omnibus manifest version information
The version-manifest.json file generated by the build process is consumed by the dependency_scanning job. The job uses the locked_version attribute to try to find whether there are any open CVEs against the version we are installing. For software we build against a git tag, locked_version is set to the SHA of the git commit the tag points to.

The described_version field matches what we specify for default_version in the config/software/FOO.rb files, but this doesn't always correspond to a proper version either.

Ideally, we should provide an improvement so that version-manifest.json contains a proper version number that can be searched for in CVE databases and elsewhere.
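As an added illustration, not part of this issue or of the omnibus project's code, the following Python check reads a version-manifest.json and reports, per software entry, whether either locked_version or described_version is a version string a CVE lookup could actually use. The top-level "software" map, the sample manifest contents and the SHA/version heuristics are assumptions.

```python
import json
import re
from typing import Dict, Optional

# Constructed sample in the shape of an omnibus version-manifest.json.
# Only locked_version and described_version are named in the issue; the
# surrounding "software" map and the entry names/values are assumed.
SAMPLE_MANIFEST = json.dumps({
    "manifest_format": 1,
    "software": {
        "openssl": {"locked_version": "1.1.1w", "described_version": "1.1.1w"},
        "redis": {"locked_version": "7.0.15", "described_version": "7.0.15"},
        # Built from a git tag: locked_version is the commit SHA, not a version.
        "gitaly": {
            "locked_version": "0123456789abcdef0123456789abcdef01234567",
            "described_version": "v16.9.0",
        },
        # Tracks a branch: neither field is a searchable version.
        "foo-ext": {"locked_version": "master", "described_version": "master"},
    },
})

# Heuristics: a hex string of 7..40 chars looks like a git SHA; a dotted
# numeric string with an optional "v" prefix and suffix looks like a version.
GIT_SHA = re.compile(r"^[0-9a-f]{7,40}$")
SEMVERISH = re.compile(r"^v?\d+(\.\d+)+[A-Za-z0-9.\-+]*$")


def classify(version: str) -> str:
    """Return 'sha', 'version' or 'unknown' for a manifest version string."""
    if GIT_SHA.match(version):
        return "sha"
    if SEMVERISH.match(version):
        return "version"
    return "unknown"


def scannable_version(entry: dict) -> Optional[str]:
    """Pick the value worth sending to a CVE lookup; None if neither field qualifies."""
    for field in ("locked_version", "described_version"):
        value = entry.get(field, "")
        if classify(value) == "version":
            return value.lstrip("v")
    return None


def audit_manifest(text: str) -> Dict[str, Optional[str]]:
    """Map each software name to a searchable version, or None when one cannot be derived."""
    manifest = json.loads(text)
    return {name: scannable_version(entry) for name, entry in manifest["software"].items()}


if __name__ == "__main__":
    for name, version in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{name:10} {version or 'NO searchable version'}")
```

Entries reported as None are the ones the dependency_scanning job cannot match against a CVE database until the manifest carries a proper version number.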