bartronx7/guix
1
0
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2026-01-25 03:55:08 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

doc: Update CVE documentation.

Browse source 
* doc/guix.texi (Invoking guix lint): Document ‘cpe-vendor’ and
‘lint-hidden-cpe-vendors’.

Change-Id: I5f3054c9f6e2d1e85a1ccb293a2471439f5e5f44
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This commit is contained in:
Nicolas Graves 2025-06-23 10:36:14 +02:00 committed by Ludovic Courtès
parent 9df0238e06
commit 76a19b08b0
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 22 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
doc/guix.texi
View file

@ -15863,11 +15863,29 @@ that Guix uses, as in this example:
(cpe-version . "2.3"))))
@end lisp
A CVE alert can be a false positive when its CPE name matches the one in
Guix, while actually referring to a distinct product. These alerts can
be addressed by setting the correct CPE vendor, or when no vendors
apply, by ignoring alerts from irrelevant vendors, as in these examples:
@lisp
(package
(name "halibut")
;; @dots{}
(properties '((cpe-vendor . "halibut_project"))))
(package
(name "cvs")
;; @dots{}
(properties '((lint-hidden-cpe-vendors . ("jenkins"
"vendor2")))))
@end lisp
@c See <https://www.openwall.com/lists/oss-security/2017/03/15/3>.
Some entries in the CVE database do not specify which version of a
package they apply to, and would thus ``stick around'' forever. Package
developers who found CVE alerts and verified they can be ignored can
declare them as in this example:
Finally, some entries in the CVE database do not specify which version
of a package they apply to, and would thus ``stick around'' forever.
Package developers who found CVE alerts and verified they can be ignored
can declare them as in this example:
@lisp
(package