all messages for Guix-related lists mirrored at yhetil.org
* [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages.
@ 2024-10-26 22:21 Nicolas Graves via Guix-patches via
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                   ` (7 more replies)
  0 siblings, 8 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:21 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

This patch series is adding lint-hidden-cve properties for packages
that have fewer than 10 dependents.

Some of these packages have been updated, only when the
update was trivial and harmless.

This is not applying any security fix by itself, but will help
security-related work.

Nicolas Graves (21):
  gnu: libgda: Rename patch for guix lint.
  gnu: upx: Update to 4.2.4.
  gnu: halibut: Add lint-hidden-cve property.
  gnu: portfolio: Update to 1.0.1.
  gnu: folders: Add lint-hidden-cve property.
  gnu: spectra: Add lint-hidden-cve property.
  gnu: express: Add lint-hidden-cve property.
  gnu: cli: Add lint-hidden-cve property.
  gnu: h2c: Add lint-hidden-cve property.
  gnu: xenon: Update to 0.9.3.
  gnu: bolt: Update to 0.9.8.
  gnu: sylpheed: Add release-monitoring-url property.
  gnu: openvswitch: Update to 3.4.0.
  gnu: quagga: Fix build and hide CVE.
  gnu: bwm-ng: Add lint-hidden-cve property.
  gnu: onedrive: Update to 2.5.2.
  gnu: got: Update to 0.104.
  gnu: dex: Update to 0.10.1.
  gnu: immer: Add lint-hidden-cve property.
  gnu: cvs: Add lint-hidden-cve property.
  gnu: gerbv: Add lint-hidden-cve property.

 gnu/local.mk                                  |  2 +-
 gnu/packages/algebra.scm                      |  2 ++
 gnu/packages/bioinformatics.scm               |  2 ++
 gnu/packages/code.scm                         |  6 ++++--
 gnu/packages/compression.scm                  |  7 ++++---
 gnu/packages/cpp.scm                          |  4 ++++
 gnu/packages/curl.scm                         |  2 ++
 gnu/packages/documentation.scm                | 16 ++++++++------
 gnu/packages/engineering.scm                  |  2 ++
 gnu/packages/esolangs.scm                     |  8 +++++++
 gnu/packages/gnome-xyz.scm                    |  6 ++++--
 gnu/packages/gnome.scm                        |  2 +-
 gnu/packages/linux.scm                        | 21 ++++++++++++-------
 gnu/packages/mail.scm                         |  2 ++
 gnu/packages/networking.scm                   | 16 ++++++++++----
 ...9359.patch => libgda-CVE-2021-39359.patch} |  0
 gnu/packages/sync.scm                         |  8 +++++--
 gnu/packages/version-control.scm              | 13 +++++++++---
 gnu/packages/xdisorg.scm                      | 19 ++++++++++-------
 19 files changed, 99 insertions(+), 39 deletions(-)
 rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

-- 
2.46.0






* [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint.
  2024-10-26 22:21 [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41 ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 02/21] gnu: upx: Update to 4.2.4 Nicolas Graves via Guix-patches via
                     ` (19 more replies)
  2024-10-27 18:16 ` [bug#74034] [PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                   ` (6 subsequent siblings)
  7 siblings, 20 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/gnome.scm (libgda)[source]<origin>: Rename patch for
CVE to be ignored by guix lint.
---
 gnu/local.mk                                                    | 2 +-
 gnu/packages/gnome.scm                                          | 2 +-
 ...{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..d253b424bb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1666,7 +1666,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libcroco-CVE-2020-12825.patch		\
   %D%/packages/patches/libcyaml-libyaml-compat.patch		\
   %D%/packages/patches/libexpected-use-provided-catch2.patch	\
-  %D%/packages/patches/libgda-cve-2021-39359.patch		\
+  %D%/packages/patches/libgda-CVE-2021-39359.patch		\
   %D%/packages/patches/libgda-disable-data-proxy-test.patch     \
   %D%/packages/patches/libgda-fix-build.patch			\
   %D%/packages/patches/libgda-fix-missing-initialization.patch	\
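
Review bot: the commit message names only gnu/packages/gnome.scm, but this hunk edits the dist_patch_DATA entry in gnu/local.mk and the patch file itself is renamed under gnu/packages/patches/; list both in the ChangeLog-style message, for example `* gnu/local.mk (dist_patch_DATA): Adjust accordingly.` The message would also be clearer if it said that the only change is the case of `cve` in the file name, which is what it implies guix lint keys on.
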
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..9b26819261 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -13653,7 +13653,7 @@ (define-public libgda
                            name "-" version ".tar.xz"))
        (sha256
         (base32 "0w564z7krgjk19r39mi5qn4kggpdg9ggbyn9pb4aavb61r14npwr"))
-       (patches (search-patches "libgda-cve-2021-39359.patch"
+       (patches (search-patches "libgda-CVE-2021-39359.patch"
                                 "libgda-disable-data-proxy-test.patch"
                                 "libgda-fix-build.patch"
                                 "libgda-fix-missing-initialization.patch"
diff --git a/gnu/packages/patches/libgda-cve-2021-39359.patch b/gnu/packages/patches/libgda-CVE-2021-39359.patch
similarity index 100%
rename from gnu/packages/patches/libgda-cve-2021-39359.patch
rename to gnu/packages/patches/libgda-CVE-2021-39359.patch
-- 
2.46.0






* [bug#74034] [PATCH 02/21] gnu: upx: Update to 4.2.4.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 03/21] gnu: halibut: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
                     ` (18 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/compression.scm (upx): Update to 4.2.4.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/compression.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..a32b15a64a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2438,15 +2438,14 @@ (define-public ucl
 (define-public upx
   (package
     (name "upx")
-    (version "4.1.0")
+    (version "4.2.4")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://github.com/upx/upx/releases/download/v"
                            version "/upx-" version "-src.tar.xz"))
        (sha256
-        (base32
-         "1l273pwa573x9l3izw75cz8ysn2g8w8w3s56rahppa3ya65zg0h5"))))
+        (base32 "1i71p03861hlf5x1w217l67zm5inm449zhbg6kpv8zyj0wb5dmjy"))))
     (build-system cmake-build-system)
     (home-page "https://upx.github.io/")
     (synopsis "Compression tool for executables")
@@ -2455,6 +2454,8 @@ (define-public upx
 compressor.  UPX typically reduces the file size of programs and shared
 libraries by around 50%--70%, thus reducing disk space, network load times,
 download times, and other distribution and storage costs.")
+    ;; These CVEs have been fixed since 4.0.2 but are still linted.
+    (properties `((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457"))))
     (license license:gpl2+)))
 
 (define-public quazip-0
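
Review bot: the comment on the added `lint-hidden-cve` line says the two CVEs "have been fixed since 4.0.2" but gives no upstream commit, changelog entry or advisory to check that against; add the reference next to the ids so the suppression can be audited later. Since 4.0.2 predates the old 4.1.0 as well, the property does not depend on the bump to 4.2.4 in the first hunk and could be its own commit.
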
-- 
2.46.0






* [bug#74034] [PATCH 03/21] gnu: halibut: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 02/21] gnu: upx: Update to 4.2.4 Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 04/21] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
                     ` (17 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/documentation.scm | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..7522b5f769 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,16 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    ;; This CVE concerns the halibut RPC-based communication framework,
+    ;; rather than the halibut text formatting system.
+    (properties `((lint-hidden-cve . ("CVE-2021-31819"))))
     (license license:expat)))
 
 (define-public doc++
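
Review bot: most of this hunk is a re-wrap of the description, which buries the one security-relevant line, `(lint-hidden-cve . ("CVE-2021-31819"))`, at the bottom; put the re-wrap in a separate commit. The comment would be easier to verify if it named the vendor or project of the other "halibut" it refers to.
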
-- 
2.46.0






* [bug#74034] [PATCH 04/21] gnu: portfolio: Update to 1.0.1.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 02/21] gnu: upx: Update to 4.2.4 Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 03/21] gnu: halibut: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 05/21] gnu: folders: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
                     ` (16 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/gnome-xyz.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..b399d30886 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,8 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    ;; This CVE concerns the Wordpress Portfolio plugin, not this package.
+    (properties `((lint-hidden-cve . ("CVE-2019-13232"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
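
Review bot: in the last hunk, the comment attributes CVE-2019-13232 to a WordPress plugin but quotes nothing from the CVE record that a reader can check; confirm the id against its NVD entry and put the affected vendor and product in the comment. Nothing in the patch would catch a wrong id in this list. "Wordpress" should be spelled "WordPress".
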
-- 
2.46.0






* [bug#74034] [PATCH 05/21] gnu: folders: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (2 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 04/21] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 06/21] gnu: spectra: " Nicolas Graves via Guix-patches via
                     ` (15 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/esolangs.scm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..b29787e7bf 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,14 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cve
+                   ;; These CVEs concern...
+                   . ( ; ...the Wordpress Folders plugin
+                      "CVE-2023-40204"
+                      ;; ...the Jenkins Folders plugin
+                      "CVE-2023-40336"
+                      "CVE-2023-40337"
+                      "CVE-2023-40338"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
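
Review bot: the comment layout inside the added list is hard to follow: the sentence starts on a `;;` line before the dot and then continues in a trailing `;` comment after `. (`. The bolt patch in this series opens the list with `(lint-hidden-cve . (;; These CVEs concern...` and gives each group its own `;;` line; using that form here keeps the two groups (one WordPress id, three Jenkins ids) clearly separated.
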
-- 
2.46.0






* [bug#74034] [PATCH 06/21] gnu: spectra: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (3 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 05/21] gnu: folders: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 07/21] gnu: express: " Nicolas Graves via Guix-patches via
                     ` (14 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/algebra.scm (spectra)[properties]: Add lint-hidden-cve
property.
---
 gnu/packages/algebra.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..cb390ea976 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,8 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    ;; These CVEs concern the Wordpress Spectra plugin.
+    (properties `((lint-hidden-cve . ("CVE-2023-36676" "CVE-2023-49833"))))
     (license license:mpl2.0)))
 
 (define-public gappa
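
Review bot: the added `properties` form uses a quasiquote although nothing in it is unquoted; a plain quote is enough and matches the xenon, openvswitch and quagga patches in this series, which write `'((lint-hidden-cve . (...)))`.
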
-- 
2.46.0






* [bug#74034] [PATCH 07/21] gnu: express: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (4 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 06/21] gnu: spectra: " Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 08/21] gnu: cli: " Nicolas Graves via Guix-patches via
                     ` (13 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/bioinformatics.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..2f463c8969 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,8 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    ;; These CVEs concern the Express.js node framework.
+    (properties `((lint-hidden-cve . ("CVE-2022-24999" "CVE-2024-43796"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
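
Review bot: hiding ids one by one does not hold up well for a name collision like this one: the two ids listed are from 2022 and 2024, and a later CVE filed against the Express.js framework will presumably be reported for this package again until someone extends the list. The v2 of this series, announced in this thread as "Add cpe-vendor and lint-hidden-cpe-vendors properties", handles the collision at the vendor level; prefer that over the per-id list here.
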
-- 
2.46.0






* [bug#74034] [PATCH 08/21] gnu: cli: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (5 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 07/21] gnu: express: " Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 09/21] gnu: h2c: " Nicolas Graves via Guix-patches via
                     ` (12 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (cli)[properties]: Add lint-cve-property.
---
 gnu/packages/cpp.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..e9c6dc096b 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,8 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    ;; This CVE concerns Snyk CLI rather than this package.
+    (properties `((lint-hidden-cve . ("CVE-2022-40764"))))
     (license license:expat)))
 
 (define-public xsd
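
Review bot: the commit message says "Add lint-cve-property", but the property added in this hunk is `lint-hidden-cve`; the message should read "Add lint-hidden-cve property" like the other patches in the series, so that a search of the log for the property name finds this commit.
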
-- 
2.46.0






* [bug#74034] [PATCH 09/21] gnu: h2c: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (6 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 08/21] gnu: cli: " Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 10/21] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
                     ` (11 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cve property.
---
 gnu/packages/curl.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..bac1841c82 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,8 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    ;; This CVE is for the h2c function in Go.
+    (properties `((lint-hidden-cve . ("CVE-2022-41721"))))
     (license license:expat)))
 
 (define-public coeurl
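
Review bot: the comment "the h2c function in Go" does not say which Go package or module the CVE was filed against, so the claim cannot be checked from the source; name it in the comment. The commit message also writes `[property]` where the field is `properties`.
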
-- 
2.46.0






* [bug#74034] [PATCH 10/21] gnu: xenon: Update to 0.9.3.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (7 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 09/21] gnu: h2c: " Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 11/21] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
                     ` (10 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/code.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..bbf10be987 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,8 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    ;; This CVE is for another package named Xenon too.
+    (properties '((lint-hidden-cve . ("CVE-2023-39427"))))
     (license license:expat)))
 
 (define-public python-xenon
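
Review bot: in the second hunk, the comment "another package named Xenon too" does not identify the other product, unlike the comments in the other patches, and the trailing "too" reads as a leftover; say which Xenon CVE-2023-39427 was filed against. The context line `(define-public python-xenon` right below suggests a second variable for this package; check whether it needs the same property or inherits it.
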
-- 
2.46.0






* [bug#74034] [PATCH 11/21] gnu: bolt: Update to 0.9.8.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (8 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 10/21] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 12/21] gnu: sylpheed: Add release-monitoring-url property Nicolas Graves via Guix-patches via
                     ` (9 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/linux.scm | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..f9f13ca28a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
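
Review bot: the new pattern `not systemd\\.found\\(\\)` is replaced by `false` wherever it occurs in meson.build, not only at the /var install step the comment refers to; match more of the surrounding line so that other uses of that condition are left alone. The removal of the `scripts/meson-install.sh` substitution is not mentioned in the commit message, which only says "Update phase 'replace-directories".
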
@@ -3411,6 +3410,12 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cve . (;; These CVEs concern...
+                                      ;; ...the Bolt PHP cms
+                                      "CVE-2021-27367"
+                                      "CVE-2022-31321"
+                                      ;; ...the Bolt orchestration tool
+                                      "CVE-2023-5214"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0






* [bug#74034] [PATCH 12/21] gnu: sylpheed: Add release-monitoring-url property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (9 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 11/21] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 13/21] gnu: openvswitch: Update to 3.4.0 Nicolas Graves via Guix-patches via
                     ` (8 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/mail.scm (sylpheed)[properties]: Add
release-monitoring-url.
---
 gnu/packages/mail.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..77be7626a9 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -4561,6 +4561,8 @@ (define-public sylpheed
      "Sylpheed is a simple, lightweight but featureful, and easy-to-use e-mail
 client.  Sylpheed provides intuitive user-interface.  Sylpheed is also
 designed for keyboard-oriented operation.")
+    (properties '((release-monitoring-url
+                   . "https://sylpheed.sraoss.jp/en/download.html")))
     (license license:gpl2+)))
 
 (define-public python-authres
-- 
2.46.0






* [bug#74034] [PATCH 13/21] gnu: openvswitch: Update to 3.4.0.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (10 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 12/21] gnu: sylpheed: Add release-monitoring-url property Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 14/21] gnu: quagga: Fix build and hide CVE Nicolas Graves via Guix-patches via
                     ` (7 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/networking.scm (openvswitch): Update to 3.4.0.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/networking.scm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..d98179cf2f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2877,7 +2877,7 @@ (define-public nzbget
 (define-public openvswitch
   (package
     (name "openvswitch")
-    (version "3.2.0")
+    (version "3.4.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2885,7 +2885,7 @@ (define-public openvswitch
                     version ".tar.gz"))
               (sha256
                (base32
-                "1i0lb40lwbakmmqklmfcgr01l1ymsawgdi7k9a1zzp8ariw7x4ff"))))
+                "10g84h6lis6fafyjhvmdrs8r539xcar04cc3rsk448gs6848hsqr"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -2961,7 +2961,9 @@ (define-public openvswitch
 supporting standard management interfaces and protocols (e.g. NetFlow, sFlow,
 IPFIX, RSPAN, CLI, LACP, 802.1ag).")
     (properties
-     '((release-monitoring-url . "https://www.openvswitch.org/download/")))
+     '((release-monitoring-url . "https://www.openvswitch.org/download/")
+       ;; This CVE is fixed since 3.2.0.
+       (lint-hidden-cve . ("CVE-2023-5366"))))
     (license                            ; see debian/copyright for detail
      (list license:lgpl2.1              ; xenserver and utilities/bugtool
            license:gpl2                 ; datapath
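
Review bot: the comment "This CVE is fixed since 3.2.0" in the last hunk is ambiguous about whether 3.2.0 itself contains the fix, and the package was at 3.2.0 before this patch, so the answer decides whether the previously packaged version was affected. State the first fixed release and point to the upstream commit or advisory in the comment.
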
-- 
2.46.0






* [bug#74034] [PATCH 14/21] gnu: quagga: Fix build and hide CVE.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (11 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 13/21] gnu: openvswitch: Update to 3.4.0 Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 15/21] gnu: bwm-ng: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
                     ` (6 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/networking.scm (quagga)
[inputs]: Add libxcrypt.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/networking.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index d98179cf2f..53bc670c41 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -3138,7 +3138,7 @@ (define-public quagga
                         (delete-file "vtysh/extract.pl")))))
     (build-system gnu-build-system)
     (native-inputs (list gawk gcc-9 pkg-config perl dejagnu))
-    (inputs (list readline c-ares))
+    (inputs (list c-ares libxcrypt readline))
     (synopsis "Routing Software Suite")
     (description "Quagga is a routing software suite, providing implementations
 of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms.
@@ -3149,6 +3149,10 @@ (define-public quagga
 clients which typically implement a routing protocol and communicate routing
 updates to the zebra daemon.")
     (home-page "https://www.nongnu.org/quagga/")
+    ;; This CVE concerns systemd services files that we currently don't use.
+    ;; If we were to use them, a fixing patch can be found here:
+    ;; https://build.opensuse.org/request/show/1035188
+    (properties '((lint-hidden-cve . ("CVE-2021-44038"))))
     (license license:gpl2+)))
 
 (define-public bgpq3
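
Review bot: The reason given for hiding CVE-2021-44038 depends on how the
package is built today ("systemd services files that we currently don't use"),
and nothing in this hunk ties the property to that condition. If a later change
installs those unit files, the CVE stays hidden. Consider repeating the caveat
next to the phase or snippet that would install the service files. The comment
should read "systemd service files". Also, the referenced fix is a
build.opensuse.org request; link the upstream fix if one exists.
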
-- 
2.46.0






* [bug#74034] [PATCH 15/21] gnu: bwm-ng: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (12 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 14/21] gnu: quagga: Fix build and hide CVE Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 16/21] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
                     ` (5 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/networking.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 53bc670c41..7ed011a7f4 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,8 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    ;; This CVE concerns the npm bwm-ng package rather than this one.
+    (properties '((lint-hidden-cve . ("CVE-2023-26129"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.46.0






* [bug#74034] [PATCH 16/21] gnu: onedrive: Update to 2.5.2.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (13 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 15/21] gnu: bwm-ng: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 17/21] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
                     ` (4 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cve.
---
 gnu/packages/sync.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..df3bcb6523 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,10 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    ;; These CVEs concern another Microsoft product.
+    (properties '((lint-hidden-cve . ("CVE-2023-24882"
+                                      "CVE-2023-24890"
+                                      "CVE-2023-24923"))))
     (license license:gpl3)))
 
 (define-public lsyncd
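
Review bot: The comment above the new properties field, "These CVEs concern
another Microsoft product.", does not name the product, so a later reader
cannot check the three hidden ids against it without looking each one up. Name
the product (or its CPE vendor:product pair) in the comment. The commit also
mixes a version update with lint suppression; the suppression would be easier
to revert or audit as its own commit.
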
-- 
2.46.0






* [bug#74034] [PATCH 17/21] gnu: got: Update to 0.104.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (14 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 16/21] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-11-15 12:58     ` [bug#74034] [PATCH v2] gnu: got: Update to 0.105 ashish.is--- via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 18/21] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
                     ` (3 subsequent siblings)
  19 siblings, 1 reply; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cve
properties.
---
 gnu/packages/version-control.scm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..9c8fdea0a6 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -980,7 +980,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1016,7 +1016,12 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       ;; This CVE is for another Node got package.
+       (lint-hidden-cve . "CVE-2022-33987")))))
 
 (define-public xdiff
   (let ((revision "0")
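
Review bot: In the added properties field, (lint-hidden-cve . "CVE-2022-33987")
gives the property a bare string, while every other patch in this series gives
it a list, e.g. (lint-hidden-cve . ("CVE-2023-5366")). Code that iterates over
or calls member on the value will not treat a string like a one-element list.
Use (lint-hidden-cve . ("CVE-2022-33987")) here. The comment would also read
better as "This CVE is for the Node.js got package."
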
-- 
2.46.0






* [bug#74034] [PATCH 18/21] gnu: dex: Update to 0.10.1.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (15 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 17/21] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 19/21] gnu: immer: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
                     ` (2 subsequent siblings)
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/xdisorg.scm | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..10c04fc4e8 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,10 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     ;; These CVEs concern...
+     '((lint-hidden-cve . ("CVE-2024-20802"  ; ...a dex Samsung package.
+                           "CVE-2022-39222")))) ; ...a OpenID connect tool.
     (license license:gpl3+)))
 
 (define-public sx
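
Review bot: The rationale for the two hidden CVEs is split between a leading
";; These CVEs concern..." line and trailing "; ...a dex Samsung package."
fragments. That is hard to read and breaks when an entry is added or
reordered. Give each id a complete comment of its own. "a OpenID connect tool"
should be "an OpenID Connect tool".
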
-- 
2.46.0






* [bug#74034] [PATCH 19/21] gnu: immer: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (16 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 18/21] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 20/21] gnu: cvs: " Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 21/21] gnu: gerbv: " Nicolas Graves via Guix-patches via
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (immer)[properties]: Add lint-hidden-cve
property.
---
 gnu/packages/cpp.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index e9c6dc096b..80eaa26b37 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,8 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   ;; This CVEs concern the immer.js Node package.
+   (properties '((lint-hidden-cve . ("CVE-2021-23436" "CVE-2021-3757"))))
    (license license:boost1.0)))
 
 (define-public zug
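
Review bot: Typo in the added comment: "This CVEs concern the immer.js Node
package." should be "These CVEs concern the immer.js Node package."
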
-- 
2.46.0






* [bug#74034] [PATCH 20/21] gnu: cvs: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (17 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 19/21] gnu: immer: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  2024-10-26 22:41   ` [bug#74034] [PATCH 21/21] gnu: gerbv: " Nicolas Graves via Guix-patches via
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/version-control.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 9c8fdea0a6..f4a0f577a9 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2750,6 +2750,8 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    ;; This CVE concerns the Jenkins CVS plugin.
+    (properties '((lint-hidden-cve . ("CVE-2022-29037"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0






* [bug#74034] [PATCH 21/21] gnu: gerbv: Add lint-hidden-cve property.
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
                     ` (18 preceding siblings ...)
  2024-10-26 22:41   ` [bug#74034] [PATCH 20/21] gnu: cvs: " Nicolas Graves via Guix-patches via
@ 2024-10-26 22:41   ` Nicolas Graves via Guix-patches via
  19 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-26 22:41 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/engineering.scm (gerbv)[properties]: Add
lint-hidden-cve property.
---
 gnu/packages/engineering.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 6f449f0c39..89e60a7218 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -868,6 +868,8 @@ (define-public gerbv
 you load several files on top of each other, do measurements on the displayed
 image, etc.  Besides viewing Gerbers, you may also view Excellon drill files
 as well as pick-place files.")
+    ;; This CVE has been fixed in version 2.10.0.
+    (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
     (license license:gpl2+)))
 
 (define-public translate2geda
-- 
2.46.0






* [bug#74034] [PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-10-26 22:21 [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages Nicolas Graves via Guix-patches via
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
@ 2024-10-27 18:16 ` Nicolas Graves via Guix-patches via
  2024-10-27 18:16   ` [bug#74034] [PATCH v2 01/16] guix: cve: " Nicolas Graves via Guix-patches via
  2024-10-27 18:16   ` [bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                   ` (5 subsequent siblings)
  7 siblings, 2 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:16 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

This is a rewrite of 74034 after a new first commit introducing the
management of cpe-vendor data from the CVE database.

Nicolas Graves (16):
  guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  gnu: halibut: Add cpe-vendor property.
  gnu: portfolio: Update to 1.0.1.
  gnu: folders: Add lint-hidden-cpe-vendors property.
  gnu: spectra: Add lint-hidden-cpe-vendors property.
  gnu: express: Add lint-hidden-cpe-vendors property.
  gnu: cli: Add lint-hidden-cpe-vendors property.
  gnu: h2c: Add lint-hidden-cpe-vendors property.
  gnu: xenon: Update to 0.9.3.
  gnu: bolt: Update to 0.9.8.
  gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  gnu: onedrive: Update to 2.5.2.
  gnu: got: Update to 0.104.
  gnu: dex: Update to 0.10.1.
  gnu: immer: Add lint-hidden-cpe-vendors property.
  gnu: cvs: Add lint-hidden-cpe-vendors property.

 gnu/packages/algebra.scm         |  1 +
 gnu/packages/bioinformatics.scm  |  1 +
 gnu/packages/code.scm            |  5 ++-
 gnu/packages/cpp.scm             |  2 +
 gnu/packages/curl.scm            |  1 +
 gnu/packages/documentation.scm   | 14 ++++---
 gnu/packages/esolangs.scm        |  1 +
 gnu/packages/gnome-xyz.scm       |  5 ++-
 gnu/packages/linux.scm           | 16 +++----
 gnu/packages/networking.scm      |  1 +
 gnu/packages/sync.scm            |  5 ++-
 gnu/packages/version-control.scm | 11 +++--
 gnu/packages/xdisorg.scm         | 17 ++++----
 guix/cve.scm                     | 71 +++++++++++++++++++++-----------
 guix/lint.scm                    | 11 ++++-
 tests/cve.scm                    | 30 +++++++-------
 16 files changed, 120 insertions(+), 72 deletions(-)

-- 
2.46.0






* [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-10-27 18:16 ` [bug#74034] [PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
@ 2024-10-27 18:16   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:16   ` [bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
  1 sibling, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:16 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place of cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
 guix/cve.scm  | 71 +++++++++++++++++++++++++++++++++------------------
 guix/lint.scm | 11 ++++++--
 tests/cve.scm | 30 +++++++++++-----------
 3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
-                   (match (match:substring matches 3)
+           (values (match:substring matches 1)
+                   (match (match:substring matches 2)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 4)
+                                     (match (match:substring matches 3)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
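
Review bot: cpe->package now returns the vendor and product glued into one
"VENDOR:PACKAGE" string (first regexp group), which later code has to take
apart again with string-split and string-prefix?. Returning the vendor as a
separate value, or a (vendor . name) pair, would avoid encoding structure in a
string and re-parsing it. The docstring's first sentence still says the CPE is
converted "to a package name"; update it to match the new return value. The
comment above %cpe-package-rx should say that group 1 now spans two CPE fields.
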
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let-values (((package version) (cpe->package cpe)))
            (and package
                 `(,package
                    ,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (filter-vendors vuln vendor hidden-vendors)
+
+  (define (vendor-matches? vendor+name)
+    (if vendor
+        (string-prefix? (string-append vendor ":") vendor+name)
+        (if hidden-vendors
+            (not (any (lambda (v)
+                        (string-prefix? (string-append v ":") vendor+name))
+                      hidden-vendors))
+            #t)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            (((? vendor-matches? vendor+name) . _)  #t)
+            (_                                      #f))
+          packages))))
+
 \f
 ;;;
 ;;; High-level interface.
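
Review bot: filter-vendors tests the vendor against every entry in the
vulnerability's packages list, not only the entry for the package being looked
up: (any (match-lambda (((? vendor-matches? vendor+name) . _) #t) ...) packages).
For a CVE that lists several products, a hidden vendor is therefore not hidden
as soon as any other listed product has a different vendor, and a cpe-vendor
match can come from an unrelated product of that vendor. Pass the looked-up
name in and compare against "VENDOR:NAME" for that name only. The procedure
also lacks a docstring, is a predicate but is not named with a trailing "?",
and silently ignores hidden-vendors whenever vendor is set; document or reject
that combination.
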
@@ -404,28 +422,31 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor+name . versions)
+                          (vhash-cons (match (string-split vendor+name #\:)
+                                        ((vendor name) name)
+                                        ((name)        name))
+                                      (cons vuln versions)
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (not (or vendor hidden-vendors))
+                       (and (or vendor hidden-vendors)
+                            (filter-vendors vuln vendor hidden-vendors)))
+                   (or (not version)
+                       (and version (version-matches? version sexp))))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
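
Review bot: The new fold condition repeats its own guards: (or (not (or vendor
hidden-vendors)) (and (or vendor hidden-vendors) (filter-vendors ...))) is
equivalent to (or (not (or vendor hidden-vendors)) (filter-vendors ...)), and
(or (not version) (and version (version-matches? version sexp))) to
(or (not version) (version-matches? version sexp)). Simplifying both makes the
filter easier to audit. Two further points: the no-version case used to match
(vuln . _) and now requires the stricter (vuln sexp) shape, and the table key
is recovered with string-split, whose two clauses leave any entry that does
not split into one or two fields unmatched. Finally, version changes from an
optional positional argument to a keyword, which breaks callers outside this
patch; say so in the commit log.
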
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name
+         #:version version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
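
Review bot: package-vulnerabilities now reads two new package properties,
cpe-vendor and lint-hidden-cpe-vendors, but the diffstat for this patch touches
only guix/cve.scm, guix/lint.scm and tests/cve.scm, so the properties are
undocumented. Add them to the manual next to the existing cpe-name and
cpe-version properties, stating the expected value types (a string for
cpe-vendor, a list of strings for lint-hidden-cpe-vendors) and that cpe-vendor
takes precedence when both are set.
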
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper:junos" (or "18.11" "18.1"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex:ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos:nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu:gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
   (let* ((vulns  (call-with-input-file %sample json->vulnerabilities))
          (lookup (vulnerabilities->lookup-proc vulns)))
     (list (lookup "ghostscript")
-          (lookup "ghostscript" "9.27")
-          (lookup "ghostscript" "9.28")
+          (lookup "ghostscript" #:version "9.27")
+          (lookup "ghostscript" #:version "9.28")
           (lookup "gdb")
-          (lookup "gdb" "42.0")
+          (lookup "gdb" #:version "42.0")
           (lookup "nix")
-          (lookup "nix" "2.4")
-          (lookup "binutils" "2.31.1")
-          (lookup "binutils" "2.10")
-          (lookup "binutils_gold" "1.11")
-          (lookup "binutils" "2.32"))))
+          (lookup "nix" #:version "2.4")
+          (lookup "binutils" #:version "2.31.1")
+          (lookup "binutils" #:version "2.10")
+          (lookup "binutils_gold" #:version "1.11")
+          (lookup "binutils" #:version "2.32"))))
 
 (test-end "cve")
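
Review bot: The lookups in this test are only converted to the #:version
keyword; none of them passes #:vendor or #:hidden-vendors, so the new filtering
path in vulnerabilities->lookup-proc is untested. Add cases against the sample
data for a matching vendor (e.g. "binutils" with #:vendor "gnu"), a
non-matching vendor, and a hidden vendor. Include CVE-2019-1010204, which lists
two products, to pin down the intended behaviour for multi-product entries.
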
-- 
2.46.0






* [bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.
  2024-10-27 18:16 ` [bug#74034] [PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
  2024-10-27 18:16   ` [bug#74034] [PATCH v2 01/16] guix: cve: " Nicolas Graves via Guix-patches via
@ 2024-10-27 18:16   ` Nicolas Graves via Guix-patches via
  1 sibling, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:16 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
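
Review bot: The added properties field uses a quasiquote,
`((cpe-vendor . "halibut_project")), although nothing in it is unquoted. The
other properties fields in this series use a plain quote; use
'((cpe-vendor . "halibut_project")) for consistency. The description reflow is
unrelated to the property and makes up most of the hunk; it would be easier to
review as a separate commit.
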
-- 
2.46.0






* [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-10-26 22:21 [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages Nicolas Graves via Guix-patches via
  2024-10-26 22:41 ` [bug#74034] [PATCH 01/21] gnu: libgda: Rename patch for guix lint Nicolas Graves via Guix-patches via
  2024-10-27 18:16 ` [bug#74034] [PATCH v2 00/16] Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20 ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
                     ` (15 more replies)
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                   ` (4 subsequent siblings)
  7 siblings, 16 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to cpe->package and use
cpe_vendor:cpe_name in place of cpe_name.
(filter-vendors): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm: Adapt tests.
---
 guix/cve.scm  | 71 +++++++++++++++++++++++++++++++++------------------
 guix/lint.scm | 11 ++++++--
 tests/cve.scm | 30 +++++++++++-----------
 3 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..a2335f15ef 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+name, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
-                   (match (match:substring matches 3)
+           (values (match:substring matches 1)
+                   (match (match:substring matches 2)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 4)
+                                     (match (match:substring matches 3)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
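
Review bot: In cpe->package the first return value is now a single "VENDOR:PACKAGE" string taken from match group 1, and the table-building code further down has to undo that with string-split. Returning the vendor and the package name as separate values (or as a pair) would avoid encoding structure in a string and keep callers from depending on the colon separator. The docstring's first sentence also still says the CPE is converted "to a package name".
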
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let-values (((package version) (cpe->package cpe)))
            (and package
                 `(,package
                    ,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (filter-vendors vuln vendor hidden-vendors)
+
+  (define (vendor-matches? vendor+name)
+    (if vendor
+        (string-prefix? (string-append vendor ":") vendor+name)
+        (if hidden-vendors
+            (not (any (lambda (v)
+                        (string-prefix? (string-append v ":") vendor+name))
+                      hidden-vendors))
+            #t)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            (((? vendor-matches? vendor+name) . _)  #t)
+            (_                                      #f))
+          packages))))
+
 \f
 ;;;
 ;;; High-level interface.
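
Review bot: filter-vendors tests the vendor against every entry of the vulnerability's packages list with "any", not against the entry for the package being looked up. A CVE that lists two products therefore passes for a package whose own vendor is in hidden-vendors as soon as the other product's vendor is not hidden, and it likewise passes a vendor check if any listed product has that vendor. Passing the looked-up name in and comparing each entry against vendor, ":" and name would make the check per entry. The procedure is a predicate returning a boolean, so a predicate-style name and a docstring stating that vendor takes precedence over hidden-vendors would help; the blank line after the define can go.
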
@@ -404,28 +422,31 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor+name . versions)
+                          (vhash-cons (match (string-split vendor+name #\:)
+                                        ((vendor name) name)
+                                        ((name)        name))
+                                      (cons vuln versions)
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (not (or vendor hidden-vendors))
+                       (and (or vendor hidden-vendors)
+                            (filter-vendors vuln vendor hidden-vendors)))
+                   (or (not version)
+                       (and version (version-matches? version sexp))))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
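
Review bot: The table key built with string-split drops the vendor, so the fold lambda can no longer tell which vendor the matched entry had and has to hand the whole vulnerability to filter-vendors. Storing the vendor next to versions in the vhash value would let the vendor test apply to the matched entry only. The condition also repeats its guards: (or (not (or vendor hidden-vendors)) (filter-vendors vuln vendor hidden-vendors)) and (or (not version) (version-matches? version sexp)) are equivalent to what is written. Moving version from #:optional to #:key changes the calling convention for every positional caller, which the commit log should state.
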
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..db3f59e3ec 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,15 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name
+         #:version version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
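
Review bot: cpe-vendor and lint-hidden-cpe-vendors are new package properties read here, but the diffstat for this patch lists only guix/cve.scm, guix/lint.scm and tests/cve.scm, so nothing documents them. Please describe both alongside the cpe-version property read just above, including that when cpe-vendor is set, lint-hidden-cpe-vendors is ignored (see vendor-matches? in guix/cve.scm).
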
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..0b6346a4d4 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper:junos" (or "18.11" "18.1"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex:ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos:nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu:gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
@@ -92,15 +92,15 @@ (define %expected-vulnerabilities
   (let* ((vulns  (call-with-input-file %sample json->vulnerabilities))
          (lookup (vulnerabilities->lookup-proc vulns)))
     (list (lookup "ghostscript")
-          (lookup "ghostscript" "9.27")
-          (lookup "ghostscript" "9.28")
+          (lookup "ghostscript" #:version "9.27")
+          (lookup "ghostscript" #:version "9.28")
           (lookup "gdb")
-          (lookup "gdb" "42.0")
+          (lookup "gdb" #:version "42.0")
           (lookup "nix")
-          (lookup "nix" "2.4")
-          (lookup "binutils" "2.31.1")
-          (lookup "binutils" "2.10")
-          (lookup "binutils_gold" "1.11")
-          (lookup "binutils" "2.32"))))
+          (lookup "nix" #:version "2.4")
+          (lookup "binutils" #:version "2.31.1")
+          (lookup "binutils" #:version "2.10")
+          (lookup "binutils_gold" #:version "1.11")
+          (lookup "binutils" #:version "2.32"))))
 
 (test-end "cve")
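
Review bot: The lookup calls in this test are only converted to #:version; none passes #:vendor or #:hidden-vendors, so the new filtering path in vulnerabilities->lookup-proc is untested. Add cases such as (lookup "ghostscript" #:vendor "artifex"), a lookup with a non-matching #:vendor, and one with #:hidden-vendors '("artifex"), with the expected lists extended to match.
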
-- 
2.46.0






* [bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
                     ` (14 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
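
Review bot: With cpe-vendor set to "halibut_project", vendor-matches? in guix/cve.scm keeps only entries whose vendor is exactly that string, so a halibut CVE recorded under any other vendor name would no longer be reported by guix lint. A comment on the properties line saying where the vendor string was taken from would let a later reader re-check it. The quasiquote on the properties form has nothing to unquote, so a plain quote is enough.
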
-- 
2.46.0






* [bug#74034] [PATCH v2 03/16] gnu: portfolio: Update to 1.0.1.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 04/16] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (13 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
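
Review bot: The properties line hides the vendor "radiustheme" without saying which unrelated product that vendor's "portfolio" CPE refers to. A one-line comment naming it would let reviewers confirm the entry is a name collision and not a report against this package; the same applies to the other lint-hidden-cpe-vendors additions in this series.
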
-- 
2.46.0






* [bug#74034] [PATCH v2 04/16] gnu: folders: Add lint-hidden-cpe-vendors property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 05/16] gnu: spectra: " Nicolas Graves via Guix-patches via
                     ` (12 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/esolangs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0






* [bug#74034] [PATCH v2 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (2 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 04/16] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 06/16] gnu: express: " Nicolas Graves via Guix-patches via
                     ` (11 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0






* [bug#74034] [PATCH v2 06/16] gnu: express: Add lint-hidden-cpe-vendors property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (3 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 05/16] gnu: spectra: " Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 07/16] gnu: cli: " Nicolas Graves via Guix-patches via
                     ` (10 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index a2ffbd5155..bb356f4903 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -6924,6 +6924,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0






* [bug#74034] [PATCH v2 07/16] gnu: cli: Add lint-hidden-cpe-vendors property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (4 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 06/16] gnu: express: " Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
                     ` (9 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 26fc169154..550f57c6bf 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2304,6 +2304,7 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    (properties `((lint-hidden-cpe-vendors . ("snyk"))))
     (license license:expat)))
 
 (define-public xsd
-- 
2.46.0






* [bug#74034] [PATCH v2 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (5 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 07/16] gnu: cli: " Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 09/16] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
                     ` (8 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..2b4b7ebdd8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0






* [bug#74034] [PATCH v2 09/16] gnu: xenon: Update to 0.9.3.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (6 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
                     ` (7 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/code.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..ed48119fe1 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1077,14 +1077,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1096,6 +1096,7 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.46.0






* [bug#74034] [PATCH v2 10/16] gnu: bolt: Update to 0.9.8.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (7 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 09/16] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (6 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index e496f3c88d..9d16c0a9b3 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
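
Review bot: The second substitute* clause replaces every occurrence of "not systemd.found()" in meson.build with "false", not only the one guarding the /var installation that the comment refers to. Matching more of the surrounding line would keep the change limited to that step. The comment should be a full sentence ending in a period, and since the phase uses #$output the outputs key of the lambda* is unused.
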
@@ -3411,6 +3410,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0






* [bug#74034] [PATCH v2 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (8 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
                     ` (5 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index a56b574e97..8c5548323f 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2152,6 +2152,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
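
Review bot: The hidden vendor "bwm-ng_project" carries the package's own name, which suggests the hidden entries describe bwm-ng itself and not a same-named product from another vendor. If those reports are against this software, hiding the vendor suppresses them for every future version as well; please confirm and add a comment, or hide already-fixed CVEs individually with lint-hidden-cve instead of by vendor.
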
-- 
2.46.0






* [bug#74034] [PATCH v2 12/16] gnu: onedrive: Update to 2.5.2.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (9 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
                     ` (4 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0






* [bug#74034] [PATCH v2 13/16] gnu: got: Update to 0.104.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (10 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
                     ` (3 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 6bd37fee82..df0739a39c 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -971,7 +971,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -980,7 +980,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1016,7 +1016,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
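
Review bot: The comment "Can lint for updates, but not update in place." sits above both properties but only explains release-monitoring-url; lint-hidden-cpe-vendors has no explanation. Since "got_project" reads like it could be this package's own vendor string, a comment naming the unrelated product is needed here. Adding release-monitoring-url is also a separate change from the version update and the CVE property and could be its own commit.
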
-- 
2.46.0






* [bug#74034] [PATCH v2 14/16] gnu: dex: Update to 0.10.1.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (11 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (2 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index ca50bebab4..0977a856cb 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
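Review bot: The added `(lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))` is a deny-list, so a CVE filed for a product named "dex" under any third vendor will still be reported against this package and the list has to grow each time one appears. If upstream has a CPE vendor of its own, the `cpe-vendor` property from patch 01 of this series would pin the match instead; if not, a comment naming the two unrelated products would make the exclusion auditable.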
-- 
2.46.0






* [bug#74034] [PATCH v2 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (12 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
  2024-11-06 21:43   ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 550f57c6bf..c0f9620f78 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1864,6 +1864,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0






* [bug#74034] [PATCH v2 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (13 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-10-27 18:20   ` Nicolas Graves via Guix-patches via
  2024-11-06 21:43   ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:20 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index df0739a39c..28ffd454df 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2749,6 +2749,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0






* [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (14 preceding siblings ...)
  2024-10-27 18:20   ` [bug#74034] [PATCH v2 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
@ 2024-11-06 21:43   ` Ludovic Courtès
  2024-11-07  8:45     ` Nicolas Graves via Guix-patches via
  15 siblings, 1 reply; 119+ messages in thread
From: Ludovic Courtès @ 2024-11-06 21:43 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: 74034

Hi,

Nicolas Graves <ngraves@ngraves.fr> skribis:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to cpe->package and use
> cpe_vendor:cpe_name in place of cpe_name.
> (filter-vendors): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm: Adapt tests.

Nice!

Please mention the names of tests being changed in the commit log (see
‘git log’ for examples).

> -(define (cpe->package-name cpe)
> +(define (cpe->package cpe)

Or ‘cpe->package-identifier’?

It’s unpleasant that said identifier is an unparsed “vendor:package”
string.  I wonder if we should instead leave ‘%cpe-package-rx’ unchanged
and return three values: package, version, vendor.

The downside is that it would lead to more changes down the road because
we’d have to carry the vendor bit along.

Thoughts?

> +(define (filter-vendors vuln vendor hidden-vendors)
> +

Always add a docstring for top-level procedures.

> +  (define (vendor-matches? vendor+name)
> +    (if vendor
> +        (string-prefix? (string-append vendor ":") vendor+name)
> +        (if hidden-vendors
> +            (not (any (lambda (v)
> +                        (string-prefix? (string-append v ":") vendor+name))
> +                      hidden-vendors))
> +            #t)))

(if x y #t) => (or (not x) y)
s/v/vendor/

> +  (lambda* (package #:key (version #f) (vendor #f) (hidden-vendors #f))

I’d keep ‘version’ option rather than keyword, for compatibility and
because it’s more commonly useful than the others.

‘hidden-vendors’ should always be a list, the empty list by default
(rule of thumb: avoid “#f | list” polymorphism if a list is as
expressive.)

> +    (vhash-fold*
> +     (lambda (pair result)
> +       (match pair
> +         ((vuln sexp)
> +          (if (and (or (not (or vendor hidden-vendors))
> +                       (and (or vendor hidden-vendors)
> +                            (filter-vendors vuln vendor hidden-vendors)))
> +                   (or (not version)
> +                       (and version (version-matches? version sexp))))

(or (not x) (and x y)) => (or (not x) y)

Thanks,
Ludo’.
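
The three-value CPE split and the vendor filter discussed in the review above, as a stand-alone Guile sketch that applies the filter to each matched entry. This is an added example, not code from the patch series or from Guix; `parse-cpe`, `vendor-visible?`, `lookup`, the vendor "example_vendor" and the sample entries are hypothetical.

```scheme
(use-modules (ice-9 match)
             (ice-9 regex)
             (srfi srfi-1))

;; Four separate groups: vendor, package, version, patch level.
(define %cpe-rx
  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))

(define (parse-cpe cpe)
  "Return three values for the application CPE string CPE: vendor, package
name and version.  Return #f, #f and #f if CPE is not an application CPE."
  (match (regexp-exec %cpe-rx cpe)
    (#f (values #f #f #f))
    (m  (values (match:substring m 1)
                (match:substring m 2)
                (match:substring m 3)))))

(define (vendor-visible? entry-vendor vendor hidden-vendors)
  "Return true if an entry filed under ENTRY-VENDOR should be reported.  When
VENDOR is a string, only that vendor counts; otherwise any vendor that is not
in the list HIDDEN-VENDORS counts."
  (if vendor
      (string=? vendor entry-vendor)
      (not (member entry-vendor hidden-vendors))))

;; Constructed sample data: placeholder ids, made-up versions and a made-up
;; vendor "example_vendor".  The third entry is an "o" (operating system) CPE
;; and must be ignored.
(define %sample-entries
  '(("CVE-PLACEHOLDER-1" . "cpe:2.3:a:jenkins:cvs:2.14:*:*:*:*:*:*:*")
    ("CVE-PLACEHOLDER-2" . "cpe:2.3:a:example_vendor:cvs:1.12:*:*:*:*:*:*:*")
    ("CVE-PLACEHOLDER-3" . "cpe:2.3:o:example_vendor:cvs:1.12:*:*:*:*:*:*:*")))

(define* (lookup name #:optional version
                 #:key (vendor #f) (hidden-vendors '()))
  "Return the ids in %SAMPLE-ENTRIES that name package NAME and pass the
version and vendor filters."
  (filter-map
   (match-lambda
     ((id . cpe)
      (call-with-values (lambda () (parse-cpe cpe))
        (lambda (entry-vendor entry-name entry-version)
          (and entry-name
               (string=? entry-name name)
               ;; The "(or (not x) y)" form suggested in the review.
               (or (not version) (string=? version entry-version))
               ;; The vendor test runs on this entry, not on the whole CVE.
               (vendor-visible? entry-vendor vendor hidden-vendors)
               id)))))
   %sample-entries))

;; Run the lookup with no filter, with a hidden vendor, and with a pinned
;; vendor; VERSION is passed explicitly as #f each time.
(for-each (lambda (args)
            (format #t "~s => ~s~%" args (apply lookup "cvs" #f args)))
          '(()
            (#:hidden-vendors ("jenkins"))
            (#:vendor "jenkins")))
```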





* [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-06 21:43   ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
@ 2024-11-07  8:45     ` Nicolas Graves via Guix-patches via
  2024-11-07 20:07       ` Nicolas Graves via Guix-patches via
  0 siblings, 1 reply; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-07  8:45 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 74034

On 2024-11-06 22:43, Ludovic Courtès wrote:

> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> skribis:
>
>> * guix/cve.scm: Exploit cpe vendors information.
>> (cpe->package-name): Rename to cpe->package and use
>> cpe_vendor:cpe_name in place of cpe_name.
>> (filter-vendors): Add helper function.
>> (vulnerabilities->lookup-proc): Extract cpe_name for table
>> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
>> pass vulnerabilities to result in the fold.
>>
>> * guix/lint.scm (package-vulnerabilities): Use additional arguments
>> from vulnerabilities->lookup-proc.
>>
>> * tests/cve.scm: Adapt tests.
>
> Nice!
>
> Please mention the names of tests being changed in the commit log (see
> ‘git log’ for examples).
>
>> -(define (cpe->package-name cpe)
>> +(define (cpe->package cpe)
>
> Or ‘cpe->package-identifier’?
>
> It’s unpleasant that said identifier is an unparsed “vendor:package”
> string.  I wonder if we should instead leave ‘%cpe-package-rx’ unchanged
> and return three values: package, version, vendor.
>
> The downside is that it would lead to more changes down the road because
> we’d have to carry the vendor bit along.
>
> Thoughts?

I actually took this route first, then reverted back to editing the
regexp.  This was indeed for simplicity (rationale: make a first working
version with minimal changes, then if necessary improve).  Yes indeed
doing this makes a lot of changes in the code, although not complex.

I agree with the rest of the changes. I'll try to make a commit on top
of that, possibly this weekend.


-- 
Best regards,
Nicolas Graves





* [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-07  8:45     ` Nicolas Graves via Guix-patches via
@ 2024-11-07 20:07       ` Nicolas Graves via Guix-patches via
  0 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-07 20:07 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 74034

On 2024-11-07 09:45, Nicolas Graves via Guix-patches via wrote:


>
> I actually took this route first, then reverted back to editing the
> regexp.  This was indeed for simplicity (rationale: make a first working
> version with minimal changes, then if necessary improve).  Yes indeed
> doing this makes a lot of changes in the code, although not complex.
>
> I agree with the rest of the changes. I'll try to make a commit on top
> of that, possibly this weekend.

Indeed it's quite tedious to dig into nested folds.  Maybe we can just
leave a TODO comment inviting a courageous candidate to tackle this in
the future?  I feel we should block this by perfectionism if we have a
suitable enough package-identifier.  Not that I don't like to dig,
rather that I'll be more at peace tackling this when I have more time.

-- 
Best regards,
Nicolas Graves





* [bug#74034] [PATCH v3 01/17] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-10-26 22:21 [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages Nicolas Graves via Guix-patches via
                   ` (2 preceding siblings ...)
  2024-10-27 18:20 ` [bug#74034] [PATCH v2 01/16] guix: cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02 ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 02/17] cve: Separate vendor and string Nicolas Graves via Guix-patches via
                     ` (15 more replies)
  2024-11-08 18:13 ` [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string Nicolas Graves via Guix-patches via
                   ` (3 subsequent siblings)
  7 siblings, 16 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerability-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
 guix/cve.scm  | 69 ++++++++++++++++++++++++++++++++-------------------
 guix/lint.scm | 10 ++++++--
 tests/cve.scm | 14 +++++------
 3 files changed, 59 insertions(+), 34 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..f7984be0ad 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -106,22 +106,22 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
-                   (match (match:substring matches 3)
+           (values (match:substring matches 1)
+                   (match (match:substring matches 2)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 4)
+                                     (match (match:substring matches 3)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
@@ -142,7 +142,7 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let-values (((package version) (cpe->package-identifier cpe)))
            (and package
                 `(,package
                    ,(cond ((and (or starti starte) (or endi ende))
@@ -228,6 +228,24 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+  "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages.  When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+  (define (vendor-matches? vendor+name)
+    (if vendor
+        (string-prefix? (string-append vendor ":") vendor+name)
+        (or (null? hidden-vendors)
+            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
+                  hidden-vendors)))))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            (((? vendor-matches? vendor+name) . _)  #t)
+            (_                                      #f))
+          packages))))
+
 \f
 ;;;
 ;;; High-level interface.
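Review bot: In `vendor-matches?`, `(cut string-prefix? (string-append <> ":") vendor+name)` puts the `<>` slot inside a nested call, but SRFI-26 `cut` only recognises slots at the top level of its own argument list, so this does not build the one-argument predicate that `any` needs. Write it out as `(lambda (hidden) (string-prefix? (string-append hidden ":") vendor+name))`. The continuation line `hidden-vendors)))))` should also be aligned as the second argument of `any`.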
@@ -404,28 +422,29 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor+name . versions)
+                          (vhash-cons (match (string-split vendor+name #\:)
+                                        ((vendor name) name)
+                                        ((name)        name))
+                                      (cons vuln versions)
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (and (not vendor) (null? hidden-vendors))
+                       (vulnerability-matches? vuln vendor hidden-vendors))
+                   (or (not version) (version-matches? version sexp)))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
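Review bot: The vendor is stripped from the key in `vhash-cons` and is not kept in the stored value either, so the new `lambda*` can only call `vulnerability-matches?` on the whole `vuln`. That answers "does any package of this CVE pass the vendor filter", not "does the entry that matched this package name pass it": a CVE that lists the looked-up name under a hidden vendor together with some other product under a different vendor is still returned. Store the vendor next to `versions` in the table and test it inside the fold so the filter applies to the matched entry.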
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
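Review bot: `(assoc-ref (package-properties package) 'lint-hidden-cpe-vendors)` returns #f for a package without the property, and passing that explicitly as `#:hidden-vendors` overrides the `'()` default of the lookup procedure. The guard in guix/cve.scm tests `(null? hidden-vendors)`, which is false for #f, so `vulnerability-matches?` is then called and hands #f to `any` where a list is expected. Default the binding here with `(or (assoc-ref (package-properties package) 'lint-hidden-cpe-vendors) '())`.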
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..6567d73c69 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper:junos" (or "18.11" "18.1"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex:ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos:nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu:gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
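Review bot: This hunk only rewrites `%expected-vulnerabilities` for the new "vendor:name" identifiers; nothing in it calls the lookup procedure with `#:vendor` or `#:hidden-vendors`. Add at least one case where the same package name appears under two vendors and assert which CVEs come back with each keyword, since that filtering is the behaviour this patch introduces.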
-- 
2.46.0






* [bug#74034] [PATCH v3 02/17] cve: Separate vendor and string.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 03/17] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
                     ` (14 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

---
 guix/cve.scm  | 111 +++++++++++++++++++++++++-------------------------
 tests/cve.scm |  14 +++----
 2 files changed, 63 insertions(+), 62 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index f7984be0ad..4f410ccc5e 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -106,7 +106,7 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
 (define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
@@ -117,18 +117,19 @@ (define (cpe->package-identifier cpe)
          =>
          (lambda (matches)
            (values (match:substring matches 1)
-                   (match (match:substring matches 2)
+                   (match:substring matches 2)
+                   (match (match:substring matches 3)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 3)
+                                     (match (match:substring matches 4)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
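Review bot: `cpe->package-identifier` now returns three values (vendor, package, version) and `(values #f #f #f)` on failure, but no hunk in this patch touches its docstring, which patch 01 left saying "Return two values" and "Return #f and #f". Update the docstring in this commit so callers know the order of the three values.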
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-identifier cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
   "Checks if a VENDOR matches at least one of <vulnerability> VULN
 packages.  When VENDOR is #f, ignore packages that have a vendor among
 HIDDEN-VENDORS."
-  (define (vendor-matches? vendor+name)
-    (if vendor
-        (string-prefix? (string-append vendor ":") vendor+name)
-        (or (null? hidden-vendors)
-            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
-                  hidden-vendors)))))
-
   (match vuln
     (($ <vulnerability> id packages)
      (any (match-lambda
-            (((? vendor-matches? vendor+name) . _)  #t)
-            (_                                      #f))
+            (((? (cut string=? <> vendor)) _)        #t)
+            (((? (cut member <> hidden-vendors)) _)  #t)
+            (_                                       #f))
           packages))))
 
 \f
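Review bot: The new `match-lambda` clauses in `vulnerability-matches?` match two-element lists `(x _)`, while this patch changes package entries to the three-element form `(vendor package sexp)`, so neither clause can match and the procedure always returns #f. Two further problems in the same clauses: `(cut string=? <> vendor)` would be applied even when VENDOR is #f, and the `member` clause returns #t for a vendor that is in HIDDEN-VENDORS, the opposite of what the docstring says. A single clause such as `((entry-vendor _ _) (if vendor (string=? vendor entry-vendor) (not (member entry-vendor hidden-vendors))))` covers both cases.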
@@ -290,39 +286,47 @@ (define sexp->vulnerability
      (vulnerability id packages))))
 
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (vendor+package-list '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop vendor+package-list configs))
+      (('and config _ ...)                            ;XXX
+       (loop config vendor+package-list))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((filtered-list (filter (match-lambda
+                                      ((vendor package _)  #f)
+                                      (otherwise           otherwise))
+                                    vendor+package-list)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) filtered-list))
+           (_
+            (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
+              (_
+               (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (filter (match-lambda
+                                      ((vendor package _)  #f)
+                                      (otherwise           otherwise))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
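Review bot: In both `filter` calls, the pattern `(vendor package _)` introduces fresh pattern variables instead of comparing against the `vendor` and `package` already in scope, so it matches every three-element entry and the filter drops all of them, not just the one being replaced. Use an explicit comparison, for example `((v p _) (not (and (string=? v vendor) (string=? p package))))`. Separately, `(assoc-ref vendor+package-list vendor)` and `(assoc-ref result vendor)` return the `(package sexp)` tail of the first entry for that vendor only, and the nested `assoc-ref` in `cve-configuration->package-list` treats that tail as an alist, so a previous constraint for the same vendor and package is not found reliably.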
@@ -422,11 +426,8 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((vendor+name . versions)
-                          (vhash-cons (match (string-split vendor+name #\:)
-                                        ((vendor name) name)
-                                        ((name)        name))
-                                      (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
diff --git a/tests/cve.scm b/tests/cve.scm
index 6567d73c69..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("juniper:junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("artifex:ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nixos:nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gnu:gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
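Review bot: The expected `or` nesting for CVE-2019-0001 and CVE-2019-0005 is reversed here (for example `(or "18.11" "18.1")` becomes `(or "18.1" "18.11")`) in addition to the vendor split, and the commit has no log message to say which change in guix/cve.scm causes that or whether it is intended. Add a commit log listing the touched procedures, as patch 01 does, and explain the ordering change there.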
-- 
2.46.0






* [bug#74034] [PATCH v3 03/17] gnu: halibut: Add cpe-vendor property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 02/17] cve: Separate vendor and string Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 04/17] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
                     ` (13 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
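Review bot: the added properties line uses a quasiquote with nothing unquoted inside; a plain quote, '((cpe-vendor . "halibut_project")), is enough and matches the form used in the xenon, bwm-ng and onedrive patches of this series. The description re-wrap makes up most of this hunk; putting it in its own commit would leave the one-line change that affects CVE matching easy to find in history.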
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 04/17] gnu: portfolio: Update to 1.0.1.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 02/17] cve: Separate vendor and string Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 03/17] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 05/17] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (12 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
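Review bot: the lint-hidden-cpe-vendors entry carries no comment saying which unrelated product the "radiustheme" vendor publishes under the name "portfolio". The property silences every current and future CVE from that vendor for this package name, so a one-line comment above it naming that product is needed for a later reader to audit the suppression. The quasiquote can also be a plain quote, since nothing is unquoted.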
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 05/17] gnu: folders: Add lint-hidden-cpe-vendors property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (2 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 04/17] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 06/17] gnu: spectra: " Nicolas Graves via Guix-patches via
                     ` (11 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/esolangs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 06/17] gnu: spectra: Add lint-hidden-cpe-vendors property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (3 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 05/17] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 07/17] gnu: express: " Nicolas Graves via Guix-patches via
                     ` (10 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 07/17] gnu: express: Add lint-hidden-cpe-vendors property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (4 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 06/17] gnu: spectra: " Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 08/17] gnu: cli: " Nicolas Graves via Guix-patches via
                     ` (9 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 35ff96ce42..34b58a5511 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7047,6 +7047,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 08/17] gnu: cli: Add lint-hidden-cpe-vendors property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (5 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 07/17] gnu: express: " Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 09/17] gnu: h2c: " Nicolas Graves via Guix-patches via
                     ` (8 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index f8e8557ef1..bb6872d7e3 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2327,6 +2327,7 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    (properties `((lint-hidden-cpe-vendors . ("snyk"))))
     (license license:expat)))
 
 (define-public xsd
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 09/17] gnu: h2c: Add lint-hidden-cpe-vendors property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (6 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 08/17] gnu: cli: " Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 10/17] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
                     ` (7 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9f74018205..2b4b7ebdd8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -366,6 +366,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 10/17] gnu: xenon: Update to 0.9.3.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (7 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 09/17] gnu: h2c: " Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 11/17] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
                     ` (6 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/code.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 04ca4dfd6b..5ed2126225 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1054,14 +1054,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1073,6 +1073,7 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 11/17] gnu: bolt: Update to 0.9.8.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (8 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 10/17] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 12/17] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (5 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 992790188a..6b79efa91f 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3366,7 +3366,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3375,7 +3375,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3384,12 +3384,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
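Review bot: the second substitute* clause rewrites every occurrence of "not systemd.found()" in meson.build to "false", not only the one that guards the /var install; if upstream uses that test elsewhere, those branches are disabled too. Match on more of the surrounding line and extend the "Don't install in /var" comment to say which meson block is targeted. Both patterns are tied to the 0.9.8 meson.build, and substitute* does not fail when a pattern stops matching, so a later update could silently bring the /var install back.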
@@ -3411,6 +3410,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 12/17] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (9 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 11/17] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 13/17] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
                     ` (4 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 6e3a355bd4..2bdf011f34 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
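Review bot: "bwm-ng_project" has the NAME_project shape that patch 03/17 declares as halibut's own cpe-vendor, so it looks like the vendor under which CVEs for this very program are filed, not a name collision. Hiding it would silence genuine reports against bwm-ng. If the goal is to dismiss one CVE that is already fixed, hide that CVE rather than the whole vendor; if this vendor is the package's own, it belongs in cpe-vendor.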
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 13/17] gnu: onedrive: Update to 2.5.2.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (10 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 12/17] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 14/17] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
                     ` (3 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 14/17] gnu: got: Update to 0.104.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (11 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 13/17] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 15/17] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
                     ` (2 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index a15f274c37..f323766579 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
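Review bot: the comment ";; Can lint for updates, but not update in place." sits above the whole alist, so it reads as covering lint-hidden-cpe-vendors as well; move it next to the release-monitoring-url entry it describes. The "got_project" entry needs its own comment stating which other product named "got" it refers to, because a NAME_project vendor is also the form a package's own CPE vendor takes.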
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 15/17] gnu: dex: Update to 0.10.1.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (12 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 14/17] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 16/17] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 17/17] gnu: cvs: " Nicolas Graves via Guix-patches via
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 16/17] gnu: immer: Add lint-hidden-cpe-vendors property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (13 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 15/17] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 17/17] gnu: cvs: " Nicolas Graves via Guix-patches via
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index bb6872d7e3..5c686db532 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [PATCH v3 17/17] gnu: cvs: Add lint-hidden-cpe-vendors property.
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
                     ` (14 preceding siblings ...)
  2024-11-08 18:02   ` [bug#74034] [PATCH v3 16/17] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-08 18:02   ` Nicolas Graves via Guix-patches via
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:02 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index f323766579..505be48d17 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
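Review bot: "jenkins" is hidden here and again for folders in 05/17, which suggests this vendor collides with package names in general and not only with these two. A default hidden-vendor list in the linter would avoid repeating it per package and would also cover packages nobody has annotated yet. If it stays per package, add a comment naming the colliding product.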
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 119+ messages in thread

* [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.
  2024-10-26 22:21 [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages Nicolas Graves via Guix-patches via
                   ` (3 preceding siblings ...)
  2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
@ 2024-11-08 18:13 ` Nicolas Graves via Guix-patches via
  2024-11-13  2:53   ` Maxim Cournoyer
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                   ` (2 subsequent siblings)
  7 siblings, 1 reply; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-08 18:13 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 74034


This commit has currently no proper commit message, but it's because it
should probably be squashed if we want to go this way.

In the end, I've done it, quite tedious (for me at least!) but done.
I'm not super sure however that it's clearer (vulnerability-matches?
definitely is, but the whole, I doubt that).  Just pick your preference
I guess!

Nicolas

-------------------- Start of forwarded message --------------------
From: Nicolas Graves <ngraves@ngraves.fr>
To: 74034@debbugs.gnu.org
Cc: Nicolas Graves <ngraves@ngraves.fr>
Subject: [PATCH v3 02/17] cve: Separate vendor and string.
Date: Fri,  8 Nov 2024 19:02:25 +0100

---
 guix/cve.scm  | 111 +++++++++++++++++++++++++-------------------------
 tests/cve.scm |  14 +++----
 2 files changed, 63 insertions(+), 62 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index f7984be0ad..4f410ccc5e 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -106,7 +106,7 @@ (define (reference-data->cve-references alist)
 (define %cpe-package-rx
   ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
-  (make-regexp "^cpe:2\\.3:a:([^:]+:[^:]+):([^:]+):([^:]+):"))
+  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
 (define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
@@ -117,18 +117,19 @@ (define (cpe->package-identifier cpe)
          =>
          (lambda (matches)
            (values (match:substring matches 1)
-                   (match (match:substring matches 2)
+                   (match:substring matches 2)
+                   (match (match:substring matches 3)
                      ("*" '_)
                      (version
                       (string-append version
-                                     (match (match:substring matches 3)
+                                     (match (match:substring matches 4)
                                        ("" "")
                                        (patch-level
                                         ;; Drop the colon from things like
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-identifier cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
   "Checks if a VENDOR matches at least one of <vulnerability> VULN
 packages.  When VENDOR is #f, ignore packages that have a vendor among
 HIDDEN-VENDORS."
-  (define (vendor-matches? vendor+name)
-    (if vendor
-        (string-prefix? (string-append vendor ":") vendor+name)
-        (or (null? hidden-vendors)
-            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
-                  hidden-vendors)))))
-
   (match vuln
     (($ <vulnerability> id packages)
      (any (match-lambda
-            (((? vendor-matches? vendor+name) . _)  #t)
-            (_                                      #f))
+            (((? (cut string=? <> vendor)) _)        #t)
+            (((? (cut member <> hidden-vendors)) _)  #t)
+            (_                                       #f))
           packages))))
 
 \f
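Review bot: both new match-lambda clauses use the pattern ((? pred) _), which matches only a two-element list, while the package entries this patch builds are three-element (V P SEXP) lists, so neither clause can fire and every entry falls through to the #f clause. The removed code ignored the rest of the entry with a dotted tail; ((? pred) . _) or ((? pred) _ _) keeps that behaviour. In the same two clauses, (cut string=? <> vendor) is applied even when VENDOR is #f, which the docstring allows but string=? does not accept, and the hidden-vendors clause returns #t although the docstring says those packages are to be ignored.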
@@ -290,39 +286,47 @@ (define sexp->vulnerability
      (vulnerability id packages))))
 
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (vendor+package-list '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop vendor+package-list configs))
+      (('and config _ ...)                            ;XXX
+       (loop config vendor+package-list))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((filtered-list (filter (match-lambda
+                                      ((vendor package _)  #f)
+                                      (otherwise           otherwise))
+                                    vendor+package-list)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) filtered-list))
+           (_
+            (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
+              (_
+               (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (filter (match-lambda
+                                      ((vendor package _)  #f)
+                                      (otherwise           otherwise))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
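Review bot: in both filter calls the match-lambda pattern (vendor package _) does not compare against the enclosing vendor and package. In (ice-9 match) a symbol inside a pattern binds a fresh variable, so this clause matches every three-element entry and the filter returns an empty list for well-formed input. In cve-configuration->package-list that empties filtered-list, and in merge-package-lists it discards every other entry of result whenever two constraints are merged. Compare explicitly instead, for example with the sub-patterns (? (cut string=? <> vendor)) and (? (cut string=? <> package)), or with a plain lambda that applies string=? to the first two elements.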
@@ -422,11 +426,8 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((vendor+name . versions)
-                          (vhash-cons (match (string-split vendor+name #\:)
-                                        ((vendor name) name)
-                                        ((name)        name))
-                                      (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
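Review bot: in the new clause ((vendor name versions) ...), vendor is bound but never used, and (cons vuln `(,versions)) is a roundabout spelling of (list vuln versions). Using _ for the ignored element and list for the stored value makes it obvious that the table no longer carries the vendor and that each value is a two-element list.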
diff --git a/tests/cve.scm b/tests/cve.scm
index 6567d73c69..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("juniper:junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("juniper:junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("artifex:ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nixos:nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gnu:gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("gnu:binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("gnu:binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
-- 
2.46.0

-------------------- End of forwarded message --------------------

-- 
Best regards,
Nicolas Graves





* [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.
  2024-11-08 18:13 ` [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string Nicolas Graves via Guix-patches via
@ 2024-11-13  2:53   ` Maxim Cournoyer
  2024-11-13  8:08     ` Nicolas Graves via Guix-patches via
  0 siblings, 1 reply; 119+ messages in thread
From: Maxim Cournoyer @ 2024-11-13  2:53 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: Ludovic Courtès, 74034

Hi Nicolas,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This commit has currently no proper commit message, but it's because it
> should probably be squashed if we want to go this way.
>
> In the end, I've done it, quite tedious (for me at least!) but done.
> I'm not super sure however that it's clearer (vulnerability-matches?
> definitely is, but the whole, I doubt that).  Just pick your preference
> I guess!

I think this one looks nicer without the parsing of colons every time we
need to extract the vendor/package name, thanks for having taken the
time to adjust it based on Ludovic's feedback.

[...]

>  (define (configuration-data->cve-configurations alist)
>    "Given ALIST, a JSON dictionary for the baroque \"configurations\"
> @@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
>    "Checks if a VENDOR matches at least one of <vulnerability> VULN
>  packages.  When VENDOR is #f, ignore packages that have a vendor among
>  HIDDEN-VENDORS."
> -  (define (vendor-matches? vendor+name)
> -    (if vendor
> -        (string-prefix? (string-append vendor ":") vendor+name)
> -        (or (null? hidden-vendors)
> -            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
> -                  hidden-vendors)))))
> -
>    (match vuln
>      (($ <vulnerability> id packages)
>       (any (match-lambda
> -            (((? vendor-matches? vendor+name) . _)  #t)
> -            (_                                      #f))
> +            (((? (cut string=? <> vendor)) _)        #t)
> +            (((? (cut member <> hidden-vendors)) _)  #t)

We are comparing <vulnerability> packages to the vendor strings; is this
correct?

At least I'd expect a hidden-vendors match to return #f, since I assume
we do not want to process these further?

> +            (_                                       #f))
>            packages))))
>
>  \f
> @@ -290,39 +286,47 @@ (define sexp->vulnerability
>       (vulnerability id packages))))
>
>  (define (cve-configuration->package-list config)
> -  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
> -where P is a package name and SEXP expresses constraints on the matching
> -versions."
> +  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
> +where V is a CPE vendor, P is a package name and SEXP expresses constraints on
> +the matching versions."
>    (let loop ((config config)
> -             (packages '()))
> +             (vendor+package-list '()))

nitpick: I'm not too fond of using the variable type in its name (here,
'list').  Perhaps just 'results' could do (plural to denote it's a
list).

>      (match config
>        (('or configs ...)
> -       (fold loop packages configs))
> -      (('and config _ ...)                        ;XXX
> -       (loop config packages))
> -      (((? string? package) '_)                   ;any version
> -       (cons `(,package _)
> -             (alist-delete package packages)))
> -      (((? string? package) sexp)
> -       (let ((previous (assoc-ref packages package)))
> -         (if previous
> -             (cons `(,package (or ,sexp ,@previous))
> -                   (alist-delete package packages))
> -             (cons `(,package ,sexp) packages)))))))
> +       (fold loop vendor+package-list configs))
> +      (('and config _ ...)                            ;XXX
> +       (loop config vendor+package-list))
> +      (((? string? vendor) (? string? package) sexp)
> +       (let ((filtered-list (filter (match-lambda
> +                                      ((vendor package _)  #f)

I'd use 'remove' to invert the negative logic.  Assuming
'vendor+package-list' becomes 'results', the let-bound variable could
be named (let ((pruned-results (remove ...))) ...)).  Also,
shouldn't the '_' in the match-lambda be quoted to denote it's a literal
underscore character, not a "don't-care" pattern?

> +                                      (otherwise           otherwise))
> +                                    vendor+package-list)))
> +         (match sexp
> +           ('_  ;any version
> +            (cons `(,vendor ,package _) filtered-list))
> +           (_
> +            (match (assoc-ref (assoc-ref vendor+package-list vendor) package)
> +              ((previous)
> +               (cons `(,vendor ,package (or ,sexp ,previous)) filtered-list))
> +              (_
> +               (cons `(,vendor ,package ,sexp) vendor+package-list))))))))))

I find the logic expressed in this procedure a bit hard to follow, but
that's been inherited from the previous code, so OK.

>  (define (merge-package-lists lst)
> -  "Merge the list in LST, each of which has the form (p sexp), where P
> -is the name of a package and SEXP is an sexp that constrains matching
> -versions."
> +  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
> +CPE vendor, P is the name of a package and SEXP is an sexp that constrains
> +matching versions."
>    (fold (lambda (plist result)                    ;XXX: quadratic
>            (fold (match-lambda*
> -                  (((package version) result)
> -                   (match (assoc-ref result package)
> -                     (#f
> -                      (cons `(,package ,version) result))
> -                     ((previous)
> -                      (cons `(,package (or ,version ,previous))
> -                            (alist-delete package result))))))
> +                  (((vendor package version) result)
> +                   (match (assoc-ref result vendor)
> +                     (((? (cut string=? package <>)) previous)
> +                      (cons `(,vendor ,package (or ,version ,previous))
> +                            (filter (match-lambda
> +                                      ((vendor package _)  #f)
> +                                      (otherwise           otherwise))
> +                                    result)))

This should use SRFI 1's 'remove' instead of 'filter'.

The rest looks good to me.

Could you please address my questions/suggestions and squash this into
the previous commit (with the accompanied changelog commit message
adjustment) ?

-- 
Thanks,
Maxim





* [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string.
  2024-11-13  2:53   ` Maxim Cournoyer
@ 2024-11-13  8:08     ` Nicolas Graves via Guix-patches via
  0 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13  8:08 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: Ludovic Courtès, 74034

On 2024-11-13 11:53, Maxim Cournoyer wrote:

> Hi Nicolas,
>
> I think this one looks nicer without the parsing of colons every time we
> need to extract the vendor/package name, thanks for having taken the
> time to adjust it based on Ludovic's feedback.

Ok, will squash both commits then. 
>
> [...]
>
>>  (define (configuration-data->cve-configurations alist)
>>    "Given ALIST, a JSON dictionary for the baroque \"configurations\"
>> @@ -232,18 +234,12 @@ (define (vulnerability-matches? vuln vendor hidden-vendors)
>>    "Checks if a VENDOR matches at least one of <vulnerability> VULN
>>  packages.  When VENDOR is #f, ignore packages that have a vendor among
>>  HIDDEN-VENDORS."
>> -  (define (vendor-matches? vendor+name)
>> -    (if vendor
>> -        (string-prefix? (string-append vendor ":") vendor+name)
>> -        (or (null? hidden-vendors)
>> -            (not (any (cut string-prefix? (string-append <> ":") vendor+name)
>> -                  hidden-vendors)))))
>> -
>>    (match vuln
>>      (($ <vulnerability> id packages)
>>       (any (match-lambda
>> -            (((? vendor-matches? vendor+name) . _)  #t)
>> -            (_                                      #f))
>> +            (((? (cut string=? <> vendor)) _)        #t)
>> +            (((? (cut member <> hidden-vendors)) _)  #t)
>
> We are comparing <vulnerability> packages to the vendor strings; is this
> correct?

Actually the first sexp element of <vulnerability> packages (hence the
_). 
>
> At least I'd expect a hidden-vendors match to return #f, since I assume
> we do not want to process these further?

Indeed it looks like a mistake / forgotten not.  Will check the logic.


> The rest looks good to me.
>
> Could you please address my questions/suggestions and squash this into
> the previous commit (with the accompanied changelog commit message
> adjustment) ?

Yep.

-- 
Best regards,
Nicolas Graves





* [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-10-26 22:21 [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages Nicolas Graves via Guix-patches via
                   ` (4 preceding siblings ...)
  2024-11-08 18:13 ` [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string Nicolas Graves via Guix-patches via
@ 2024-11-13 10:23 ` Nicolas Graves via Guix-patches via
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
                     ` (12 more replies)
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
  7 siblings, 13 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:23 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerability-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
 guix/cve.scm  | 143 +++++++++++++++++++++++++++++---------------------
 guix/lint.scm |  10 +++-
 tests/cve.scm |  14 ++---
 3 files changed, 99 insertions(+), 68 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..ecf96e0659 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -108,15 +108,16 @@ (define %cpe-package-rx
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
   (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way.  Return two values: the package identifier
+(composed from the CPE vendor and the package name), and its version string.
+Return #f and #f if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
+           (values (match:substring matches 1)
+                   (match:substring matches 2)
                    (match (match:substring matches 3)
                      ("*" '_)
                      (version
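Review bot: the rewritten docstring of cpe->package-identifier still says "Return two values" and "Return #f and #f", but the body now returns three values (vendor, package name, version) and the caller binds three. Describe the three return values separately; the wording "composed from the CPE vendor and the package name" also reads like the earlier combined vendor:name string, which this version no longer builds.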
@@ -128,7 +129,7 @@ (define (cpe->package-name cpe)
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -228,6 +230,23 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+  "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages.  When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+  (define hidden-vendor?
+    (if (list? hidden-vendors)
+        (cut member <> hidden-vendors)
+        (const #f)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            ((? (cut string=? <> vendor))   #t)
+            ((? hidden-vendor?)             #f)
+            (otherwise                      (not vendor)))
+          (map car packages)))))  ;candidate vendors
+
 \f
 ;;;
 ;;; High-level interface.
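Review bot: the first match-lambda clause applies (cut string=? <> vendor) unconditionally, yet the docstring and the (not vendor) result of the last clause both treat VENDOR as possibly #f, and string=? only accepts strings. Guard the comparison, for example with (? (lambda (v) (and vendor (string=? v vendor)))), or dispatch on vendor before calling any. A test that calls the lookup with #:hidden-vendors set and no #:vendor would cover this path.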
@@ -272,39 +291,47 @@ (define sexp->vulnerability
      (vulnerability id packages))))
 
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (results '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop results configs))
+      (('and config _ ...)                            ;XXX
+       (loop config results))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((pruned-results (remove (match-lambda
+                                       ((vendor package _)  #t)
+                                       (otherwise           #f))
+                                     results)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) pruned-results))
+           (_
+            (match (assoc-ref (assoc-ref results vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) pruned-results))
+              (_
+               (cons `(,vendor ,package ,sexp) results))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (remove (match-lambda
+                                      ((vendor package _)  #t)
+                                      (otherwise           #f))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
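Review bot: the lookup (assoc-ref (assoc-ref results vendor) package) in cve-configuration->package-list cannot find an earlier constraint. The inner call returns the tail (PACKAGE SEXP) of the first entry for that vendor, which is a flat list and not an association list, so the outer call has no (PACKAGE . VALUE) pair to find and the ((previous) ...) clause cannot match. Search results with a predicate on both vendor and package instead; in both procedures only the first entry of a vendor is inspected, so a vendor with several packages (gnu with binutils and binutils_gold in the tests) can mask an earlier entry for the same package. The two remove calls also keep the pattern (vendor package _), whose symbols bind fresh variables in (ice-9 match) and therefore match every three-element entry, which leaves pruned-results and the pruned result empty instead of one entry shorter.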
@@ -404,28 +431,26 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (and (not vendor) (null? hidden-vendors))
+                       (vulnerability-matches? vuln vendor hidden-vendors))
+                   (or (not version) (version-matches? version sexp)))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
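Review bot: the vendor of the entry being indexed is dropped when the table is built, (vhash-cons name (cons vuln `(,versions)) table), so the lookup cannot tell which vendor belongs to the name it matched and vulnerability-matches? has to test the vendors of all packages listed in the vulnerability. A CVE that lists the looked-up name under a hidden vendor together with an unrelated package from another vendor is then still reported when no vendor is given. Store the vendor in the table value, for example (list vuln vendor versions), and compare that single vendor in the fold.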
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
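Review bot: hidden-vendors is passed as the raw assoc-ref result, so a package without the lint-hidden-cpe-vendors property sends #:hidden-vendors #f, which overrides the '() default declared by the lookup procedure and defeats its (null? hidden-vendors) fast path. Pass (or (assoc-ref ...) '()) here, or accept #f explicitly on the other side. The two new properties also arrive undocumented: the diffstat covers only guix/cve.scm, guix/lint.scm and tests/cve.scm, so a manual entry and a test that exercises cpe-vendor and lint-hidden-cpe-vendors would be worth adding.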
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
-- 
2.46.0






* [bug#74034] [PATCH v4 03/16] gnu: portfolio: Update to 1.0.1.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
@ 2024-11-13 10:23   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (11 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:23 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
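Review bot: the added properties form in the last hunk is quasiquoted although nothing inside it is unquoted. A plain quote, '((lint-hidden-cpe-vendors . ("radiustheme"))), is enough and matches the form used in the bwm-ng, onedrive, immer and cvs patches of this series.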
-- 
2.46.0

* [bug#74034] [PATCH v4 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
@ 2024-11-13 10:23   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 06/16] gnu: express: " Nicolas Graves via Guix-patches via
                     ` (10 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:23 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
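Review bot: the added properties line gives no hint why the vendor "brainstormforce" is hidden for spectra. A one-line comment above it naming the unrelated product whose CVEs were being reported would let a later reader check that the exclusion is still valid, instead of having to rediscover it from the CVE feed.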
-- 
2.46.0

* [bug#74034] [PATCH v4 06/16] gnu: express: Add lint-hidden-cpe-vendors property.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-13 10:23   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
                     ` (9 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:23 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 599d22c51e..4174364a08 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7265,6 +7265,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0

* [bug#74034] [PATCH v4 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (2 preceding siblings ...)
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 06/16] gnu: express: " Nicolas Graves via Guix-patches via
@ 2024-11-13 10:23   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
                     ` (8 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:23 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 96f993d99a..d238479769 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -377,6 +377,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0

* [bug#74034] [PATCH v4 10/16] gnu: bolt: Update to 0.9.8.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (3 preceding siblings ...)
  2024-11-13 10:23   ` [bug#74034] [PATCH v4 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
@ 2024-11-13 10:24   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (7 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:24 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index a2a0359055..9c2cfa7ddf 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3333,7 +3333,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3342,7 +3342,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3351,12 +3351,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
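Review bot: in the new substitute* on meson.build, the first pattern escapes the parentheses but leaves the dot in "udev.get_variable" unescaped, so it matches any character there, while the second pattern does escape it ("systemd\\.found"). Write "udev\\.get_variable\\(pkgconfig: 'udevdir'\\)" for consistency. The lambda* still takes #:key outputs although the body only uses #$output, so that key can be dropped. Because substitute* does nothing when a pattern no longer matches, it is worth confirming after the build that nothing ended up under /var.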
@@ -3378,6 +3377,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0

* [bug#74034] [PATCH v4 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (4 preceding siblings ...)
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
@ 2024-11-13 10:24   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
                     ` (6 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:24 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index f0f0619161..8115c989aa 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.46.0

* [bug#74034] [PATCH v4 12/16] gnu: onedrive: Update to 2.5.2.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (5 preceding siblings ...)
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-13 10:24   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
                     ` (5 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:24 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0

* [bug#74034] [PATCH v4 13/16] gnu: got: Update to 0.104.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (6 preceding siblings ...)
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
@ 2024-11-13 10:24   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
                     ` (4 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:24 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c892a83a98..27c14422d1 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
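Review bot: the comment ";; Can lint for updates, but not update in place." sits above the whole properties list but only describes release-monitoring-url. Move it next to that entry, and give lint-hidden-cpe-vendors its own short comment saying which unrelated product the "got_project" vendor belongs to, so that the two properties are not read as one.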
-- 
2.46.0

* [bug#74034] [PATCH v4 14/16] gnu: dex: Update to 0.10.1.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (7 preceding siblings ...)
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
@ 2024-11-13 10:24   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (3 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:24 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0

* [bug#74034] [PATCH v4 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (8 preceding siblings ...)
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
@ 2024-11-13 10:24   ` Nicolas Graves via Guix-patches via
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
                     ` (2 subsequent siblings)
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:24 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index bb6872d7e3..5c686db532 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0

* [bug#74034] [PATCH v4 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (9 preceding siblings ...)
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-13 10:24   ` Nicolas Graves via Guix-patches via
  2024-11-17 17:19   ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
  2024-11-17 17:20   ` Ludovic Courtès
  12 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-13 10:24 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 27c14422d1..a0eb9f32d2 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0

* [bug#74034] [PATCH v2] gnu: got: Update to 0.105.
  2024-10-26 22:41   ` [bug#74034] [PATCH 17/21] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
@ 2024-11-15 12:58     ` ashish.is--- via Guix-patches via
  2024-11-30 10:24       ` [bug#74034] [PATCH v2] gnu: got: Update to 0.106 ashish.is--- via Guix-patches via
  0 siblings, 1 reply; 119+ messages in thread
From: ashish.is--- via Guix-patches via @ 2024-11-15 12:58 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves, Ashish SHUKLA

From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/version-control.scm (got): Update to 0.105.

Change-Id: I7846536927717b1a7cc79e8a3a70e9254eade22a
---
 gnu/packages/version-control.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 3e66163253..531d4827dc 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.104")
+    (version "0.105")
     (source (origin
               (method url-fetch)
               (uri
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
+                "0i52bkyhs2v8h1b6045hybnzyhr8hvgw87y3pr0s4vyhvihf6wri"))))
     (inputs
      (list libevent
            `(,util-linux "lib")

base-commit: b8d654f60a278790d0d65266b063b08c204ee15e
-- 
2.47.0

* [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (10 preceding siblings ...)
  2024-11-13 10:24   ` [bug#74034] [PATCH v4 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
@ 2024-11-17 17:19   ` Ludovic Courtès
  2024-11-17 17:20   ` Ludovic Courtès
  12 siblings, 0 replies; 119+ messages in thread
From: Ludovic Courtès @ 2024-11-17 17:19 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: 74034

Hi!

Nicolas Graves <ngraves@ngraves.fr> writes:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to...
> (cpe->package-identifier): Renamed from cpe->package-name. Use
> cpe_vendor:cpe_name in place of cpe_name.
> (vulnerability-matches?): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
> in guix/cve.scm.

[...]

> -(define (cpe->package-name cpe)
> +(define (cpe->package-identifier cpe)
>    "Converts the Common Platform Enumeration (CPE) string CPE to a package
> -name, in a very naive way.  Return two values: the package name, and its
> -version string.  Return #f and #f if CPE does not look like an application CPE
> -string."
> +identifier, in a very naive way.  Return two values: the package identifier
> +(composed from the CPE vendor and the package name), and its version string.
> +Return #f and #f if CPE does not look like an application CPE string."

It returns three values now.  :-)  (Nice!)

>  (define (merge-package-lists lst)
> -  "Merge the list in LST, each of which has the form (p sexp), where P
> -is the name of a package and SEXP is an sexp that constrains matching
> -versions."
> +  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
> +CPE vendor, P is the name of a package and SEXP is an sexp that constrains
> +matching versions."

Am I right that ‘vulnerability->sexp’ now includes the vendor?

In that case, the format version in ‘write-cache’ should be bumped and
‘fetch-vulnerabilities’ should be adjusted accordingly (to support v1
sexps that lack vendor info).

Ludo’.

* [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
                     ` (11 preceding siblings ...)
  2024-11-17 17:19   ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
@ 2024-11-17 17:20   ` Ludovic Courtès
  12 siblings, 0 replies; 119+ messages in thread
From: Ludovic Courtès @ 2024-11-17 17:20 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: 74034

The rest of this series LGTM!  Almost there! :-)

* [bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-10-26 22:21 [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages Nicolas Graves via Guix-patches via
                   ` (5 preceding siblings ...)
  2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45 ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
                     ` (15 more replies)
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
  7 siblings, 16 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerability-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.
(write-cache): Update the format version.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
 guix/cve.scm  | 147 +++++++++++++++++++++++++++++---------------------
 guix/lint.scm |  10 +++-
 tests/cve.scm |  14 ++---
 3 files changed, 101 insertions(+), 70 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..ed4665d727 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -108,15 +108,16 @@ (define %cpe-package-rx
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
   (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way.  Return three values: the CPE vendor, the
+package name, and its version string.
+Return three #f values if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
+           (values (match:substring matches 1)
+                   (match:substring matches 2)
                    (match (match:substring matches 3)
                      ("*" '_)
                      (version
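Review bot: cpe->package-identifier now returns the vendor and the package name as two separate values, yet the procedure name and the first sentence of the docstring still speak of a single "package identifier", and the commit log describes a combined cpe_vendor:cpe_name. Either reword the docstring opening to say that it splits the CPE string into vendor, package name and version, or pick a name that reflects the three return values, so that callers do not expect one composite string.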
@@ -128,7 +129,7 @@ (define (cpe->package-name cpe)
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -228,6 +230,23 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+  "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages.  When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+  (define hidden-vendor?
+    (if (list? hidden-vendors)
+        (cut member <> hidden-vendors)
+        (const #f)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            ((? (cut string=? <> vendor))   #t)
+            ((? hidden-vendor?)             #f)
+            (otherwise                      (not vendor)))
+          (map car packages)))))  ;candidate vendors
+
 \f
 ;;;
 ;;; High-level interface.
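
Review bot: in vulnerability-matches?, the first match-lambda clause applies (cut string=? <> vendor) unconditionally, but the docstring allows VENDOR to be #f and string=? signals a wrong-type error on a non-string argument. Guard the clause, for example ((? (lambda (v) (and vendor (string=? v vendor)))) #t), so the hidden-vendors path is reachable when no cpe-vendor is set. Note also that (map car packages) collects the vendors of every product listed in the CVE, not only the entry for the package being looked up, and that any returns #t as soon as one non-hidden vendor is present, so with VENDOR #f a CVE is suppressed only when every vendor it lists is hidden.
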
@@ -259,7 +278,7 @@ (define-record-type <vulnerability>
   (vulnerability id packages)
   vulnerability?
   (id         vulnerability-id)             ;string
-  (packages   vulnerability-packages))      ;((p1 sexp1) (p2 sexp2) ...)
+  (packages   vulnerability-packages))      ;((v1 p1 sexp1) (v2 p2 sexp2) ...)
 
 (define vulnerability->sexp
   (match-lambda
@@ -272,39 +291,47 @@ (define sexp->vulnerability
      (vulnerability id packages))))
 
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (results '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop results configs))
+      (('and config _ ...)                            ;XXX
+       (loop config results))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((pruned-results (remove (match-lambda
+                                       ((vendor package _)  #t)
+                                       (otherwise           #f))
+                                     results)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) pruned-results))
+           (_
+            (match (assoc-ref (assoc-ref results vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) pruned-results))
+              (_
+               (cons `(,vendor ,package ,sexp) results))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (remove (match-lambda
+                                      ((vendor package _)  #t)
+                                      (otherwise           #f))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
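
Review bot: in both cve-configuration->package-list and merge-package-lists, the pattern (vendor package _) inside match-lambda binds fresh variables instead of comparing against the outer vendor and package, so it matches every three-element entry and remove discards all accumulated results, not just the entry being replaced. Compare explicitly, e.g. ((? (cut string=? vendor <>)) (? (cut string=? package <>)) _). Separately, (assoc-ref (assoc-ref results vendor) package) is not a lookup of the (vendor package) pair: the inner assoc-ref is applied to the tail (package sexp) of the first entry for that vendor, which is not an association list. In merge-package-lists, (assoc-ref result vendor) likewise inspects only the first entry for the vendor, so a later entry for the same vendor and package is not merged.
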
@@ -337,7 +364,7 @@ (define vulns
         (json->vulnerabilities input))
 
       (write `(vulnerabilities
-               1                                  ;format version
+               2                                  ;format version
                ,(map vulnerability->sexp vulns))
              cache))))
 
@@ -404,28 +431,26 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (and (not vendor) (null? hidden-vendors))
+                       (vulnerability-matches? vuln vendor hidden-vendors))
+                   (or (not version) (version-matches? version sexp)))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
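
Review bot: the (vendor name versions) clause binds vendor but never uses it, so the table keeps only (vuln versions) per product name and the lookup has to call vulnerability-matches? on the whole <vulnerability>. The vendor filter is then decided by all vendors listed in the CVE rather than by the vendor of the entry whose name and version matched. Storing the vendor in the table value, e.g. (list vuln vendor versions), and comparing it inside the fold would make the #:vendor and #:hidden-vendors checks apply per entry.
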
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
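
Review bot: (assoc-ref (package-properties package) 'lint-hidden-cpe-vendors) returns #f when the property is absent, and passing that as #:hidden-vendors overrides the '() default declared in the lookup's lambda*. The lookup's shortcut tests (null? hidden-vendors), which is false for #f, so every package with neither property set goes through vulnerability-matches? with vendor #f. Use (or (assoc-ref ...) '()) here, or have the lookup treat #f like the empty list.
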
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
-- 
2.46.0






* [bug#74034] [PATCH v5 02/16] gnu: halibut: Add cpe-vendor property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
                     ` (14 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
-- 
2.46.0






* [bug#74034] [PATCH v5 03/16] gnu: portfolio: Update to 1.0.1.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 04/16] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (13 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.46.0






* [bug#74034] [PATCH v5 04/16] gnu: folders: Add lint-hidden-cpe-vendors property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 05/16] gnu: spectra: " Nicolas Graves via Guix-patches via
                     ` (12 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/esolangs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0






* [bug#74034] [PATCH v5 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (2 preceding siblings ...)
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 04/16] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 06/16] gnu: express: " Nicolas Graves via Guix-patches via
                     ` (11 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0






* [bug#74034] [PATCH v5 06/16] gnu: express: Add lint-hidden-cpe-vendors property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (3 preceding siblings ...)
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 05/16] gnu: spectra: " Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 07/16] gnu: cli: " Nicolas Graves via Guix-patches via
                     ` (10 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index f84306b6b9..5695ef12dd 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7320,6 +7320,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0






* [bug#74034] [PATCH v5 07/16] gnu: cli: Add lint-hidden-cpe-vendors property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (4 preceding siblings ...)
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 06/16] gnu: express: " Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
                     ` (9 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 2c0b575a84..43ec57a970 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2327,6 +2327,7 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    (properties `((lint-hidden-cpe-vendors . ("snyk"))))
     (license license:expat)))
 
 (define-public xsd
-- 
2.46.0






* [bug#74034] [PATCH v5 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (5 preceding siblings ...)
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 07/16] gnu: cli: " Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 09/16] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
                     ` (8 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..d782f89d9f 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -378,6 +378,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.46.0






* [bug#74034] [PATCH v5 09/16] gnu: xenon: Update to 0.9.3.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (6 preceding siblings ...)
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
                     ` (7 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/code.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 04ca4dfd6b..5ed2126225 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1054,14 +1054,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1073,6 +1073,7 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.46.0






* [bug#74034] [PATCH v5 10/16] gnu: bolt: Update to 0.9.8.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (7 preceding siblings ...)
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 09/16] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (6 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7a856c4721..3cd0f0381c 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3333,7 +3333,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3342,7 +3342,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3351,12 +3351,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
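
Review bot: substitute* does not fail when a pattern stops matching, so if upstream rewrites udev.get_variable(pkgconfig: 'udevdir') or the not systemd.found() test again, the replace-directories phase will silently leave meson.build unpatched. The "not systemd\\.found\\(\\)" pattern also rewrites every occurrence in meson.build to false; if only the /var installation branch is meant, match more of that line. The comment would be clearer as a full sentence saying what is skipped and why.
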
@@ -3378,6 +3377,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0






* [bug#74034] [PATCH v5 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (8 preceding siblings ...)
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
@ 2024-11-19  7:45   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
                     ` (5 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:45 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index f0f0619161..8115c989aa 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
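
Review bot: the hidden vendor "bwm-ng_project" is named after the package itself. If that is this program's own CPE vendor, hiding it silences every current and future CVE for bwm-ng rather than a single advisory; the halibut patch in this series sets cpe-vendor to the analogous "halibut_project" instead. Please add a comment stating which product the vendor refers to, and if the aim is to hide one non-applicable CVE, use the per-CVE lint-hidden-cve property.
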
-- 
2.46.0






* [bug#74034] [PATCH v5 12/16] gnu: onedrive: Update to 2.5.2.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (9 preceding siblings ...)
  2024-11-19  7:45   ` [bug#74034] [PATCH v5 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-19  7:46   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
                     ` (4 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:46 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.46.0






* [bug#74034] [PATCH v5 13/16] gnu: got: Update to 0.104.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (10 preceding siblings ...)
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
@ 2024-11-19  7:46   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
                     ` (3 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:46 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c892a83a98..27c14422d1 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
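
Review bot: the comment above the properties list explains only release-monitoring-url; the reason for hiding "got_project" is undocumented. Please say which unrelated product that CPE vendor covers, so it is clear the entry does not mask advisories for Game of Trees itself.
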
-- 
2.46.0






* [bug#74034] [PATCH v5 14/16] gnu: dex: Update to 0.10.1.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (11 preceding siblings ...)
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
@ 2024-11-19  7:46   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (2 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:46 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0






* [bug#74034] [PATCH v5 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (12 preceding siblings ...)
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
@ 2024-11-19  7:46   ` Nicolas Graves via Guix-patches via
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
  2024-11-20 22:10   ` [bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:46 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 43ec57a970..a3a89d3313 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0






* [bug#74034] [PATCH v5 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (13 preceding siblings ...)
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-19  7:46   ` Nicolas Graves via Guix-patches via
  2024-11-20 22:10   ` [bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-19  7:46 UTC (permalink / raw)
  To: 74034; +Cc: Nicolas Graves

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 27c14422d1..a0eb9f32d2 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
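Review bot: hiding "jenkins" is a deny-list, so a CVE filed for any other product named cvs under a different vendor will still be reported against this package. If CVS has a CPE vendor of its own, setting cpe-vendor (as the halibut patch in this series does) would restrict matches to upstream; otherwise add a comment saying what the jenkins entry refers to.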
-- 
2.46.0






* [bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
                     ` (14 preceding siblings ...)
  2024-11-19  7:46   ` [bug#74034] [PATCH v5 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
@ 2024-11-20 22:10   ` Ludovic Courtès
  15 siblings, 0 replies; 119+ messages in thread
From: Ludovic Courtès @ 2024-11-20 22:10 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: 74034

Nicolas Graves <ngraves@ngraves.fr> skribis:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to...
> (cpe->package-identifier): Renamed from cpe->package-name. Use
> cpe_vendor:cpe_name in place of cpe_name.
> (vulnerability-matches?): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
> (write-cache): Update the format version.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
> in guix/cve.scm.

[...]

>        (write `(vulnerabilities
> -               1                                  ;format version
> +               2                                  ;format version
>                 ,(map vulnerability->sexp vulns))
>               cache))))

This is good, but like I wrote, ‘fetch-vulnerabilities’ must be updated
symmetrically, ideally to recognize both v1 and v2 sexps:

    (match sexp
      (('vulnerabilities 2 vulns)
       (map sexp->vulnerability vulns))
      (('vulnerabilities 1 vulns)  ;old format, lacks vendor info
       (map sexp-v1->vulnerability vulns)))

(This is the format used in ~/.cache/guix/cve.)

That’s the only thing missing IMO.

Ludo’.





* [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-10-26 22:21 [bug#74034] [PATCH 00/21] Add lint-hidden-cve property for near-leaf packages Nicolas Graves via Guix-patches via
                   ` (6 preceding siblings ...)
  2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16 ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
                     ` (15 more replies)
  7 siblings, 16 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerability-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.
(write-cache, fetch-vulnerabilities): Update the format version.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
 guix/cve.scm  | 153 +++++++++++++++++++++++++++++---------------------
 guix/lint.scm |  10 +++-
 tests/cve.scm |  14 ++---
 3 files changed, 105 insertions(+), 72 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..098fdf0a05 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -108,15 +108,16 @@ (define %cpe-package-rx
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
   (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way.  Return three values: the CPE vendor, the
+package name, and its version string.
+Return three #f values if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
+           (values (match:substring matches 1)
+                   (match:substring matches 2)
                    (match (match:substring matches 3)
                      ("*" '_)
                      (version
@@ -128,7 +129,7 @@ (define (cpe->package-name cpe)
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -228,6 +230,23 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+  "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages.  When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+  (define hidden-vendor?
+    (if (list? hidden-vendors)
+        (cut member <> hidden-vendors)
+        (const #f)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            ((? (cut string=? <> vendor))   #t)
+            ((? hidden-vendor?)             #f)
+            (otherwise                      (not vendor)))
+          (map car packages)))))  ;candidate vendors
+
 \f
 ;;;
 ;;; High-level interface.
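Review bot: in vulnerability-matches?, the first match-lambda clause applies (cut string=? <> vendor) unconditionally, so when VENDOR is #f (the case the docstring describes for HIDDEN-VENDORS) string=? is handed #f instead of a string; guard it, for example ((? (lambda (v) (and vendor (string=? v vendor)))) #t). Separately, (map car packages) collects the vendors of every package listed in the vulnerability, not only the entry for the name being looked up, so a vulnerability that lists the requested name under a hidden vendor and some other product under another vendor still passes through the otherwise clause when VENDOR is #f. The vendor test should be made against the (vendor name sexp) entry whose name matched.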
@@ -259,7 +278,7 @@ (define-record-type <vulnerability>
   (vulnerability id packages)
   vulnerability?
   (id         vulnerability-id)             ;string
-  (packages   vulnerability-packages))      ;((p1 sexp1) (p2 sexp2) ...)
+  (packages   vulnerability-packages))      ;((v1 p1 sexp1) (v2 p2 sexp2) ...)
 
 (define vulnerability->sexp
   (match-lambda
@@ -272,39 +291,47 @@ (define sexp->vulnerability
      (vulnerability id packages))))
 
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (results '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop results configs))
+      (('and config _ ...)                            ;XXX
+       (loop config results))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((pruned-results (remove (match-lambda
+                                       ((vendor package _)  #t)
+                                       (otherwise           #f))
+                                     results)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) pruned-results))
+           (_
+            (match (assoc-ref (assoc-ref results vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) pruned-results))
+              (_
+               (cons `(,vendor ,package ,sexp) results))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (remove (match-lambda
+                                      ((vendor package _)  #t)
+                                      (otherwise           #f))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
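Review bot: in both cve-configuration->package-list and merge-package-lists, the (remove (match-lambda ((vendor package _) #t) (otherwise #f)) ...) calls do not compare against the outer vendor and package. Identifiers in an (ice-9 match) pattern are fresh bindings, so (vendor package _) matches every three-element entry and remove drops all of them, not just the one being replaced. Use guarded patterns, for example ((? (cut string=? vendor <>)) (? (cut string=? package <>)) _). Also, (assoc-ref results vendor) returns the tail of the first entry for that vendor only, and in cve-configuration->package-list that (package sexp) tail is passed to a second assoc-ref although it is not an alist, so the previous constraint cannot be found there; looking entries up on the (vendor package) pair would cover both procedures. The last clause conses onto results while the others use pruned-results, which is worth making consistent once the pruning is fixed.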
@@ -337,7 +364,7 @@ (define vulns
         (json->vulnerabilities input))
 
       (write `(vulnerabilities
-               1                                  ;format version
+               2                                  ;format version
                ,(map vulnerability->sexp vulns))
              cache))))
 
@@ -371,8 +398,10 @@ (define (read* port)
          (sexp (read* port)))
     (close-port port)
     (match sexp
-      (('vulnerabilities 1 vulns)
-       (map sexp->vulnerability vulns)))))
+      (('vulnerabilities 2 vulns)
+       (map sexp->vulnerability vulns))
+      (('vulnerabilities 1 vulns)  ;old format, lacks vendor info
+       (map sexp-v1->vulnerability vulns)))))
 
 (define* (current-vulnerabilities #:key (timeout 10))
   "Return the current list of Common Vulnerabilities and Exposures (CVE) as
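Review bot: the new v1 clause calls sexp-v1->vulnerability, but no hunk in this patch defines a procedure of that name; only sexp->vulnerability appears. Add the definition next to sexp->vulnerability, converting each old (p sexp) entry to the three-element form with a vendor value that vulnerability-matches? can handle, so that an existing format 1 cache can still be read, and list the new procedure in the commit log.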
@@ -404,28 +433,26 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (and (not vendor) (null? hidden-vendors))
+                       (vulnerability-matches? vuln vendor hidden-vendors))
+                   (or (not version) (version-matches? version sexp)))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
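Review bot: the table entry built by (vhash-cons name (cons vuln `(,versions)) table) drops the vendor bound in the (vendor name versions) pattern, so the lookup lambda cannot tell which vendor the matched name belongs to and has to rely on vulnerability-matches?, which looks at all vendors of the vulnerability. Keeping the vendor in the entry, for example (list vuln vendor versions), lets the fold compare it directly against #:vendor and #:hidden-vendors. The (null? hidden-vendors) test also assumes a list, which the caller in guix/lint.scm does not guarantee.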
diff --git a/guix/lint.scm b/guix/lint.scm
index 8c6c20c723..bea6d0a194 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1551,8 +1551,14 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
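Review bot: assoc-ref returns #f when a package has no lint-hidden-cpe-vendors property, and that #f is passed explicitly as #:hidden-vendors, overriding the '() default of the lookup procedure; its (null? hidden-vendors) test is then false, so packages with neither property take the vulnerability-matches? path with vendor #f. Default the value here, for example (or (assoc-ref (package-properties package) 'lint-hidden-cpe-vendors) '()). The diffstat touches no documentation file, so cpe-vendor and lint-hidden-cpe-vendors should also be described wherever cpe-version is documented.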
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
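Review bot: the expected data is updated to the three-element (vendor package sexp) form, but nothing in this hunk calls vulnerabilities->lookup-proc with #:vendor or #:hidden-vendors, so the new filtering is untested. Add cases for a package with cpe-vendor set, one with a hidden vendor, and one with neither property. The junos alternatives are now (or "18.2" (or "18.21-s3" "18.21-s4")) where the old expectation had the reverse order, which suggests the merge order changed; worth confirming that this is intended.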
 
-- 
2.46.0






* [bug#74034] [PATCH v6 02/16] gnu: halibut: Add cpe-vendor property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
                     ` (14 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f0e37561f7..e1d563945a 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -264,12 +264,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
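Review bot: the properties value is quasiquoted, `((cpe-vendor . "halibut_project")), although nothing in it is unquoted; a plain quote is enough and matches the '((...)) form used in the got, immer and cvs patches. The description re-wrap is unrelated to the property and would be easier to review as a separate commit.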
-- 
2.46.0






* [bug#74034] [PATCH v6 03/16] gnu: portfolio: Update to 1.0.1.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 04/16] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (13 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index a09c0befb0..74c2600b60 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.46.0






* [bug#74034] [PATCH v6 04/16] gnu: folders: Add lint-hidden-cpe-vendors property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 05/16] gnu: spectra: " Nicolas Graves via Guix-patches via
                     ` (12 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/esolangs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index 796f8d3f23..58c5307fdc 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.46.0






* [bug#74034] [PATCH v6 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (2 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 04/16] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 06/16] gnu: express: " Nicolas Graves via Guix-patches via
                     ` (11 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2187cd062d..5822431373 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1317,6 +1317,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.46.0






* [bug#74034] [PATCH v6 06/16] gnu: express: Add lint-hidden-cpe-vendors property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (3 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 05/16] gnu: spectra: " Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 07/16] gnu: cli: " Nicolas Graves via Guix-patches via
                     ` (10 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 27b7d3f5c8..5c24ca4664 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7389,6 +7389,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.46.0






* [bug#74034] [PATCH v6 07/16] gnu: cli: Add lint-hidden-cpe-vendors property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (4 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 06/16] gnu: express: " Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
                     ` (9 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index eacc6e46ab..657b83c434 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2327,6 +2327,7 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    (properties `((lint-hidden-cpe-vendors . ("snyk"))))
     (license license:expat)))
 
 (define-public xsd
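
Review bot: the alist on the added line is introduced with a quasiquote, `((lint-hidden-cpe-vendors . ("snyk"))), although nothing inside it is unquoted. The xenon, bwm-ng, onedrive, got, dex, immer and cvs patches in this series use a plain quote for the same form; please use '((lint-hidden-cpe-vendors . ("snyk"))) here, and likewise in the express, h2c and bolt patches, so the series is consistent.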
-- 
2.46.0






* [bug#74034] [PATCH v6 08/16] gnu: h2c: Add lint-hidden-cpe-vendors property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (5 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 07/16] gnu: cli: " Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 09/16] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
                     ` (8 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..d782f89d9f 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -378,6 +378,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
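
Review bot: the commit log for this change reads "(h2c)[property]", but the field added in the hunk is properties, and every other commit in the series writes "[properties]"; please correct the log entry. The property is also placed right after the description here, while the cli patch puts it after home-page; either is fine, but one placement across the series is easier to grep.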
-- 
2.46.0






* [bug#74034] [PATCH v6 09/16] gnu: xenon: Update to 0.9.3.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (6 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
                     ` (7 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/code.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 04ca4dfd6b..5ed2126225 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1054,14 +1054,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1073,6 +1073,7 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
     (license license:expat)))
 
 (define-public python-xenon
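
Review bot: the lint-hidden-cpe-vendors line added at the end of the package is independent of the 0.9.0 to 0.9.3 update in the first hunk, yet both land in one commit. Splitting them would let the version bump be reverted or bisected without also dropping the lint property; if they stay together, the subject line should at least mention the property, since "Update to 0.9.3" alone hides a change to what guix lint reports.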
-- 
2.46.0






* [bug#74034] [PATCH v6 10/16] gnu: bolt: Update to 0.9.8.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (7 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 09/16] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (6 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 0e29aae2bd..76fb92f793 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3333,7 +3333,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3342,7 +3342,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3351,12 +3351,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
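
Review bot: in the rewritten 'replace-directories phase, the new substitution turns "not systemd.found()" into "false" under the comment ";; Don't install in /var", which does not say what that condition guards in meson.build or why forcing it to false is right for every build; please expand the comment. The lambda also still declares #:key outputs although the body now only uses #$output, so it can become (lambda _ ...). Since substitute* does not fail when a pattern no longer matches, a future upstream edit to either line would silently undo the fix, so it is worth noting in the comment which upstream lines these patterns target.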
@@ -3378,6 +3377,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
-- 
2.46.0






* [bug#74034] [PATCH v6 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (8 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
                     ` (5 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 23cf36006f..3251493b07 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2157,6 +2157,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
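
Review bot: the hidden vendor on the added line, "bwm-ng_project", carries this package's own name, so it is not evident from the patch that it denotes an unrelated namesake. If it is the CPE vendor under which this bwm-ng itself is tracked, the property would suppress every current and future CVE for the package rather than one already-fixed entry. Please state in a comment which product the vendor refers to; if the aim is to silence a specific CVE, the lint-hidden-cve property used in the first version of this series is the narrower tool. The same question applies to "got_project" in 13/16 and "immer_project" in 15/16.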
-- 
2.46.0






* [bug#74034] [PATCH v6 12/16] gnu: onedrive: Update to 2.5.2.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (9 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
                     ` (4 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index af736d0c28..b21993a639 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
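
Review bot: the added property hides the whole "microsoft" vendor for a package whose description, in the context lines just above, says it connects to Microsoft OneDrive services. That makes the relationship between the hidden vendor and this program less obvious than in the other patches; a comment saying which Microsoft product shares the name "onedrive" and that this client is a different code base would make the intent checkable.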
-- 
2.46.0






* [bug#74034] [PATCH v6 13/16] gnu: got: Update to 0.104.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (10 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
                     ` (3 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/version-control.scm (got): Update to 0.104.
[properties]: Add release-monitoring-url and lint-hidden-cpe-vendors
properties.
---
 gnu/packages/version-control.scm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index c892a83a98..27c14422d1 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.103")
+    (version "0.104")
     (source (origin
               (method url-fetch)
               (uri
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0y18961xrj4rja850i31gadiaps2qnkfb4jlramlz9akyf9mwh1j"))))
+                "1jf8d7bd6jb09ci66n3rjfv94kvzgnqbw1js74hpajdw41wphbdk"))))
     (inputs
      (list libevent
            `(,util-linux "lib")
@@ -1020,7 +1020,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
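
Review bot: the comment ";; Can lint for updates, but not update in place." sits above the whole alist, so it reads as if it also described the lint-hidden-cpe-vendors entry. Move it next to the release-monitoring-url entry it explains, and give the "got_project" entry its own comment naming the product it is meant to exclude.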
-- 
2.46.0






* [bug#74034] [PATCH v6 14/16] gnu: dex: Update to 0.10.1.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (11 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
                     ` (2 subsequent siblings)
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a75e9cd6ba..859d37d4b7 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3536,7 +3536,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3544,15 +3544,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3562,6 +3563,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.46.0






* [bug#74034] [PATCH v6 15/16] gnu: immer: Add lint-hidden-cpe-vendors property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (12 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
  2024-11-29 12:51   ` [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 657b83c434..0a44991e20 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -1887,6 +1887,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.46.0






* [bug#74034] [PATCH v6 16/16] gnu: cvs: Add lint-hidden-cpe-vendors property.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (13 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
@ 2024-11-24 20:16   ` Nicolas Graves via Guix-patches via
  2024-11-29 12:51   ` [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
  15 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-24 20:16 UTC (permalink / raw)
  To: 74034; +Cc: ludo, Nicolas Graves

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 27c14422d1..a0eb9f32d2 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -2774,6 +2774,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.46.0






* [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
                     ` (14 preceding siblings ...)
  2024-11-24 20:16   ` [bug#74034] [PATCH v6 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
@ 2024-11-29 12:51   ` Ludovic Courtès
  2024-11-30 10:58     ` Nicolas Graves via Guix-patches via
  15 siblings, 1 reply; 119+ messages in thread
From: Ludovic Courtès @ 2024-11-29 12:51 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: 74034

Nicolas Graves <ngraves@ngraves.fr> skribis:

> * guix/cve.scm: Exploit cpe vendors information.
> (cpe->package-name): Rename to...
> (cpe->package-identifier): Renamed from cpe->package-name. Use
> cpe_vendor:cpe_name in place of cpe_name.
> (vulnerabily-matches?): Add helper function.
> (vulnerabilities->lookup-proc): Extract cpe_name for table
> hashes. Add vendor and hidden-vendor arguments. Adapt condition to
> pass vulnerabilities to result in the fold.
> (write-cache, fetch-vulnerabilities): Update the format version.
>
> * guix/lint.scm (package-vulnerabilities): Use additional arguments
> from vulnerabilities->lookup-proc.
>
> * tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
> in guix/cve.scm.

[...]

>      (match sexp
> -      (('vulnerabilities 1 vulns)
> -       (map sexp->vulnerability vulns)))))
> +      (('vulnerabilities 2 vulns)
> +       (map sexp->vulnerability vulns))
> +      (('vulnerabilities 1 vulns)  ;old format, lacks vendor info
> +       (map sexp-v1->vulnerability vulns)))))
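
Review bot: the match now has clauses for format versions 2 and 1 only, so a cache file carrying any other version tag reaches the end of the match with no clause to handle it. Consider a final catch-all clause that treats such a file as stale and triggers a refetch, so that a cache written by a newer Guix does not break guix lint on an older one.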

‘sexp-v1->vulnerability’ has yet to be written, if I’m not mistaken.

(Perhaps I wasn’t clear: you need to implement this procedure such that,
when reading v1 data from ~/.cache, you still get valid <vulnerability>
records.)

Ludo’.





* [bug#74034] [PATCH v2] gnu: got: Update to 0.106.
  2024-11-15 12:58     ` [bug#74034] [PATCH v2] gnu: got: Update to 0.105 ashish.is--- via Guix-patches via
@ 2024-11-30 10:24       ` ashish.is--- via Guix-patches via
  0 siblings, 0 replies; 119+ messages in thread
From: ashish.is--- via Guix-patches via @ 2024-11-30 10:24 UTC (permalink / raw)
  To: 74034; +Cc: Ashish SHUKLA

From: Ashish SHUKLA <ashish.is@lostca.se>

* gnu/packages/version-control.scm (got): Update to 0.106.

Change-Id: Ifa00cd959e92bfc0d5e22d0e3f22013e591f415c
---
 gnu/packages/version-control.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 531d4827dc..1d3e0afcca 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -975,7 +975,7 @@ (define-public git-tools
 (define-public got
   (package
     (name "got")
-    (version "0.105")
+    (version "0.106")
     (source (origin
               (method url-fetch)
               (uri
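
Review bot: this hunk starts from (version "0.105"), whereas v6 13/16 in this thread takes got from 0.103 to 0.104 and appends a properties field to the same package definition, so the two patches cannot both apply as posted. Please say which one is meant to go in first and rebase the other on top of it, keeping the release-monitoring-url and lint-hidden-cpe-vendors properties from 13/16.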
@@ -984,7 +984,7 @@ (define-public got
                   version ".tar.gz"))
               (sha256
                (base32
-                "0i52bkyhs2v8h1b6045hybnzyhr8hvgw87y3pr0s4vyhvihf6wri"))))
+                "1k07vcmi2vgkiv87wmjb79d9jq5rs1skv4nx77ips115q51dfy9h"))))
     (inputs
      (list libevent
            `(,util-linux "lib")

base-commit: 660fc2f9f3179d7d1d66e701d3362943f366264f
-- 
2.47.1






* [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-29 12:51   ` [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
@ 2024-11-30 10:58     ` Nicolas Graves via Guix-patches via
  2024-12-14 14:28       ` Maxim Cournoyer
  2024-12-26 21:24       ` Ludovic Courtès
  0 siblings, 2 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-11-30 10:58 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 74034

On 2024-11-29 13:51, Ludovic Courtès wrote:

> Nicolas Graves <ngraves@ngraves.fr> skribis:
>
>
> ‘sexp-v1->vulnerability’ has yet to be written, if I’m not mistaken.
>
> (Perhaps I wasn’t clear: you need to implement this procedure such that,
> when reading v1 data from ~/.cache, you still get valid <vulnerability>
> records.)

My bad, I probably got lazy for this one after spending more time than
expected on the cpe-vendor/cpe-name split.

Will take a look at it today.

-- 
Best regards,
Nicolas Graves





* [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-30 10:58     ` Nicolas Graves via Guix-patches via
@ 2024-12-14 14:28       ` Maxim Cournoyer
  2024-12-26 21:24       ` Ludovic Courtès
  1 sibling, 0 replies; 119+ messages in thread
From: Maxim Cournoyer @ 2024-12-14 14:28 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: Ludovic Courtès, 74034

Hello Nicolas,

Nicolas Graves <ngraves@ngraves.fr> writes:

> On 2024-11-29 13:51, Ludovic Courtès wrote:
>
>> Nicolas Graves <ngraves@ngraves.fr> skribis:
>>
>>
>> ‘sexp-v1->vulnerability’ has yet to be written, if I’m not mistaken.
>>
>> (Perhaps I wasn’t clear: you need to implement this procedure such that,
>> when reading v1 data from ~/.cache, you still get valid <vulnerability>
>> records.)
>
> My bad, I probably got lazy for this one after spending more time than
> expected on the cpe-vendor/cpe-name split.
>
> Will take a look at it today.

I was looking into applying this series, but it seems the nit above
needs to be looked into.

Sorry for the back and forth and thank you for your patience!

-- 
Thanks,
Maxim





* [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2024-11-30 10:58     ` Nicolas Graves via Guix-patches via
  2024-12-14 14:28       ` Maxim Cournoyer
@ 2024-12-26 21:24       ` Ludovic Courtès
       [not found]         ` <871pxcp7ss.fsf@ngraves.fr>
  1 sibling, 1 reply; 119+ messages in thread
From: Ludovic Courtès @ 2024-12-26 21:24 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: 74034

Hello,

Nicolas Graves <ngraves@ngraves.fr> skribis:

> On 2024-11-29 13:51, Ludovic Courtès wrote:
>
>> Nicolas Graves <ngraves@ngraves.fr> skribis:
>>
>>
>> ‘sexp-v1->vulnerability’ has yet to be written, if I’m not mistaken.
>>
>> (Perhaps I wasn’t clear: you need to implement this procedure such that,
>> when reading v1 data from ~/.cache, you still get valid <vulnerability>
>> records.)
>
> My bad, I probably got lazy for this one after spending more time than
> expected on the cpe-vendor/cpe-name split.
>
> Will take a look at it today.

Did you have a chance to look into it?  The series is almost ready and
it’s a useful improvement.  (You mentioned elsewhere that you had
troubles with your laptop, I hope you fully recovered!)

Ludo’.





* [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
       [not found]         ` <871pxcp7ss.fsf@ngraves.fr>
@ 2025-01-09 13:48           ` Ludovic Courtès
  2025-01-09 14:06             ` Nicolas Graves via Guix-patches via
  0 siblings, 1 reply; 119+ messages in thread
From: Ludovic Courtès @ 2025-01-09 13:48 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: 74034

Hi,

Nicolas Graves <ngraves@ngraves.fr> skribis:

>>> On 2024-11-29 13:51, Ludovic Courtès wrote:
>>>
>>>> Nicolas Graves <ngraves@ngraves.fr> skribis:
>>>>
>>>>
>>>> ‘sexp-v1->vulnerability’ has yet to be written, if I’m not mistaken.
>>>>
>>>> (Perhaps I wasn’t clear: you need to implement this procedure such that,
>>>> when reading v1 data from ~/.cache, you still get valid <vulnerability>
>>>> records.)
>
> Is that actually necessary ?  Since the vulnerability-packages field is
> an sexp, vulnerability->sexp would be the same for v1 and v2.
>
> Seems like the place to handle this is rather the second match in the
> vulnerabilities->lookup-proc procedure, that should have a second case
> match (the previous one from version history most probably) that is
> accounting for the v1.
>
> WDYT?

What I’m suggesting here is a pattern commonly used in Guix where:

  1. There’s only one in-memory representation.

  2. There may be several on-disk representations, but we convert them
     once for all when reading them.

You can find this pattern in manifests, for instance with
‘sexp->manifest’.

That’s why I’m suggesting that ‘vulnerability->sexp’ converts to the
right in-memory representation when it’s reading a v1 sexp.

Does that make sense?

Ludo’.





* [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  2025-01-09 13:48           ` Ludovic Courtès
@ 2025-01-09 14:06             ` Nicolas Graves via Guix-patches via
  0 siblings, 0 replies; 119+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2025-01-09 14:06 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 74034

On 2025-01-09 14:48, Ludovic Courtès wrote:

> Hi,
>
>>
>> Is that actually necessary ?  Since the vulnerability-packages field is
>> an sexp, vulnerability->sexp would be the same for v1 and v2.
>>
>> Seems like the place to handle this is rather the second match in the
>> vulnerabilities->lookup-proc procedure, that should have a second case
>> match (the previous one from version history most probably) that is
>> accounting for the v1.
>>
>> WDYT?
>
> What I’m suggesting here is a pattern commonly used in Guix where:
>
>   1. There’s only one in-memory representation.
>
>   2. There may be several on-disk representations, but we convert them
>      once for all when reading them.
>
> You can find this pattern in manifests, for instance with
> ‘sexp->manifest’.
>
> That’s why I’m suggesting that ‘vulnerability->sexp’ converts to the
> right in-memory representation when it’s reading a v1 sexp.
>
> Does that make sense?

So convert v1-sexp to v2-sexp before passing it further?  The issue is
that we don't necessarily have the vendor in v1 to be able to convert it
to v2.  There are some cases where there's no vendor (don't remember if
it's #f or 'none or something else), I can put that value by default. 

-- 
Best regards,
Nicolas Graves




2024-11-07  8:45     ` Nicolas Graves via Guix-patches via
2024-11-07 20:07       ` Nicolas Graves via Guix-patches via
2024-11-08 18:02 ` [bug#74034] [PATCH v3 01/17] " Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 02/17] cve: Separate vendor and string Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 03/17] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 04/17] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 05/17] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 06/17] gnu: spectra: " Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 07/17] gnu: express: " Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 08/17] gnu: cli: " Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 09/17] gnu: h2c: " Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 10/17] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 11/17] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 12/17] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 13/17] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 14/17] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 15/17] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 16/17] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-08 18:02   ` [bug#74034] [PATCH v3 17/17] gnu: cvs: " Nicolas Graves via Guix-patches via
2024-11-08 18:13 ` [bug#74034] [Nicolas Graves] [PATCH v3 02/17] cve: Separate vendor and string Nicolas Graves via Guix-patches via
2024-11-13  2:53   ` Maxim Cournoyer
2024-11-13  8:08     ` Nicolas Graves via Guix-patches via
2024-11-13 10:23 ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Nicolas Graves via Guix-patches via
2024-11-13 10:23   ` [bug#74034] [PATCH v4 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
2024-11-13 10:23   ` [bug#74034] [PATCH v4 05/16] gnu: spectra: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-13 10:23   ` [bug#74034] [PATCH v4 06/16] gnu: express: " Nicolas Graves via Guix-patches via
2024-11-13 10:23   ` [bug#74034] [PATCH v4 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
2024-11-13 10:24   ` [bug#74034] [PATCH v4 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
2024-11-13 10:24   ` [bug#74034] [PATCH v4 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-13 10:24   ` [bug#74034] [PATCH v4 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
2024-11-13 10:24   ` [bug#74034] [PATCH v4 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
2024-11-13 10:24   ` [bug#74034] [PATCH v4 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
2024-11-13 10:24   ` [bug#74034] [PATCH v4 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-13 10:24   ` [bug#74034] [PATCH v4 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
2024-11-17 17:19   ` [bug#74034] [PATCH v4 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
2024-11-17 17:20   ` Ludovic Courtès
2024-11-19  7:45 ` [bug#74034] [PATCH v5 " Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 04/16] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 05/16] gnu: spectra: " Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 06/16] gnu: express: " Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 07/16] gnu: cli: " Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 09/16] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
2024-11-19  7:45   ` [bug#74034] [PATCH v5 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-19  7:46   ` [bug#74034] [PATCH v5 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
2024-11-19  7:46   ` [bug#74034] [PATCH v5 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
2024-11-19  7:46   ` [bug#74034] [PATCH v5 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
2024-11-19  7:46   ` [bug#74034] [PATCH v5 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-19  7:46   ` [bug#74034] [PATCH v5 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
2024-11-20 22:10   ` [bug#74034] [PATCH v5 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
2024-11-24 20:16 ` [bug#74034] [PATCH v6 " Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 02/16] gnu: halibut: Add cpe-vendor property Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 03/16] gnu: portfolio: Update to 1.0.1 Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 04/16] gnu: folders: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 05/16] gnu: spectra: " Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 06/16] gnu: express: " Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 07/16] gnu: cli: " Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 08/16] gnu: h2c: " Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 09/16] gnu: xenon: Update to 0.9.3 Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 10/16] gnu: bolt: Update to 0.9.8 Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 11/16] gnu: bwm-ng: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 12/16] gnu: onedrive: Update to 2.5.2 Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 13/16] gnu: got: Update to 0.104 Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 14/16] gnu: dex: Update to 0.10.1 Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 15/16] gnu: immer: Add lint-hidden-cpe-vendors property Nicolas Graves via Guix-patches via
2024-11-24 20:16   ` [bug#74034] [PATCH v6 16/16] gnu: cvs: " Nicolas Graves via Guix-patches via
2024-11-29 12:51   ` [bug#74034] [PATCH v6 01/16] cve: Add cpe-vendor and lint-hidden-cpe-vendors properties Ludovic Courtès
2024-11-30 10:58     ` Nicolas Graves via Guix-patches via
2024-12-14 14:28       ` Maxim Cournoyer
2024-12-26 21:24       ` Ludovic Courtès
     [not found]         ` <871pxcp7ss.fsf@ngraves.fr>
2025-01-09 13:48           ` Ludovic Courtès
2025-01-09 14:06             ` Nicolas Graves via Guix-patches via

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git
