
Vulnerability Reporting

We use msys2-sbom to create a CycloneDX SBOM file based on the contents of the git repo in CI. We then use grype to scan the SBOM and create another SBOM file with VEX data. The msys2-web site then parses these files and displays the known potential vulnerabilities on https://packages.msys2.org/outofdate and https://packages.msys2.org/security.

graph LR;
    A[Extract PKGBUILD Metadata] --> B[Generate SBOM];
    B --> C[Scan SBOM with Grype];
    C --> D[Add Vulnerability Assessment Status & Add Fixed Versions Info];
    D --> E[packages.msys2.org];
    A --> D;

Package Metadata

The following metadata is used to generate the SBOM file, so that CVEs etc. can be matched to our packages:

In the msys2_references field of each PKGBUILD file, the cpe and purl entries are used to match the package against CVEs. The more references the better. Language-ecosystem-specific references such as pypi and cargo are preferred. For more information about the fields see PKGBUILD.

Example:

msys2_references=(
  "purl: pkg:pypi/cryptography"
  "cpe: cpe:/a:python-cryptography_project:python-cryptography"
  "cpe: cpe:2.3:a:cryptography_project:cryptography"
)

In case the version format of the referenced ecosystem differs from the PKGBUILD version, you can specify the version explicitly:

pkgver=1.0dev1
_pypiver=1.0.dev1
msys2_references=(
  "purl: pkg:pypi/example@${_pypiver}"
  "cpe: cpe:/a:example:example:${_pypiver}"
  "cpe: cpe:2.3:a:example:example:${_pypiver}"
)

If a discovered vulnerability doesn't affect our users in the first place (it is Unix-only, for example), or is already fixed (missing or wrong version information attached to the vulnerability info), or we have backported a fix for it, then we can mark it as ignored by adding the ID to the msys2_ignore_vulnerabilities list.

Example:

msys2_ignore_vulnerabilities=(
  "CVE-2006-2453" # some reason why this should be ignored
)
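To show how the version override above and the ignore list map onto an SBOM with VEX data, here is an added illustration (not msys2-sbom's own code): it parses a constructed PKGBUILD fragment, expands ${_pypiver}, and emits a minimal CycloneDX document. The sample package, the 'msys2:reference' property name used for extra references, and the chosen spec version are assumptions.

```python
import json
import re
# Constructed PKGBUILD fragment (not a real MSYS2 package) that combines the
# version-override and ignore-list patterns shown above.
SAMPLE_PKGBUILD = '''
pkgname=python-example
pkgver=1.0dev1
_pypiver=1.0.dev1
msys2_references=(
  "purl: pkg:pypi/example@${_pypiver}"
  "cpe: cpe:2.3:a:example:example:${_pypiver}"
)
msys2_ignore_vulnerabilities=(
  "CVE-2006-2453" # not reachable on Windows (constructed reason)
)
'''
_ASSIGN = re.compile(r'^(\w+)=([^\s(]+)$', re.M)          # name=value
_ARRAY = re.compile(r'^(\w+)=\((.*?)^\)', re.M | re.S)   # name=( ... )
_STRING = re.compile(r'"([^"]*)"')

def parse_pkgbuild(text):
    """Split a PKGBUILD into scalar assignments and quoted-string arrays."""
    scalars = dict(_ASSIGN.findall(text))
    arrays = {name: _STRING.findall(body) for name, body in _ARRAY.findall(text)}
    return scalars, arrays

def expand(value, scalars):
    """Expand ${var} the way bash would when makepkg sources the PKGBUILD."""
    return re.sub(r'\$\{(\w+)\}', lambda m: scalars.get(m.group(1), m.group(0)), value)

def build_bom(text):
    """Map the metadata onto a minimal CycloneDX document with VEX entries."""
    scalars, arrays = parse_pkgbuild(text)
    refs = [expand(r, scalars) for r in arrays.get('msys2_references', [])]
    purls = [r[6:] for r in refs if r.startswith('purl: ')]
    cpes = [r[5:] for r in refs if r.startswith('cpe: ')]
    component = {'type': 'library', 'bom-ref': scalars['pkgname'],
                 'name': scalars['pkgname'], 'version': scalars['pkgver']}
    if purls:
        component['purl'] = purls[0]  # CycloneDX takes one purl and one cpe per component;
    if cpes:
        component['cpe'] = cpes[0]    # further references go into assumed 'msys2:reference' properties
    component['properties'] = [{'name': 'msys2:reference', 'value': v} for v in purls[1:] + cpes[1:]]
    # Each ignored ID becomes a VEX entry stating that this component is not affected.
    vex = [{'id': cve, 'analysis': {'state': 'not_affected'}, 'affects': [{'ref': scalars['pkgname']}]}
           for cve in arrays.get('msys2_ignore_vulnerabilities', [])]
    return {'bomFormat': 'CycloneDX', 'specVersion': '1.5',
            'components': [component], 'vulnerabilities': vex}

if __name__ == '__main__':
    print(json.dumps(build_bom(SAMPLE_PKGBUILD), indent=2))
```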

Where to find CPEs and other IDs?

TODO

  • Some automated way to sync/update CPEs
