[AppStream] Adding CVE information to <releases>
Matthias Klumpp
matthias at tenstral.net
Mon Sep 16 11:09:03 UTC 2019
On Mon, 16 Sep 2019 at 11:14, Richard Hughes
<hughsient at gmail.com> wrote:
>
> On Sun, 15 Sep 2019 at 17:41, Matthias Klumpp <matthias at tenstral.net> wrote:
> > > <issues>
> > > <issue type="cve"
> > > url="https://nvd.nist.gov/vuln/detail/CVE-2016-00000">CVE-2016-00000</issue>
> > > </issues>
> > This ^ is the one I actually prefer, it is very in line with how the
> > AppStream spec generally outlines information like this in other
> > places.
>
> Works for me, thanks! I've added the LVFS bits here:
> https://github.com/fwupd/lvfs-website/pull/402
LVFS parses metainfo files directly, neat! Another reason to keep the
format stable (although it doesn't seem to support the "artifact"
group yet, unless I looked at it wrong).

I think I can still add this to the AppStream 0.12.9 release.
Are you okay with the following assumptions?:

* If no "type" property is given, an issue type of "generic" is
assumed, and the "url" property as well as a tag value are mandatory
* For CVEs, the "url" property is optional, and the type must be set to "cve"

Now I wonder whether libappstream needs an AsIssue class for this...
Probably yes (to store an enum, and URL and a value - a bit of a waste
^^), which makes me really glad that I once named the issue type of
the validator AsValidatorIssue :-P

Cheers,
Matthias
--
I welcome VSRE emails. See http://vsre.info/
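
The two assumptions proposed in the message above, written as a validation check over a `<release>` fragment. This is an added example, not code from libappstream or LVFS; the function name, the sample XML, the CVE identifier pattern check, requiring a tag value for CVE issues, and rejecting unknown types are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")  # standard CVE identifier syntax
KNOWN_TYPES = {"generic", "cve"}          # the two types named in the message

# Constructed sample input; the first <issue> is the one quoted in the thread.
SAMPLE = """<release version="1.2.3">
  <issues>
    <issue type="cve" url="https://nvd.nist.gov/vuln/detail/CVE-2016-00000">CVE-2016-00000</issue>
    <issue type="cve">CVE-2016-00000</issue>
    <issue url="https://example.org/bugs/42">Crash on malformed input</issue>
    <issue>No URL given</issue>
    <issue type="cve">not-a-cve</issue>
  </issues>
</release>"""

def check_issues(release_xml):
    """Return (accepted, problems) for the <issue> tags of one <release>."""
    accepted, problems = [], []
    root = ET.fromstring(release_xml)
    for n, el in enumerate(root.iterfind("./issues/issue"), start=1):
        kind = el.get("type") or "generic"   # no "type" property: generic
        url = (el.get("url") or "").strip()
        value = (el.text or "").strip()
        errs = []
        if kind not in KNOWN_TYPES:
            errs.append(f"unknown type {kind!r}")      # assumption: reject
        if not value:
            errs.append("empty tag value")
        if kind == "generic" and not url:
            errs.append("generic issue requires a url")
        if kind == "cve" and value and not CVE_ID.fullmatch(value):
            errs.append(f"{value!r} is not a CVE identifier")  # added check
        if errs:
            problems.extend(f"issue {n}: {e}" for e in errs)
        else:
            accepted.append((kind, url, value))
    return accepted, problems

if __name__ == "__main__":
    ok, bad = check_issues(SAMPLE)
    for item in ok:
        print("ok ", item)
    for line in bad:
        print("bad", line)
```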