Date:      Tue, 12 Oct 2021 15:12:40 +0200
From:      Bernhard Fröhlich <decke@freebsd.org>
To:        Stefan Esser <se@freebsd.org>
Cc:        "ports-committers@freebsd.org" <ports-committers@freebsd.org>,  "dev-commits-ports-all@freebsd.org" <dev-commits-ports-all@freebsd.org>,  "dev-commits-ports-main@freebsd.org" <dev-commits-ports-main@freebsd.org>
Subject:   Re: git: a90e961f4d19 - main - */*: Avoid extra CPE_VENDOR=kde by properly sorting USES
Message-ID:  <CAE-m3X01=yxwtoau-K69QG_VFcSS0ZibP5XZGw7cYSNbJoeUrg@mail.gmail.com>
In-Reply-To: <255b290b-72fe-45c0-b5bf-6271eb1543ac@freebsd.org>
References:  <202110111458.19BEw4xF062545@gitrepo.freebsd.org> <3067458.bT80LyP3VS@mercury> <CAE-m3X2o-nDLrvK4g8w0Mqsy5fXF2Pix1YR-TK=m-yrL2Du8JQ@mail.gmail.com> <255b290b-72fe-45c0-b5bf-6271eb1543ac@freebsd.org>

On Tue, Oct 12, 2021 at 1:04 PM Stefan Esser <se@freebsd.org> wrote:
>
> On 11.10.21 at 21:43, Bernhard Fröhlich wrote:
> [...]
> > Doesn't matter much since CPE data is a moving target anyway. To handle that I
> > created chkcpe [1] which automatically analyzes the ports tree once a day and
> > verifies the CPE data it finds.
> >
> > In this particular case it will detect an invalid CPE vendor/product and will
> > list the port under "invalid". There are similar cases like port rename,
> > "repocopy" etc. which can also easily lead to invalid CPE data.
> >
> >  [1] https://github.com/decke/chkcpe
>
> Hi Bernhard,
>
> interesting service, has it ever been announced to port maintainers?

No, but I have announced it to portmgr@ and ports-secteam@ and there is
an entry in the upcoming quarterly status report.

> One question: what am I supposed to do with ports that are in the
> "checkneeded" list with wrong information, but do not have a CPE
> database entry (and probably won't ever get one)?

Right now there is no need to do anything as a port maintainer. The
lists that chkcpe generates need to be manually checked and verified
(I can check around 50 matches per hour with the small web interface
in chkcpe which collects all relevant info that is needed to decide).

> Specifically:
>
> I just checked for entries matching ports I maintain, and there are
> 2 in the "checkneeded" category, both with wrong CPE information.
>
> The ports in question are math/gh-bc and deskutils/calendar, and
> neither of them is in the CPE dictionary and I'm not supposed to
> make entries up.

Yeah, both names are very generic and likely generate false positives.
Right now PORTNAME is used to search a product in the CPE
database but it's the best that we have.

> The entry suggested for gh-bc is: cpe:2.3:a:gnu:bc:*:*:*:*:*:*:*:*
> which is wrong. This project has no connection to GNU.
>
> The calendar port is a slightly modified version of the calendar
> program in FreeBSD-CURRENT for use with older -STABLE releases
> that lack quite a number of features of the new version.
>
> Neither the WiKi nor any other information I found seems to offer
> any help for this case.
>
> Is it possible to mark a port as: "ignore with regard to CPE"?
>
> How do products get added to the CPE database (should be possible
> for gh-bc, which is available for a lot of operating systems)?

The CPE database is maintained by NIST and they add entries when
a CVE is created. So if your port was never affected by a CVE then
there is no valid CPE yet. From what I have seen CPE entries can
also be reserved for further use but I don't know how to do that yet.
It does not seem to be very common and I don't know if only the
project or everyone can do that.

> And how do we deal with base system components that have been
> converted to a port or have been made available as a port in
> addition to being present in some base system release?

I don't think that this is a special case. If there is a CVE entry that
affects this component you can look up the CPE info from there.

-- 
Bernhard Froehlich
http://www.bluelife.at/
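The "valid" / "invalid" / "checkneeded" buckets described in the reply, as an added toy example that is not chkcpe's own code: the mini CPE dictionary, the port records and the rule that a PORTNAME's last hyphen-separated component is also tried (how a generic name like gh-bc ends up matched to gnu:bc) are all constructed assumptions.

```python
import re

# Constructed mini CPE dictionary of (vendor, product) pairs; not NIST data.
CPE_DICT = {("gnu", "bc"), ("kde", "okular"), ("kde", "konsole"), ("gnome", "calendar")}

# vendor and product fields of a CPE 2.3 formatted string (part must be a/h/o).
# Simplification: escaped colons ("\:") inside a field are not handled.
CPE23_RE = re.compile(r"^cpe:2\.3:[aho]:([^:]+):([^:]+):")


def parse_vendor_product(cpe):
    """Return (vendor, product) from a CPE 2.3 string, or None if malformed."""
    m = CPE23_RE.match(cpe)
    return (m.group(1), m.group(2)) if m else None


def suggest_by_portname(portname):
    """PORTNAME-based lookup as described in the reply. Assumption for this toy:
    the last hyphen-separated component is tried too, so 'gh-bc' hits 'gnu:bc'."""
    name = portname.lower()
    keys = {name, name.rsplit("-", 1)[-1]}
    return [f"cpe:2.3:a:{v}:{p}:*:*:*:*:*:*:*:*"
            for v, p in sorted(CPE_DICT) if p in keys]


def classify(port):
    """Sort one port record into the chkcpe-style buckets named in the thread.

    port: dict with PORTNAME and optionally CPE (the CPE 2.3 string the port declares).
    Returns (bucket, suggestions):
      valid       - declared vendor/product pair exists in the dictionary
      invalid     - declared pair is not in the dictionary (e.g. a stray
                    CPE_VENDOR=kde from USES ordering, or a renamed port)
      checkneeded - nothing declared, but PORTNAME matches a dictionary
                    product, so a human must confirm or reject the hit
      unknown     - nothing declared and no match at all
    """
    declared = port.get("CPE")
    if declared:
        pair = parse_vendor_product(declared)
        return ("valid", []) if pair in CPE_DICT else ("invalid", [])
    hits = suggest_by_portname(port["PORTNAME"])
    return ("checkneeded", hits) if hits else ("unknown", [])


if __name__ == "__main__":
    for p in [{"PORTNAME": "okular", "CPE": "cpe:2.3:a:kde:okular:*:*:*:*:*:*:*:*"},
              {"PORTNAME": "bc", "CPE": "cpe:2.3:a:kde:bc:*:*:*:*:*:*:*:*"},
              {"PORTNAME": "gh-bc"}, {"PORTNAME": "calendar"}, {"PORTNAME": "chkcpe"}]:
        print(p["PORTNAME"], classify(p))
```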
