Commit 1371304

committed
Document msys2_ignore_vulnerabilities
1 parent edfd5fe commit 1371304

2 files changed

+24
-10
lines changed

web/dev/pkgbuild.md

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -9,15 +9,16 @@ format. We have some minor extensions to the format, which are documented here.
99
Variables starting with `msys2_` and `mingw_` can be used to add additional metadata to a package, which will be read and used by our tools.
1010
The following variables are recognized:
1111

12-
| Variable | Type | Description |
13-
|--------------------------- |---------|-------------|
14-
| `mingw_arch` | array | A list of MSYS2 environments the package is built for. Defaults to an empty list. |
15-
| `msys2_references` | mapping | Maps the package to external resources, such as other package repositories. |
16-
| `msys2_changelog_url` | string | NEWS file in git or the GitHub releases page. In case there are multiple, the one that is more useful for packagers. |
17-
| `msys2_documentation_url` | string | URL to the documentation for the API, tools, etc., in case it's a different website than the homepage. |
18-
| `msys2_repository_url` | string | URL to the web view of the repository, e.g., on GitHub or GitLab. |
19-
| `msys2_issue_tracker_url` | string | URL to the bug tracker, mailing list archive, etc. |
20-
| `msys2_pgp_keys_url` | string | URL to a website containing which keys are used to sign releases. |
12+
| Variable | Type | Description |
13+
|--------------------------------|---------|----------------------------------------------------------------------------------------------------------------------|
14+
| `mingw_arch` | array | A list of MSYS2 environments the package is built for. Defaults to an empty list. |
15+
| `msys2_references` | mapping | Maps the package to external resources, such as other package repositories. |
16+
| `msys2_changelog_url` | string | NEWS file in git or the GitHub releases page. In case there are multiple, the one that is more useful for packagers. |
17+
| `msys2_documentation_url` | string | URL to the documentation for the API, tools, etc., in case it's a different website than the homepage. |
18+
| `msys2_repository_url` | string | URL to the web view of the repository, e.g., on GitHub or GitLab. |
19+
| `msys2_issue_tracker_url` | string | URL to the bug tracker, mailing list archive, etc. |
20+
| `msys2_pgp_keys_url` | string | URL to a website containing which keys are used to sign releases. |
21+
| `msys2_ignore_vulnerabilities` | array | A list of CVE and/or GHSA IDs which should be ignored. |
2122

2223
For `msys2_references` the following keys are recognized:
2324
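Review bot: the new `msys2_ignore_vulnerabilities` row describes the field as IDs "which should be ignored" but gives no hint of when ignoring is appropriate or that a justification should accompany each entry; consider cross-referencing the vulnerabilities page, where the conditions (not affecting our users, already fixed, fix backported) are spelled out, e.g. "A list of CVE and/or GHSA IDs which should be ignored; see the vulnerabilities page for when this is appropriate." Separately, re-padding every existing table row to widen the column turns a one-row addition into a nine-line rewrite; keeping the alignment change in its own commit would leave the substantive change easy to review.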

web/dev/vulnerabilities.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,20 @@ msys2_references=(
2828
)
2929
```
3030

31+
If a discovered vulnerability doesn't affect our users in the first place (it's
32+
Unix only for example), or is already fixed (missing or wrong version
33+
information attached to the vulnerability info), or we have backported a fix for
34+
it, then we can mark it as ignored by adding the ID to the
35+
`msys2_ignore_vulnerabilities` list.
36+
37+
Example:
38+
39+
```bash
40+
msys2_ignore_vulnerabilities=(
41+
"CVE-2006-2453" # some reason why this should be ignored
42+
)
43+
```
44+
3145
## Where to find CPEs and other IDs?
3246

3347
* For Python packages search the package on https://pypi.org
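Review bot: the prose lists three reasons to ignore an ID but does not say that an ignore entry is permanent, so the "already fixed (missing or wrong version information attached to the vulnerability info)" case deserves a caveat: once the upstream advisory data is corrected, the entry should be removed, otherwise the same ID stays silenced if the affected version range is later widened or the issue reappears in a newer release. The example comment `# some reason why this should be ignored` implies that a justification is expected next to each ID; stating that explicitly in the sentence above the example (and, for the backport case, naming the patch file) would make the entries reviewable later.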
@@ -39,5 +53,4 @@ msys2_references=(
3953
## TODO
4054

4155
* Some automated way to sync/update CPEs
42-
* Add metadata field to ignore certain CVEs for certain packages
4356
* Add metadata field for the real upstream version, in case we use a different format
