Hi, Léo Le Bouter <[email protected]> skribis:
> ./pre-inst-env guix lint -c cve [email protected]
>
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).
>
> Annotating each and every python-, go-, and rust- package with cpe-name
> properties is going to be very annoying. I suggest we add some
> heuristics that try both the full name and prefix-trimmed name.
> python-urllib3's cpe name and vendor is python (vendor) urllib3 (name).
>
> Same story for CVE-2021-28305 and rust-diesel, though it doesn't even
> have a CPE entry yet.

Yes, that’s an issue.

We can address these by adding a ‘cpe-name’ property (info "(guix) Invoking guix lint"), but that’s going to be tedious. We can at least add it to high-profile packages for now.

Tooling that suggests or deduces the CPE name would help a lot:

  https://issues.guix.gnu.org/42299

Ludo’.
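The prefix-trimming heuristic proposed in the quoted message, sketched as a stand-alone Python model (an added illustration, not code from Guix's `guix lint` CVE checker). The `PREFIX_VENDORS` table, the `cpe_candidates`/`lookup_cves` functions and the sample database are assumptions for the demonstration: only the python/urllib3 mapping and the two CVE ids come from the thread, the go and rust vendor names and the `EXAMPLE-*` rows are constructed. An explicit `cpe-name` property takes precedence over guessing, a trimmed name is only matched under its prefix's vendor (so `rust-diesel` does not pick up an unrelated `diesel` from another vendor), and a package with no CPE entry at all still comes back empty:

```python
"""Stand-alone model of the prefix-trimming CPE heuristic from the thread.

This is an added illustration, not code from Guix's `guix lint` CVE checker;
the candidate-generation and lookup logic is assumed for demonstration.
"""
from dataclasses import dataclass

# Guix naming prefixes mapped to the CPE vendor to try after trimming.
# python -> urllib3 is the case from the thread; the go and rust vendors are
# assumptions for illustration (real CPE vendors vary per project).
PREFIX_VENDORS = {
    "python-": "python",
    "go-": "go",
    "rust-": "rust",
}


def cpe_candidates(package_name, cpe_name=None):
    """Return (vendor, product) pairs to look up, most specific first.

    An explicit cpe-name property wins outright, so no guessing is done for
    it. Otherwise the full package name is tried with no vendor constraint
    (it may already be the CPE product name), then each matching prefix is
    trimmed and the result is constrained to that prefix's vendor."""
    if cpe_name is not None:
        return [(None, cpe_name)]
    candidates = [(None, package_name)]
    for prefix, vendor in PREFIX_VENDORS.items():
        trimmed = package_name[len(prefix):]
        if package_name.startswith(prefix) and trimmed:
            candidates.append((vendor, trimmed))
    return candidates


@dataclass(frozen=True)
class CveEntry:
    cve_id: str
    vendor: str
    product: str


def lookup_cves(package_name, database, cpe_name=None):
    """Collect CVE ids whose (vendor, product) matches any candidate.

    A candidate with vendor None matches any vendor; a trimmed candidate only
    matches within its prefix's vendor, which keeps `rust-foo` from picking
    up an unrelated product called `foo` under some other vendor."""
    found = []
    for vendor, product in cpe_candidates(package_name, cpe_name):
        for entry in database:
            if entry.product != product:
                continue
            if vendor is not None and entry.vendor != vendor:
                continue
            if entry.cve_id not in found:
                found.append(entry.cve_id)
    return found


# Constructed sample database. CVE-2021-28363 / python / urllib3 is the case
# from the thread; the EXAMPLE-* rows are invented placeholders that exercise
# the edge cases (full-name match, same product name under another vendor).
SAMPLE_DB = [
    CveEntry("CVE-2021-28363", "python", "urllib3"),
    CveEntry("EXAMPLE-1", "example", "go-widget"),
    CveEntry("EXAMPLE-2", "othervendor", "diesel"),
]

if __name__ == "__main__":
    for name in ("python-urllib3", "go-widget", "rust-diesel"):
        print(name, "->", lookup_cves(name, SAMPLE_DB))
    print("rust-diesel with cpe-name=diesel ->",
          lookup_cves("rust-diesel", SAMPLE_DB, cpe_name="diesel"))
```

Restricting trimmed candidates to their prefix's vendor is the part worth keeping if something like this ever lands: the full-name lookup is cheap and safe, but an unconstrained trimmed name would turn every short product name in the CPE dictionary into a false positive.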
