From: Brice Waegeneire <brice@waegenei.re>
To: 40142@debbugs.gnu.org
Subject: bug#40142: (guix cve) discards configuration "vendor", leading to false positives
Date: Wed, 01 Apr 2020 17:01:47 +0000
Message-ID: <ee58b7a4cda4f5a09eb1bbd303ac36d6@waegenei.re>
In-Reply-To: <0bb3b7878b37095b4ed7fa49aee5936f@waegenei.re>

Hello,

I have thought of a way to improve on those false positives. And I have
submitted a patch to solve the stderr situation at
https://issues.guix.info/issue/40367.

> Probably the fix would be to preserve the vendor part in the API and to
> somehow use it meaningfully

It looks like, for most free software, the name of the software is used
as the vendor too, but I'm guessing that's not always the case, in
particular when two projects are using the same name. So we can't just
filter the entries where the vendor name isn't the name of the package,
or we could end up with false negatives, which seems worse than false
positives for a vulnerability checker.

One solution would be to display the name of the vendor when it doesn't
correspond to the name of the package. Such a solution would still output
false positives, but at least it will be quicker to identify them as such,
compared to looking up and reading through each CVE.

- Brice
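The approach proposed in this message, as an added example that is not part of the thread and not code from Guix or its `(guix cve)` module: match CVE records against a package by CPE product name and version, never drop an entry because the CPE vendor differs from the package name (that would risk false negatives), but print the vendor whenever it differs so a likely false positive can be triaged at a glance. The CPE 2.3 parsing, the `find_matches`/`format_report` helpers and the sample records with placeholder CVE ids are all constructed for this illustration.

```python
"""Added example: report CVE matches by product name but keep the CPE vendor
visible when it differs from the package name, so probable false positives
stand out instead of being silently dropped. Not part of Guix or (guix cve)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe23(uri: str) -> Cpe:
    """Split a CPE 2.3 formatted-string name into vendor/product/version.

    Layout: cpe:2.3:<part>:<vendor>:<product>:<version>:... (13 fields).
    Escaped colons (\\:) inside fields are not handled by this toy parser."""
    fields = uri.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {uri!r}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


@dataclass(frozen=True)
class Match:
    cve_id: str
    vendor: str
    vendor_differs: bool  # True when the CPE vendor is not the package name


def find_matches(package: str, version: str, records) -> list:
    """Return every CVE whose CPE product matches `package` at `version`.

    `records` is a list of (cve_id, [cpe23 uri, ...]) pairs.  Entries are
    never filtered on vendor; a differing vendor is only flagged."""
    matches = []
    for cve_id, uris in records:
        for uri in uris:
            cpe = parse_cpe23(uri)
            if cpe.product != package:
                continue
            if cpe.version not in ("*", version):  # "*" = any version
                continue
            matches.append(Match(cve_id, cpe.vendor, cpe.vendor != package))
            break  # one matching CPE per CVE is enough to report it
    return matches


def format_report(package: str, version: str, matches) -> list:
    """One line per match; the vendor is shown only when it differs."""
    lines = []
    for m in matches:
        note = f" (vendor: {m.vendor})" if m.vendor_differs else ""
        lines.append(f"{package}@{version}: {m.cve_id}{note}")
    return lines


# Constructed sample records with placeholder CVE ids (not real advisories).
SAMPLE_RECORDS = [
    ("CVE-0000-0001", ["cpe:2.3:a:foo:foo:1.2.3:*:*:*:*:*:*:*"]),      # same vendor
    ("CVE-0000-0002", ["cpe:2.3:a:barcorp:foo:1.2.3:*:*:*:*:*:*:*"]),  # other vendor, same name
    ("CVE-0000-0003", ["cpe:2.3:a:foo:foo:2.0.0:*:*:*:*:*:*:*"]),      # other version
    ("CVE-0000-0004", ["cpe:2.3:a:foo:foo:*:*:*:*:*:*:*:*"]),          # any version
]

if __name__ == "__main__":
    found = find_matches("foo", "1.2.3", SAMPLE_RECORDS)
    for line in format_report("foo", "1.2.3", found):
        print(line)
```

Running it for `foo@1.2.3` lists three CVEs, with the second one annotated `(vendor: barcorp)`; the reader still sees the entry, but the annotation points straight at the thing to verify.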
