[bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.

[bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.

[Nicolas Graves via Guix-patches via]

This patch series is adding lint-hidden-cve properties for packages
that have less than 10 dependents.

Some packages of these packages have been updated, only when the
update was trivial and harmless.

This is not applying any security fix by itself, but will help
security-related work.

Nicolas Graves (21):
  gnu: libgda: Rename patch for guix lint.
  gnu: upx: Update to 4.2.4.
  gnu: halibut: Add lint-hidden-cve property.
  gnu: portfolio: Update to 1.0.1.
  gnu: folders: Add lint-hidden-cve property.
  gnu: spectra: Add lint-hidden-cve property.
  gnu: express: Add lint-hidden-cve property.
  gnu: cli: Add lint-hidden-cve property.
  gnu: h2c: Add lint-hidden-cve property.
  gnu: xenon: Update to 0.9.3.
  gnu: bolt: Update to 0.9.8.
  gnu: sylpheed: Add release-monitoring-url property.
  gnu: openvswitch: Update to 3.4.0.
  gnu: quagga: Fix build and hide CVE.
  gnu: bwm-ng: Add lint-hidden-cve property.
  gnu: onedrive: Update to 2.5.2.
  gnu: got: Update to 0.104.
  gnu: dex: Update to 0.10.1.
  gnu: immer: Add lint-hidden-cve property.
  gnu: cvs: Add lint-hidden-cve property.
  gnu: gerbv: Add lint-hidden-cve property.

 gnu/local.mk                                  |  2 +-
 gnu/packages/algebra.scm                      |  2 ++
 gnu/packages/bioinformatics.scm               |  2 ++
 gnu/packages/code.scm                         |  6 ++++--
 gnu/packages/compression.scm                  |  7 ++++---
 gnu/packages/cpp.scm                          |  4 ++++
 gnu/packages/curl.scm                         |  2 ++
 gnu/packages/documentation.scm                | 16 ++++++++------
 gnu/packages/engineering.scm                  |  2 ++
 gnu/packages/esolangs.scm                     |  8 +++++++
 gnu/packages/gnome-xyz.scm                    |  6 ++++--
 gnu/packages/gnome.scm                        |  2 +-
 gnu/packages/linux.scm                        | 21 ++++++++++++-------
 gnu/packages/mail.scm                         |  2 ++
 gnu/packages/networking.scm                   | 16 ++++++++++----
 ...9359.patch => libgda-CVE-2021-39359.patch} |  0
 gnu/packages/sync.scm                         |  8 +++++--
 gnu/packages/version-control.scm              | 13 +++++++++---
 gnu/packages/xdisorg.scm                      | 19 ++++++++++-------
 19 files changed, 99 insertions(+), 39 deletions(-)
 rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

-- 
2.46.0

[bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint.

[Nicolas Graves via Guix-patches via]

* gnu/packages/gnome.scm (libgda)[source]<origin>: Rename patch for
CVE to be ignored by guix lint.
---
 gnu/local.mk                                                    | 2 +-
 gnu/packages/gnome.scm                                          | 2 +-
 ...{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..d253b424bb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1666,7 +1666,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libcroco-CVE-2020-12825.patch		\
   %D%/packages/patches/libcyaml-libyaml-compat.patch		\
   %D%/packages/patches/libexpected-use-provided-catch2.patch	\
-  %D%/packages/patches/libgda-cve-2021-39359.patch		\
+  %D%/packages/patches/libgda-CVE-2021-39359.patch		\
   %D%/packages/patches/libgda-disable-data-proxy-test.patch     \
   %D%/packages/patches/libgda-fix-build.patch			\
   %D%/packages/patches/libgda-fix-missing-initialization.patch	\
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..9b26819261 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -13653,7 +13653,7 @@ (define-public libgda
                            name "-" version ".tar.xz"))
        (sha256
         (base32 "0w564z7krgjk19r39mi5qn4kggpdg9ggbyn9pb4aavb61r14npwr"))
-       (patches (search-patches "libgda-cve-2021-39359.patch"
+       (patches (search-patches "libgda-CVE-2021-39359.patch"
                                 "libgda-disable-data-proxy-test.patch"
                                 "libgda-fix-build.patch"
                                 "libgda-fix-missing-initialization.patch"
diff --git a/gnu/packages/patches/libgda-cve-2021-39359.patch b/gnu/packages/patches/libgda-CVE-2021-39359.patch
similarity index 100%
rename from gnu/packages/patches/libgda-cve-2021-39359.patch
rename to gnu/packages/patches/libgda-CVE-2021-39359.patch
-- 
2.46.0

[bug#74034] [PATCH 02/21] gnu: upx: Update to 4.2.4.

[Nicolas Graves via Guix-patches via]

* gnu/packages/compression.scm (upx): Update to 4.2.4.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/compression.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..a32b15a64a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2438,15 +2438,14 @@ (define-public ucl
 (define-public upx
   (package
     (name "upx")
-    (version "4.1.0")
+    (version "4.2.4")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://github.com/upx/upx/releases/download/v"
                            version "/upx-" version "-src.tar.xz"))
        (sha256
-        (base32
-         "1l273pwa573x9l3izw75cz8ysn2g8w8w3s56rahppa3ya65zg0h5"))))
+        (base32 "1i71p03861hlf5x1w217l67zm5inm449zhbg6kpv8zyj0wb5dmjy"))))
     (build-system cmake-build-system)
     (home-page "https://upx.github.io/")
     (synopsis "Compression tool for executables")
@@ -2455,6 +2454,8 @@ (define-public upx
 compressor.  UPX typically reduces the file size of programs and shared
 libraries by around 50%--70%, thus reducing disk space, network load times,
 download times, and other distribution and storage costs.")
+    ;; These CVEs have been fixed since 4.0.2 but are still linted.
+    (properties `((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457"))))
     (license license:gpl2+)))
 
 (define-public quazip-0
-- 
2.46.0

[bug#74034] [PATCH 03/21] gnu: halibut: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/documentation.scm | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..7522b5f769 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,16 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    ;; This CVE concerns the halibut RPC-based communication framework,
+    ;; rather than the halibut text formatting system.
+    (properties `((lint-hidden-cve . ("CVE-2021-31819"))))
     (license license:expat)))
 
 (define-public doc++
-- 
2.46.0

[bug#74034] [PATCH 04/21] gnu: portfolio: Update to 1.0.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/gnome-xyz.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..b399d30886 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,8 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    ;; This CVE concerns the Wordpress Portfolio plugin, not this package.
+    (properties `((lint-hidden-cve . ("CVE-2019-13232"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.46.0

[bug#74034] [PATCH 05/21] gnu: folders: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hindden-cve property.
---
 gnu/packages/esolangs.scm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..b29787e7bf 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,14 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cve
+                   ;; These CVEs concern...
+                   . ( ; ...the Wordpress Folders plugin
+                      "CVE-2023-40204"
+                      ;; ...the Jenkins Folders plugin
+                      "CVE-2023-40336"
+                      "CVE-2023-40337"
+                      "CVE-2023-40338"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0

[bug#74034] [PATCH 06/21] gnu: spectra: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/algebra.scm (spectra)[properties]: Add lint-hidden-cve
property.
---
 gnu/packages/algebra.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..cb390ea976 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,8 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    ;; These CVEs concern the Wordpress Spectra plugin.
+    (properties `((lint-hidden-cve . ("CVE-2023-36676" "CVE-2023-49833"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0

[bug#74034] [PATCH 07/21] gnu: express: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/bioinformatics.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..2f463c8969 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,8 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    ;; These CVEs concern the Express.js node framework.
+    (properties `((lint-hidden-cve . ("CVE-2022-24999" "CVE-2024-43796"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0

[bug#74034] [PATCH 08/21] gnu: cli: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (cli)[properties]: Add lint-cve-property.
---
 gnu/packages/cpp.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..e9c6dc096b 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,8 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    ;; This CVE concerns Snyk CLI rather than this package.
+    (properties `((lint-hidden-cve . ("CVE-2022-40764"))))
     (license license:expat)))
 
 (define-public xsd
-- 
2.46.0

[bug#74034] [PATCH 09/21] gnu: h2c: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cve property.
---
 gnu/packages/curl.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..bac1841c82 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,8 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    ;; This CVE is for the h2c function in Go.
+    (properties `((lint-hidden-cve . ("CVE-2022-41721"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0

[bug#74034] [PATCH 10/21] gnu: xenon: Update to 0.9.3.

[Nicolas Graves via Guix-patches via]

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/code.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..bbf10be987 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,8 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    ;; This CVE is for another package named Xenon too.
+    (properties '((lint-hidden-cve . ("CVE-2023-39427"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.46.0

[bug#74034] [PATCH 11/21] gnu: bolt: Update to 0.9.8.

[Nicolas Graves via Guix-patches via]

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/linux.scm | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..f9f13ca28a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
@@ -3411,6 +3410,12 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cve . (;; These CVEs concern...
+                                      ;; ...the Bolt PHP cms
+                                      "CVE-2021-27367"
+                                      "CVE-2022-31321"
+                                      ;; ...the Bolt orchestration tool
+                                      "CVE-2023-5214"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0

[bug#74034] [PATCH 12/21] gnu: sylpheed: Add release-monitoring-url property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/mail.scm (sylpheed)[properties]: Add
release-monitoring-url.
---
 gnu/packages/mail.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..77be7626a9 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -4561,6 +4561,8 @@ (define-public sylpheed
      "Sylpheed is a simple, lightweight but featureful, and easy-to-use e-mail
 client.  Sylpheed provides intuitive user-interface.  Sylpheed is also
 designed for keyboard-oriented operation.")
+    (properties '((release-monitoring-url
+                   . "https://sylpheed.sraoss.jp/en/download.html")))
     (license license:gpl2+)))
 
 (define-public python-authres
-- 
2.46.0

[bug#74034] [PATCH 13/21] gnu: openvswitch: Update to 3.4.0.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (openvswitch): Update to 3.4.0.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/networking.scm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..d98179cf2f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2877,7 +2877,7 @@ (define-public nzbget
 (define-public openvswitch
   (package
     (name "openvswitch")
-    (version "3.2.0")
+    (version "3.4.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2885,7 +2885,7 @@ (define-public openvswitch
                     version ".tar.gz"))
               (sha256
                (base32
-                "1i0lb40lwbakmmqklmfcgr01l1ymsawgdi7k9a1zzp8ariw7x4ff"))))
+                "10g84h6lis6fafyjhvmdrs8r539xcar04cc3rsk448gs6848hsqr"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -2961,7 +2961,9 @@ (define-public openvswitch
 supporting standard management interfaces and protocols (e.g. NetFlow, sFlow,
 IPFIX, RSPAN, CLI, LACP, 802.1ag).")
     (properties
-     '((release-monitoring-url . "https://www.openvswitch.org/download/")))
+     '((release-monitoring-url . "https://www.openvswitch.org/download/")
+       ;; This CVE is fixed since 3.2.0.
+       (lint-hidden-cve . ("CVE-2023-5366"))))
     (license                            ; see debian/copyright for detail
      (list license:lgpl2.1              ; xenserver and utilities/bugtool
            license:gpl2                 ; datapath
-- 
2.46.0

[bug#74034] [PATCH 14/21] gnu: quagga: Fix build and hide CVE.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (quagga)
[inputs]: Add libxcrypt.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/networking.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index d98179cf2f..53bc670c41 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -3138,7 +3138,7 @@ (define-public quagga
                         (delete-file "vtysh/extract.pl")))))
     (build-system gnu-build-system)
     (native-inputs (list gawk gcc-9 pkg-config perl dejagnu))
-    (inputs (list readline c-ares))
+    (inputs (list c-ares libxcrypt readline))
     (synopsis "Routing Software Suite")
     (description "Quagga is a routing software suite, providing implementations
 of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms.
@@ -3149,6 +3149,10 @@ (define-public quagga
 clients which typically implement a routing protocol and communicate routing
 updates to the zebra daemon.")
     (home-page "https://www.nongnu.org/quagga/")
+    ;; This CVE concerns systemd services files that we currently don't use.
+    ;; If we were to use them, a fixing patch can be found here:
+    ;; https://build.opensuse.org/request/show/1035188
+    (properties '((lint-hidden-cve . ("CVE-2021-44038"))))
     (license license:gpl2+)))
 
 (define-public bgpq3
-- 
2.46.0

[bug#74034] [PATCH 15/21] gnu: bwm-ng: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/networking.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 53bc670c41..7ed011a7f4 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,8 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    ;; This CVE concerns the npm bwm-ng package rather than this one.
+    (properties '((lint-hidden-cve . ("CVE-2023-26129"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.46.0

[bug#74034] [PATCH 16/21] gnu: onedrive: Update to 2.5.2.

[Nicolas Graves via Guix-patches via]

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cve.
---
 gnu/packages/sync.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..df3bcb6523 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,10 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    ;; These CVEs concern another Microsoft product.
+    (properties '((lint-hidden-cve . ("CVE-2023-24882"
+                                      "CVE-2023-24890"
+                                      "CVE-2023-24923"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0

[bug#74034] [PATCH 17/21] gnu: got: Update to 0.104.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cve
properties.
---
 gnu/packages/version-control.scm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..9c8fdea0a6 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -980,7 +980,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1016,7 +1016,12 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       ;; This CVE is for another Node got package.
+       (lint-hidden-cve . "CVE-2022-33987")))))
 
 (define-public xdiff
   (let ((revision "0")
-- 
2.46.0

[bug#74034] [PATCH 18/21] gnu: dex: Update to 0.10.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/xdisorg.scm | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..10c04fc4e8 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,10 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     ;; These CVEs concern...
+     '((lint-hidden-cve . ("CVE-2024-20802"  ; ...a dex Samsung package.
+                           "CVE-2022-39222")))) ; ...a OpenID connect tool.
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0

[bug#74034] [PATCH 19/21] gnu: immer: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (immer)[properties]: Add lint-hidden-cve
property.
---
 gnu/packages/cpp.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index e9c6dc096b..80eaa26b37 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,8 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   ;; This CVEs concern the immer.js Node package.
+   (properties '((lint-hidden-cve . ("CVE-2021-23436" "CVE-2021-3757"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0

[bug#74034] [PATCH 20/21] gnu: cvs: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/version-control.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 9c8fdea0a6..f4a0f577a9 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2750,6 +2750,8 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    ;; This CVE concerns the Jenkins CVS plugin.
+    (properties '((lint-hidden-cve . ("CVE-2022-29037"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0

[bug#74034] [PATCH 21/21] gnu: gerbv: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/engineering.scm (gerbv)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/engineering.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 6f449f0c39..89e60a7218 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -868,6 +868,8 @@ (define-public gerbv
 you load several files on top of each other, do measurements on the displayed
 image, etc.  Besides viewing Gerbers, you may also view Excellon drill files
 as well as pick-place files.")
+    ;; This CVE has been fixed in version 2.10.0.
+    (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
     (license license:gpl2+)))
 
 (define-public translate2geda
-- 
2.46.0

[bug#74034] [PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

This is a rewrite of 74034 after a new first commit introducing the
management of cpe-vendor data from the CVE database.

Nicolas Graves (16):
  guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  gnu: halibut: Add cpe-vendor property.
  gnu: portfolio: Update to 1.0.1.
  gnu: folders: Add lint-hidden-cpe-vendors property.
  gnu: spectra: Add lint-hidden-cpe-vendors property.
  gnu: express: Add lint-hidden-cpe-vendors property.
  gnu: cli: Add lint-hidden-cpe-vendors property.
  gnu: h2c: Add lint-hidden-cpe-vendors property.
  gnu: xenon: Update to 0.9.3.
  gnu: bolt: Update to 0.9.8.
  gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  gnu: onedrive: Update to 2.5.2.
  gnu: got: Update to 0.104.
  gnu: dex: Update to 0.10.1.
  gnu: immer: Add lint-hidden-cpe-vendors property.
  gnu: cvs: Add lint-hidden-cpe-vendors property.

 gnu/packages/algebra.scm         |  1 +
 gnu/packages/bioinformatics.scm  |  1 +
 gnu/packages/code.scm            |  5 ++-
 gnu/packages/cpp.scm             |  2 +
 gnu/packages/curl.scm            |  1 +
 gnu/packages/documentation.scm   | 14 ++++---
 gnu/packages/esolangs.scm        |  1 +
 gnu/packages/gnome-xyz.scm       |  5 ++-
 gnu/packages/linux.scm           | 16 +++----
 gnu/packages/networking.scm      |  1 +
 gnu/packages/sync.scm            |  5 ++-
 gnu/packages/version-control.scm | 11 +++--
 gnu/packages/xdisorg.scm         | 17 ++++----
 guix/cve.scm                     | 71 +++++++++++++++++++++-----------
 guix/lint.scm                    | 11 ++++-
 tests/cve.scm                    | 30 +++++++-------
 16 files changed, 120 insertions(+), 72 deletions(-)

-- 
2.46.0

[bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place or cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
 guix/cve.scm  | 71 +++++++++++++++++++++++++++++++++------------------
 guix/lint.scm | 11 ++++++--
 tests/cve.scm | 30 +++++++++++-----------
 3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
-                   (match (match:substring matches 3)
+           (values (match:substring matches 1)
+                   (match (match:substring matches 2)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 4)
+                                     (match (match:substring matches 3)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let-values (((package version) (cpe->package cpe)))
            (and package
                 `(,package
                    ,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (filter-vendors vuln vendor hidden-vendors)
+
+  (define (vendor-matches? vendor+name)
+    (if vendor
+        (string-prefix? (string-append vendor ":") vendor+name)
+        (if hidden-vendors
+            (not (any (lambda (v)
+                        (string-prefix? (string-append v ":") vendor+name))
+                      hidden-vendors))
+            #t)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            (((? vendor-matches? vendor+name) . _)  #t)
+            (_                                      #f))
+          packages))))
+
 \f
 ;;;
 ;;; High-level interface.
@@ -404,28 +422,31 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor+name . versions)
+                          (vhash-cons (match (string-split vendor+name #\:)
+                                        ((vendor name) name)
+                                        ((name)        name))
+                                      (cons vuln versions)
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (not (or vendor hidden-vendors))
+                       (and (or vendor hidden-vendors)
+                            (filter-vendors vuln vendor hidden-vendors)))
+                   (or (not version)
+                       (and version (version-matches? version sexp))))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name
+         #:version version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper:junos" (or "18.11" "18.1"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex:ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos:nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu:gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
   (let* ((vulns  (call-with-input-file %sample json->vulnerabilities))
          (lookup (vulnerabilities->lookup-proc vulns)))
     (list (lookup "ghostscript")
-          (lookup "ghostscript" "9.27")
-          (lookup "ghostscript" "9.28")
+          (lookup "ghostscript" #:version "9.27")
+          (lookup "ghostscript" #:version "9.28")
           (lookup "gdb")
-          (lookup "gdb" "42.0")
+          (lookup "gdb" #:version "42.0")
           (lookup "nix")
-          (lookup "nix" "2.4")
-          (lookup "binutils" "2.31.1")
-          (lookup "binutils" "2.10")
-          (lookup "binutils_gold" "1.11")
-          (lookup "binutils" "2.32"))))
+          (lookup "nix" #:version "2.4")
+          (lookup "binutils" #:version "2.31.1")
+          (lookup "binutils" #:version "2.10")
+          (lookup "binutils_gold" #:version "1.11")
+          (lookup "binutils" #:version "2.32"))))
 
 (test-end "cve")
-- 
2.46.0

[bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
-- 
2.46.0

[bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place or cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
 guix/cve.scm  | 71 +++++++++++++++++++++++++++++++++------------------
 guix/lint.scm | 11 ++++++--
 tests/cve.scm | 30 +++++++++++-----------
 3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
-                   (match (match:substring matches 3)
+           (values (match:substring matches 1)
+                   (match (match:substring matches 2)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 4)
+                                     (match (match:substring matches 3)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let-values (((package version) (cpe->package cpe)))
            (and package
                 `(,package
                    ,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (filter-vendors vuln vendor hidden-vendors)
+
+  (define (vendor-matches? vendor+name)
+    (if vendor
+        (string-prefix? (string-append vendor ":") vendor+name)
+        (if hidden-vendors
+            (not (any (lambda (v)
+                        (string-prefix? (string-append v ":") vendor+name))
+                      hidden-vendors))
+            #t)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            (((? vendor-matches? vendor+name) . _)  #t)
+            (_                                      #f))
+          packages))))
+
 \f
 ;;;
 ;;; High-level interface.
@@ -404,28 +422,31 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor+name . versions)
+                          (vhash-cons (match (string-split vendor+name #\:)
+                                        ((vendor name) name)
+                                        ((name)        name))
+                                      (cons vuln versions)
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (not (or vendor hidden-vendors))
+                       (and (or vendor hidden-vendors)
+                            (filter-vendors vuln vendor hidden-vendors)))
+                   (or (not version)
+                       (and version (version-matches? version sexp))))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name
+         #:version version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper:junos" (or "18.11" "18.1"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex:ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos:nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu:gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
   (let* ((vulns  (call-with-input-file %sample json->vulnerabilities))
          (lookup (vulnerabilities->lookup-proc vulns)))
     (list (lookup "ghostscript")
-          (lookup "ghostscript" "9.27")
-          (lookup "ghostscript" "9.28")
+          (lookup "ghostscript" #:version "9.27")
+          (lookup "ghostscript" #:version "9.28")
           (lookup "gdb")
-          (lookup "gdb" "42.0")
+          (lookup "gdb" #:version "42.0")
           (lookup "nix")
-          (lookup "nix" "2.4")
-          (lookup "binutils" "2.31.1")
-          (lookup "binutils" "2.10")
-          (lookup "binutils_gold" "1.11")
-          (lookup "binutils" "2.32"))))
+          (lookup "nix" #:version "2.4")
+          (lookup "binutils" #:version "2.31.1")
+          (lookup "binutils" #:version "2.10")
+          (lookup "binutils_gold" #:version "1.11")
+          (lookup "binutils" #:version "2.32"))))
 
 (test-end "cve")
-- 
2.46.0

[bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
-- 
2.46.0

[bug#74034] [PATCH v2 03/16] gnu: portfolio: Update to 1.0.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.46.0

[bug#74034] [PATCH v2 04/16] gnu: folders: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hindden-cpe-vendors property.
---
 gnu/packages/esolangs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0

[bug#74034] [PATCH v2 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0

[bug#74034] [PATCH v2 06/16] gnu: express: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..bb356f4903 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0

[bug#74034] [PATCH v2 07/16] gnu: cli: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..550f57c6bf 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,7 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    (properties `((lint-hidden-cpe-vendors . ("snyk"))))
     (license license:expat)))
 
 (define-public xsd
-- 
2.46.0

[bug#74034] [PATCH v2 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..2b4b7ebdd8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0

[bug#74034] [PATCH v2 09/16] gnu: xenon: Update to 0.9.3.

[Nicolas Graves via Guix-patches via]

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/code.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..ed48119fe1 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,7 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.46.0

[bug#74034] [PATCH v2 10/16] gnu: bolt: Update to 0.9.8.

[Nicolas Graves via Guix-patches via]

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..9d16c0a9b3 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
@@ -3411,6 +3410,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0

[bug#74034] [PATCH v2 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..8c5548323f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.46.0

[bug#74034] [PATCH v2 12/16] gnu: onedrive: Update to 2.5.2.

[Nicolas Graves via Guix-patches via]

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0

[bug#74034] [PATCH v2 13/16] gnu: got: Update to 0.104.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..df0739a39c 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -980,7 +980,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1016,7 +1016,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
-- 
2.46.0

[bug#74034] [PATCH v2 14/16] gnu: dex: Update to 0.10.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..0977a856cb 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0

[bug#74034] [PATCH v2 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 550f57c6bf..c0f9620f78 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0

[bug#74034] [PATCH v2 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index df0739a39c..28ffd454df 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2749,6 +2749,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0