On Fri, 11 May 2018 14:00:05 +0200 ludo@gnu.org (Ludovic Courtès) wrote:
> >> ‘guix lint’ reports this:
> >>
> >> gnu/packages/image-processing.scm:201:2: opencv@3.4.1: probably
> >> vulnerable to CVE-2018-7712, CVE-2018-7713, CVE-2018-7714
> >>
> >> Could you take a look? It could be that 3.4.2 is around the corner
> >> and we’ll just update at that point; if not, we may have to apply
> >> upstream patches for these issues.
> >
> > While finally linting, I noticed these too. OpenCV claims this is
> > not an issue:
> >
> > https://github.com/opencv/opencv/issues/10998
> >
> > Should we mention it somewhere in the code? Is there a formal
> > process to hide or comment specific CVEs?
>
> The developer’s reasoning makes sense to me (IOW, the CVEs should be
> against the applications that don’t handle exceptions properly rather
> than against OpenCV itself.)
>
> You can use the ‘lint-hidden-cve’ property to explicitly hide them.
> Please add a comment with the URL above as well.

I added a new patch including documentation about lint-hidden-cve:

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31437

Björn
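As an added illustration, not part of this thread and not the actual definition in gnu/packages/image-processing.scm, here is what a package definition using the ‘lint-hidden-cve’ property together with the requested explanatory comment could look like. Only the package name, the version and the three CVE identifiers come from the thread; the source URI, hash, home page, license and description are placeholders.

```scheme
;; Added example, not Guix's own OpenCV definition.  NAME, VERSION and the
;; CVE identifiers are taken from the thread; every other field is a
;; placeholder standing in for values the thread does not show.
(define-module (example packages opencv-lint)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system cmake)
  #:use-module (guix licenses))

(define-public opencv
  (package
    (name "opencv")
    (version "3.4.1")
    (source (origin
              (method url-fetch)
              ;; Placeholder URI and hash; the real ones are not in the thread.
              (uri "https://example.invalid/opencv-3.4.1.tar.gz")
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system cmake-build-system)
    ;; Upstream's position is that these CVEs describe crashes in
    ;; applications that fail to catch the exceptions OpenCV throws on
    ;; malformed input, not defects in OpenCV itself.  Keeping the URL next
    ;; to the property records why 'guix lint' is told to ignore them, so a
    ;; future reviewer can re-check that reasoning when the CVE list changes:
    ;; https://github.com/opencv/opencv/issues/10998
    (properties '((lint-hidden-cve . ("CVE-2018-7712"
                                      "CVE-2018-7713"
                                      "CVE-2018-7714"))))
    (synopsis "Computer vision library")           ; placeholder
    (description "Placeholder description.")       ; placeholder
    (home-page "https://example.invalid/")         ; placeholder
    (license bsd-3)))                              ; placeholder
```

The value of ‘lint-hidden-cve’ is a list of CVE identifier strings, so each suppressed CVE is listed individually rather than hiding the checker wholesale; after editing, running the CVE checker alone with `guix lint --checkers=cve opencv` shows whether the listed identifiers are no longer reported while any newly published CVE for that version still is.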