Re: CPE as a consistent element of pkg annotations
Date: Mon, 12 May 2025 05:30:45 UTC

Dewayne Geraghty <dewayne@heuristicsystems.com.au> writes:
> I don't recall the argument for adding a CPE (Common Platform
> Enumeration) into USES for port building, nor why it's inserted into
> the annotation section when using "pkg info". Though on a lightly
> configured machine, only 107 of the 265 ports actually had a CPE entry
> in annotations.

It gets added when a CVE has actually been issued.

> So I wondered, if it's important then shouldn't it be mandatory?

No, because we can't just make up CPEs.

> Is there a reason that inclusion of a cpe being available, is
> determined by the port maintainer?

Because the port maintainer needs to make sure it is correct.

> Interestingly, after reviewing
> https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
> it's noteworthy that the ports team uses the "Other" field (described
> in section 5.3.3.11) within the CPE structure for the port revision,
> rather than the "Update" (refer 5.3.3.5) field, as given as an example
> in the pdf.

The port revision and epoch are specific to the FreeBSD ports system.
The update field is intended for a patch level or such chosen by the
original author of the software.

> So using tmux as an example, the CPE would be
> cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:
> enabling the other field to be used for something else.

That would be incorrect.

> The question of why the "language" field isn't populated, is for
> another day...

You understand that we don't get to just make shit up, right?

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
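As an added example (not code from the thread or from the FreeBSD ports tree), the parser below splits a CPE 2.3 formatted string into the eleven components named in NISTIR 7695, so the two placements of the port revision discussed above can be compared field by field. The FreeBSD-style string it constructs, with the revision in the "other" component, is an assumption for illustration and is not taken from the ports framework.

```python
"""Split CPE 2.3 formatted strings into named components and diff them.

Added example. Component order follows NISTIR 7695 section 6.2:
part, vendor, product, version, update, edition, language,
sw_edition, target_sw, target_hw, other.
"""

CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Constructed inputs, not taken from any port. The first is the string
# proposed in the thread (revision in "update"); the second is an assumed
# FreeBSD-style placement (revision in "other").
CPE_PROPOSED = "cpe:2.3:a:tmux_project:tmux:3.3a:1::::freebsd13:x64:"
CPE_PORTS_STYLE = "cpe:2.3:a:tmux_project:tmux:3.3a:::::freebsd13:x64:1"


def split_cpe23(cpe: str) -> dict:
    """Map each CPE 2.3 component name to its raw (still escaped) value.

    A colon inside a value is escaped as "\\:" in the formatted string,
    so a plain str.split(":") is wrong; walk the string honouring escapes.
    Raises ValueError for a wrong prefix or component count.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string")
    parts, buf, escaped = [], [], False
    for ch in cpe[len(prefix):]:
        if escaped:                 # character following a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ":":             # unescaped colon ends a component
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))      # trailing component (may be empty)
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError(f"expected {len(CPE23_FIELDS)} components, got {len(parts)}")
    return dict(zip(CPE23_FIELDS, parts))


def diff_fields(a: str, b: str) -> list:
    """Names of the components whose values differ between two CPEs."""
    da, db = split_cpe23(a), split_cpe23(b)
    return [name for name in CPE23_FIELDS if da[name] != db[name]]
```

Running `diff_fields(CPE_PROPOSED, CPE_PORTS_STYLE)` shows the two strings differ only in the "update" and "other" components, which is exactly the placement question raised in the thread.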