From: Dewayne Geraghty
To: questions@freebsd.org
Subject: CPE as a consistent element of pkg annotations
Date: Mon, 12 May 2025 14:23:24 +1000
Message-ID: <72b26605-50ac-41c5-aca0-aaf93f091436@heuristicsystems.com.au>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

I don't recall the argument for adding a CPE (Common Platform Enumeration) into USES for port building, nor why it's inserted into the annotation section when using "pkg info". Though on a lightly configured machine, only 107 of the 265 ports actually had a CPE entry in annotations. So I wondered: if it's important, then shouldn't it be mandatory?
So I added the following to /usr/ports/Mk/bsd.port.mk, so it's applied to all ports:

    # give every port USES=cpe unless the port already sets it
    .if empty(USES:Mcpe)
    USES+=	cpe
    .endif

And access it via:

    pkg-static query "%Av" $PKG

I use it when checking against CVE lists and when upgrading major versions of the OS. Is there a reason that whether a CPE is available is determined by the port maintainer?

Interestingly, after reviewing https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf it's noteworthy that the ports team uses the "Other" field (described in section 5.3.3.11) within the CPE structure for the port revision, rather than the "Update" field (refer 5.3.3.5), as given as an example in the PDF. So, using tmux as an example, the CPE would be:

    cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:

enabling the Other field to be used for something else. I have reconfigured my Mk/cpe.mk so that Other is used for CPUTYPE. The format becomes:

    cpe:2.3:o:freebsd:freebsd:14.3:beta2:en_AU:::freebsd14:x64:x86-64-v3

which I think utilises the available fields a little better, as we can see at a glance whether we've missed a port during upgrades, or have an app for a different CPUTYPE installed, via a simple:

    pkg query "%Av" | grep cpe

The question of why the "language" field isn't populated is for another day...

For those with an interest in seeing how CPEs can be used, see:
https://nvd.nist.gov/products/cpe
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Afreebsd%3A&status=FINAL&startIndex=0

I've also created a PR to correct a minor CPE anomaly and a patch with my suggestions:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286737

Regards,
Dewayne

PS It would be nice to see something like:

    cpe:2.3:o:nomadbsd:freebsd:14.3:Releng::en_US::freebsd14:x64:x86-64-v2
    cpe:2.3:o:hardenedbsd:freebsd:14.3:Release::fr_FR::freebsd14:x64:x86-64-v4
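The two checks the post describes (which installed packages carry no cpe annotation at all, and which carry a CPE whose target_sw still names a different FreeBSD major than the host, i.e. a port missed during an upgrade), as an added example that is not part of the original post, of the ports framework or of pkg. It assumes the pkg query format string '%n-%v %An %Av' (package name and version, annotation name, annotation value), splits the CPE 2.3 formatted string on ':' in the component order of NISTIR 7695 section 5.3.3 (part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other), and assumes no '\:'-escaped colons inside components. The sample lines embedded in the script are constructed for the example, not taken from a real host.

```sh
#!/bin/sh
# Added example (not from the original post, the ports framework or pkg):
# inspect the CPE annotations that `pkg query` prints and flag packages with
# no CPE, or with a CPE whose target_sw is not the host's FreeBSD major.
#
# Assumed input format is `pkg query -a '%n-%v %An %Av'`: one annotation per
# line, "<name>-<version> <annotation-name> <annotation-value>". The sample
# below is constructed for the example; it is not output from a real host.
SAMPLE='tmux-3.3a_1 cpe cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:
tmux-3.3a_1 repository FreeBSD
curl-8.7.1 cpe cpe:2.3:a:haxx:curl:8.7.1:::::freebsd14:x64:
pkg-1.21.3 repository FreeBSD
zsh-5.9_3 cpe cpe:2.3:a:zsh:zsh:5.9:3::::freebsd14:x64:'

# Component names of a CPE 2.3 formatted string, in NISTIR 7695 section 5.3.3
# order (the first two ':'-separated tokens are "cpe" and "2.3").
CPE_NAMES='part vendor product version update edition language sw_edition target_sw target_hw other'

# cpe_field CPE N  ->  component N (1=part ... 11=other) of a CPE 2.3 string.
# Assumes no '\:'-escaped colons inside components.
cpe_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '{ print $(n + 2) }'
}

# cpe_explain CPE  ->  every component on its own labelled line, "-" when empty,
# which makes it obvious whether a revision sits in "update" or in "other".
cpe_explain() {
    printf '%s\n' "$1" | awk -F: -v names="$CPE_NAMES" '
        BEGIN { split(names, name, " ") }
        { for (i = 1; i <= 11; i++)
              printf "%-10s %s\n", name[i], ($(i + 2) == "" ? "-" : $(i + 2)) }'
}

# cpe_missing  (stdin: pkg query output)  ->  packages with no cpe annotation.
cpe_missing() {
    awk '
        { pkgs[$1] = 1 }
        $2 == "cpe" { has[$1] = 1 }
        END { for (p in pkgs) if (!(p in has)) print p }' | sort
}

# cpe_stale MAJOR  (stdin: pkg query output)  ->  "pkg target_sw" for every
# package whose CPE target_sw is not freebsd<MAJOR>.
cpe_stale() {
    want="freebsd$1"
    while read -r pkg name value; do
        [ "$name" = cpe ] || continue
        tsw=$(cpe_field "$value" 9)
        [ "$tsw" = "$want" ] || printf '%s %s\n' "$pkg" "$tsw"
    done
}

# On a real host, replace the constructed sample with, for example:
#   pkg query -a '%n-%v %An %Av' | cpe_stale "$(uname -r | cut -d. -f1)"
printf '%s\n' "$SAMPLE" | cpe_missing      # prints: pkg-1.21.3
printf '%s\n' "$SAMPLE" | cpe_stale 14     # prints: tmux-3.3a_1 freebsd13
```

cpe_explain is the quickest way to see the difference the post is about: fed the tmux string, it shows "1" under update and "-" under other, whereas a string built by the current cpe.mk would show the revision under other.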