From bb291e36d56a06e0e2642f2b81abd603f46ae50d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 2 Aug 2024 12:35:48 +1000
Subject: [PATCH] doc: update examples to explain ghc-component and aliases

---
 EXAMPLE_ADVISORY.md | 11 +++++++++++
 README.md | 16 +++++++++++++---
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/EXAMPLE_ADVISORY.md b/EXAMPLE_ADVISORY.md
index f51778b..f56c265 100644
--- a/EXAMPLE_ADVISORY.md
+++ b/EXAMPLE_ADVISORY.md
@@ -23,8 +23,19 @@ related = ["CVE-2022-YYYY", "CVE-2022-ZZZZ"]
 
 # You can declare multiple affected packages
 [[affected]]
+
+# Declare the affected package/component via ONE of the
+# following options
+#
+# OPTION 1: package = hackage-package-name
 package = "package-name"
+#
+# OPTION 2: ghc-component = {ghc,ghci,rts,ghc-pkg,runghc,ghc-iserv,hp2ps,hpc,hsc2hs,haddock}
+# ghc-component = "ghci"
+
+# CVSS vector. Accepted versions: 2.0, 3.0, 3.1
 cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
 # arch = ["x86", "x86_64"]
 # os = ["mingw32"]
 # declarations = { "Acme.Broken.function" = ">= 1.1.0 && < 1.2.0", "Acme.Broken.renamedFunction" = ">= 1.2.0 && < 1.2.0.5"}
diff --git a/README.md b/README.md
index 95d7539..47064f9 100644
--- a/README.md
+++ b/README.md
@@ -49,8 +49,13 @@ capec = [123]
 # particular class of vulnerabilities?"
 keywords = ["ssl", "mitm"]
 
-# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
-# Request a CVE for your HSec vulns: https://iwantacve.org/
+# Vulnerability aliases, e.g. CVE or GHSA IDs. This field is
+# optional, but it is strongly recommended to reference any known
+# aliases.
+#
+# A corresponding CVE is not required, but you can request one if
+# you want: https://iwantacve.org/
+#
 #aliases = ["CVE-2018-XXXX"]
 
 # Related vulnerabilities (optional)
@@ -72,8 +77,13 @@ url = "https://github.com/username/package/pull/139"
 
 # and the `versions` table.
 [[affected]]
-# Mandatory: name of the affected package on Hackage
+# Mandatory package component identifier; ONE of the following:
+#
+# OPTION 1: name of the affected package on Hackage
 package = "acme-broken"
+#
+# OPTION 2: component of GHC compiler suite
+# ghc-component = {ghc,ghci,rts,ghc-pkg,runghc,ghc-iserv,hp2ps,hpc,hsc2hs,haddock}
 
 # Mandatory: a Common Vulnerability Scoring System score. More information
 # can be found on the CVSS website, https://www.first.org/cvss/.