Re: git: a90e961f4d19 - main - */*: Avoid extra CPE_VENDOR=kde by properly sorting USES

From: Bernhard_Fröhlich <decke_at_freebsd.org>
Date: Tue, 12 Oct 2021 13:12:40 UTC
On Tue, Oct 12, 2021 at 1:04 PM Stefan Esser <se@freebsd.org> wrote:
>
> Am 11.10.21 um 21:43 schrieb Bernhard Fröhlich:
> [...]
> > Doesn't matter much since CPE data is a moving target anyway. To handle that I
> > created chkcpe [1] which automatically analyzes the portstree once a day and
> > verifies the CPE data it finds.
> >
> > In this particular case it will detect an invalid CPE vendor/product and will
> > list the port under "invalid". There are similar cases like port rename,
> > "repocopy" etc. which can also easily lead to invalid CPE data.
> >
> >  [1] https://github.com/decke/chkcpe
>
> Hi Bernhard,
>
> interesting service, has it ever been announced to port maintainers?

No, but I have announced it to portmgr@ and ports-secteam@ and there is
an entry in the upcoming quarterly status report.

> One question: what am I supposed to do with ports that are in the
> "checkneeded" list with wrong information, but do not have a CPE
> database entry (and probably won't ever get one)?

Right now there is no need to do anything as a port maintainer. The
lists that chkcpe generates need to be manually checked and verified
(I can check around 50 matches per hour with the small web interface
in chkcpe which collects all relevant info that is needed to decide).

> Specifically:
>
> I just checked for entries matching ports I maintain, and there are
> 2 in the "checkneeded" category, both with wrong CPE information.
>
> The ports in question are math/gh-bc and deskutils/calendar, and
> neither of them is in the CPE dictionary and I'm not supposed to
> make entries up.

Yeah, both names are very generic and likely generate false positives.
Right now PORTNAME is used to search a product in the CPE
database but it's the best that we have.

> The entry suggested for gh-bc is: cpe:2.3:a:gnu:bc:*:*:*:*:*:*:*:*
> which is wrong. This project has no connection to GNU.
>
> The calendar port is a slightly modified version of the calendar
> program in FreeBSD-CURRENT for use with older -STABLE releases
> that lack quite a number of features of the new version.
>
> Neither the WiKi nor any other information I found seems to offer
> any help for this case.
>
> Is it possible to mark a port as: "ignore with regard to CPE"?
>
> How are products added to the CPE database (should be possible
> for gh-bc, which is available for a lot of operating systems)?

The CPE database is maintained by NIST and they add entries when
a CVE is created. So if your port was never affected by a CVE then
there is no valid CPE yet. From what I have seen CPE entries can
also be reserved for further use but I don't know how to do that yet.
It does not seem to be very common and I don't know if only the
project or everyone can do that.

> And how do we deal with base system components that have been
> converted to a port or have been made available as a port in
> addition to being present in some base system release?

I don't think that this is a special case. If there is a CVE entry that
affects this component you can look up the CPE info from there.

-- 
Bernhard Froehlich
http://www.bluelife.at/
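The CPE handling discussed in this thread, as an added example that is not chkcpe's code nor anything from the ports tree: it parses CPE 2.3 formatted strings such as the gnu:bc entry quoted above and sorts a port's CPE data into the buckets the thread names ("valid", "invalid", "checkneeded"), using a small constructed dictionary in place of the NIST one; the sample ports, dictionary entries and the "nocpe" bucket are assumptions made for the example.

```python
# Added example, not code from chkcpe or the ports tree: parse CPE 2.3
# formatted strings and classify a port's CPE data the way the thread
# describes, against a constructed stand-in for the NIST CPE dictionary.
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(fs):
    """Split a CPE 2.3 formatted string into a dict of its 11 components.
    A colon inside a component is escaped as '\\:', so split only on
    unescaped colons; components keep their escaping."""
    parts = re.split(r"(?<!\\):", fs)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % fs)
    return dict(zip(CPE_FIELDS, parts[2:]))


def format_cpe(vendor, product):
    """Build the wildcard formatted string a port's CPE_VENDOR/CPE_PRODUCT
    pair expands to, escaping the separator and wildcard characters."""
    esc = lambda s: re.sub(r"([:\\*?])", r"\\\1", s)
    return "cpe:2.3:a:%s:%s:*:*:*:*:*:*:*:*" % (esc(vendor), esc(product))


# Constructed stand-in for the NIST dictionary: known (vendor, product) pairs.
DICTIONARY = {("gnu", "bc"), ("gnu", "bash"), ("kde", "plasma-workspace")}


def classify(portname, cpe_vendor=None, cpe_product=None, dictionary=DICTIONARY):
    """Return (bucket, details) for one port.
    - a port that declares vendor/product is 'valid' if the pair exists in
      the dictionary, otherwise 'invalid' (e.g. a stale vendor after a rename)
    - a port without CPE data is 'checkneeded' when PORTNAME matches a
      dictionary product, which is how a false positive like gh-bc -> gnu:bc
      arises; with no match it lands in 'nocpe' (a bucket assumed here)."""
    if cpe_vendor and cpe_product:
        known = (cpe_vendor, cpe_product) in dictionary
        return ("valid" if known else "invalid",
                format_cpe(cpe_vendor, cpe_product))
    # Match the whole PORTNAME or any hyphen-separated piece of it.
    candidates = sorted(format_cpe(v, p) for v, p in dictionary
                        if p == portname or p in portname.split("-"))
    return ("checkneeded", candidates) if candidates else ("nocpe", [])
```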