[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GNOME Orca 'orca' package mislabeled by 'guix lint -c cve'
From: |
Ludovic Courtès |
Subject: |
Re: GNOME Orca 'orca' package mislabeled by 'guix lint -c cve' |
Date: |
Mon, 15 Mar 2021 17:42:27 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) |
Hi Léo,
Léo Le Bouter <lle-bout@zaclys.net> skribis:
> Currently CVE-2020-9298 is being wrongly reported by 'guix lint -c cve'
> because vendor is not taken into account, therefore:
> "cpe:2.3:a:spinnaker:orca" also matches.
>
> Reminder that we need cpe-vendor property as told in <
> https://issues.guix.gnu.org/40142>.
>
> I would like to tag the package but currently cannot because cpe-vendor
> does not exist yet.
As a workaround, you could tag it with ‘lint-hidden-cve’ with an “XXX”
comment explaining the situation.
Thanks for looking into all this!
Ludo’.