Re: GNOME Orca 'orca' package mislabeled by 'guix lint -c cve'

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GNOME Orca 'orca' package mislabeled by 'guix lint -c cve'

From:	Ludovic Courtès
Subject:	Re: GNOME Orca 'orca' package mislabeled by 'guix lint -c cve'
Date:	Mon, 15 Mar 2021 17:42:27 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi Léo,

Léo Le Bouter <lle-bout@zaclys.net> skribis:

> Currently CVE-2020-9298 is being wrongly reported by 'guix lint -c cve'
> because vendor is not taken into account, therefore:
> "cpe:2.3:a:spinnaker:orca" also matches.
>
> Reminder that we need cpe-vendor property as told in <
> https://issues.guix.gnu.org/40142>.
>
> I would like to tag the package but currently cannot because cpe-vendor 
> does not exist yet.

As a workaround, you could tag it with ‘lint-hidden-cve’ with an “XXX”
comment explaining the situation.

Thanks for looking into all this!

Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

GNOME Orca 'orca' package mislabeled by 'guix lint -c cve', Léo Le Bouter, 2021/03/10
- Re: GNOME Orca 'orca' package mislabeled by 'guix lint -c cve', Ludovic Courtès <=

Prev by Date: Re: Release 1.2.1: remove clang@3.6?
Next by Date: Re: guix home
Previous by thread: GNOME Orca 'orca' package mislabeled by 'guix lint -c cve'
Next by thread: pjproject package is vulnerable to CVE-2021-21375 and CVE-2020-15260
Index(es):
- Date
- Thread