Re: CPE as a consistent element of pkg annotations

From: Dewayne Geraghty <dewayne_at_heuristicsystems.com.au>
Date: Tue, 13 May 2025 00:28:00 UTC

Subsequent to an offline discussion with DES, I'm sharing the conclusion:

NIST 7695 provides the necessary guidance for CPE content. The
structure of the CPE is defined in section 6.2. The inclusion of a CPE
can't be automated because the port maintainer must review the National
Vulnerability Database per instructions in the Porter's Handbook section
17.19 to maintain alignment in the event of a vulnerability.

References:
1. https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
2. https://docs.freebsd.org/en/books/porters-handbook/book/#uses-cpe
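
Added example, not part of the original message and not FreeBSD or NIST code: a structural check of a CPE 2.3 formatted string such as a pkg annotation might carry, assuming the formatted-string form of NIST IR 7695. The function names and the sample CPE are constructed for illustration; the check covers syntax only and does not replace the maintainer's NVD review described above.

```python
# Attribute order of a CPE 2.3 formatted string: "cpe:2.3:" followed by
# eleven colon-separated attributes.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

def split_unescaped(s):
    # Split on ':' while keeping backslash-escaped characters (an escaped
    # colon inside a value) attached to the field they belong to.
    fields, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == ":":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    fields.append("".join(cur))
    return fields

def parse_cpe23(s):
    # Return the attributes as a dict, or raise ValueError on bad structure.
    fields = split_unescaped(s)
    if fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string")
    values = fields[2:]
    if len(values) != len(ATTRS):
        raise ValueError("expected 11 attributes, got %d" % len(values))
    if any(v == "" for v in values):
        raise ValueError("empty attribute; use '*' (ANY) or '-' (NA)")
    cpe = dict(zip(ATTRS, values))
    # Choice made for this example: an annotation names a concrete product,
    # so part must be application, operating system or hardware.
    if cpe["part"] not in ("a", "o", "h"):
        raise ValueError("part must be a, o or h")
    return cpe

def review_hints(cpe):
    # Hypothetical helper: identifying attributes left as ANY/NA, which the
    # maintainer would need to settle by hand against the NVD entry.
    return [k for k in ("vendor", "product", "version") if cpe[k] in ("*", "-")]

if __name__ == "__main__":
    # Constructed sample value, not taken from any real port.
    sample = r"cpe:2.3:a:example_vendor:example\:tool:1.2.3:*:*:*:*:*:*:*"
    parsed = parse_cpe23(sample)
    print(parsed["vendor"], parsed["product"], review_hints(parsed))
```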