[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#40142: (guix cve) discards configuration "vendor", leading to false
From: |
Ludovic Courtès |
Subject: |
bug#40142: (guix cve) discards configuration "vendor", leading to false positives |
Date: |
Thu, 02 Apr 2020 12:38:16 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) |
Hi,
Brice Waegeneire <address@hidden> skribis:
> It looks like, for most free software the name of the software is used
> as
> the vendor too, but I'm guessing that's not always the case in
> particular
> when two project are using the same name. So we can't just filter the
> entries where the vendor name isn't the name of the package or we could
> end up with false negatives which seems worse than false positive for a
> vulnerability checker.
Yeah.
> One solution would be to display the name of the vendor when it doesn't
> correspond to the name of the package. Such solution would still output
> false positives but at least it will be quicker to identify then as
> such,
> compared to looking up and reading trough each CVE.
Yes, though I think that (guix cve) should simply preserve the vendor
part, and leave it up to its user, ‘guix lint’, to display vendor
mismatches.
Thanks,
Ludo’.