doc: add knownVulnerabilities

2025-06-09 09:36:20 +09:00 · 2025-04-30 23:23:03 +02:00 · 2025-04-30 23:23:03 +02:00 · c0a2db752e
commit c0a2db752e
parent 33a6127986
3 changed files with 21 additions and 2 deletions
--- a/doc/redirects.json
+++ b/doc/redirects.json
@ -1101,6 +1101,9 @@
  "var-meta-broken": [
    "index.html#var-meta-broken"
  ],
+  "var-meta-knownVulnerabilities": [
+    "index.html#var-meta-knownVulnerabilities"
+  ],
  "sec-meta-license": [
    "index.html#sec-meta-license"
  ],
--- a/doc/stdenv/meta.chapter.md
+++ b/doc/stdenv/meta.chapter.md
@ -185,6 +185,22 @@ This means that `broken` can be used to express constraints, for example:
 This makes `broken` strictly more powerful than `meta.badPlatforms`.
 However `meta.availableOn` currently examines only `meta.platforms` and `meta.badPlatforms`, so `meta.broken` does not influence the default values for optional dependencies.

+## `knownVulnerabilities` {#var-meta-knownVulnerabilities}
+
+A list of known vulnerabilities affecting the package, usually identified by CVE identifiers.
+
+This metadata allows users and tools to be aware of unresolved security issues before using the package, for example:
+
+```nix
+{
+  meta.knownVulnerabilities = [
+    "CVE-2024-3094: Malicious backdoor allowing unauthorized remote code execution"
+  ];
+}
+```
+
+If this list is not empty, the package is marked as "insecure", meaning that it cannot be built or installed unless the environment variable [`NIXPKGS_ALLOW_INSECURE`](#sec-allow-insecure) is set.
+
 ## Licenses {#sec-meta-license}

 The `meta.license` attribute should preferably contain a value from `lib.licenses` defined in [`nixpkgs/lib/licenses.nix`](https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix), or in-place license description of the same format if the license is unlikely to be useful in another expression.
--- a/pkgs/stdenv/generic/check-meta.nix
+++ b/pkgs/stdenv/generic/check-meta.nix
@ -390,6 +390,8 @@ let
            (isDerivation x && x ? meta.timeout);
      };
      timeout = int;
+      knownVulnerabilities = listOf str;
+      badPlatforms = platforms;

      # Needed for Hydra to expose channel tarballs:
      # https://github.com/NixOS/hydra/blob/53335323ae79ca1a42643f58e520b376898ce641/doc/manual/src/jobs.md#meta-fields
@ -397,7 +399,6 @@ let

      # Weirder stuff that doesn't appear in the documentation?
      maxSilent = int;
-      knownVulnerabilities = listOf str;
      name = str;
      version = str;
      tag = str;
@ -410,7 +411,6 @@ let
      isFcitxEngine = bool;
      isIbusEngine = bool;
      isGutenprint = bool;
-      badPlatforms = platforms;
    };

  checkMetaAttr =