Leo Famulari <l...@famulari.name> skribis:

> On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
>> Ah just checked our linter doesn't flag a CVE, so I think we're ok...
>
> The linter is a good tool for catching things that we miss, but it's not
> a substitute for manual investigation :)

+1

> First, our package's name might not match the name used by the Common
> Platform Enumeration [0], which is the name that the linter looks up. We
> can give packages a cpe-name property [1], which tells the linter to use
> something besides the package's name.
>
> Second, I've noticed that sometimes bugs are publicized on oss-sec or
> elsewhere, but then they don't show up in the CVE database for a while.

Often, vulnerabilities and CVE IDs are publicized when the CVE ID is still marked as “reserved” without additional info; reserved CVE IDs don’t show up in the CVE database that ‘guix lint’ fetches.

> An aside, the CVE linter gives false positives for grafted packages. For
> example, try `guix lint -c cve openssl@1.0`.

That’s been annoying me for some time, so I’d like to see if we can improve grafting in a way that would allow us to use a different version number in the package replacement, which in turn would allow ‘guix lint’ to see the right version number of the replacement.

Ludo’.
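For readers following the cpe-name discussion above, here is an added example (not code from this thread or from the Guix tree) of where the property goes in a package definition. The package name "libfoo-ng", its URL, hash and CPE product name "libfoo" are all made-up placeholders; the point is that the Guix name differs from the CPE product name, so the linter is told explicitly which one to query.

```scheme
;; Added example: a hypothetical package whose Guix name ("libfoo-ng")
;; differs from the name the Common Platform Enumeration uses ("libfoo").
;; Without the cpe-name property, `guix lint -c cve libfoo-ng` would look
;; up "libfoo-ng" in the CVE data and report nothing, even if CVEs exist
;; for "libfoo".  The URL and sha256 below are placeholders, not real values.
(define-module (my packages libfoo-ng)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

(define-public libfoo-ng
  (package
    (name "libfoo-ng")                      ; name used inside Guix
    (version "1.2.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://example.org/libfoo-ng-"
                                  version ".tar.gz"))
              (sha256
               ;; Placeholder hash; replace with the real one.
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; This is what `guix lint -c cve` reads: the CPE product name to
    ;; match against the CVE database instead of the package's name.
    (properties '((cpe-name . "libfoo")))
    (home-page "https://example.org/libfoo-ng")
    (synopsis "Hypothetical library used to illustrate cpe-name")
    (description "Placeholder package showing the cpe-name property.")
    (license license:gpl3+)))
```

With the property in place, `guix lint -c cve libfoo-ng` queries the CVE data for the product "libfoo" at version 1.2.3; the version string is still taken from the package's own `version` field, which is exactly why grafted replacements that keep the old version number produce the false positives mentioned in the thread.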