Unverified Commit 7460006a authored by Philip Taron's avatar Philip Taron Committed by GitHub

doc: add knownVulnerabilities (#403157)

parents 67d52968 c0a2db75
+3 −0
@@ -1101,6 +1101,9 @@
  "var-meta-broken": [
    "index.html#var-meta-broken"
  ],
  "var-meta-knownVulnerabilities": [
    "index.html#var-meta-knownVulnerabilities"
  ],
  "sec-meta-license": [
    "index.html#sec-meta-license"
  ],
+16 −0
@@ -185,6 +185,22 @@ This means that `broken` can be used to express constraints, for example:
This makes `broken` strictly more powerful than `meta.badPlatforms`.
However `meta.availableOn` currently examines only `meta.platforms` and `meta.badPlatforms`, so `meta.broken` does not influence the default values for optional dependencies.

## `knownVulnerabilities` {#var-meta-knownVulnerabilities}

A list of known vulnerabilities affecting the package, usually identified by CVE identifiers.

This metadata allows users and tools to be aware of unresolved security issues before using the package, for example:

```nix
{
  meta.knownVulnerabilities = [
    "CVE-2024-3094: Malicious backdoor allowing unauthorized remote code execution"
  ];
}
```

If this list is not empty, the package is marked as "insecure", meaning that it cannot be built or installed unless the environment variable [`NIXPKGS_ALLOW_INSECURE`](#sec-allow-insecure) is set.

## Licenses {#sec-meta-license}

The `meta.license` attribute should preferably contain a value from `lib.licenses` defined in [`nixpkgs/lib/licenses.nix`](https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix), or in-place license description of the same format if the license is unlikely to be useful in another expression.
+2 −2
@@ -390,6 +390,8 @@ let
            (isDerivation x && x ? meta.timeout);
      };
      timeout = int;
      knownVulnerabilities = listOf str;
      badPlatforms = platforms;

      # Needed for Hydra to expose channel tarballs:
      # https://github.com/NixOS/hydra/blob/53335323ae79ca1a42643f58e520b376898ce641/doc/manual/src/jobs.md#meta-fields
@@ -397,7 +399,6 @@ let

      # Weirder stuff that doesn't appear in the documentation?
      maxSilent = int;
      knownVulnerabilities = listOf str;
      name = str;
      version = str;
      tag = str;
@@ -410,7 +411,6 @@ let
      isFcitxEngine = bool;
      isIbusEngine = bool;
      isGutenprint = bool;
      badPlatforms = platforms;
    };

  checkMetaAttr =
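Review bot: The relocated `knownVulnerabilities = listOf str;` line in the first hunk carries no pointer to the manual section this commit adds, unlike the Hydra fields just below it, so a reader of this file cannot tell that the entries are free-form text and that the type check deliberately does not validate an identifier format. A one-line comment above it, `# Free-form entries, conventionally "CVE-YYYY-NNNN: description"; see the knownVulnerabilities section of the meta documentation.`, would record that intent and match the commented style of the neighbouring fields. The attribute set these bindings belong to begins before the first hunk, so its enclosing `let` is outside the view.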