Re: Auditing CPE names
From: Leo Famulari
Subject: Re: Auditing CPE names
Date: Sun, 12 Feb 2017 10:38:11 -0500
User-agent: Mutt/1.7.2 (2016-11-26)

On Sat, Feb 11, 2017 at 02:53:46PM -0500, Leo Famulari wrote:
> It's important to name the package in accordance with the CPE or set
> the cpe-name property, or else `guix lint -c cve` won't work for that
> package.

In commit 84b60a7cdfc (gnu: lcms: Fix an out-of-bounds read.) I tried to
set the cpe-name but couldn't get it to work, and then I forgot to
remove it from the commit message before pushing.

Anyways, I still can't get it to work after trying again today.

This package should be reported as vulnerable to CVE-2016-10165. The CVE
database for 2016 includes this line in the entry for that CVE:

  <cpe-lang:fact-ref name="cpe:/a:littlecms:little_cms_color_engine"/>

But when setting the cpe-name to little_cms_color_engine, the linter
still doesn't report the vulnerability.

Any ideas?