I'm not sure if this has been looked into, but this could be a neat feature.
So, alongside the weekly updates, why not directly append to meta.knownVulnerabilities of vulnerable packages? The generated PR could be merged very quickly and let us avoid including vulnerable software (especially when patches are not immediately available).
I am not sure what the best way to modify Nix expressions is in Python.
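Added example, not part of the original post or of any project's tooling: one text-based way to append an advisory to `meta.knownVulnerabilities` from Python. It assumes a single `meta = { ... };` (or `meta = with lib; { ... };`) block with no `''...''` strings, `${...}` interpolation containing quotes, or comments containing brackets; the function names and the sample expression are hypothetical.

```python
import re

def _close(src, start):
    """Index of the bracket that closes src[start], skipping "..." strings."""
    opener, depth, i = src[start], 0, start
    closer = "}" if opener == "{" else "]"
    while i < len(src):
        c = src[i]
        if c == '"':  # jump over a double-quoted string, honouring \ escapes
            i += 1
            while i < len(src) and src[i] != '"':
                i += 2 if src[i] == "\\" else 1
        else:
            depth += (c == opener) - (c == closer)
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced brackets or unterminated string")

def _insert_before_close(src, open_i, close_i, text):
    """Put text just before the closing bracket, following the existing layout."""
    indent = re.match(r"[ \t]*", src[src.rfind("\n", 0, close_i) + 1:]).group()
    multiline = "\n" in src[open_i:close_i]
    lead, trail = ("\n" + indent + "  ", "\n" + indent) if multiline else (" ", " ")
    return src[:close_i].rstrip() + lead + text + trail + src[close_i:]

def add_known_vulnerability(src, advisory):
    """Return src with advisory listed in meta.knownVulnerabilities (idempotent)."""
    m = re.search(r"\bmeta\s*=\s*(?:with\s+[\w.]+\s*;\s*)?\{", src)
    if not m:
        raise ValueError("no `meta = { ... }` attribute set found")
    meta_open = m.end() - 1
    meta_close = _close(src, meta_open)
    entry = '"' + re.sub(r'(["\\]|\$\{)', r"\\\1", advisory) + '"'  # Nix string escapes
    kv = re.search(r"\bknownVulnerabilities\s*=\s*\[", src[meta_open:meta_close])
    if kv is None:  # no list yet: add the attribute at the end of meta
        return _insert_before_close(src, meta_open, meta_close, "knownVulnerabilities = [ " + entry + " ];")
    list_open = meta_open + kv.end() - 1
    list_close = _close(src, list_open)
    if entry in src[list_open:list_close]:
        return src  # already recorded, so re-running the job changes nothing
    return _insert_before_close(src, list_open, list_close, entry)

# Constructed sample input, not a real nixpkgs package.
SAMPLE = """stdenv.mkDerivation {
  meta = with lib; {
    description = "Constructed sample {not a real package}";
  };
}
"""
```

Because the edit is textual, the result should still be evaluated with Nix before a generated PR is opened.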