tech-pkg archive


Re: Use CPE (Common Platform Enumeration) for pkgsrc?



Hi,

it produces proper values for "some" packages in pkgsrc, but manual work
is required. An example is nginx, which required CPE_VENDOR set to
f5.

Maybe we do not need to add anything to pkg_info if the -Q option is
enough.

All the best,
Thomas

* Hubert Feyrer <hubertf%gmx.de@localhost> [2022-04-20 19:26]:
> Hi,
> 
> does this produce proper values for all pkgs in pkgsrc, or will some manual fixes be needed? 
> What is the plan to add this to pkg_info? Last time I looked, it was already possible to query variables with -B/-Q.
> 
>  - Hubert
> 
> 
> > Am 20.04.2022 um 14:12 schrieb Thomas Merkel <tm%netbsd.org@localhost>:
> > 
> > Dear all,
> > Dear Thomas,
> > 
> > I started working a bit on this and adapted the cpe.mk from
> > FreeBSD. As this would be my first commit to an mk file, I'm looking
> > for some feedback.
> > 
> > I assume after this is present we could have a look for adding it into
> > pkg_info?
> > 
> > All the best,
> > Thomas
> > 
> > * Thomas Merkel <tm%NetBSD.org@localhost> [2021-11-24 23:45]:
> >> Hi Thomas,
> >> 
> >> all in all and especially as a member of pkgsrc-security I would love
> >> that. I expect it would help us a lot to reduce the workload and
> >> automate more of our work.
> >> 
> >>> Is anyone interested in working on this?
> >> 
> >> As I would love to have it, I could also have a look at how to
> >> implement it. I might need some help to understand the best way of
> >> implementation.
> >> 
> >> All the best,
> >> Thomas
> >> 
> >> * Thomas Klausner <wiz%NetBSD.org@localhost> [2021-11-18 11:59]:
> >>> Hi!
> >>> 
> >>> MITRE/NIST publish a list of strings that define software
> >>> projects. This list is called Common Platform Enumeration (CPE).
> >>> 
> >>> These strings can be used to look up security problems in the National
> >>> Vulnerability Database (NVD).
> >>> 
> >>> FreeBSD has a page describing this in more detail:
> >>> 
> >>> https://wiki.freebsd.org/Ports/CPE
> >>> 
> >>> I think this might be useful to add to pkgsrc, to be able to use the
> >>> vulnerability data provided by NVD more directly and reduce the
> >>> workload for pkgsrc-security.
> >>> 
> >>> FreeBSD uses the following variables:
> >>> CPE_VENDOR - the publisher of the software
> >>> CPE_PRODUCT - the product name of the software
> >>> CPE_VERSION - the (major) version
> >>> CPE_UPDATE - the (minor) version
> >>> 
> >>> The full CPE string then should be added to the pkg_info database.
> >>> 
> >>> Are there any opinions on this (for pkgsrc)?
> >>> Is anyone interested in working on this?
> >>> Thomas
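As an added example (not pkgsrc or FreeBSD code, and not part of the thread above) of how the four variables Thomas lists compose into the string that would end up in the pkg_info database: a POSIX sh script that binds CPE_VENDOR/CPE_PRODUCT/CPE_VERSION/CPE_UPDATE into a CPE 2.3 formatted string with the quoting the formatted-string binding (NISTIR 7695) requires, and sanity-checks the result. The nginx/f5 values are the ones mentioned in the reply above; the function names, the fixed part "a" (application), and leaving the remaining six fields as ANY ("*") are this example's own choices.

```shell
#!/bin/sh
# Added example: compose and validate a CPE 2.3 formatted string from the
# four variables discussed in the thread. Not pkgsrc or FreeBSD code.
LC_ALL=C
export LC_ALL

# cpe_escape STRING: quote every character the CPE 2.3 formatted-string
# binding does not allow unquoted. Alphanumerics, '_', '.' and '-' pass
# through; everything else (including ':' and literal '*' or '?') gets a
# backslash, so a stray colon in a vendor name cannot shift the fields.
cpe_escape() {
    s=$1 out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}   # first character of the remainder
        s=${s#?}
        case "$c" in
            [A-Za-z0-9_.-]) out="$out$c" ;;
            *) out="$out\\$c" ;;
        esac
    done
    printf '%s\n' "$out"
}

# cpe_field VALUE: an unset/empty variable becomes the logical value ANY.
cpe_field() {
    if [ -z "$1" ]; then printf '*\n'; else cpe_escape "$1"; fi
}

# cpe_fs CPE_VENDOR CPE_PRODUCT [CPE_VERSION [CPE_UPDATE]]: assemble the
# 13-field string cpe:2.3:part:vendor:product:version:update:edition:
# language:sw_edition:target_sw:target_hw:other. Part is fixed to "a"
# (application) here; the last six fields are left as ANY.
cpe_fs() {
    printf 'cpe:2.3:a:%s:%s:%s:%s:*:*:*:*:*:*\n' \
        "$(cpe_field "$1")" "$(cpe_field "$2")" \
        "$(cpe_field "$3")" "$(cpe_field "$4")"
}

# cpe_check STRING: return 0 if STRING has the cpe:2.3:<part>: prefix and
# exactly 13 fields once backslash-quoted characters are ignored, else 1.
# A cheap guard to run before recording the value in package metadata.
cpe_check() {
    case "$1" in
        cpe:2.3:[aho]:*) ;;
        *) return 1 ;;
    esac
    n=$(printf '%s\n' "$1" | sed 's/\\.//g' | awk -F: '{ print NF }')
    [ "$n" -eq 13 ]
}

# Demo with the values from the thread: nginx needs CPE_VENDOR=f5.
# Version and update are constructed sample values.
str=$(cpe_fs f5 nginx 1.21.6)
printf '%s\n' "$str"
cpe_check "$str" && echo "well-formed"
```

If the bound string is later exposed through pkg_info -Q under some variable name (the thread does not settle the name; CPE_STR is only an assumption here), the same check applies to the query output: `cpe_check "$(pkg_info -Q CPE_STR nginx)"`.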



