proposals/accepted/037-advisory-db.md: 5 additions & 1 deletion
@@ -84,7 +84,9 @@ The people involved in executing this proposal, if accepted, are:
The file format for advisories is based on that of RustSec, with changes made for compatibility with Haskell tooling and concepts. An advisory consists of a Markdown file, the first element of which must be a fenced code block written in the `toml` language. This block contains the advisory's structured metadata.
-
The TOML frontmatter must contain a table called `advisory` and a table called `versions`, and it may contain a table called `affected`. The `advisory` table contains the following fields, all of which are mandatory unless otherwise indicated:
+
The TOML frontmatter must contain a table called `advisory` and a table called `versions`, and it may contain a table called `affected`.
+
+
The `advisory` table contains the following fields, all of which are mandatory unless otherwise indicated:
*`id`, a string, which is a unique identifier. This string should have the form `HSEC-YYYY-NNNN`, where `YYYY` is the year and `NNNN` is a sequential numbering beginning at `0001`.
*`package`, a string, the name of the affected Hackage package
*`date`, a TOML local date, which is the disclosure date.
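Review bot: the `id` bullet in this hunk does not say whether `NNNN` restarts at `0001` each year or keeps counting across years; tooling that validates or allocates identifiers needs one answer, so state it explicitly in the sentence that introduces `HSEC-YYYY-NNNN`, and while here, say whether `NNNN` is zero-padded to four digits or may grow beyond four. Minor style: the `package` bullet lacks the terminal period the `id` and `date` bullets have, and the bullets are written `*\`id\`` with no space after the asterisk, which many Markdown renderers will not treat as a list item.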
@@ -94,10 +96,12 @@ The TOML frontmatter must contain a table called `advisory` and a table called `
*`keywords`, an optional array of strings, which may be any string that the submitter finds relevant. By convention, they are written in lowercase.
*`aliases`, an optional array of strings, each of which is another identifier such as a CVE
*`related`, an optional array of strings, each of which is an identifier for a related advisory (such as for a wrapped C library)
+
The `affected` table, if present, contains the following fields, all of which are optional:
*`arch`, an array of strings, each of which is the value of `System.Info.arch` on the affected systems. The advisory only applies to the specified architectures. If this key is absent, then the advisory applies to all architectures.
*`os`, an array of strings, each of which is the value of `System.Info.os` on the affected systems. The advisory only applies to the specified operating systems. If this key is absent, then the advisory applies to all operating systems.
*`declarations`, a table that maps fully-qualified names from the package to Cabal v2.0 version ranges. These ranges must all be contained in the affected versions (specified later), and they specify that the given name is the source of the advisory in that sub-range. This allows one advisory to mention a function or datatype that is renamed at some point during development.
+
The `versions` table contains a single mandatory key, `affected`, whose value is a string that contains a Cabal v2.0 version range.
Cabal v2.0 version ranges are specified using the following grammar:
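Review bot: the `arch` and `os` bullets define only the absent-key case ("applies to all"); an empty array (`arch = []`) is left undefined, and a naive reader would treat it as "applies to no architecture", which silently disables the advisory. Specify that an empty array is either rejected by the tooling or equivalent to an absent key. Likewise the `declarations` bullet says its ranges "must all be contained in the affected versions" but not what happens when they are not; say whether the validator rejects the advisory or only warns. The added blank lines before "The `affected` table" and "The `versions` table" are needed for Markdown to close the preceding lists, so that part is correct; one more thing worth a sentence is that the `affected` table and the `versions.affected` key share a name, which is easy to confuse when reading the frontmatter. Style: the `aliases` and `related` bullets lack terminal periods.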