Dear F-Droid fans, users and maintainers,
I am trying to understand the Security Vulnerability Process. It seems like if an App uses a code library with a known vulnerability, the version can be tagged with
antifeatures:
- KnownVuln
This was broadly added in one previous Merge Request last year: https://gitlab.com/fdroid/fdroiddata/-/commit/b90b2c53e5de4d1e30c5a883eb41faa74ed6c0f7
It seems like the corresponding CVE identifiers (https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) are not listed when an App is tagged. So a user just sees a generic warning, and needs to investigate on it’s own to check the severity and details.
Any thoughts or additions?
thanks!
You must log in or # to comment.