bug-guix

From: Ludovic Courtès
Subject: bug#40142: (guix cve) discards configuration "vendor", leading to false positives
Date: Thu, 02 Apr 2020 12:38:16 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi,

Brice Waegeneire <address@hidden> skribis:

> It looks like, for most free software the name of the software is used
> as the vendor too, but I'm guessing that's not always the case, in
> particular when two projects are using the same name. So we can't just
> filter the entries where the vendor name isn't the name of the package
> or we could end up with false negatives, which seems worse than false
> positives for a vulnerability checker.

Yeah.

> One solution would be to display the name of the vendor when it doesn't
> correspond to the name of the package. Such a solution would still output
> false positives, but at least it will be quicker to identify them as
> such, compared to looking up and reading through each CVE.

Yes, though I think that (guix cve) should simply preserve the vendor
part, and leave it up to its user, ‘guix lint’, to display vendor
mismatches.

Thanks,
Ludo’.
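As an added illustration of the approach discussed in this thread (this is not Guix code and not part of the original message; it is a standalone Python sketch): the matcher keeps the CPE vendor field alongside the product name, matches on product and version only, and flags a vendor/package-name mismatch for the reporting layer instead of dropping the entry. The CVE identifiers, CPE names and version ranges below are constructed placeholders; the `version_start_including`/`version_end_excluding` keys mirror the NVD feed's range fields, and versions are assumed to be plain dotted integers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    """The CPE 2.3 components that matter for matching."""
    part: str
    vendor: str
    product: str
    version: str  # "*" stands for "any version" in CPE


def parse_cpe23(name: str) -> Cpe:
    """Split a formatted CPE 2.3 string ('cpe:2.3:a:vendor:product:version:...')."""
    fields = name.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {name!r}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def version_key(version: str) -> tuple:
    """Comparable tuple for a dotted numeric version (assumed format)."""
    return tuple(int(x) for x in version.split("."))


def version_affected(pkg_version: str, cpe: Cpe, entry: dict) -> bool:
    """True if PKG_VERSION is inside the entry's affected range."""
    if cpe.version != "*":
        return version_key(pkg_version) == version_key(cpe.version)
    key = version_key(pkg_version)
    start = entry.get("version_start_including")
    end = entry.get("version_end_excluding")
    if start is not None and key < version_key(start):
        return False
    if end is not None and key >= version_key(end):
        return False
    return True


@dataclass(frozen=True)
class Match:
    cve_id: str
    vendor: str
    product: str
    vendor_mismatch: bool  # vendor field differs from the package name


def matching_cves(package: str, version: str, entries: list) -> list:
    """Match on product + version only; never filter on vendor (avoids false negatives)."""
    matches = []
    for entry in entries:
        cpe = parse_cpe23(entry["cpe"])
        if cpe.part != "a" or cpe.product != package:
            continue
        if not version_affected(version, cpe, entry):
            continue
        matches.append(Match(entry["id"], cpe.vendor, cpe.product,
                             vendor_mismatch=(cpe.vendor != package)))
    return matches


def lint_report(package: str, version: str, entries: list) -> list:
    """The 'guix lint'-style layer: surface vendor mismatches for a human to triage."""
    lines = []
    for m in matching_cves(package, version, entries):
        line = f"{package}@{version} may be affected by {m.cve_id}"
        if m.vendor_mismatch:
            line += (f" (CPE vendor {m.vendor!r} differs from the package name;"
                     " possible name clash, check before acting)")
        lines.append(line)
    return lines


# Constructed sample feed: identifiers and CPE names are placeholders, not real CVEs.
SAMPLE_ENTRIES = [
    {"id": "CVE-EXAMPLE-1", "cpe": "cpe:2.3:a:foo:foo:1.2.3:*:*:*:*:*:*:*"},
    {"id": "CVE-EXAMPLE-2", "cpe": "cpe:2.3:a:othervendor:foo:*:*:*:*:*:*:*:*",
     "version_end_excluding": "2.0"},            # same product name, other vendor
    {"id": "CVE-EXAMPLE-3", "cpe": "cpe:2.3:a:foo:bar:1.2.3:*:*:*:*:*:*:*"},
    {"id": "CVE-EXAMPLE-4", "cpe": "cpe:2.3:a:foo:foo:*:*:*:*:*:*:*:*",
     "version_start_including": "2.0"},
]


if __name__ == "__main__":
    for line in lint_report("foo", "1.2.3", SAMPLE_ENTRIES):
        print(line)
```

Running it reports both CVE-EXAMPLE-1 and CVE-EXAMPLE-2 for `foo@1.2.3`, with the second one annotated as a vendor mismatch; the annotation is what lets a reviewer dismiss a name clash quickly without reading every CVE, while the entry is never silently dropped.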
