name of the vendor when it doesn't
> correspond to the name of the package. Such a solution would still output
> false positives, but at least it will be quicker to identify them as
> such, compared to looking up and reading through each CVE.

Yes, though I think that (guix cve) should simply preserve the vendor
part, and leave it up to its user, ‘guix lint’, to display vendor
mismatches.

Thanks,
Ludo’.
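The matching logic the two messages discuss, as an added illustration that is not code from Guix or from either correspondent. It is written in Python rather than Guile so it runs stand-alone; the CVE identifiers, CPE strings, and function names (`parse_cpe`, `index_by_product`, `lookup`, `lint_report`) are constructed for this example. The index keeps the CPE vendor field instead of dropping it, every product-name hit is still reported (so filtering by vendor cannot cause the false negatives Brice warns about), and the caller is handed the vendor mismatches to display, which is the division of labour Ludovic proposes between (guix cve) and `guix lint`.

```python
"""Vendor-aware CVE matching (constructed example, not Guix code).

NVD feeds identify affected software with CPE 2.3 names of the form
cpe:2.3:<part>:<vendor>:<product>:<version>:...   Matching on product
alone returns every CVE for any same-named product from any vendor;
silently dropping entries whose vendor differs from the package name
would instead hide real hits.  This code keeps the vendor and lets the
caller decide how to present mismatches.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample feed: (CVE id, affected CPE names).  The identifiers
# are placeholders, not real CVE numbers.
SAMPLE_CVES = [
    ("CVE-0000-0001", ["cpe:2.3:a:gnu:guile:2.2.6:*:*:*:*:*:*:*"]),
    ("CVE-0000-0002", ["cpe:2.3:a:othervendor:guile:*:*:*:*:*:*:*:*"]),
    ("CVE-0000-0003", ["cpe:2.3:a:gnu:bash:5.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0004", ["cpe:2.3:a:bash:bash:*:*:*:*:*:*:*:*"]),
    ("CVE-0000-0005", ["cpe:2.3:o:linux:linux_kernel:5.4:*:*:*:*:*:*:*"]),
]


@dataclass(frozen=True)
class Match:
    cve_id: str
    vendor: str
    product: str
    version: str


def parse_cpe(cpe: str) -> Tuple[str, str, str, str]:
    """Return (part, vendor, product, version) from a CPE 2.3 name.

    CPE 2.3 escapes literal colons as "\\:", so split only on unescaped ones.
    """
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe!r}")
    return fields[2], fields[3], fields[4], fields[5]


def index_by_product(cves) -> Dict[str, List[Match]]:
    """Index application CPEs by product, preserving the vendor field."""
    table: Dict[str, List[Match]] = {}
    for cve_id, cpes in cves:
        for cpe in cpes:
            part, vendor, product, version = parse_cpe(cpe)
            if part != "a":  # only application entries, as (guix cve) does
                continue
            table.setdefault(product, []).append(
                Match(cve_id, vendor, product, version))
    return table


def lookup(table: Dict[str, List[Match]], package: str, version: str,
           vendor: Optional[str] = None) -> Tuple[List[Match], List[Match]]:
    """Return (hits, vendor_mismatches) for a package.

    Every CVE whose product and version match is a hit: nothing is dropped
    on the basis of vendor.  Hits whose vendor differs from the expected
    vendor (defaulting to the package name, the heuristic from the thread)
    are also returned separately so a linter can display them for review.
    Version matching is simplified to "any" or exact equality.
    """
    expected_vendor = vendor if vendor is not None else package
    hits, mismatches = [], []
    for m in table.get(package, []):
        if m.version not in ("*", "-", version):
            continue
        hits.append(m)
        if m.vendor != expected_vendor:
            mismatches.append(m)
    return hits, mismatches


def lint_report(package: str, version: str,
                table: Dict[str, List[Match]],
                vendor: Optional[str] = None) -> List[str]:
    """Render one line per hit, annotating vendor mismatches as guix lint might."""
    hits, mismatches = lookup(table, package, version, vendor)
    flagged = {m.cve_id for m in mismatches}
    lines = []
    for m in hits:
        note = f" (vendor '{m.vendor}' does not match package name)" \
            if m.cve_id in flagged else ""
        lines.append(f"{package}@{version}: probably vulnerable to {m.cve_id}{note}")
    return lines


if __name__ == "__main__":
    idx = index_by_product(SAMPLE_CVES)
    for line in lint_report("guile", "2.2.6", idx, vendor="gnu"):
        print(line)
    for line in lint_report("bash", "5.0", idx):
        print(line)
```

Running it shows both sides of the thread's trade-off: the `othervendor:guile` entry is still reported for `guile` but carries a mismatch note, while `gnu:bash` is flagged for `bash` even though it is the genuine entry, which is exactly why the mismatch is presented as a hint for the reader rather than used as a filter.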



