Vulnerability Reporting

We use msys2-sbom to create a CycloneDX SBOM file based on the contents of the git repo in CI. We then use grype to scan the SBOM and create another SBOM file with VEX data. The msys2-web site then parses these files and displays the known potential vulnerabilities on https://packages.msys2.org/outofdate and https://packages.msys2.org/security.

graph LR;
    A[Extract PKGBUILD Metadata] --> B[Generate SBOM];
    B --> C[Scan SBOM with Grype];
    C --> D[packages.msys2.org];

Package Metadata

The following metadata is used to generate the SBOM file, so that CVEs etc. can be matched to our packages:

In the msys2_references field of each PKGBUILD file, the cpe, purl and pypi keys are used to match our packages to CVEs. The more references the better. Language-ecosystem-specific references such as pypi and cargo are preferred. For more information about the fields see PKGBUILD.

Example:

msys2_references=(
  "cpe: cpe:/a:python-cryptography_project:python-cryptography"
  "cpe: cpe:2.3:a:cryptography_project:cryptography"
  "pypi: cryptography"
  "purl: pkg:pypi/cryptography"
)

If a discovered vulnerability doesn't affect our users in the first place (for example because it is Unix-only), is already fixed (the vulnerability info carries missing or wrong version information), or we have backported a fix for it, then we can mark it as ignored by adding its ID to the msys2_ignore_vulnerabilities list.

Example:

msys2_ignore_vulnerabilities=(
  "CVE-2006-2453"  # some reason why this should be ignored
)
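To show how the two PKGBUILD fields above feed the SBOM and VEX data, here is an added Python example (not msys2-sbom's own code): it pulls msys2_references and msys2_ignore_vulnerabilities out of a constructed PKGBUILD fragment, maps the first cpe/purl onto a CycloneDX component, keeps the remaining identifiers as properties, and turns each ignored ID into a CycloneDX VEX "not_affected" entry. The bom-ref format and the `msys2:` property names are assumptions for illustration.

```python
import re

# Constructed PKGBUILD fragment modelled on the examples above; not a real MSYS2 package file.
PKGBUILD = '''
pkgname=python-cryptography
pkgver=42.0.5
msys2_references=(
  "cpe: cpe:/a:python-cryptography_project:python-cryptography"
  "cpe: cpe:2.3:a:cryptography_project:cryptography"
  "pypi: cryptography"
  "purl: pkg:pypi/cryptography"
)
msys2_ignore_vulnerabilities=(
  "CVE-2006-2453"  # some reason why this should be ignored
)
'''

def bash_array(text, name):
    """Return the double-quoted entries of the bash array `name=( ... )`, or [] if absent."""
    m = re.search(rf"^{re.escape(name)}=\((.*?)^\)", text, re.S | re.M)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def parse_references(entries):
    """Group 'key: value' entries (cpe, purl, pypi, ...) by key, preserving order."""
    refs = {}
    for entry in entries:
        key, _, value = entry.partition(":")
        refs.setdefault(key.strip(), []).append(value.strip())
    return refs

def to_cyclonedx(text):
    """Build a CycloneDX 1.4-style BOM: one component plus VEX entries for ignored CVEs."""
    name = re.search(r"^pkgname=(\S+)", text, re.M).group(1)
    version = re.search(r"^pkgver=(\S+)", text, re.M).group(1)
    refs = parse_references(bash_array(text, "msys2_references"))
    ref_id = f"pkg:msys2/{name}@{version}"  # assumed bom-ref format, not msys2-sbom's
    component = {"type": "library", "bom-ref": ref_id, "name": name, "version": version}
    for key in ("cpe", "purl"):  # CycloneDX allows one cpe and one purl per component
        if refs.get(key):
            component[key] = refs[key][0]
    # Everything else (extra CPEs, the pypi name) is kept as properties; names are made up here.
    component["properties"] = [{"name": f"msys2:{k}", "value": v}
                               for k, vals in refs.items() for v in vals
                               if v != component.get(k)]
    # Ignored IDs become VEX 'not_affected' analyses that point back at the component.
    vulns = [{"id": cve, "affects": [{"ref": ref_id}], "analysis": {"state": "not_affected"}}
             for cve in bash_array(text, "msys2_ignore_vulnerabilities")]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [component], "vulnerabilities": vulns}
```

A scanner reading the resulting BOM matches on the cpe and purl fields and, with the VEX entry present, reports CVE-2006-2453 as not affecting this component.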

Where to find CPEs and other IDs?

TODO

  • Some automated way to sync/update CPEs
  • Add metadata field for the real upstream version, in case we use a different format