tech-pkg archive


Re: Use CPE (Common Platform Enumeration) for pkgsrc?



Hi,

Does this produce proper values for all pkgs in pkgsrc, or will some manual fixes be needed?
What is the plan to add this to pkg_info? Last time I looked it was already possible to query variables with -B/-Q.

 - Hubert


> Am 20.04.2022 um 14:12 schrieb Thomas Merkel <tm%netbsd.org@localhost>:
> 
> Dear all,
> Dear Thomas,
> 
> I have started working on this a bit and adapted the cpe.mk from
> FreeBSD. As this would be my first commit to an mk file, I'm looking
> for some feedback.
> 
> I assume after this is present we could have a look for adding it into
> pkg_info?
> 
> All the best,
> Thomas
> 
> * Thomas Merkel <tm%NetBSD.org@localhost> [2021-11-24 23:45]:
>> Hi Thomas,
>> 
>> all in all and especially as a member of pkgsrc-security I would love
>> that. I expect it would help us a lot to reduce the workload and
>> automate more of our work.
>> 
>>> Is anyone interested in working on this?
>> 
>> As I would love to have it, I could also have a look at how to implement
>> it. I might need some help to understand the best way of
>> implementation.
>> 
>> All the best,
>> Thomas
>> 
>> * Thomas Klausner <wiz%NetBSD.org@localhost> [2021-11-18 11:59]:
>>> Hi!
>>> 
>>> MITRE/NIST publish a list of strings that define software
>>> projects. This list is called Common Platform Enumeration (CPE).
>>> 
>>> These strings can be used to look up security problems in the National
>>> Vulnerability Database (NVD).
>>> 
>>> FreeBSD has a page describing this in more detail:
>>> 
>>> https://wiki.freebsd.org/Ports/CPE
>>> 
>>> I think this might be useful to add to pkgsrc, to be able to use the
>>> vulnerability data provided by NVD more directly and reduce the
>>> workload for pkgsrc-security.
>>> 
>>> FreeBSD uses the following variables:
>>> CPE_VENDOR - the publisher of the software
>>> CPE_PRODUCT - the product name of the software
>>> CPE_VERSION - the (major) version
>>> CPE_UPDATE - the (minor) version
>>> 
>>> The full CPE string should then be added to the pkg_info database.
>>> 
>>> Are there any opinions on this (for pkgsrc)?
>>> Is anyone interested in working on this?
>>> Thomas

Attachment: cpe.mk
Description: Binary data
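The following script is an added example, not the cpe.mk attachment from the thread and not FreeBSD's cpe.mk. It assembles the four FreeBSD-style variables named above (CPE_VENDOR, CPE_PRODUCT, CPE_VERSION, CPE_UPDATE) into a CPE 2.3 formatted string and then sanity-checks the result, the kind of check Hubert's question about "proper values for all pkgs" would need. Assumed conventions, all labelled in the comments: component values are lowercased (the NVD convention), an empty field becomes the CPE wildcard "*", the part is always "a" (application), and the remaining eight components are left as "*". The escaping rule follows NISTIR 7695's formatted-string binding, where ".", "-" and "_" may appear bare and every other punctuation character, including a literal ":" or "*", is backslash-quoted.

```shell
#!/bin/sh
# Added example (not the thread's cpe.mk): build and sanity-check a CPE 2.3
# formatted string from CPE_VENDOR / CPE_PRODUCT / CPE_VERSION / CPE_UPDATE.
LC_ALL=C; export LC_ALL

# Escape one component for the CPE 2.3 formatted-string binding.
# Assumption: values are lowercased; "" or "*" means ANY, "-" means NA.
# '.', '-' and '_' may appear bare; everything else non-alphanumeric is
# quoted with a backslash, so a literal '*', '?', ':' or ' ' is escaped.
cpe_escape() {
    case $1 in
        ''|'*') printf '%s\n' '*' ;;   # empty or ANY -> wildcard
        '-')    printf '%s\n' '-' ;;   # NA (not applicable)
        *)      printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
                    | sed -e 's/[^A-Za-z0-9._-]/\\&/g' ;;
    esac
}

# cpe_build VENDOR PRODUCT VERSION UPDATE
# Assumption: part is "a" and the eight trailing components stay "*".
cpe_build() {
    vendor=$(cpe_escape "$1")
    product=$(cpe_escape "$2")
    version=$(cpe_escape "$3")
    update=$(cpe_escape "$4")
    printf 'cpe:2.3:a:%s:%s:%s:%s:*:*:*:*:*:*\n' \
        "$vendor" "$product" "$version" "$update"
}

# cpe_check STRING: succeed only if STRING looks like a well-formed
# CPE 2.3 formatted string: the "cpe:2.3:<part>:" prefix, exactly 13
# colon-separated components, and no empty component.
cpe_check() {
    case $1 in
        cpe:2.3:[aho]:*) ;;
        *) return 1 ;;
    esac
    # Escaped colons are value characters, not separators. Neutralise
    # escaped backslash pairs first so that "\\:" (quoted backslash, then a
    # real separator) is not mistaken for a quoted colon.
    printf '%s\n' "$1" \
        | sed -e 's/\\\\/XX/g' -e 's/\\://g' \
        | awk -F: '
            BEGIN { bad = 0 }
            NF != 13 { bad = 1 }
            { for (i = 1; i <= NF; i++) if ($i == "") bad = 1 }
            END { exit bad }'
}

# Demonstration with constructed values (not real pkgsrc metadata).
s=$(cpe_build GNU bash 5.1 p16)
printf '%s\n' "$s"
if cpe_check "$s"; then echo "ok: well-formed CPE string"; fi
s=$(cpe_build "Acme Corp" "foo:bar" "" "")
printf '%s\n' "$s"
if cpe_check "$s"; then echo "ok: escaped separator handled"; fi
```

Run it with any POSIX sh; the two demonstration lines print `cpe:2.3:a:gnu:bash:5.1:p16:*:*:*:*:*:*` and `cpe:2.3:a:acme\ corp:foo\:bar:*:*:*:*:*:*:*:*`. The check function is the piece a pkgsrc-wide audit would loop over: generate the string for every package, run cpe_check, and list the packages whose generated string fails or whose vendor/product pair is not what NVD actually uses, since those are the ones that need manual CPE_VENDOR/CPE_PRODUCT overrides.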