tech-pkg archive


Re: Use CPE (Common Platform Enumeration) for pkgsrc?



Hi Thomas,

All in all, and especially as a member of pkgsrc-security, I would love
that. I expect it would help us a lot to reduce the workload and
automate more of our work.

> Is anyone interested in working on this?

As I would love to have it, I could also have a look at how to implement
it. I might need some help to understand the best way of
implementation.

All the best,
Thomas

* Thomas Klausner <wiz%NetBSD.org@localhost> [2021-11-18 11:59]:
> Hi!
> 
> MITRE/NIST publish a list of strings that define software
> projects. This list is called Common Platform Enumeration (CPE).
> 
> These strings can be used to look up security problems in the National
> Vulnerability Database (NVD).
> 
> FreeBSD has a page describing this in more detail:
> 
> https://wiki.freebsd.org/Ports/CPE
> 
> I think this might be useful to add to pkgsrc, to be able to use the
> vulnerability data provided by NVD more directly and reduce the
> workload for pkgsrc-security.
> 
> FreeBSD uses the following variables:
> CPE_VENDOR - the publisher of the software
> CPE_PRODUCT - the product name of the software
> CPE_VERSION - the (major) version
> CPE_UPDATE - the (minor) version
> 
> The full CPE string then should be added to the pkg_info database.
> 
> Are there any opinions on this (for pkgsrc)?
> Is anyone interested in working on this?
>  Thomas
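
The mechanics Thomas describes above (four per-package variables joined into one CPE string, recorded by pkg_info and then checked against NVD data) as an added, self-contained example for this thread. This is not pkgsrc's or FreeBSD's code: it assumes the variable names CPE_VENDOR, CPE_PRODUCT, CPE_VERSION and CPE_UPDATE from the quoted mail, the package record and the NVD-style match criteria are constructed sample data, and the version ordering is a simplified dotted compare rather than pkg_version(1) semantics. The escaping follows the CPE 2.3 formatted-string binding, where only alphanumerics, '_', '.' and '-' may appear unquoted in a component.

```python
"""CPE 2.3 formatted strings from pkgsrc-style variables, matched against
NVD-style criteria. Added example for the tech-pkg thread; not pkgsrc or
FreeBSD code. Package data and criteria below are constructed samples.
"""
import re

# Characters allowed bare inside a CPE 2.3 formatted-string component.
# Everything else, including the wildcards '*' and '?', is quoted with a
# backslash so a literal Makefile value is never read as a pattern.
_PLAIN = re.compile(r"[A-Za-z0-9_.-]")
_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
           "language", "sw_edition", "target_sw", "target_hw", "other")


def fs_escape(value: str) -> str:
    """Quote every character that may not appear bare in a component."""
    return "".join(c if _PLAIN.match(c) else "\\" + c for c in value)


def fs_component(value):
    """Unset variable -> ANY ('*'). A lone '-' would mean NA in CPE, so a
    literal hyphen is quoted to keep it a literal."""
    if value is None or value == "":
        return "*"
    if value == "-":
        return "\\-"
    return fs_escape(value)


def make_cpe23(vendor, product, version=None, update=None, part="a"):
    """Build the string pkg_info would record. NVD spells vendor and
    product in lowercase, so we lowercase those two (assumption here)."""
    values = [part, vendor.lower(), product.lower(), version, update]
    values += [None] * (len(_FIELDS) - len(values))
    return "cpe:2.3:" + ":".join(fs_component(v) for v in values)


def parse_cpe23(cpe: str) -> dict:
    """Split on unquoted ':' only; a quoted pair such as '\\:' stays intact."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    body, parts, cur, i = cpe[len(prefix):], [], "", 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            cur += body[i:i + 2]
            i += 2
            continue
        if body[i] == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += body[i]
        i += 1
    parts.append(cur)
    if len(parts) != len(_FIELDS):
        raise ValueError("expected %d components, got %d" % (len(_FIELDS), len(parts)))
    return dict(zip(_FIELDS, parts))


def version_key(v: str):
    """Digit runs compare numerically ('2.4.10' > '2.4.9'), other runs
    lexically. Simplified assumption: pre-release tags and pkgsrc's nbN
    suffixes are not ordered the way pkg_version(1) orders them."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", v)]


def matches_criterion(cpe: str, crit: dict) -> bool:
    """Apply one NVD API 2.0 style cpeMatch entry (keys 'criteria',
    'vulnerable', 'versionStartIncluding', 'versionEndExcluding', ...)."""
    if not crit.get("vulnerable", True):
        return False
    want, have = parse_cpe23(crit["criteria"]), parse_cpe23(cpe)
    for f in _FIELDS:
        if want[f] != "*" and want[f].lower() != have[f].lower():
            return False
    if have["version"] == "*":          # no version recorded: a range cannot apply
        return not any(k.startswith("version") for k in crit)
    k = version_key(have["version"])
    checks = (("versionStartIncluding", lambda a, b: a >= b),
              ("versionStartExcluding", lambda a, b: a > b),
              ("versionEndIncluding", lambda a, b: a <= b),
              ("versionEndExcluding", lambda a, b: a < b))
    return all(ok(k, version_key(crit[n])) for n, ok in checks if n in crit)


# Constructed sample data: one package's four variables and two NVD-style
# criteria (real ones come from the NVD API or JSON feeds).
PACKAGE = {"CPE_VENDOR": "Acme", "CPE_PRODUCT": "widgetd",
           "CPE_VERSION": "2.4.1", "CPE_UPDATE": None}
NVD_CRITERIA = [
    {"vulnerable": True, "criteria": "cpe:2.3:a:acme:widgetd:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.2"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:acme:widgetd:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "2.4.1"},
]


def affected(pkg: dict, criteria) -> list:
    """The criteria that apply to a package: what a pkgsrc-security
    script could report once pkg_info carries the CPE string."""
    cpe = make_cpe23(pkg["CPE_VENDOR"], pkg["CPE_PRODUCT"],
                     pkg["CPE_VERSION"], pkg["CPE_UPDATE"])
    return [c for c in criteria if matches_criterion(cpe, c)]


if __name__ == "__main__":
    print(make_cpe23("foo", "big$money", "1.0"))   # cpe:2.3:a:foo:big\$money:1.0:*:*:*:*:*:*:*
    for c in affected(PACKAGE, NVD_CRITERIA):
        print("affected:", c["criteria"], {k: v for k, v in c.items() if k.startswith("version")})
```

Two things worth noting from the code: an unset CPE_UPDATE must become '*' (ANY), not an empty component or '-' (NA), or NVD criteria with a wildcard update field would stop matching; and any real implementation has to plug in pkg_version(1)'s ordering for the range comparison, since the simplified key above does not know that a pre-release tag sorts before the release.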

