Hi Guix,
As you've certainly noticed, I'm currently supplying some security patches by checking every package that is linted on the cve checker. I have a WIP patch series about adding lint-hidden-cve property to packages where it is relevant.

While doing it, I noticed that there are quite some packages with duplicated cpe-names (a few examples: xenon, bolt, express, halibut, folders, portfolio...) in the NIST database. I was wondering about handling a cpe-vendor property to handle such cases, since cpe-name won't help here.

To note: Most of the time, this won't help and we'll still have to fill hidden-lint-cve (since most of these packages have no CVEs and therefore are not in the database at all, despite having similarly-named packages).

--
Best regards,
Nicolas Graves
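The name collision described above, as an added example that is not part of the original message and is not Guix code: it parses CPE 2.3 strings and compares matching on product alone with matching on vendor plus product. The `vendor` argument stands in for the proposed cpe-vendor property; the feed entries, vendor names and CVE ids are constructed placeholders, not NIST data.

```python
# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def split_unescaped(s):
    """Split on ':' while keeping backslash-escaped characters (e.g. '\\:') intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape pair together
            i += 2
        elif s[i] == ":":
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def parse_cpe23(cpe):
    """Return the 11 named attributes of a CPE 2.3 formatted string."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    parts = split_unescaped(cpe[len(prefix):])
    if len(parts) != len(FIELDS):
        raise ValueError("expected 11 attributes, got %d" % len(parts))
    return dict(zip(FIELDS, parts))

def matching_cves(feed, product, vendor=None):
    """CVE ids with a CPE for `product`; also require `vendor` when one is given."""
    hits = []
    for cve_id, cpes in feed:
        fields = [parse_cpe23(c) for c in cpes]
        if any(f["product"] == product and vendor in (None, f["vendor"])
               for f in fields):
            hits.append(cve_id)
    return hits

# Constructed sample feed: placeholder CVE ids and vendors.
FEED = [
    ("CVE-0000-0001", ["cpe:2.3:a:vendor_a:bolt:1.2.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0002", ["cpe:2.3:a:vendor_b:bolt:3.0:*:*:*:*:wordpress:*:*"]),
    ("CVE-0000-0003", ["cpe:2.3:a:vendor_c:bolt\\:cms:2.1:*:*:*:*:*:*:*"]),
    ("CVE-0000-0004", ["cpe:2.3:a:vendor_a:xenon:0.9:*:*:*:*:*:*:*"]),
]

if __name__ == "__main__":
    print("product only:  ", matching_cves(FEED, "bolt"))
    print("vendor+product:", matching_cves(FEED, "bolt", "vendor_a"))
```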