guix-devel

Re: Auditing CPE names


From: Leo Famulari
Subject: Re: Auditing CPE names
Date: Sun, 12 Feb 2017 10:38:11 -0500
User-agent: Mutt/1.7.2 (2016-11-26)

On Sat, Feb 11, 2017 at 02:53:46PM -0500, Leo Famulari wrote:
> It's important to name the package in accordance with the CPE or set
> the cpe-name property, or else `guix lint -c cve` won't work for that
> package.

In commit 84b60a7cdfc (gnu: lcms: Fix an out-of-bounds read.) I tried to
set the cpe-name but couldn't get it to work, and then I forgot to
remove it from the commit message before pushing.

Anyways, I still can't get it to work after trying again today.

This package should be reported as vulnerable to CVE-2016-10165. The CVE
database for 2016 includes this line in the entry for that CVE:

<cpe-lang:fact-ref name="cpe:/a:littlecms:little_cms_color_engine"/>

But when setting the cpe-name to little_cms_color_engine, the linter
still doesn't report the vulnerability.

Any ideas?
