web/news.md: 32 additions & 0 deletions
@@ -5,6 +5,38 @@ summary: Important events happening.
5
5
6
6
This page lists important changes or issues affecting MSYS2 users. We also post them to [Twitter](https://twitter.com/msys2org) and [Mastodon](https://fosstodon.org/@msys2org), including some not-so-important things :)
7
7
8
+
### 2024-04-02 - Automated Vulnerability Reporting System
9
+
10
+
The [package index](https://packages.msys2.org/security) now has some
11
+
rudimentary support for detecting and displaying
12
+
[CVEs](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) and
13
+
other vulnerability reports for the packages included in MSYS2.
14
+
15
+
We piggyback on existing security scanner tools by using the metadata in the
16
+
package recipes to create a dummy
17
+
[SBOM](https://www.ntia.gov/page/software-bill-materials) file and then feed the
18
+
scan results to our website. This gives us some insight into which
19
+
packages have potential vulnerabilities or which updates should be prioritized.
20
+
For more information on the process see [Vulnerability
21
+
Reporting](./dev/vulnerabilities.md).
22
+
23
+
Some caveats:
24
+
25
+
* Only about half of our packages have the necessary metadata to be scanned at
26
+
all. This is mainly because packages that have never had a CVE assigned also
27
+
don't have a [CPE](https://nvd.nist.gov/products/cpe) to link to, and partly
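Review bot: the "Some caveats:" list should tell readers what to conclude when a package shows no vulnerability reports, because the first bullet states that only about half of the packages have the metadata to be scanned at all; as written, an empty result on the package index can mean either "scanned and nothing found" or "never scanned", and anyone using the page to decide "which updates should be prioritized" needs to tell those apart. Suggest adding a sentence directly after "Some caveats:" such as: "An empty result means no report was detected for that package, not that it was scanned and found clean; see Vulnerability Reporting for how to add the missing CPE metadata." It would also help to expand "create a dummy SBOM file" with a half-sentence saying the SBOM is generated from the recipe metadata (package name, version and CPE link) rather than from an inventory of what the built binaries actually contain, so readers understand why the results are described as "potential vulnerabilities" and why coverage depends on the CPE mapping described in the caveat.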