guix_mirror_bot pushed a commit to branch master
in repository guix.
commit 76a19b08b0691f51af461a176289ab7efb9cd12d
Author: Nicolas Graves <[email protected]>
AuthorDate: Mon Jun 23 10:36:14 2025 +0200
doc: Update CVE documentation.
* doc/guix.texi (Invoking guix lint): Document ‘cpe-vendor’ and
‘lint-hidden-cpe-vendors’.
Change-Id: I5f3054c9f6e2d1e85a1ccb293a2471439f5e5f44
Signed-off-by: Ludovic Courtès <[email protected]>
---
doc/guix.texi | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 7bbb36e7e3..a9f64bd9e4 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15863,11 +15863,29 @@ that Guix uses, as in this example:
(cpe-version . "2.3"))))
@end lisp
+A CVE alert can be a false positive when its CPE name matches the one in
+Guix, while actually referring to a distinct product. These alerts can
+be addressed by setting the correct CPE vendor, or when no vendors
+apply, by ignoring alerts from irrelevant vendors, as in these examples:
+
+@lisp
+(package
+ (name "halibut")
+ ;; @dots{}
+ (properties '((cpe-vendor . "halibut_project"))))
+
+(package
+ (name "cvs")
+ ;; @dots{}
+ (properties '((lint-hidden-cpe-vendors . ("jenkins"
+ "vendor2")))))
+@end lisp
+
@c See <https://www.openwall.com/lists/oss-security/2017/03/15/3>.
-Some entries in the CVE database do not specify which version of a
-package they apply to, and would thus ``stick around'' forever. Package
-developers who found CVE alerts and verified they can be ignored can
-declare them as in this example:
+Finally, some entries in the CVE database do not specify which version
+of a package they apply to, and would thus ``stick around'' forever.
+Package developers who found CVE alerts and verified they can be ignored
+can declare them as in this example:
@lisp
(package
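Review bot: the second example in this hunk, `(properties '((lint-hidden-cpe-vendors . ("jenkins" "vendor2")))))`, ships the placeholder `"vendor2"` into user-facing documentation; either drop it so the example shows a single real vendor, or elide it with `@dots{}` as the surrounding examples already do for omitted fields (`;; @dots{}`). Two smaller points on the prose above the @lisp block: "or when no vendors apply" reads oddly next to an example that hides named vendors, and probably means "when no single vendor applies"; and since the two properties take different shapes (`cpe-vendor` is paired with one string, `lint-hidden-cpe-vendors` with a list of strings), a sentence stating that explicitly would save readers inferring it from the examples.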