On Sat, Feb 11, 2017 at 02:53:46PM -0500, Leo Famulari wrote:
> It's important to name the package in accordance with the CPE or set
> the cpe-name property, or else `guix lint -c cve` won't work for that
> package.

In commit 84b60a7cdfc (gnu: lcms: Fix an out-of-bounds read.) I tried to
set the cpe-name but couldn't get it to work, and then I forgot to
remove it from the commit message before pushing.

Anyways, I still can't get it to work after trying again today.

This package should be reported as vulnerable to CVE-2016-10165. The CVE
database for 2016 includes this line in the entry for that CVE:

<cpe-lang:fact-ref name="cpe:/a:littlecms:little_cms_color_engine"/>

But when setting the cpe-name to little_cms_color_engine, the linter
still doesn't report the vulnerability.

Any ideas?