On 2024-10-26 17:08, Ludovic Courtès wrote: > Hi, > > Nicolas Graves <ngra...@ngraves.fr> skribis: > >> I was wondering about handling a cpe-vendor property to handle such >> cases, since cpe-name won't help here. > > Yes, we need that. (guix cve) currently blissfully ignores the “vendor” > part of CPE names; we can do better.
I've done that in the v2 of 74034. I actually introduce two properties, cpe-vendor and lint-hidden-cpe-vendors (akin to lint-hidden-cve). This is because: - most of the time we don't have a cpe-vendor but we know which others cpe-vendors to ignore - knowing which ones to ignore brings more information than lint-hidden-cve since it's stable in time (future CVEs for other packages won't get raised) -- Best regards, Nicolas Graves
