tech-pkg archive


Use CPE (Common Platform Enumeration) for pkgsrc?
Hi!

MITRE/NIST publish a list of strings that define software
projects. This list is called Common Platform Enumeration (CPE).

These strings can be used to look up security problems in the National
Vulnerability Database (NVD).

FreeBSD has a page describing this in more detail:

https://wiki.freebsd.org/Ports/CPE

I think this might be useful to add to pkgsrc, to be able to use the
vulnerability data provided by NVD more directly and reduce the
workload for pkgsrc-security.

FreeBSD uses the following variables:
CPE_VENDOR - the publisher of the software
CPE_PRODUCT - the product name of the software
CPE_VERSION - the (major) version
CPE_UPDATE - the (minor) version

The full CPE string should then be added to the pkg_info database.

Are there any opinions on this (for pkgsrc)?
Is anyone interested in working on this?
 Thomas
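As an added example (not part of the message above, and not pkgsrc or FreeBSD code), the following shows what the four FreeBSD variables turn into and how such a string would be used against NVD data: it binds CPE_VENDOR, CPE_PRODUCT, CPE_VERSION and CPE_UPDATE into a CPE 2.3 formatted string (the binding from NISTIR 7695, with the escaping that keeps a package's literal values from being read as wildcards), splits and matches such strings, and applies the version range bounds that NVD attaches to most entries. Assumed and not taken from the page: the CPE 2.3 binding rather than the older `cpe:/a:` URI form, part `a` and target_sw `netbsd` for a pkgsrc package, the NVD CVE API 2.0 field names `criteria`, `versionStartIncluding` and `versionEndExcluding`, and the sample package and entries, which are constructed.

```python
"""Build CPE 2.3 formatted strings from FreeBSD-style CPE_* variables and
check them against NVD-style applicability entries.

Added example for the thread above; neither pkgsrc nor FreeBSD code.
Assumed: the CPE 2.3 formatted-string binding (NISTIR 7695) and the NVD
CVE API 2.0 names "criteria", "versionStartIncluding", "versionEndExcluding".
The sample package and NVD entries at the bottom are constructed.
"""
import re

# Attribute order of a CPE 2.3 formatted string: cpe:2.3:<11 attributes>.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "*", "-"   # logical values ANY and NA as bound in a formatted string


def bind_value(raw):
    """Bind one literal pkgsrc value. CPE names are lower-case by convention.
    Alphanumerics, '_', '.' and '-' pass through; every other character
    ('*', '?', ':', '\\', '+', ...) is backslash-escaped so a concrete package
    never carries a wildcard or a stray separator. None (unset) binds to ANY."""
    if raw is None:
        return ANY
    return "".join(c if re.fullmatch(r"[a-z0-9_.-]", c) else "\\" + c
                   for c in raw.lower())


def unbind(bound):
    """Drop the backslash escapes of a bound value (inverse of bind_value)."""
    return re.sub(r"\\(.)", r"\1", bound)


def package_cpe(cpe_vendor, cpe_product, cpe_version, cpe_update=None,
                part="a", target_sw="netbsd"):
    """Combine the CPE_* variables into the string to record in the pkg_info
    database. part 'a' = application; target_sw 'netbsd' is an assumption."""
    values = dict.fromkeys(ATTRS, None)
    values.update(part=part, vendor=cpe_vendor, product=cpe_product,
                  version=cpe_version, update=cpe_update, target_sw=target_sw)
    return "cpe:2.3:" + ":".join(bind_value(values[a]) for a in ATTRS)


def split_fs(cpe):
    """Split a formatted string into its 11 attributes; '\\:' is not a separator."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    parts, cur, s, i = [], "", cpe[len(prefix):], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep escape and escaped char
            cur += s[i:i + 2]
            i += 2
            continue
        if s[i] == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += s[i]
        i += 1
    parts.append(cur)
    if len(parts) != len(ATTRS):
        raise ValueError("expected 11 attributes, got %d" % len(parts))
    return dict(zip(ATTRS, parts))


def value_regex(bound):
    """Regex for a bound entry value: unescaped '*' matches any run, '?' one
    character, escaped characters match themselves."""
    out, i = "", 0
    while i < len(bound):
        if bound[i] == "\\" and i + 1 < len(bound):
            out += re.escape(bound[i + 1])
            i += 2
        else:
            out += {"*": ".*", "?": "."}.get(bound[i], re.escape(bound[i]))
            i += 1
    return re.compile("^" + out + "$", re.IGNORECASE)


def attr_matches(entry_val, pkg_val):
    """Name matching for one attribute (NISTIR 7696, simplified): ANY in the
    entry matches anything, NA matches only NA, and an unknown (ANY) value on
    the package side is reported rather than silenced."""
    if entry_val == ANY:
        return True
    if entry_val == NA or pkg_val == NA:
        return entry_val == pkg_val
    if pkg_val == ANY:
        return True
    return value_regex(entry_val).match(unbind(pkg_val)) is not None


def version_key(v):
    """Sort key for range bounds: numeric fields compare as integers, other
    fields as strings after integers. A stand-in for pkgsrc's own dewey
    comparison, which a real implementation should use instead."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.-]", v))


def entry_applies(entry, pkg_cpe):
    """Does an NVD-style entry {'criteria': <cpe>, optional range bounds}
    cover pkg_cpe? Both the name match and the version range must hold."""
    e, p = split_fs(entry["criteria"]), split_fs(pkg_cpe)
    if not all(attr_matches(e[a], p[a]) for a in ATTRS):
        return False
    ver = unbind(p["version"])
    if ver in (ANY, NA):
        return True
    key = version_key(ver)
    lo, hi = entry.get("versionStartIncluding"), entry.get("versionEndExcluding")
    if lo is not None and key < version_key(lo):
        return False
    if hi is not None and not key < version_key(hi):
        return False
    return True


# Constructed sample: a hypothetical package and two NVD-style entries.
PKG = package_cpe("openssl", "openssl", "1.1.1k")
NVD = [
    {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1l"},
    {"criteria": "cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*"},
]

if __name__ == "__main__":
    print(PKG)
    for entry in NVD:
        print(entry["criteria"], "->", entry_applies(entry, PKG))
```

Two points the example makes that the variable list alone does not: the package side must be escaped and lower-cased before it is stored, or a product name like `c++` or `ImageMagick` will never match what NVD publishes; and a bare string comparison is not enough, since most NVD entries express the affected range with version bounds rather than one concrete version, so whatever pkgsrc stores has to be compared with a real version ordering (the dewey comparison pkgsrc already has) rather than the simple key used here.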

