CPE as a consistent element of pkg annotations
- Reply: Dag-Erling_Smørgrav : "Re: CPE as a consistent element of pkg annotations"
Date: Mon, 12 May 2025 04:23:24 UTC
I don't recall the argument for adding a CPE (Common Platform Enumeration) into USES for port building, nor why it's inserted into the annotation section when using "pkg info". Though on a lightly configured machine, only 107 of the 265 ports actually had a CPE entry in annotations. So I wondered, if it's important then shouldn't it be mandatory? So I added the following to /usr/ports/Mk/bsd.port.mk, so it's applied to all ports:

    .if empty(USES:Mcpe)
    USES+=cpe
    .endif

And access it via:

    pkg-static query "%Av" $PKG

I use it when checking against CVE lists and when upgrading major versions of the OS. Is there a reason that inclusion of a CPE being available is determined by the port maintainer?

Interestingly, after reviewing https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf, it's noteworthy that the ports team uses the "Other" field (described in section 5.3.3.11) within the CPE structure for the port revision, rather than the "Update" field (refer 5.3.3.5), as given as an example in the pdf. So using tmux as an example, the CPE would be

    cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:

enabling the Other field to be used for something else. I have reconfigured my Mk/cpe.mk so that Other is used for CPUTYPE. The format becomes:

    cpe:2.3:o:freebsd:freebsd:14.3:beta2:en_AU:::freebsd14:x64:x86-64-v3

which I think utilises the available fields a little better, as we can at a glance see if we've missed a port during upgrades or have an app for a different CPUTYPE installed, via a simple

    pkg query "%Av" | grep cpe

The question of why the "language" field isn't populated is for another day...
For those with an interest to see how CPEs can be used, reference:

    https://nvd.nist.gov/products/cpe
    https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Afreebsd%3A&status=FINAL&startIndex=0

I've also created a PR to correct a minor CPE anomaly and a patch with my suggestions:

    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286737

Regards, Dewayne

PS It would be nice to see something like:

    cpe:2.3:o:nomadbsd:freebsd:14.3:Releng::en_US::freebsd14:x64:x86-64-v2
    cpe:2.3:o:hardenedbsd:freebsd:14.3:Release::fr_FR::freebsd14:x64:x86-64-v4
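The post leans on the 13-component layout of a CPE 2.3 formatted string (NISTIR 7695 section 6.2) and on which slot the ports tree uses for PORTREVISION. The following is an added example, not code from the post or from the FreeBSD ports tree: it splits a formatted string correctly (a literal colon inside a component is escaped as "\:", so a plain split on ":" miscounts), names the eleven attributes, reads the port revision from either the "Other" or the "Update" slot, and runs the at-a-glance check the post describes, flagging packages whose target_sw or target_hw differ from the host's OS CPE. The host CPE and the tmux CPE are the two strings quoted in the post; the other package CPEs are constructed sample data standing in for `pkg query "%Av" | grep cpe` output, and the ports-convention tmux string is built from the post's description (revision in "Other"), not copied from a real pkg database.

```python
"""Added example: parse CPE 2.3 formatted strings (NISTIR 7695 section 6.2)
and run the 'did I miss a port during the upgrade?' check the post describes.
Not code from the post or from the FreeBSD ports tree; sample CPEs below are
constructed, apart from the two strings quoted in the post."""

# The eleven attributes that follow the "cpe:2.3:" prefix, in order
# (NISTIR 7695 section 6.2.1), so a formatted string has 13 components.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)


def split_formatted(cpe: str) -> list[str]:
    """Split on unescaped ':' only. A literal colon inside a component is
    written '\\:' in the formatted binding, so str.split(':') would miscount."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])  # keep the escape sequence verbatim
            i += 2
            continue
        if ch == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))  # a trailing ':' yields an empty last component
    return parts


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Return the eleven named attributes; '' means the component was empty."""
    parts = split_formatted(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(
            f"not a CPE 2.3 formatted string ({len(parts)} components): {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def port_revision(cpe: str, revision_field: str = "other") -> str:
    """Where PORTREVISION is kept. The post says the ports team uses 'other'
    and proposes 'update' instead; pass the field your tree uses."""
    if revision_field not in ("other", "update"):
        raise ValueError("revision lives in 'other' or 'update'")
    return parse_cpe23(cpe)[revision_field]


def find_mismatched(pkg_cpes: list[str], host_cpe: str) -> list[tuple[str, list[str]]]:
    """Flag packages whose target_sw / target_hw differ from the host's OS CPE:
    ports missed in a major-version upgrade, or built for a different CPU type."""
    host = parse_cpe23(host_cpe)
    findings: list[tuple[str, list[str]]] = []
    for raw in pkg_cpes:
        pkg = parse_cpe23(raw)
        reasons = []
        for attr in ("target_sw", "target_hw"):
            if pkg[attr] != host[attr]:
                reasons.append(f"{attr} {pkg[attr]!r} != host {host[attr]!r}")
        if reasons:
            findings.append((pkg["product"], reasons))
    return findings


# Constructed sample standing in for `pkg query "%Av" | grep cpe` output on a
# 14.x host upgraded from 13.x (not real output). The first entry follows the
# ports convention the post describes (PORTREVISION in 'other'); the OS CPE
# is the one quoted in the post.
SAMPLE_PKG_CPES = [
    "cpe:2.3:a:tmux_project:tmux:3.3a:::::freebsd14:x64:1",
    "cpe:2.3:a:openbsd:openssh:9.7:::::freebsd13:x64:0",    # stale target_sw
    "cpe:2.3:a:f5:nginx:1.26.0:::::freebsd14:aarch64:2",    # wrong target_hw
]
HOST_OS_CPE = "cpe:2.3:o:freebsd:freebsd:14.3:beta2:en_AU:::freebsd14:x64:x86-64-v3"

if __name__ == "__main__":
    for name, reasons in find_mismatched(SAMPLE_PKG_CPES, HOST_OS_CPE):
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host, feed `pkg query "%Av" | grep '^cpe:2.3:'` into `find_mismatched` with the OS CPE taken from the base system's annotation; the escape handling matters as soon as a vendor or version string carries a colon, which the grep-only check in the post cannot tell apart from a field separator.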