* Introduce a cpe-vendor package property?
@ 2024-10-25 13:33 Nicolas Graves
2024-10-26 15:08 ` Ludovic Courtès
0 siblings, 1 reply; 3+ messages in thread
From: Nicolas Graves @ 2024-10-25 13:33 UTC (permalink / raw)
To: guix-devel
Hi Guix,
As you've certainly noticed, I'm currently supplying some security
patches by checking every package that is linted on the cve checker.
I have a WIP patch series about adding lint-hidden-cve property to
packages where it is relevant. While doing it, I noticed that there are
quite a few packages with duplicated cpe-names (a few examples: xenon,
bolt, express, halibut, folders, portfolio...) in the NIST database.
I was wondering about handling a cpe-vendor property to handle such
cases, since cpe-name won't help here.
To note: Most of the time, this won't help and we'll still have to fill
lint-hidden-cve (since most of these packages have no CVEs and therefore
are not in the database at all, despite having similarly-named
packages).
--
Best regards,
Nicolas Graves
* Re: Introduce a cpe-vendor package property?
From: Ludovic Courtès @ 2024-10-26 15:08 UTC (permalink / raw)
To: Nicolas Graves; +Cc: guix-devel
Hi,
Nicolas Graves <ngraves@ngraves.fr> skribis:
> I was wondering about handling a cpe-vendor property to handle such
> cases, since cpe-name won't help here.
Yes, we need that. (guix cve) currently blissfully ignores the “vendor”
part of CPE names; we can do better.
Thanks,
Ludo’.
* Re: Introduce a cpe-vendor package property?
From: Nicolas Graves @ 2024-10-27 18:29 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On 2024-10-26 17:08, Ludovic Courtès wrote:
> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> skribis:
>
>> I was wondering about handling a cpe-vendor property to handle such
>> cases, since cpe-name won't help here.
>
> Yes, we need that. (guix cve) currently blissfully ignores the “vendor”
> part of CPE names; we can do better.
I've done that in the v2 of 74034. I actually introduce two properties,
cpe-vendor and lint-hidden-cpe-vendors (akin to lint-hidden-cve). This
is because:
- most of the time we don't have a cpe-vendor but we know which
  other cpe-vendors to ignore
- knowing which ones to ignore brings more information than
  lint-hidden-cve since it's stable in time (future CVEs for other
  packages won't get raised)
--
Best regards,
Nicolas Graves
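As an added illustration of the matching behaviour discussed in this thread (this is not code from (guix cve) nor from patch 74034), the Python model below compares name-only matching with vendor-aware matching over constructed NVD-like records. The property names cpe-vendor and lint-hidden-cpe-vendors are the ones proposed above; the CVE ids, vendors and package metadata are constructed placeholders.

```python
"""Model of CPE-based CVE matching with and without a vendor property.

Added example; 'cpe-name' and 'lint-hidden-cve' are existing Guix package
properties, 'cpe-vendor' and 'lint-hidden-cpe-vendors' are the names
proposed in the thread. Records and ids below are constructed.
"""

# Constructed NVD-like records: (cve_id, vendor, product). The product
# name "bolt" is claimed by two unrelated vendors, as the thread describes.
CVE_RECORDS = [
    ("CVE-0000-0001", "freedesktop", "bolt"),   # constructed placeholder
    ("CVE-0000-0002", "boltcms", "bolt"),
    ("CVE-0000-0003", "boltcms", "bolt"),
    ("CVE-0000-0004", "otherco", "xenon"),
]


def match_by_name_only(pkg, records=CVE_RECORDS):
    """What ignoring the vendor part of a CPE yields: every CVE whose
    product equals cpe-name, whoever ships it, minus lint-hidden-cve."""
    name = pkg.get("cpe-name", pkg["name"])
    hidden_cves = set(pkg.get("lint-hidden-cve", ()))
    return sorted(cve for cve, _vendor, product in records
                  if product == name and cve not in hidden_cves)


def match_with_vendor(pkg, records=CVE_RECORDS):
    """Vendor-aware matching: honour cpe-vendor when it is set; otherwise
    drop vendors listed in lint-hidden-cpe-vendors; then lint-hidden-cve."""
    name = pkg.get("cpe-name", pkg["name"])
    vendor = pkg.get("cpe-vendor")
    hidden_vendors = set(pkg.get("lint-hidden-cpe-vendors", ()))
    hidden_cves = set(pkg.get("lint-hidden-cve", ()))
    hits = []
    for cve, rec_vendor, product in records:
        if product != name or cve in hidden_cves:
            continue
        if vendor is not None and rec_vendor != vendor:
            continue  # exact vendor known: other vendors are noise
        if vendor is None and rec_vendor in hidden_vendors:
            continue  # vendor unknown, but this one is known to be wrong
        hits.append(cve)
    return sorted(hits)


# Constructed package metadata standing in for a Guix package's properties.
BOLT_TOOL = {"name": "bolt", "cpe-vendor": "freedesktop"}
BOLT_UNKNOWN = {"name": "bolt", "lint-hidden-cpe-vendors": ("boltcms",)}
BOLT_HIDDEN = {"name": "bolt", "lint-hidden-cve": ("CVE-0000-0002",)}
# A CVE published later for the other vendor's "bolt": only the vendor
# hide list keeps it from being raised against the wrong package.
LATER_RECORD = ("CVE-0000-0005", "boltcms", "bolt")
```

Passing `CVE_RECORDS + [LATER_RECORD]` shows the stability point from the thread: the package using lint-hidden-cve gets the new CVE raised, the one using lint-hidden-cpe-vendors does not.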