Hello!

On IRC earlier today we were looking at and wondering about the CPE suggestions (which are nice!).

I tried the attached hack, which produces a few useless and sometimes erroneous suggestions, by comparing the “references” of each CVE (usually URLs of a security advisory or bug report) to the home page of the package:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix lint -c cpe
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1103:2: tcpdump@4.9.3: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:2866:2: pam-krb5@4.8: suggested CPE name: 'pam-krb5'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1075:2: libpcap@1.9.1: suggested CPE name: 'libpcap'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'element_software_management_node'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:1367:2: sudo@1.9.1: suggested CPE name: 'sudo'
gnu/packages/admin.scm:614:2: shadow@4.8.1: suggested CPE name: 'shadow'
gnu/packages/aspell.scm:99:2: aspell-dict-ar@1.2-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-mi@0.50-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pl@0.51-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-ru@0.99f7-1: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-sv@0.51-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fr@0.50-3: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-pt-br@20131030-12-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-el@0.08-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-hi@0.02-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-de@20161207-7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-be@0.01: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-es@1.11-2: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-grc@0.02-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-fi@0.7-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-da@1.6.36-11-0: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:99:2: aspell-dict-nl@0.50-2: suggested CPE name: 'aspell'
gnu/packages/aspell.scm:41:2: aspell@0.60.8: suggested CPE name: 'aspell'
[…]
--8<---------------cut here---------------end--------------->8---

The conclusion is that, to make good suggestions, we need to parse the CPE dictionary as well:

  https://nvd.nist.gov/Products/CPE

This one is still XML (not JSON) and we’d have to merge duplicates, as in this example:

--8<---------------cut here---------------start------------->8---
GNU cpio
GNU cpio 1.0
GNU cpio 1.1
GNU cpio 1.2
GNU cpio 1.3
GNU cpio 2.4.2
GNU cpio 2.5
GNU cpio 2.5.90
GNU cpio 2.6
GNU cpio 2.7
Change Log
--8<---------------cut here---------------end--------------->8---

The references are not always useful, as above, but sometimes there’s a “Product” reference that is the package home page.

Anyway, would be nice to add that to (guix cve) instead of succumbing to the convenience of SaaSS!

Ludo’.
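The two steps the message sketches, merging the per-version duplicates of the CPE dictionary into one record per product and then matching a package home page against the dictionary's “Product” references, as an added example in Python (not the attached Guix hack and not Guix code). The XML is a constructed excerpt in the layout of the official CPE dictionary (`cpe-list`/`cpe-item`/`references`), and `merge_products`/`suggest_cpe` are names chosen here.

```python
# Added example, not Guix code: merge per-version entries of the NVD CPE
# dictionary into one record per product, then suggest a CPE product name
# for a package by matching its home page against "Product" references.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"d": "http://cpe.mitre.org/dictionary/2.0"}

# Constructed excerpt in the official-cpe-dictionary layout: one cpe-item
# per version, hence the duplicates the dictionary has to be merged over.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
 <cpe-item name="cpe:/a:gnu:cpio:2.5"><title xml:lang="en-US">GNU cpio 2.5</title>
  <references><reference href="https://www.gnu.org/software/cpio/">Product</reference>
   <reference href="https://git.savannah.gnu.org/cgit/cpio.git">Change Log</reference>
  </references></cpe-item>
 <cpe-item name="cpe:/a:gnu:cpio:2.7"><title xml:lang="en-US">GNU cpio 2.7</title>
  <references><reference href="https://www.gnu.org/software/cpio/">Product</reference>
  </references></cpe-item>
 <cpe-item name="cpe:/a:tcpdump:libpcap:1.9.1"><title xml:lang="en-US">Tcpdump libpcap 1.9.1</title>
  <references><reference href="https://www.tcpdump.org/">Product</reference>
  </references></cpe-item>
</cpe-list>"""

def merge_products(xml_text):
    """Return {(vendor, product): {"versions": [...], "home": {...}}},
    collapsing the per-version cpe-items and keeping only 'Product' links."""
    products = {}
    for item in ET.fromstring(xml_text).findall("d:cpe-item", NS):
        # URI binding: cpe:/<part>:<vendor>:<product>:<version>[:...]
        _, _, vendor, product, version = item.get("name").split(":")[:5]
        rec = products.setdefault((vendor, product), {"versions": [], "home": set()})
        rec["versions"].append(version)
        for ref in item.findall("d:references/d:reference", NS):
            if ref.text == "Product":
                rec["home"].add(ref.get("href"))
    return products

def _key(url):
    """Compare URLs by host and path only: scheme and trailing slash differ
    between package metadata and the dictionary without being meaningful."""
    u = urlsplit(url)
    return u.netloc.lower(), u.path.rstrip("/")

def suggest_cpe(products, home_page):
    """Vendor/product pairs whose 'Product' reference is the package home page."""
    return sorted(vp for vp, rec in products.items()
                  if any(_key(h) == _key(home_page) for h in rec["home"]))
```

Matching on the “Product” reference only, rather than on every reference, is what keeps a tcpdump advisory URL from turning into a 'libpcap' suggestion as in the lint output above.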