From 39341ed38be4695623893222b4b82873b348bb61 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 25 Jan 2022 13:46:22 +0100 Subject: [PATCH] xen: mark unsupported versions as vulnerable Our support for Xen lacks maintenance and since Xen has monthly security advisories it is reasonable to assume our version is affected by a multitude of security problems that are fixed upstream. How many advisories? Browsing oss-security shows the following number of advisories in each of the following years: 2022: 3 2021: 53 2020: 54 2019: 46 <-- we are *here* https://xenbits.xen.org/docs/unstable/support-matrix.html
---
 pkgs/applications/virtualization/xen/generic.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix
index 8299304045d0..0a2febd0589f 100644
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@@ -254,5 +254,9 @@ stdenv.mkDerivation (rec {
 platforms = [ "x86_64-linux" ];
 maintainers = with lib.maintainers; [ eelco tstrobel oxij ];
 license = lib.licenses.gpl2;
+ # https://xenbits.xen.org/docs/unstable/support-matrix.html
+ knownVulnerabilities = lib.optionals (lib.versionOlder version "4.13") [
+ "This version of Xen has reached its end of life. See https://xenbits.xen.org/docs/unstable/support-matrix.html"
+ ];
 } // (config.meta or {});
 } // removeAttrs config [ "xenfiles" "buildInputs" "patches" "postPatch" "meta" ])
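Review bot: The `"4.13"` bound in `lib.versionOlder version "4.13"` is a snapshot of the support matrix at commit time, and nothing in the added lines says so or tells a maintainer when to move it; once 4.13 itself leaves security support the list becomes empty for it and the package evaluates as if it had no known issues. I would extend the comment above `knownVulnerabilities` to something like `# Oldest security-supported release as of 2022-01; raise this bound whenever the support matrix drops a release.` The attribute is also set to the left of `// (config.meta or {})`, so a per-version `meta` that defines `knownVulnerabilities` would replace this list rather than add to it; if that is meant as an escape hatch, a one-line comment saying so would help. The `meta` set and the binding of `version` start outside the hunk, so this is based on the visible lines only.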