From: Brice Waegeneire
Subject: bug#40142: (guix cve) discards configuration "vendor", leading to false positives
Date: Wed, 01 Apr 2020 17:01:47 +0000
In-Reply-To: <0bb3b7878b37095b4ed7fa49aee5936f@waegenei.re>
To: 40142@debbugs.gnu.org

Hello,

I have thought of a way to improve on those false positives. And I have submitted a patch to solve the stderr situation at https://issues.guix.info/issue/40367.

> Probably the fix would be to preserve the vendor part in the API and to
> somehow use it meaningfully

It looks like, for most free software, the name of the software is used as the vendor too, but I'm guessing that's not always the case, in particular when two projects are using the same name.

So we can't just filter the entries where the vendor name isn't the name of the package, or we could end up with false negatives, which seems worse than false positives for a vulnerability checker. One solution would be to display the name of the vendor when it doesn't correspond to the name of the package. Such a solution would still output false positives, but at least it will be quicker to identify them as such, compared to looking up and reading through each CVE.

- Brice
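As an added illustration (not code from Guix or from this message's author), the following Python models the two options weighed above: dropping CVE entries whose CPE vendor differs from the package name, versus keeping them and flagging the mismatch. The CVE IDs, vendor names and the feed are constructed placeholders.

```python
# Added example, not code from Guix or from the bug report's author.
# It models the two options discussed: filtering out CVE entries whose
# CPE vendor differs from the package name (risking false negatives) versus
# keeping them and flagging the vendor mismatch (as the message proposes).
from dataclasses import dataclass

@dataclass(frozen=True)
class CveEntry:
    cve_id: str      # placeholder IDs below, not real CVE numbers
    vendor: str      # CPE "vendor" field
    product: str     # CPE "product" field
    version: str     # a single affected version, kept simple on purpose

# Constructed sample feed: two different upstreams both publish a product
# named "foo"; only the first is the one we actually ship.
SAMPLE_FEED = [
    CveEntry("CVE-0000-0001", "foo", "foo", "1.2"),
    CveEntry("CVE-0000-0002", "otherco", "foo", "1.2"),   # same name, different project
    CveEntry("CVE-0000-0003", "foo", "foo", "1.3"),       # other version, not affected
    CveEntry("CVE-0000-0004", "barco", "bar", "1.2"),     # unrelated product
]

def product_matches(package, version, feed=SAMPLE_FEED):
    """Every entry whose CPE product and version match; vendor is ignored."""
    return [e for e in feed if e.product == package and e.version == version]

def filter_by_vendor(package, version, feed=SAMPLE_FEED):
    """Option rejected in the message: drop vendor mismatches. If our
    upstream's CVEs were filed under a different vendor string, this
    silently loses them (false negatives)."""
    return [e for e in product_matches(package, version, feed) if e.vendor == package]

def annotate_vendor(package, version, feed=SAMPLE_FEED):
    """Option proposed in the message: keep every product match, but mark
    entries whose vendor differs so a reviewer can triage them quickly."""
    lines = []
    for e in product_matches(package, version, feed):
        if e.vendor == package:
            lines.append(e.cve_id)
        else:
            lines.append(f"{e.cve_id} (vendor: {e.vendor})")
    return lines

if __name__ == "__main__":
    for line in annotate_vendor("foo", "1.2"):
        print(line)
```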