CPE as a consistent element of pkg annotations

From: Dewayne Geraghty <dewayne_at_heuristicsystems.com.au>
Date: Mon, 12 May 2025 04:23:24 UTC
I don't recall the argument for adding a CPE (Common Platform 
Enumeration) into USES for port building, nor why it's inserted into the 
annotation section when using "pkg info".  Though on a lightly 
configured machine, only 107 of the 265 ports actually had a CPE entry 
in annotations.

So I wondered, if it's important then shouldn't it be mandatory?  So I 
added to /usr/ports/Mk/bsd.port.mk the following, so it's applied to all 
ports:

.if empty(USES:Mcpe)
USES+=cpe
.endif

And access it via
pkg-static query "%Av" $PKG

I use it when checking against CVE lists and when upgrading major 
versions of the OS.

Is there a reason that inclusion of a cpe being available is determined 
by the port maintainer?

Interestingly, after reviewing
https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
it's noteworthy that the ports team uses the "Other" field (described in 
section 5.3.3.11) within the CPE structure for the port revision, rather 
than the "Update" field (refer 5.3.3.5), as given as an example in the pdf.

So using tmux as an example, the CPE would be
cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:
enabling the other field to be used for something else.


I have reconfigured my Mk/cpe.mk so that Other is used for CPUTYPE. The 
format becomes:
cpe:2.3:o:freebsd:freebsd:14.3:beta2:en_AU:::freebsd14:x64:x86-64-v3
which, I think, utilises the available fields a little better, as we can 
see at a glance whether we've missed a port during upgrades or have an app 
for a different cputype installed, via a simple 'pkg query "%Av"|grep cpe'.

The question of why the "language" field isn't populated is for another 
day...

For those with an interest in seeing how CPEs can be used, reference:
https://nvd.nist.gov/products/cpe
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Afreebsd%3A&status=FINAL&startIndex=0

I've also created a PR to correct a minor CPE anomaly and a patch with 
my suggestions:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286737

Regards, Dewayne
PS: It would be nice to see something like:
cpe:2.3:o:nomadbsd:freebsd:14.3:Releng::en_US::freebsd14:x64:x86-64-v2
cpe:2.3:o:hardenedbsd:freebsd:14.3:Release::fr_FR::freebsd14:x64:x86-64-v4
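As an added illustration (not part of the post or of the ports tree), the following Python splits CPE 2.3 formatted-string bindings into the eleven attributes in the order NISTIR 7695 defines them (part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other), honouring backslash-escaped colons, and then does over constructed `pkg query "%Av"` output what the post does with `grep cpe`: flag packages whose target_sw or Other field (used here for CPUTYPE, as in the reconfigured cpe.mk) differs from the host. The sample annotation lines and the host values are assumptions made up for the example.

```python
# Parse CPE 2.3 formatted-string bindings and flag installed packages whose
# target_sw (OS major) or other (CPUTYPE, per the post's cpe.mk convention)
# do not match the host.  All sample data below is constructed.

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe(cpe):
    """Split on unescaped ':' only; a literal colon is written '\\:' in the binding."""
    parts, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # keep the escaped character verbatim
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cpe23(cpe):
    """Return a dict of the 11 CPE attributes, or None if not a 2.3 binding."""
    parts = split_cpe(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return dict(zip(CPE_FIELDS, parts[2:]))


def find_mismatches(annotation_lines, host_target_sw, host_cputype):
    """Keep only CPE values (what `grep cpe` did) and report packages built for
    another OS major or another CPUTYPE; a blank Other field is left alone."""
    hits = []
    for line in annotation_lines:
        rec = parse_cpe23(line.strip())
        if rec is None:
            continue                     # e.g. a repository annotation value
        if rec["target_sw"] != host_target_sw or rec["other"] not in ("", host_cputype):
            hits.append((rec["product"], rec["version"], rec["target_sw"], rec["other"]))
    return hits


# Constructed sample of `pkg query "%Av"` output (one annotation value per line).
SAMPLE_ANNOTATIONS = [
    "FreeBSD",                                                  # repository annotation, not a CPE
    "cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:",    # built before the OS upgrade
    "cpe:2.3:a:example:libfoo:1.2.3:::::freebsd14:x64:x86-64-v3",
    "cpe:2.3:a:example:tool:1.0:::::freebsd14:x64:x86-64-v2",  # built for another cputype
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_ANNOTATIONS, "freebsd14", "x86-64-v3"):
        print("rebuild candidate: %s-%s (target_sw=%s, other=%s)" % hit)
```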