tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Use CPE (Common Platform Enumeration) for pkgsrc?

Hi Thomas,

all in all and especially as a member of pkgsrc-security I would love
that. I expect it would help us a lot to reduce the workload and
automate more of our work.

> Is anyone interested in working on this?

As I would love to have it I could also have a look how to implement
it. I might need some help to understand the best way of

All the best,

* Thomas Klausner <> [2021-11-18 11:59]:
> Hi!
> MITRE/NIST publish a list of strings that define software
> projects. This list is called Common Platform Enumeration (CPE).
> These strings can be used to look up security problems in the National
> Vulnerability Database (NVD).
> FreeBSD has a page describing this in more detail:
> I think this might be useful to add to pkgsrc, to be able to use the
> vulnerability data provided by NVD more directly and reduce the
> workload for pkgsrc-security.
> FreeBSD uses the following variables:
> CPE_VENDOR - the publisher of the software
> CPE_PRODUCT - the product name of the software
> CPE_VERSION - the (major) version
> CPE_UPDATE - the (minor) version
> The full CPE string then should be added to the pkg_info database.
> Are there any opinions on this (for pkgsrc)?
> Is anyone interested in working on this?
>  Thomas

Home | Main Index | Thread Index | Old Index