[bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.

[bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.

[Nicolas Graves via Guix-patches via]

This patch series is adding lint-hidden-cve properties for packages
that have less than 10 dependents.

Some packages of these packages have been updated, only when the
update was trivial and harmless.

This is not applying any security fix by itself, but will help
security-related work.

Nicolas Graves (21):
  gnu: libgda: Rename patch for guix lint.
  gnu: upx: Update to 4.2.4.
  gnu: halibut: Add lint-hidden-cve property.
  gnu: portfolio: Update to 1.0.1.
  gnu: folders: Add lint-hidden-cve property.
  gnu: spectra: Add lint-hidden-cve property.
  gnu: express: Add lint-hidden-cve property.
  gnu: cli: Add lint-hidden-cve property.
  gnu: h2c: Add lint-hidden-cve property.
  gnu: xenon: Update to 0.9.3.
  gnu: bolt: Update to 0.9.8.
  gnu: sylpheed: Add release-monitoring-url property.
  gnu: openvswitch: Update to 3.4.0.
  gnu: quagga: Fix build and hide CVE.
  gnu: bwm-ng: Add lint-hidden-cve property.
  gnu: onedrive: Update to 2.5.2.
  gnu: got: Update to 0.104.
  gnu: dex: Update to 0.10.1.
  gnu: immer: Add lint-hidden-cve property.
  gnu: cvs: Add lint-hidden-cve property.
  gnu: gerbv: Add lint-hidden-cve property.

 gnu/local.mk                                  |  2 +-
 gnu/packages/algebra.scm                      |  2 ++
 gnu/packages/bioinformatics.scm               |  2 ++
 gnu/packages/code.scm                         |  6 ++++--
 gnu/packages/compression.scm                  |  7 ++++---
 gnu/packages/cpp.scm                          |  4 ++++
 gnu/packages/curl.scm                         |  2 ++
 gnu/packages/documentation.scm                | 16 ++++++++------
 gnu/packages/engineering.scm                  |  2 ++
 gnu/packages/esolangs.scm                     |  8 +++++++
 gnu/packages/gnome-xyz.scm                    |  6 ++++--
 gnu/packages/gnome.scm                        |  2 +-
 gnu/packages/linux.scm                        | 21 ++++++++++++-------
 gnu/packages/mail.scm                         |  2 ++
 gnu/packages/networking.scm                   | 16 ++++++++++----
 ...9359.patch => libgda-CVE-2021-39359.patch} |  0
 gnu/packages/sync.scm                         |  8 +++++--
 gnu/packages/version-control.scm              | 13 +++++++++---
 gnu/packages/xdisorg.scm                      | 19 ++++++++++-------
 19 files changed, 99 insertions(+), 39 deletions(-)
 rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

-- 
2.46.0

[bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint.

[Nicolas Graves via Guix-patches via]

* gnu/packages/gnome.scm (libgda)[source]<origin>: Rename patch for
CVE to be ignored by guix lint.
---
 gnu/local.mk                                                    | 2 +-
 gnu/packages/gnome.scm                                          | 2 +-
 ...{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..d253b424bb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1666,7 +1666,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libcroco-CVE-2020-12825.patch		\
   %D%/packages/patches/libcyaml-libyaml-compat.patch		\
   %D%/packages/patches/libexpected-use-provided-catch2.patch	\
-  %D%/packages/patches/libgda-cve-2021-39359.patch		\
+  %D%/packages/patches/libgda-CVE-2021-39359.patch		\
   %D%/packages/patches/libgda-disable-data-proxy-test.patch     \
   %D%/packages/patches/libgda-fix-build.patch			\
   %D%/packages/patches/libgda-fix-missing-initialization.patch	\
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..9b26819261 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -13653,7 +13653,7 @@ (define-public libgda
                            name "-" version ".tar.xz"))
        (sha256
         (base32 "0w564z7krgjk19r39mi5qn4kggpdg9ggbyn9pb4aavb61r14npwr"))
-       (patches (search-patches "libgda-cve-2021-39359.patch"
+       (patches (search-patches "libgda-CVE-2021-39359.patch"
                                 "libgda-disable-data-proxy-test.patch"
                                 "libgda-fix-build.patch"
                                 "libgda-fix-missing-initialization.patch"
diff --git a/gnu/packages/patches/libgda-cve-2021-39359.patch b/gnu/packages/patches/libgda-CVE-2021-39359.patch
similarity index 100%
rename from gnu/packages/patches/libgda-cve-2021-39359.patch
rename to gnu/packages/patches/libgda-CVE-2021-39359.patch
-- 
2.46.0

[bug#74034] [PATCH 02/21] gnu: upx: Update to 4.2.4.

[Nicolas Graves via Guix-patches via]

* gnu/packages/compression.scm (upx): Update to 4.2.4.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/compression.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..a32b15a64a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2438,15 +2438,14 @@ (define-public ucl
 (define-public upx
   (package
     (name "upx")
-    (version "4.1.0")
+    (version "4.2.4")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://github.com/upx/upx/releases/download/v"
                            version "/upx-" version "-src.tar.xz"))
        (sha256
-        (base32
-         "1l273pwa573x9l3izw75cz8ysn2g8w8w3s56rahppa3ya65zg0h5"))))
+        (base32 "1i71p03861hlf5x1w217l67zm5inm449zhbg6kpv8zyj0wb5dmjy"))))
     (build-system cmake-build-system)
     (home-page "https://upx.github.io/")
     (synopsis "Compression tool for executables")
@@ -2455,6 +2454,8 @@ (define-public upx
 compressor.  UPX typically reduces the file size of programs and shared
 libraries by around 50%--70%, thus reducing disk space, network load times,
 download times, and other distribution and storage costs.")
+    ;; These CVEs have been fixed since 4.0.2 but are still linted.
+    (properties `((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457"))))
     (license license:gpl2+)))
 
 (define-public quazip-0
-- 
2.46.0

[bug#74034] [PATCH 03/21] gnu: halibut: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/documentation.scm | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..7522b5f769 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,16 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    ;; This CVE concerns the halibut RPC-based communication framework,
+    ;; rather than the halibut text formatting system.
+    (properties `((lint-hidden-cve . ("CVE-2021-31819"))))
     (license license:expat)))
 
 (define-public doc++
-- 
2.46.0

[bug#74034] [PATCH 04/21] gnu: portfolio: Update to 1.0.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/gnome-xyz.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..b399d30886 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,8 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    ;; This CVE concerns the Wordpress Portfolio plugin, not this package.
+    (properties `((lint-hidden-cve . ("CVE-2019-13232"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.46.0

[bug#74034] [PATCH 05/21] gnu: folders: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hindden-cve property.
---
 gnu/packages/esolangs.scm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..b29787e7bf 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,14 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cve
+                   ;; These CVEs concern...
+                   . ( ; ...the Wordpress Folders plugin
+                      "CVE-2023-40204"
+                      ;; ...the Jenkins Folders plugin
+                      "CVE-2023-40336"
+                      "CVE-2023-40337"
+                      "CVE-2023-40338"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0

[bug#74034] [PATCH 06/21] gnu: spectra: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/algebra.scm (spectra)[properties]: Add lint-hidden-cve
property.
---
 gnu/packages/algebra.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..cb390ea976 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,8 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    ;; These CVEs concern the Wordpress Spectra plugin.
+    (properties `((lint-hidden-cve . ("CVE-2023-36676" "CVE-2023-49833"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0

[bug#74034] [PATCH 07/21] gnu: express: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/bioinformatics.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..2f463c8969 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,8 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    ;; These CVEs concern the Express.js node framework.
+    (properties `((lint-hidden-cve . ("CVE-2022-24999" "CVE-2024-43796"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0

[bug#74034] [PATCH 08/21] gnu: cli: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (cli)[properties]: Add lint-cve-property.
---
 gnu/packages/cpp.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..e9c6dc096b 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,8 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    ;; This CVE concerns Snyk CLI rather than this package.
+    (properties `((lint-hidden-cve . ("CVE-2022-40764"))))
     (license license:expat)))
 
 (define-public xsd
-- 
2.46.0

[bug#74034] [PATCH 09/21] gnu: h2c: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cve property.
---
 gnu/packages/curl.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..bac1841c82 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,8 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    ;; This CVE is for the h2c function in Go.
+    (properties `((lint-hidden-cve . ("CVE-2022-41721"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0

[bug#74034] [PATCH 10/21] gnu: xenon: Update to 0.9.3.

[Nicolas Graves via Guix-patches via]

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/code.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..bbf10be987 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,8 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    ;; This CVE is for another package named Xenon too.
+    (properties '((lint-hidden-cve . ("CVE-2023-39427"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.46.0

[bug#74034] [PATCH 11/21] gnu: bolt: Update to 0.9.8.

[Nicolas Graves via Guix-patches via]

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/linux.scm | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..f9f13ca28a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
@@ -3411,6 +3410,12 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cve . (;; These CVEs concern...
+                                      ;; ...the Bolt PHP cms
+                                      "CVE-2021-27367"
+                                      "CVE-2022-31321"
+                                      ;; ...the Bolt orchestration tool
+                                      "CVE-2023-5214"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0

[bug#74034] [PATCH 12/21] gnu: sylpheed: Add release-monitoring-url property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/mail.scm (sylpheed)[properties]: Add
release-monitoring-url.
---
 gnu/packages/mail.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..77be7626a9 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -4561,6 +4561,8 @@ (define-public sylpheed
      "Sylpheed is a simple, lightweight but featureful, and easy-to-use e-mail
 client.  Sylpheed provides intuitive user-interface.  Sylpheed is also
 designed for keyboard-oriented operation.")
+    (properties '((release-monitoring-url
+                   . "https://sylpheed.sraoss.jp/en/download.html")))
     (license license:gpl2+)))
 
 (define-public python-authres
-- 
2.46.0

[bug#74034] [PATCH 13/21] gnu: openvswitch: Update to 3.4.0.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (openvswitch): Update to 3.4.0.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/networking.scm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..d98179cf2f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2877,7 +2877,7 @@ (define-public nzbget
 (define-public openvswitch
   (package
     (name "openvswitch")
-    (version "3.2.0")
+    (version "3.4.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2885,7 +2885,7 @@ (define-public openvswitch
                     version ".tar.gz"))
               (sha256
                (base32
-                "1i0lb40lwbakmmqklmfcgr01l1ymsawgdi7k9a1zzp8ariw7x4ff"))))
+                "10g84h6lis6fafyjhvmdrs8r539xcar04cc3rsk448gs6848hsqr"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -2961,7 +2961,9 @@ (define-public openvswitch
 supporting standard management interfaces and protocols (e.g. NetFlow, sFlow,
 IPFIX, RSPAN, CLI, LACP, 802.1ag).")
     (properties
-     '((release-monitoring-url . "https://www.openvswitch.org/download/")))
+     '((release-monitoring-url . "https://www.openvswitch.org/download/")
+       ;; This CVE is fixed since 3.2.0.
+       (lint-hidden-cve . ("CVE-2023-5366"))))
     (license                            ; see debian/copyright for detail
      (list license:lgpl2.1              ; xenserver and utilities/bugtool
            license:gpl2                 ; datapath
-- 
2.46.0

[bug#74034] [PATCH 14/21] gnu: quagga: Fix build and hide CVE.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (quagga)
[inputs]: Add libxcrypt.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/networking.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index d98179cf2f..53bc670c41 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -3138,7 +3138,7 @@ (define-public quagga
                         (delete-file "vtysh/extract.pl")))))
     (build-system gnu-build-system)
     (native-inputs (list gawk gcc-9 pkg-config perl dejagnu))
-    (inputs (list readline c-ares))
+    (inputs (list c-ares libxcrypt readline))
     (synopsis "Routing Software Suite")
     (description "Quagga is a routing software suite, providing implementations
 of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms.
@@ -3149,6 +3149,10 @@ (define-public quagga
 clients which typically implement a routing protocol and communicate routing
 updates to the zebra daemon.")
     (home-page "https://www.nongnu.org/quagga/")
+    ;; This CVE concerns systemd services files that we currently don't use.
+    ;; If we were to use them, a fixing patch can be found here:
+    ;; https://build.opensuse.org/request/show/1035188
+    (properties '((lint-hidden-cve . ("CVE-2021-44038"))))
     (license license:gpl2+)))
 
 (define-public bgpq3
-- 
2.46.0

[bug#74034] [PATCH 15/21] gnu: bwm-ng: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/networking.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 53bc670c41..7ed011a7f4 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,8 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    ;; This CVE concerns the npm bwm-ng package rather than this one.
+    (properties '((lint-hidden-cve . ("CVE-2023-26129"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.46.0

[bug#74034] [PATCH 16/21] gnu: onedrive: Update to 2.5.2.

[Nicolas Graves via Guix-patches via]

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cve.
---
 gnu/packages/sync.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..df3bcb6523 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,10 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    ;; These CVEs concern another Microsoft product.
+    (properties '((lint-hidden-cve . ("CVE-2023-24882"
+                                      "CVE-2023-24890"
+                                      "CVE-2023-24923"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0

[bug#74034] [PATCH 17/21] gnu: got: Update to 0.104.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cve
properties.
---
 gnu/packages/version-control.scm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..9c8fdea0a6 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -980,7 +980,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1016,7 +1016,12 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       ;; This CVE is for another Node got package.
+       (lint-hidden-cve . "CVE-2022-33987")))))
 
 (define-public xdiff
   (let ((revision "0")
-- 
2.46.0

[bug#74034] [PATCH 18/21] gnu: dex: Update to 0.10.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/xdisorg.scm | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..10c04fc4e8 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,10 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     ;; These CVEs concern...
+     '((lint-hidden-cve . ("CVE-2024-20802"  ; ...a dex Samsung package.
+                           "CVE-2022-39222")))) ; ...a OpenID connect tool.
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0

[bug#74034] [PATCH 19/21] gnu: immer: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (immer)[properties]: Add lint-hidden-cve
property.
---
 gnu/packages/cpp.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index e9c6dc096b..80eaa26b37 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,8 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   ;; This CVEs concern the immer.js Node package.
+   (properties '((lint-hidden-cve . ("CVE-2021-23436" "CVE-2021-3757"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0

[bug#74034] [PATCH 20/21] gnu: cvs: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/version-control.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 9c8fdea0a6..f4a0f577a9 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2750,6 +2750,8 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    ;; This CVE concerns the Jenkins CVS plugin.
+    (properties '((lint-hidden-cve . ("CVE-2022-29037"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0

[bug#74034] [PATCH 21/21] gnu: gerbv: Add lint-hidden-cve property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/engineering.scm (gerbv)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/engineering.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 6f449f0c39..89e60a7218 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -868,6 +868,8 @@ (define-public gerbv
 you load several files on top of each other, do measurements on the displayed
 image, etc.  Besides viewing Gerbers, you may also view Excellon drill files
 as well as pick-place files.")
+    ;; This CVE has been fixed in version 2.10.0.
+    (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
     (license license:gpl2+)))
 
 (define-public translate2geda
-- 
2.46.0

[bug#74034] [PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

This is a rewrite of 74034 after a new first commit introducing the
management of cpe-vendor data from the CVE database.

Nicolas Graves (16):
  guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  gnu: halibut: Add cpe-vendor property.
  gnu: portfolio: Update to 1.0.1.
  gnu: folders: Add lint-hidden-cpe-vendors property.
  gnu: spectra: Add lint-hidden-cpe-vendors property.
  gnu: express: Add lint-hidden-cpe-vendors property.
  gnu: cli: Add lint-hidden-cpe-vendors property.
  gnu: h2c: Add lint-hidden-cpe-vendors property.
  gnu: xenon: Update to 0.9.3.
  gnu: bolt: Update to 0.9.8.
  gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  gnu: onedrive: Update to 2.5.2.
  gnu: got: Update to 0.104.
  gnu: dex: Update to 0.10.1.
  gnu: immer: Add lint-hidden-cpe-vendors property.
  gnu: cvs: Add lint-hidden-cpe-vendors property.

 gnu/packages/algebra.scm         |  1 +
 gnu/packages/bioinformatics.scm  |  1 +
 gnu/packages/code.scm            |  5 ++-
 gnu/packages/cpp.scm             |  2 +
 gnu/packages/curl.scm            |  1 +
 gnu/packages/documentation.scm   | 14 ++++---
 gnu/packages/esolangs.scm        |  1 +
 gnu/packages/gnome-xyz.scm       |  5 ++-
 gnu/packages/linux.scm           | 16 +++----
 gnu/packages/networking.scm      |  1 +
 gnu/packages/sync.scm            |  5 ++-
 gnu/packages/version-control.scm | 11 +++--
 gnu/packages/xdisorg.scm         | 17 ++++----
 guix/cve.scm                     | 71 +++++++++++++++++++++-----------
 guix/lint.scm                    | 11 ++++-
 tests/cve.scm                    | 30 +++++++-------
 16 files changed, 120 insertions(+), 72 deletions(-)

-- 
2.46.0

[bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place or cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
 guix/cve.scm  | 71 +++++++++++++++++++++++++++++++++------------------
 guix/lint.scm | 11 ++++++--
 tests/cve.scm | 30 +++++++++++-----------
 3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
-                   (match (match:substring matches 3)
+           (values (match:substring matches 1)
+                   (match (match:substring matches 2)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 4)
+                                     (match (match:substring matches 3)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let-values (((package version) (cpe->package cpe)))
            (and package
                 `(,package
                    ,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (filter-vendors vuln vendor hidden-vendors)
+
+  (define (vendor-matches? vendor+name)
+    (if vendor
+        (string-prefix? (string-append vendor ":") vendor+name)
+        (if hidden-vendors
+            (not (any (lambda (v)
+                        (string-prefix? (string-append v ":") vendor+name))
+                      hidden-vendors))
+            #t)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            (((? vendor-matches? vendor+name) . _)  #t)
+            (_                                      #f))
+          packages))))
+
 \f
 ;;;
 ;;; High-level interface.
@@ -404,28 +422,31 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor+name . versions)
+                          (vhash-cons (match (string-split vendor+name #\:)
+                                        ((vendor name) name)
+                                        ((name)        name))
+                                      (cons vuln versions)
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (not (or vendor hidden-vendors))
+                       (and (or vendor hidden-vendors)
+                            (filter-vendors vuln vendor hidden-vendors)))
+                   (or (not version)
+                       (and version (version-matches? version sexp))))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name
+         #:version version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper:junos" (or "18.11" "18.1"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex:ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos:nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu:gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
   (let* ((vulns  (call-with-input-file %sample json->vulnerabilities))
          (lookup (vulnerabilities->lookup-proc vulns)))
     (list (lookup "ghostscript")
-          (lookup "ghostscript" "9.27")
-          (lookup "ghostscript" "9.28")
+          (lookup "ghostscript" #:version "9.27")
+          (lookup "ghostscript" #:version "9.28")
           (lookup "gdb")
-          (lookup "gdb" "42.0")
+          (lookup "gdb" #:version "42.0")
           (lookup "nix")
-          (lookup "nix" "2.4")
-          (lookup "binutils" "2.31.1")
-          (lookup "binutils" "2.10")
-          (lookup "binutils_gold" "1.11")
-          (lookup "binutils" "2.32"))))
+          (lookup "nix" #:version "2.4")
+          (lookup "binutils" #:version "2.31.1")
+          (lookup "binutils" #:version "2.10")
+          (lookup "binutils_gold" #:version "1.11")
+          (lookup "binutils" #:version "2.32"))))
 
 (test-end "cve")
-- 
2.46.0

[bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
-- 
2.46.0

[bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place or cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
 guix/cve.scm  | 71 +++++++++++++++++++++++++++++++++------------------
 guix/lint.scm | 11 ++++++--
 tests/cve.scm | 30 +++++++++++-----------
 3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
-                   (match (match:substring matches 3)
+           (values (match:substring matches 1)
+                   (match (match:substring matches 2)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 4)
+                                     (match (match:substring matches 3)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let-values (((package version) (cpe->package cpe)))
            (and package
                 `(,package
                    ,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (filter-vendors vuln vendor hidden-vendors)
+
+  (define (vendor-matches? vendor+name)
+    (if vendor
+        (string-prefix? (string-append vendor ":") vendor+name)
+        (if hidden-vendors
+            (not (any (lambda (v)
+                        (string-prefix? (string-append v ":") vendor+name))
+                      hidden-vendors))
+            #t)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            (((? vendor-matches? vendor+name) . _)  #t)
+            (_                                      #f))
+          packages))))
+
 \f
 ;;;
 ;;; High-level interface.
@@ -404,28 +422,31 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor+name . versions)
+                          (vhash-cons (match (string-split vendor+name #\:)
+                                        ((vendor name) name)
+                                        ((name)        name))
+                                      (cons vuln versions)
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (not (or vendor hidden-vendors))
+                       (and (or vendor hidden-vendors)
+                            (filter-vendors vuln vendor hidden-vendors)))
+                   (or (not version)
+                       (and version (version-matches? version sexp))))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name
+         #:version version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper:junos" (or "18.11" "18.1"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex:ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos:nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu:gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
   (let* ((vulns  (call-with-input-file %sample json->vulnerabilities))
          (lookup (vulnerabilities->lookup-proc vulns)))
     (list (lookup "ghostscript")
-          (lookup "ghostscript" "9.27")
-          (lookup "ghostscript" "9.28")
+          (lookup "ghostscript" #:version "9.27")
+          (lookup "ghostscript" #:version "9.28")
           (lookup "gdb")
-          (lookup "gdb" "42.0")
+          (lookup "gdb" #:version "42.0")
           (lookup "nix")
-          (lookup "nix" "2.4")
-          (lookup "binutils" "2.31.1")
-          (lookup "binutils" "2.10")
-          (lookup "binutils_gold" "1.11")
-          (lookup "binutils" "2.32"))))
+          (lookup "nix" #:version "2.4")
+          (lookup "binutils" #:version "2.31.1")
+          (lookup "binutils" #:version "2.10")
+          (lookup "binutils_gold" #:version "1.11")
+          (lookup "binutils" #:version "2.32"))))
 
 (test-end "cve")
-- 
2.46.0

[bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
-- 
2.46.0

[bug#74034] [PATCH v2 03/16] gnu: portfolio: Update to 1.0.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.46.0

[bug#74034] [PATCH v2 04/16] gnu: folders: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hindden-cpe-vendors property.
---
 gnu/packages/esolangs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0

[bug#74034] [PATCH v2 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0

[bug#74034] [PATCH v2 06/16] gnu: express: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..bb356f4903 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0

[bug#74034] [PATCH v2 07/16] gnu: cli: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..550f57c6bf 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,7 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    (properties `((lint-hidden-cpe-vendors . ("snyk"))))
     (license license:expat)))
 
 (define-public xsd
-- 
2.46.0

[bug#74034] [PATCH v2 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..2b4b7ebdd8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0

[bug#74034] [PATCH v2 09/16] gnu: xenon: Update to 0.9.3.

[Nicolas Graves via Guix-patches via]

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/code.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..ed48119fe1 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,7 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.46.0

[bug#74034] [PATCH v2 10/16] gnu: bolt: Update to 0.9.8.

[Nicolas Graves via Guix-patches via]

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..9d16c0a9b3 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
@@ -3411,6 +3410,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0

[bug#74034] [PATCH v2 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..8c5548323f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.46.0

[bug#74034] [PATCH v2 12/16] gnu: onedrive: Update to 2.5.2.

[Nicolas Graves via Guix-patches via]

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0

[bug#74034] [PATCH v2 13/16] gnu: got: Update to 0.104.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..df0739a39c 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -980,7 +980,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1016,7 +1016,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
-- 
2.46.0

[bug#74034] [PATCH v2 14/16] gnu: dex: Update to 0.10.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..0977a856cb 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0

[bug#74034] [PATCH v2 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 550f57c6bf..c0f9620f78 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0

[bug#74034] [PATCH v2 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index df0739a39c..28ffd454df 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2749,6 +2749,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0

[bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Ludovic Courtès]

Hi,

Nicolas Graves <ngraves@ngraves.fr> skribis:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to cpe->package and use
> cpe_vendor:cpe_name in place or cpe_name.
> (filter-vendors): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm: Adapt tests.

Nice!

Please mention the names of tests being change in the commit log (see
‘git log’ for examples).

> -(define (cpe->package-name cpe)
> +(define (cpe->package cpe)

Or ‘cpe->package-identifier’?

It’s unpleasant that said identifier is an unparsed “vendor:package”
string.  I wonder if we should instead leave ‘%cpe-package-rx’ unchanged
and return three values: package, version, vendor.

The downside is that it would lead to more changes down the road because
we’d have to carry the vendor bit along.

Thoughts?

> +(define (filter-vendors vuln vendor hidden-vendors)
> +

Always add a docstring for top-level procedures.

> +  (define (vendor-matches? vendor+name)
> +    (if vendor
> +        (string-prefix? (string-append vendor ":") vendor+name)
> +        (if hidden-vendors
> +            (not (any (lambda (v)
> +                        (string-prefix? (string-append v ":") vendor+name))
> +                      hidden-vendors))
> +            #t)))

(if x y #t) => (or (not x) y)
s/v/vendor/

> +  (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))

I’d keep ‘version’ option rather than keyword, for compatibility and
because it’s more commonly useful than the others.

‘hidden-vendors’ should always be a list, the empty list by default
(rule of thumb: avoid “#f | list” polymorphism if a list is as
expressive.)

> +    (vhash-fold*
> +     (lambda (pair result)
> +       (match pair
> +         ((vuln sexp)
> +          (if (and (or (not (or vendor hidden-vendors))
> +                       (and (or vendor hidden-vendors)
> +                            (filter-vendors vuln vendor hidden-vendors)))
> +                   (or (not version)
> +                       (and version (version-matches? version sexp))))

(or (not x) (and x y)) => (or (not x) y)

Thanks,
Ludo’.

[bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

On 2024-11-06 22:43, Ludovic Courtès wrote:

> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> skribis:
>
>> * guix/cve.scm: Exploit cpe vendors information.
>> (cpe->package-name): Rename to cpe->package and use
>> cpe_vendor:cpe_name in place or cpe_name.
>> (filter-vendors): Add helper function.
>> (vulnerabilities->lookup-proc): Extract cpe_name for table
>> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
>> pass vulnerabilities to result in the fold.
>>
>> * guix/lint.scm (package-vulnerabilities): Use additional arguments
>> from vulnerabilities->lookup-proc.
>>
>> * tests/cve.scm: Adapt tests.
>
> Nice!
>
> Please mention the names of tests being change in the commit log (see
> ‘git log’ for examples).
>
>> -(define (cpe->package-name cpe)
>> +(define (cpe->package cpe)
>
> Or ‘cpe->package-identifier’?
>
> It’s unpleasant that said identifier is an unparsed “vendor:package”
> string.  I wonder if we should instead leave ‘%cpe-package-rx’ unchanged
> and return three values: package, version, vendor.
>
> The downside is that it would lead to more changes down the road because
> we’d have to carry the vendor bit along.
>
> Thoughts?

I actually took this route first, then reverted back to editing the
regexp.  This was indeed for simplicity (rationale: make a first working
version with minimal changes, then if necessary improve).  Yes indeed
doing this makes a lot of changes in the code, although not complex.

I agree with the rest of the changes. I'll try to make a commit on top
of that, possibly this weekend.


-- 
Best regards,
Nicolas Graves

[bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

On 2024-11-07 09:45, Nicolas Graves via Guix-patches via wrote:


>
> I actually took this route first, then reverted back to editing the
> regexp.  This was indeed for simplicity (rationale: make a first working
> version with minimal changes, then if necessary improve).  Yes indeed
> doing this makes a lot of changes in the code, although not complex.
>
> I agree with the rest of the changes. I'll try to make a commit on top
> of that, possibly this weekend.

Indeed it's quite tedious to dig into nested folds.  Maybe we can just
leave a TODO comment inviting a courageous candidate to tackle this in
the future ?  I feel we should block this by perfectionism it we have a
suitable enough package-identifier.  Not that I don't like to dig,
rather than I'll me more at peace tackling this when I have more time.

-- 
Best regards,
Nicolas Graves

[bug#74034] [PATCH v3 01/17] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place or cpe_name.
(vulnerabily-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
 guix/cve.scm  | 69 ++++++++++++++++++++++++++++++++-------------------
 guix/lint.scm | 10 ++++++--
 tests/cve.scm | 14 +++++------
 3 files changed, 59 insertions(+), 34 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..f7984be0ad 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
-                   (match (match:substring matches 3)
+           (values (match:substring matches 1)
+                   (match (match:substring matches 2)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 4)
+                                     (match (match:substring matches 3)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let-values (((package version) (cpe->package-identifier cpe)))
            (and package
                 `(,package
                    ,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+  "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages.  When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+  (define (vendor-matches? vendor+name)
+    (if vendor
+        (string-prefix? (string-append vendor ":") vendor+name)
+        (or (null? hidden-vendors)
+            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
+                  hidden-vendors)))))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            (((? vendor-matches? vendor+name) . _)  #t)
+            (_                                      #f))
+          packages))))
+
 \f
 ;;;
 ;;; High-level interface.
@@ -404,28 +422,29 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor+name . versions)
+                          (vhash-cons (match (string-split vendor+name #\:)
+                                        ((vendor name) name)
+                                        ((name)        name))
+                                      (cons vuln versions)
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (and (not vendor) (null? hidden-vendors))
+                       (vulnerability-matches? vuln vendor hidden-vendors))
+                   (or (not version) (version-matches? version sexp)))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..6567d73c69 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper:junos" (or "18.11" "18.1"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex:ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos:nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu:gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
-- 
2.46.0

[bug#74034] [PATCH v3 02/17] cve: Separate vendor and string.

[Nicolas Graves via Guix-patches via]

---
 guix/cve.scm  | 111 +++++++++++++++++++++++++-------------------------
 tests/cve.scm |  14 +++----
 2 files changed, 63 insertions(+), 62 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index f7984be0ad..4f410ccc5e 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -106,7 +106,7 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
 (define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
@@ -117,18 +117,19 @@ (define (cpe->package-identifier cpe)
          =>
          (lambda (matches)
            (values (match:substring matches 1)
-                   (match (match:substring matches 2)
+                   (match:substring matches 2)
+                   (match (match:substring matches 3)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 3)
+                                     (match (match:substring matches 4)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-identifier cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
   "Checks if a VENDOR matches at least one of <vulnerability> VULN
 packages.  When VENDOR is #f, ignore packages that have a vendor among
 HIDDEN-VENDORS."
-  (define (vendor-matches? vendor+name)
-    (if vendor
-        (string-prefix? (string-append vendor ":") vendor+name)
-        (or (null? hidden-vendors)
-            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
-                  hidden-vendors)))))
-
   (match vuln
     (($ <vulnerability> id packages)
      (any (match-lambda
-            (((? vendor-matches? vendor+name) . _)  #t)
-            (_                                      #f))
+            (((? (cut string=? <> vendor)) _)        #t)
+            (((? (cut member <> hidden-vendors)) _)  #t)
+            (_                                       #f))
           packages))))
 
 \f
@@ -290,39 +286,47 @@ (define sexp->vulnerability
      (vulnerability id packages))))
 
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (vendor+package-list '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop vendor+package-list configs))
+      (('and config _ ...)                            ;XXX
+       (loop config vendor+package-list))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((filtered-list (filter (match-lambda
+                                      ((vendor package _)  #f)
+                                      (otherwise           otherwise))
+                                    vendor+package-list)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) filtered-list))
+           (_
+            (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
+              (_
+               (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (filter (match-lambda
+                                      ((vendor package _)  #f)
+                                      (otherwise           otherwise))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
@@ -422,11 +426,8 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((vendor+name . versions)
-                          (vhash-cons (match (string-split vendor+name #\:)
-                                        ((vendor name) name)
-                                        ((name)        name))
-                                      (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
diff --git a/tests/cve.scm b/tests/cve.scm
index 6567d73c69..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("juniper:junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("artifex:ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nixos:nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gnu:gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
-- 
2.46.0

[bug#74034] [PATCH v3 03/17] gnu: halibut: Add cpe-vendor property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
-- 
2.46.0

[bug#74034] [PATCH v3 04/17] gnu: portfolio: Update to 1.0.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.46.0

[bug#74034] [PATCH v3 05/17] gnu: folders: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hindden-cpe-vendors property.
---
 gnu/packages/esolangs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0

[bug#74034] [PATCH v3 06/17] gnu: spectra: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0

[bug#74034] [PATCH v3 07/17] gnu: express: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 35ff96ce42..34b58a5511 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7047,6 +7047,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0

[bug#74034] [PATCH v3 08/17] gnu: cli: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index f8e8557ef1..bb6872d7e3 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2327,6 +2327,7 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    (properties `((lint-hidden-cpe-vendors . ("snyk"))))
     (license license:expat)))
 
 (define-public xsd
-- 
2.46.0

[bug#74034] [PATCH v3 09/17] gnu: h2c: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..2b4b7ebdd8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0

[bug#74034] [PATCH v3 10/17] gnu: xenon: Update to 0.9.3.

[Nicolas Graves via Guix-patches via]

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/code.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 04ca4dfd6b..5ed2126225 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1054,14 +1054,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1073,6 +1073,7 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.46.0

[bug#74034] [PATCH v3 11/17] gnu: bolt: Update to 0.9.8.

[Nicolas Graves via Guix-patches via]

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 992790188a..6b79efa91f 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
@@ -3411,6 +3410,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0

[bug#74034] [PATCH v3 12/17] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 6e3a355bd4..2bdf011f34 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.46.0

[bug#74034] [PATCH v3 13/17] gnu: onedrive: Update to 2.5.2.

[Nicolas Graves via Guix-patches via]

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0

[bug#74034] [PATCH v3 14/17] gnu: got: Update to 0.104.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index a15f274c37..f323766579 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
-- 
2.46.0

[bug#74034] [PATCH v3 15/17] gnu: dex: Update to 0.10.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0

[bug#74034] [PATCH v3 16/17] gnu: immer: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index bb6872d7e3..5c686db532 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0

[bug#74034] [PATCH v3 17/17] gnu: cvs: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index f323766579..505be48d17 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0

[bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.

[Nicolas Graves via Guix-patches via]

This commit has currently no proper commit message, but it's because it
should probably be squashed if we want to go this way.

In the end, I've done it, quite tedious (for me at least!) but done.
I'm not super sure however that it's clearer (vulnerability-matches?
definitely is, but the whole, I doubt that).  Just pick your preference
I guess!

Nicolas

-------------------- Start of forwarded message --------------------
From: Nicolas Graves <ngraves@ngraves.fr>
To: 74034@debbugs.gnu.org
Cc: Nicolas Graves <ngraves@ngraves.fr>
Subject: [PATCH v3 02/17] cve: Separate vendor and string.
Date: Fri,  8 Nov 2024 19:02:25 +0100

---
 guix/cve.scm  | 111 +++++++++++++++++++++++++-------------------------
 tests/cve.scm |  14 +++----
 2 files changed, 63 insertions(+), 62 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index f7984be0ad..4f410ccc5e 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -106,7 +106,7 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
 (define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
@@ -117,18 +117,19 @@ (define (cpe->package-identifier cpe)
          =>
          (lambda (matches)
            (values (match:substring matches 1)
-                   (match (match:substring matches 2)
+                   (match:substring matches 2)
+                   (match (match:substring matches 3)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 3)
+                                     (match (match:substring matches 4)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-identifier cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
   "Checks if a VENDOR matches at least one of <vulnerability> VULN
 packages.  When VENDOR is #f, ignore packages that have a vendor among
 HIDDEN-VENDORS."
-  (define (vendor-matches? vendor+name)
-    (if vendor
-        (string-prefix? (string-append vendor ":") vendor+name)
-        (or (null? hidden-vendors)
-            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
-                  hidden-vendors)))))
-
   (match vuln
     (($ <vulnerability> id packages)
      (any (match-lambda
-            (((? vendor-matches? vendor+name) . _)  #t)
-            (_                                      #f))
+            (((? (cut string=? <> vendor)) _)        #t)
+            (((? (cut member <> hidden-vendors)) _)  #t)
+            (_                                       #f))
           packages))))
 
 \f
@@ -290,39 +286,47 @@ (define sexp->vulnerability
      (vulnerability id packages))))
 
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (vendor+package-list '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop vendor+package-list configs))
+      (('and config _ ...)                            ;XXX
+       (loop config vendor+package-list))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((filtered-list (filter (match-lambda
+                                      ((vendor package _)  #f)
+                                      (otherwise           otherwise))
+                                    vendor+package-list)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) filtered-list))
+           (_
+            (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
+              (_
+               (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (filter (match-lambda
+                                      ((vendor package _)  #f)
+                                      (otherwise           otherwise))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
@@ -422,11 +426,8 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((vendor+name . versions)
-                          (vhash-cons (match (string-split vendor+name #\:)
-                                        ((vendor name) name)
-                                        ((name)        name))
-                                      (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
diff --git a/tests/cve.scm b/tests/cve.scm
index 6567d73c69..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("juniper:junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("artifex:ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nixos:nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gnu:gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
-- 
2.46.0

-------------------- End of forwarded message --------------------

-- 
Best regards,
Nicolas Graves

[bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.

[Maxim Cournoyer]

Hi Nicolas,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This commit has currently no proper commit message, but it's because it
> should probably be squashed if we want to go this way.
>
> In the end, I've done it, quite tedious (for me at least!) but done.
> I'm not super sure however that it's clearer (vulnerability-matches?
> definitely is, but the whole, I doubt that).  Just pick your preference
> I guess!

I think this one looks nicer without the parsing of colons every time we
need to extract the vendor/package name, thanks for having taken the
time to adjust it based on Ludovic's feedback.

[...]

>  (define (configuration-data->cve-configurations alist)
>    "Given ALIST, a JSON dictionary for the baroque \"configurations\"
> @@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
>    "Checks if a VENDOR matches at least one of <vulnerability> VULN
>  packages.  When VENDOR is #f, ignore packages that have a vendor among
>  HIDDEN-VENDORS."
> -  (define (vendor-matches? vendor+name)
> -    (if vendor
> -        (string-prefix? (string-append vendor ":") vendor+name)
> -        (or (null? hidden-vendors)
> -            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
> -                  hidden-vendors)))))
> -
>    (match vuln
>      (($ <vulnerability> id packages)
>       (any (match-lambda
> -            (((? vendor-matches? vendor+name) . _)  #t)
> -            (_                                      #f))
> +            (((? (cut string=? <> vendor)) _)        #t)
> +            (((? (cut member <> hidden-vendors)) _)  #t)

We are comparing <vulnerability> packages to the vendor strings; is this
correct?

At least I'd expect a hidden-vendors match to return #f, since I assume
we do not want to process these further?

> +            (_                                       #f))
>            packages))))
>
>  \f
> @@ -290,39 +286,47 @@ (define sexp->vulnerability
>       (vulnerability id packages))))
>
>  (define (cve-configuration->package-list config)
> -  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
> -where P is a package name and SEXP expresses constraints on the matching
> -versions."
> +  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
> +where V is a CPE vendor, P is a package name and SEXP expresses constraints on
> +the matching versions."
>    (let loop ((config config)
> -             (packages '()))
> +             (vendor+package-list '()))

nitpick: I'm not too found of using the variable type in its name (here,
'list').  Perhaps just 'results' could do (plural to denote it's a
list).

>      (match config
>        (('or configs ...)
> -       (fold loop packages configs))
> -      (('and config _ ...)                        ;XXX
> -       (loop config packages))
> -      (((? string? package) '_)                   ;any version
> -       (cons `(,package _)
> -             (alist-delete package packages)))
> -      (((? string? package) sexp)
> -       (let ((previous (assoc-ref packages package)))
> -         (if previous
> -             (cons `(,package (or ,sexp ,@previous))
> -                   (alist-delete package packages))
> -             (cons `(,package ,sexp) packages)))))))
> +       (fold loop vendor+package-list configs))
> +      (('and config _ ...)                            ;XXX
> +       (loop config vendor+package-list))
> +      (((? string? vendor) (? string? package) sexp)
> +       (let ((filtered-list (filter (match-lambda
> +                                      ((vendor package _)  #f)

I'd use 'remove' to inverse the negative logic.  Assuming
'vendor+package-list' becomes 'results', the let-bound variable could
be named (let ((pruned-results (remove ...))) ...)).  Also,
shouldn't the '_' in the match-lambda be quoted to denote it's a literal
underscore character, not a "don't-care" pattern?

> +                                      (otherwise           otherwise))
> +                                    vendor+package-list)))
> +         (match sexp
> +           ('_  ;any version
> +            (cons `(,vendor ,package _) filtered-list))
> +           (_
> +            (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
> +              ((previous)
> +               (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
> +              (_
> +               (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))

I find the logic expressed in this procedure a bit hard to follow, but
that's been inherited from the previous code, so OK.

>  (define (merge-package-lists lst)
> -  "Merge the list in LST, each of which has the form (p sexp), where P
> -is the name of a package and SEXP is an sexp that constrains matching
> -versions."
> +  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
> +CPE vendor, P is the name of a package and SEXP is an sexp that constrains
> +matching versions."
>    (fold (lambda (plist result)                    ;XXX: quadratic
>            (fold (match-lambda*
> -                  (((package version) result)
> -                   (match (assoc-ref result package)
> -                     (#f
> -                      (cons `(,package ,version) result))
> -                     ((previous)
> -                      (cons `(,package (or ,version ,previous))
> -                            (alist-delete package result))))))
> +                  (((vendor package version) result)
> +                   (match (assoc-ref result vendor)
> +                     (((? (cut string=? package <>)) previous)
> +                      (cons `(,vendor ,package (or ,version ,previous))
> +                            (filter (match-lambda
> +                                      ((vendor package _)  #f)
> +                                      (otherwise           otherwise))
> +                                    result)))

This should use SRFI 1's 'remove' instead of 'filter'.

The rest looks good to me.

Could you please address my questions/suggestions and squash this into
the previous commit (with the accompanied changelog commit message
adjustment) ?

-- 
Thanks,
Maxim

[bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.

[Nicolas Graves via Guix-patches via]

On 2024-11-13 11:53, Maxim Cournoyer wrote:

> Hi Nicolas,
>
> I think this one looks nicer without the parsing of colons every time we
> need to extract the vendor/package name, thanks for having taken the
> time to adjust it based on Ludovic's feedback.

Ok, will squash both commits then. 
>
> [...]
>
>>  (define (configuration-data->cve-configurations alist)
>>    "Given ALIST, a JSON dictionary for the baroque \"configurations\"
>> @@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
>>    "Checks if a VENDOR matches at least one of <vulnerability> VULN
>>  packages.  When VENDOR is #f, ignore packages that have a vendor among
>>  HIDDEN-VENDORS."
>> -  (define (vendor-matches? vendor+name)
>> -    (if vendor
>> -        (string-prefix? (string-append vendor ":") vendor+name)
>> -        (or (null? hidden-vendors)
>> -            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
>> -                  hidden-vendors)))))
>> -
>>    (match vuln
>>      (($ <vulnerability> id packages)
>>       (any (match-lambda
>> -            (((? vendor-matches? vendor+name) . _)  #t)
>> -            (_                                      #f))
>> +            (((? (cut string=? <> vendor)) _)        #t)
>> +            (((? (cut member <> hidden-vendors)) _)  #t)
>
> We are comparing <vulnerability> packages to the vendor strings; is this
> correct?

Actually the first sexp element of <vulnerability> packages (hence the
_). 
>
> At least I'd expect a hidden-vendors match to return #f, since I assume
> we do not want to process these further?

Indeed it looks like a mistake / forgotten not.  Will check the logic.


> The rest looks good to me.
>
> Could you please address my questions/suggestions and squash this into
> the previous commit (with the accompanied changelog commit message
> adjustment) ?

Yep.

-- 
Best regards,
Nicolas Graves

[bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.

[Nicolas Graves via Guix-patches via]

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place or cpe_name.
(vulnerabily-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
 guix/cve.scm  | 143 +++++++++++++++++++++++++++++---------------------
 guix/lint.scm |  10 +++-
 tests/cve.scm |  14 ++---
 3 files changed, 99 insertions(+), 68 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..ecf96e0659 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -108,15 +108,16 @@ (define %cpe-package-rx
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
   (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
+           (values (match:substring matches 1)
+                   (match:substring matches 2)
                    (match (match:substring matches 3)
                      ("*" '_)
                      (version
@@ -128,7 +129,7 @@ (define (cpe->package-name cpe)
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -228,6 +230,23 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+  "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages.  When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+  (define hidden-vendor?
+    (if (list? hidden-vendors)
+        (cut member <> hidden-vendors)
+        (const #f)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            ((? (cut string=? <> vendor))   #t)
+            ((? hidden-vendor?)             #f)
+            (otherwise                      (not vendor)))
+          (map car packages)))))  ;candidate vendors
+
 \f
 ;;;
 ;;; High-level interface.
@@ -272,39 +291,47 @@ (define sexp->vulnerability
      (vulnerability id packages))))
 
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (results '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop results configs))
+      (('and config _ ...)                            ;XXX
+       (loop config results))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((pruned-results (remove (match-lambda
+                                       ((vendor package _)  #t)
+                                       (otherwise           #f))
+                                     results)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) pruned-results))
+           (_
+            (match (assoc-ref (assoc-ref results vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) pruned-results))
+              (_
+               (cons `(,vendor ,package ,sexp) results))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (remove (match-lambda
+                                      ((vendor package _)  #t)
+                                      (otherwise           #f))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
@@ -404,28 +431,26 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (and (not vendor) (null? hidden-vendors))
+                       (vulnerability-matches? vuln vendor hidden-vendors))
+                   (or (not version) (version-matches? version sexp)))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
-- 
2.46.0

[bug#74034] [PATCH v4 03/16] gnu: portfolio: Update to 1.0.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.46.0

[bug#74034] [PATCH v4 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0

[bug#74034] [PATCH v4 06/16] gnu: express: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 599d22c51e..4174364a08 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7265,6 +7265,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0

[bug#74034] [PATCH v4 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 96f993d99a..d238479769 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -377,6 +377,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0

[bug#74034] [PATCH v4 10/16] gnu: bolt: Update to 0.9.8.

[Nicolas Graves via Guix-patches via]

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index a2a0359055..9c2cfa7ddf 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3333,7 +3333,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3342,7 +3342,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3351,12 +3351,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
@@ -3378,6 +3377,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0

[bug#74034] [PATCH v4 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index f0f0619161..8115c989aa 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.46.0

[bug#74034] [PATCH v4 12/16] gnu: onedrive: Update to 2.5.2.

[Nicolas Graves via Guix-patches via]

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0

[bug#74034] [PATCH v4 13/16] gnu: got: Update to 0.104.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c892a83a98..27c14422d1 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
-- 
2.46.0

[bug#74034] [PATCH v4 14/16] gnu: dex: Update to 0.10.1.

[Nicolas Graves via Guix-patches via]

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0

[bug#74034] [PATCH v4 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index bb6872d7e3..5c686db532 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0

[bug#74034] [PATCH v4 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.

[Nicolas Graves via Guix-patches via]

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 27c14422d1..a0eb9f32d2 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0

[bug#74034] [PATCH v2] gnu: got: Update to 0.105.

[ashish.is--- via Guix-patches via]

From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/version-control.scm (got): Update to 0.105.

Change-Id: I7846536927717b1a7cc79e8a3a70e9254eade22a
---
 gnu/packages/version-control.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 3e66163253..531d4827dc 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.104")
+    (version "0.105")
     (source (origin
               (method url-fetch)
               (uri
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
+                "0i52bkyhs2v8h1b6045hybnzyhr8hvgw87y3pr0s4vyhvihf6wri"))))
     (inputs
      (list libevent
            `(,util-linux "lib")

base-commit: b8d654f60a278790d0d65266b063b08c204ee15e
-- 
2.47.0