From 76a19b08b0691f51af461a176289ab7efb9cd12d Mon Sep 17 00:00:00 2001 From: Nicolas Graves Date: Mon, 23 Jun 2025 10:36:14 +0200 Subject: [PATCH] doc: Update CVE documentation. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * doc/guix.texi (Invoking guix lint): Document ‘cpe-vendor’ and ‘lint-hidden-cpe-vendors’. Change-Id: I5f3054c9f6e2d1e85a1ccb293a2471439f5e5f44 Signed-off-by: Ludovic Courtès --- doc/guix.texi | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 7bbb36e7e3e..a9f64bd9e42 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -15863,11 +15863,29 @@ that Guix uses, as in this example: (cpe-version . "2.3")))) @end lisp +A CVE alert can be a false positive when its CPE name matches the one in +Guix, while actually referring to a distinct product. These alerts can +be addressed by setting the correct CPE vendor, or when no vendors +apply, by ignoring alerts from irrelevant vendors, as in these examples: + +@lisp +(package + (name "halibut") + ;; @dots{} + (properties '((cpe-vendor . "halibut_project")))) + +(package + (name "cvs") + ;; @dots{} + (properties '((lint-hidden-cpe-vendors . ("jenkins" + "vendor2"))))) +@end lisp + @c See . -Some entries in the CVE database do not specify which version of a -package they apply to, and would thus ``stick around'' forever. Package -developers who found CVE alerts and verified they can be ignored can -declare them as in this example: +Finally, some entries in the CVE database do not specify which version +of a package they apply to, and would thus ``stick around'' forever. +Package developers who found CVE alerts and verified they can be ignored +can declare them as in this example: @lisp (package
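Review bot: In the doc/guix.texi hunk, the phrase "or when no vendors apply" in the new paragraph is ambiguous: it reads as if no vendor exists at all, while the `lint-hidden-cpe-vendors` example for "cvs" covers the case where no single CPE vendor fits and stray vendors must be excluded. Suggest rewording to something like "or, when no single vendor is right, by ignoring alerts from irrelevant vendors". The `"vendor2"` entry in that example also reads as filler next to the concrete `"jenkins"`; either use a second real vendor or label it as a placeholder. Finally, since `lint-hidden-cpe-vendors` suppresses every alert from the listed vendors for that package, a sentence saying so, and recommending `cpe-vendor` whenever one vendor does fit, would help maintainers reach for the narrower option first.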