all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Introduce a cpe-vendor package property?
@ 2024-10-25 13:33 Nicolas Graves
  2024-10-26 15:08 ` Ludovic Courtès
  0 siblings, 1 reply; 3+ messages in thread
From: Nicolas Graves @ 2024-10-25 13:33 UTC (permalink / raw)
  To: guix-devel


Hi Guix,

As you've certainly noticed, I'm currently supplying some security
patches by checking every package that is linted on the cve checker.

I have a WIP patch series about adding lint-hidden-cve property to
packages where it is relevant.  While doing it, I noticed that there are
quite some packages with duplicated cpe-names (a few examples : xenon,
bolt, express, halibut, folders, portfolio...) in the NIST database.
I was wondering about handling a cpe-vendor property to handle such
cases, since cpe-name won't help here.

To note: Most of the time, this won't help and we'll still have to fill
hidden-lint-cve (since most of these packages have no CVEs and therefore
are not in the database at all, despite having similarly-named
packages).

-- 
Best regards,
Nicolas Graves


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Introduce a cpe-vendor package property?
  2024-10-25 13:33 Introduce a cpe-vendor package property? Nicolas Graves
@ 2024-10-26 15:08 ` Ludovic Courtès
  2024-10-27 18:29   ` Nicolas Graves
  0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2024-10-26 15:08 UTC (permalink / raw)
  To: Nicolas Graves; +Cc: guix-devel

Hi,

Nicolas Graves <ngraves@ngraves.fr> skribis:

> I was wondering about handling a cpe-vendor property to handle such
> cases, since cpe-name won't help here.

Yes, we need that.  (guix cve) currently blissfully ignores the “vendor”
part of CPE names; we can do better.

Thanks,
Ludo’.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Introduce a cpe-vendor package property?
  2024-10-26 15:08 ` Ludovic Courtès
@ 2024-10-27 18:29   ` Nicolas Graves
  0 siblings, 0 replies; 3+ messages in thread
From: Nicolas Graves @ 2024-10-27 18:29 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On 2024-10-26 17:08, Ludovic Courtès wrote:

> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> skribis:
>
>> I was wondering about handling a cpe-vendor property to handle such
>> cases, since cpe-name won't help here.
>
> Yes, we need that.  (guix cve) currently blissfully ignores the “vendor”
> part of CPE names; we can do better.

I've done that in the v2 of 74034. I actually introduce two properties,
cpe-vendor and lint-hidden-cpe-vendors (akin to lint-hidden-cve). This
is because:
- most of the time we don't have a cpe-vendor but we know which
others cpe-vendors to ignore
- knowing which ones to ignore brings more information than
lint-hidden-cve since it's stable in time (future CVEs for other
packages won't get raised)

-- 
Best regards,
Nicolas Graves


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-10-27 18:29 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-25 13:33 Introduce a cpe-vendor package property? Nicolas Graves
2024-10-26 15:08 ` Ludovic Courtès
2024-10-27 18:29   ` Nicolas Graves

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.