Re: Adding CPE information
Date: Thu, 14 Oct 2021 13:58:01 UTC
On Thu, Oct 14, 2021 at 3:44 PM Yasuhiro Kimura <yasu@freebsd.org> wrote:
>
> From: Guido Falsi <mad@madpilot.net>
> Subject: Re: Adding CPE information
> Date: Thu, 14 Oct 2021 14:58:04 +0200
>
> >> It seems recently some committers are working to add CPE information
> >> to many ports. I don't know why it started. But if it is intended to
> >> add CPE information to all (or most of) ports, isn't it better to
> >> modify ports framework so CPE information is added to each port by
> >> default?
> >>
> >
> > AFAIK that's already in the tree. The framework tries to extrapolate
> > CPE information from PORTNAME and other variables.
>
> Yes, but it isn't enabled by default. You need to add 'USES=cpe' to
> Makefile if you want to add CPE information to specific port. What I
> proposed is to change framework so CPE information is added to all
> ports without adding 'USES=cpe' to Makefile of each port.
>
> > Unluckily most of the time it is actually impossible to get correct
> > information and some other variables with the correct details (which
> > are not necessarily logical or in any way connected with the
> > information already present) need to be added by hand after manual
> > discovery.
>
> I understand manual work is required to set the value of related
> variables correctly. But it is always necessary whether we add CPE
> information by changing framework or we do it by adding 'USES=cpe' to
> Makefile of each port. And assuming that it is intended to add CPE
> information to all ports, I think the former requires less work volume
> than the latter.

No, that does not work because valid CPE entries only exist if the
software product was mentioned in a CVE or the CPE entry was reserved,
which is a rare case.

--
Bernhard Froehlich
http://www.bluelife.at/