Re: Adding CPE information

From: Bernhard_Fröhlich <decke_at_freebsd.org>
Date: Thu, 14 Oct 2021 13:58:01 UTC
On Thu, Oct 14, 2021 at 3:44 PM Yasuhiro Kimura <yasu@freebsd.org> wrote:
>
> From: Guido Falsi <mad@madpilot.net>
> Subject: Re: Adding CPE information
> Date: Thu, 14 Oct 2021 14:58:04 +0200
>
> >> It seems recently some committers are working to add CPE information
> >> to many ports. I don't know why it started. But if it is intended to
> >> add CPE information to all (or most of) ports, isn't it better to
> >> modify ports framework so CPE information is added to each port by
> >> default?
> >>
> >
> > AFAIK that's already in the tree. The framework tries to extrapolate
> > CPE information from PORTNAME and other variables.
>
> Yes, but it isn't enabled by default. You need to add 'USES=cpe' to
> Makefile if you want to add CPE information to specific port. What I
> proposed is to change framework so CPE information is added to all
> ports without adding 'USES=cpe' to Makefile of each port.
>
> > Unluckily most of the time it is actually impossible to get correct
> > information and some other variables with the correct details, which
> > are not necessarily logical or in any way connected with the
> > information already present) need to be added by hand after manual
> > discovery.
>
> I understand manual work is required to set the value of related
> variables correctly. But it is always necessary whether we add CPE
> information by changing framework or we do it by adding 'USES=cpe' to
> Makefile of each port. And assuming that it is intended to add CPE
> information to all ports, I think the former requires less work volume
> than the latter.

No, that does not work because valid CPE entries only exist if the software
product was mentioned in a CVE or the CPE entry was reserved which is
a rare case.

-- 
Bernhard Froehlich
http://www.bluelife.at/
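To make the two points of the thread concrete (the framework can only guess vendor/product from PORTNAME, and a guessed string is only useful if that CPE actually exists in the dictionary), here is an added example that is not part of the thread or of the ports tree. It emulates the PORTNAME-based defaulting in a small POSIX sh function and checks the result against a constructed excerpt of the CPE dictionary; the defaulting rules (product from lower-cased PORTNAME, vendor from product, the rest wildcards) are an assumption modelled on `USES=cpe`, not a copy of it.

```shell
#!/bin/sh
# Added example: emulate the CPE 2.3 string USES=cpe would derive for a
# port that sets no CPE_* overrides, then check whether that exact string
# is known to the (constructed) CPE dictionary excerpt below.

# build_cpe PORTNAME PORTVERSION [VENDOR] [PRODUCT]
# Assumption modelled on the framework: product defaults to the
# lower-cased PORTNAME, vendor defaults to the product, other fields are '*'.
build_cpe() {
    portname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    version=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    product=${4:-$portname}
    vendor=${3:-$product}
    printf 'cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*\n' "$vendor" "$product" "$version"
}

# Constructed stand-in for the official CPE dictionary. As the thread
# notes, an entry exists only if the product was referenced by a CVE or
# was reserved, so most auto-generated strings will not be found here.
CPE_DICT='cpe:2.3:a:openbsd:openssh:8.8:*:*:*:*:*:*:*
cpe:2.3:a:isc:bind:9.16.21:*:*:*:*:*:*:*
cpe:2.3:a:nginx:nginx:1.20.1:*:*:*:*:*:*:*'

# cpe_known CPE_STR -> exit 0 if the exact string is in the dictionary
cpe_known() {
    printf '%s\n' "$CPE_DICT" | grep -Fxq -- "$1"
}

# Demo: the nginx guess is right because vendor == product; the
# openssh-portable guess is wrong on vendor, product and version, so it
# needs manual CPE_VENDOR/CPE_PRODUCT/CPE_VERSION overrides in the port.
for spec in "nginx 1.20.1" "openssh-portable 8.8.p1"; do
    str=$(build_cpe $spec)
    if cpe_known "$str"; then
        echo "known:   $str"
    else
        echo "unknown: $str (needs manual CPE_* values)"
    fi
done
```

Against real data you would replace the excerpt with the NVD CPE dictionary (https://nvd.nist.gov/products/cpe), which is where a committer has to look up the vendor and product names by hand.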