tech-pkg archive


Re: Use CPE (Common Platform Enumeration) for pkgsrc?
Dear all,
Dear Thomas,

I started a bit of work on this and adapted the cpe.mk from
FreeBSD. As this would be my first commit to an mk file, I'm looking
for some feedback.

I assume that once this is present we could have a look at adding it to
pkg_info?

All the best,
Thomas

* Thomas Merkel <tm%NetBSD.org@localhost> [2021-11-24 23:45]:
> Hi Thomas,
> 
> all in all and especially as a member of pkgsrc-security I would love
> that. I expect it would help us a lot to reduce the workload and
> automate more of our work.
> 
> > Is anyone interested in working on this?
> 
> As I would love to have it, I could also have a look at how to implement
> it. I might need some help to understand the best way of
> implementation.
> 
> All the best,
> Thomas
> 
> * Thomas Klausner <wiz%NetBSD.org@localhost> [2021-11-18 11:59]:
> > Hi!
> > 
> > MITRE/NIST publish a list of strings that define software
> > projects. This list is called Common Platform Enumeration (CPE).
> > 
> > These strings can be used to look up security problems in the National
> > Vulnerability Database (NVD).
> > 
> > FreeBSD has a page describing this in more detail:
> > 
> > https://wiki.freebsd.org/Ports/CPE
> > 
> > I think this might be useful to add to pkgsrc, to be able to use the
> > vulnerability data provided by NVD more directly and reduce the
> > workload for pkgsrc-security.
> > 
> > FreeBSD uses the following variables:
> > CPE_VENDOR - the publisher of the software
> > CPE_PRODUCT - the product name of the software
> > CPE_VERSION - the (major) version
> > CPE_UPDATE - the (minor) version
> > 
> > The full CPE string then should be added to the pkg_info database.
> > 
> > Are there any opinions on this (for pkgsrc)?
> > Is anyone interested in working on this?
> > Thomas

# $NetBSD: $
# Derived from: FreeBSD MK/Uses/cpe.mk (3e1b730be0f27, 2014-07-26)
# 
# This Makefile fragment includes CPE information into packages based on the
# CPE 2.3 formatting string. Additional information could be found on the
# official NIST documentation:
#
# https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe
#
# User-settable variables:
#
# (none)
#
# Package-settable variables:
#
# CPE_PART
#	This is sometimes referred to as the "type" of the CPE: a single
#	character describing the type. Can be "a" for application, "h" for
#	hardware and "o" for operating system.
#	Default: "a"
#
# CPE_VENDOR
#	Should describe or identify the organisation that created the product.
#	Default: ${CPE_PRODUCT} (below)
#
# CPE_PRODUCT
#	Name of the system/package or component. Should not contain any
#	special characters. For applications CPE_VENDOR and CPE_PRODUCT may be
#	identical.
#	Default: ${PKGBASE}
#
# CPE_VERSION
#	The version of the system/package or component.
#	Default: ${PKGVERSION_NOREV}
#
# CPE_UPDATE
#	Used for updates, service pack information or sometimes minor versions.
#	Most often left blank.
#	Default: empty
#
# CPE_EDITION
#	Further granularity describing the build of the system/package or
#	component, beyond version.
#	Default: empty
#
# CPE_LANG
#	A valid language tag as defined by IETF RFC 4646. Not relevant for
#	pkgsrc at the moment.
#	Default: empty
#
# CPE_SW_EDITION
#	Characterise how the product is tailored to a particular market or
#	class of end users.
#	Default: empty
#
# CPE_TARGET_SW
#	Describe the software computing environment within which the product
#	operates.
#	Default: operating system (${OPSYS}) and version (${OS_VERSION})
#
# CPE_TARGET_HW
#	Instruction set architecture (e.g. x86) on which the product being
#	described or identified by the WFN (well-formed CPE name) operates.
#	Default: x86 for i386, x64 for amd64, otherwise ${MACHINE_ARCH}
#
# CPE_OTHER
#	Any other general descriptive or identifying information. Used for
#	PKGREVISION in pkgsrc.
#	Default: ${PKGREVISION} if set
#
# Variables defined by this file:
#
# CPE_URI
#	The CPE URI uniquely identifies a device or program by its vendor,
#	product name, version and revision. Based on the above variables.
#
# Keywords: cpe

.if !defined(CPE_MK)
CPE_MK=			# defined

CPE_PART?=		a
CPE_PRODUCT?=		${PKGBASE:Q}
CPE_VENDOR?=		${CPE_PRODUCT}
CPE_VERSION?=		${PKGVERSION_NOREV}
CPE_UPDATE?=
CPE_EDITION?=
CPE_LANG?=
CPE_SW_EDITION?=
CPE_TARGET_SW?=		${OPSYS:tl}${OS_VERSION:C/\..*//}
CPE_TARGET_HW?=		${MACHINE_ARCH:S/i386/x86/:S/amd64/x64/}
CPE_OTHER?=		${PKGREVISION}

_CPE_STR=		cpe:2.3:${CPE_PART}:${CPE_VENDOR}:${CPE_PRODUCT}:${CPE_VERSION}:${CPE_UPDATE}:${CPE_EDITION}:${CPE_LANG}:${CPE_SW_EDITION}:${CPE_TARGET_SW}:${CPE_TARGET_HW}:${CPE_OTHER}

CPE_URI?=		${_CPE_STR:C/:+$//}
.endif
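To see what the fragment emits for a given package without a pkgsrc tree, here is an added example (not part of the posted cpe.mk and not pkgsrc code): a POSIX sh port of its defaults and of the trailing-colon stripping, taking the pkgsrc variables the fragment reads as arguments. The package, OS and architecture values used below are constructed samples.

```shell
#!/bin/sh
# Added example: mirrors the posted cpe.mk in plain shell so CPE_URI can be
# inspected for sample inputs. Nothing here is pkgsrc code.
#
# usage: cpe_uri PKGBASE PKGVERSION_NOREV OPSYS OS_VERSION MACHINE_ARCH PKGREVISION
cpe_uri() {
    pkgbase=$1 version=$2 opsys=$3 os_version=$4 arch=$5 pkgrevision=$6

    cpe_part=a                      # CPE_PART?=    a
    cpe_product=$pkgbase            # CPE_PRODUCT?= ${PKGBASE}
    cpe_vendor=$cpe_product         # CPE_VENDOR?=  ${CPE_PRODUCT}
    cpe_version=$version            # CPE_VERSION?= ${PKGVERSION_NOREV}
    cpe_update= cpe_edition= cpe_lang= cpe_sw_edition=   # all default to empty

    # ${OPSYS:tl}${OS_VERSION:C/\..*//}: lowercased OS name + major version only
    cpe_target_sw=$(printf '%s' "$opsys" | tr '[:upper:]' '[:lower:]')${os_version%%.*}

    # ${MACHINE_ARCH:S/i386/x86/:S/amd64/x64/}: first-occurrence substitutions
    cpe_target_hw=$(printf '%s' "$arch" | sed 's/i386/x86/;s/amd64/x64/')

    cpe_other=$pkgrevision          # CPE_OTHER?=   ${PKGREVISION}

    str="cpe:2.3:$cpe_part:$cpe_vendor:$cpe_product:$cpe_version:$cpe_update"
    str="$str:$cpe_edition:$cpe_lang:$cpe_sw_edition:$cpe_target_sw:$cpe_target_hw:$cpe_other"

    # ${_CPE_STR:C/:+$//}: drop the run of trailing colons left by empty components
    while [ "${str%:}" != "$str" ]; do str=${str%:}; done
    printf '%s\n' "$str"
}

# Constructed sample: openssl 1.1.1lnb2 on NetBSD 9.2/amd64
cpe_uri openssl 1.1.1l NetBSD 9.2 amd64 2
# Same package with no PKGREVISION: the trailing ":other" component disappears
cpe_uri openssl 1.1.1l NetBSD 9.2 i386 ""
```

Note that the stripped form has fewer than the 13 components the CPE 2.3 formatted-string binding defines (which writes unspecified fields as `*`), so a consumer that matches on field count should be checked against the output of the second call.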