This is GNOME Orca in the CPE database: 
https://nvd.nist.gov/products/cpe/detail/660937?namingFormat=2.3&orderBy=CPEURI&keyword=orca&status=FINAL

Currently CVE-2020-9298 is being wrongly reported by 'guix lint -c cve'
because vendor is not taken into account, therefore:
"cpe:2.3:a:spinnaker:orca" also matches.

Reminder that we need cpe-vendor property as told in <
https://issues.guix.gnu.org/40142>.

I would like to tag the package but currently cannot because cpe-vendor 
does not exist yet.