secdb script misses some security fixes
The lua script for updating the secdb index checks for a line that begins with "# secfixes". However, a handful of CVE reports begin with "# security fixes" instead of "secfixes". See, for example, security fixes on master, or security fixes on 3.12.
Two options for fixes for this, that I see, are:
- Updating all instances of `security fixes`, and changing it to `secfixes`. However, instances of `security fixes` go back to as early as 3.2, and I imagine you wouldn't want to patch released Alpine versions.
- Have the lua script also check for `# security fixes`. It would mean some inconsistency remains in the codebase, but seems like a fine solution.
Happy to make a PR with the lua fix if we agree on the solution.
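
An added example, not part of the original report and not the secdb project's own script: the second option in Lua, accepting either header spelling and returning which one was found. The `#   <version>:` / `#     - <id>` layout under the header, the function names and the sample APKBUILD text are assumptions.

```lua
-- Header spellings are the two named in the issue; everything else is assumed.
local HEADERS = { "^#%s*secfixes:?%s*$", "^#%s*security fixes:?%s*$" }

local function is_header(line)
  for _, pat in ipairs(HEADERS) do
    if line:match(pat) then return true end
  end
  return false
end

-- Returns { [pkgver] = { id, ... } } and the header line matched (nil if none).
local function parse_secfixes(text)
  local fixes, header, current = {}, nil, nil
  for line in (text .. "\n"):gmatch("(.-)\r?\n") do
    if not header then
      if is_header(line) then header = line end
    else
      local ver = line:match("^#%s+([^%s:]+):%s*$")  -- "#   1.2.3-r1:"
      local id = line:match("^#%s+%-%s+(%S+)")       -- "#     - CVE-..."
      if ver then
        current = {}
        fixes[ver] = current
      elseif id and current then
        current[#current + 1] = id
      elseif not line:match("^#") then
        break -- the first non-comment line ends the block
      end
    end
  end
  return fixes, header
end

-- Constructed sample input using the variant header; the IDs are placeholders.
local sample = [[
# Maintainer: Example <example@example.org>
# security fixes:
#   1.2.3-r1:
#     - CVE-0000-0001
#     - CVE-0000-0002
#   1.2.0-r0:
#     - CVE-0000-0003
pkgname=example
]]

local fixes, header = parse_secfixes(sample)
print("header: " .. tostring(header))
for ver, ids in pairs(fixes) do
  print(ver .. ": " .. table.concat(ids, ", "))
end
```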