Document msys2_ignore_vulnerabilities

web/dev/pkgbuild.md

@@ -9,15 +9,16 @@ format. We have some minor extensions to the format, which are documented here.
 Variables starting with `msys2_` and `mingw_` can be used to add additional metadata to a package, which will be read and used by our tools.
 The following variables are recognized:
 
-| Variable                   | Type    | Description |
-|--------------------------- |---------|-------------|
-| `mingw_arch`               | array   | A list of MSYS2 environments the package is built for. Defaults to an empty list. |
-| `msys2_references`         | mapping | Maps the package to external resources, such as other package repositories. |
-| `msys2_changelog_url`      | string  | NEWS file in git or the GitHub releases page. In case there are multiple, the one that is more useful for packagers. |
-| `msys2_documentation_url`  | string  | URL to the documentation for the API, tools, etc., in case it's a different website than the homepage. |
-| `msys2_repository_url`     | string  | URL to the web view of the repository, e.g., on GitHub or GitLab. |
-| `msys2_issue_tracker_url`  | string  | URL to the bug tracker, mailing list archive, etc. |
-| `msys2_pgp_keys_url`       | string  | URL to a website containing which keys are used to sign releases. |
+| Variable                       | Type    | Description                                                                                                          |
+|--------------------------------|---------|----------------------------------------------------------------------------------------------------------------------|
+| `mingw_arch`                   | array   | A list of MSYS2 environments the package is built for. Defaults to an empty list.                                    |
+| `msys2_references`             | mapping | Maps the package to external resources, such as other package repositories.                                          |
+| `msys2_changelog_url`          | string  | NEWS file in git or the GitHub releases page. In case there are multiple, the one that is more useful for packagers. |
+| `msys2_documentation_url`      | string  | URL to the documentation for the API, tools, etc., in case it's a different website than the homepage.               |
+| `msys2_repository_url`         | string  | URL to the web view of the repository, e.g., on GitHub or GitLab.                                                    |
+| `msys2_issue_tracker_url`      | string  | URL to the bug tracker, mailing list archive, etc.                                                                   |
+| `msys2_pgp_keys_url`           | string  | URL to a website containing which keys are used to sign releases.                                                    |
+| `msys2_ignore_vulnerabilities` | array   | A list of CVE and/or GHSA IDs which should be ignored.                                                               |
 
 For `msys2_references` the following keys are recognized:
 

web/dev/vulnerabilities.md

@@ -28,6 +28,20 @@ msys2_references=(
 )
 ```
 
+If a discovered vulnerability doesn't affect our users in the first place (it's
+Unix only for example), or is already fixed (missing or wrong version
+information attached to the vulnerability info), or we have backported a fix for
+it, then we can mark it as ignored by adding the ID to the
+`msys2_ignore_vulnerabilities` list.
+
+Example:
+
+```bash
+msys2_ignore_vulnerabilities=(
+  "CVE-2006-2453"  # some reason why this should be ignored
+)
+```
+
 ## Where to find CPEs and other IDs?
 
 * For Python packages search the package on https://pypi.org
@@ -39,5 +53,4 @@ msys2_references=(
 ## TODO
 
 * Some automated way to sync/update CPEs
-* Add metadata field to ignore certain CVEs for certain packages
 * Add metadata field for the real upstream version, in case we use a different format