Hi, On Tue, 16 Mar 2021 at 10:30, Léo Le Bouter via Bug reports for GNU Guix wrote: > ./pre-inst-env guix lint -c cve python-urllib3@1.26.2 > Here this should return at least CVE-2021-28363 but it does not because > the CVE database contains urllib3 and not python-urllib3 (which AFAICT > the cve linter searches for). Does the CVE use the upstream name? Or a normalized name? I mean, in the R world, packages can have names as 'org.EcK12.eg.db' which becomes "r-org-eck12-eg-db". To easy the mapping for updating and co, the package definition contains: (properties `((upstream-name . "org.EcK12.eg.db"))) Maybe, it could be worth to have similar things. WDYT? All the best, simon