From: Bernhard Fröhlich
Date: Tue, 12 Oct 2021 15:12:40 +0200
Subject: Re: git: a90e961f4d19 - main - */*: Avoid extra CPE_VENDOR=kde by properly sorting USES
To: Stefan Esser
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all

On Tue, Oct 12, 2021 at 1:04 PM Stefan Esser wrote:
>
> On 11.10.21 at 21:43, Bernhard Fröhlich wrote:
> [...]
> > Doesn't matter much since CPE data is a moving target anyway. To handle that I
> > created chkcpe [1] which automatically analyzes the portstree once a day and
> > verifies the CPE data it finds.
> >
> > In this particular case it will detect an invalid CPE vendor/product and will
> > list the port under "invalid". There are similar cases like port rename,
> > "repocopy" etc. which can also easily lead to invalid CPE data.
> >
> > [1] https://github.com/decke/chkcpe
>
> Hi Bernhard,
>
> interesting service, has it ever been announced to port maintainers?

No, but I have announced it to portmgr@ and ports-secteam@ and there is
an entry in the upcoming quarterly status report.

> One question: what am I supposed to do with ports that are in the
> "checkneeded" list with wrong information, but do not have a CPE
> database entry (and probably won't ever get one)?

Right now there is no need to do anything as a port maintainer. The
lists that chkcpe generates need to be manually checked and verified (I
can check around 50 matches per hour with the small web interface in
chkcpe which collects all relevant info that is needed to decide).

> Specifically:
>
> I just checked for entries matching ports I maintain, and there are
> 2 in the "checkneeded" category, both with wrong CPE information.
>
> The ports in question are math/gh-bc and deskutils/calendar, and
> neither of them is in the CPE dictionary and I'm not supposed to
> make entries up.

Yeah, both names are very generic and likely generate false positives.
Right now PORTNAME is used to search a product in the CPE database but
it's the best that we have.

> The entry suggested for gh-bc is: cpe:2.3:a:gnu:bc:*:*:*:*:*:*:*:*
> which is wrong. This project has no connection to GNU.
>
> The calendar port is a slightly modified version of the calendar
> program in FreeBSD-CURRENT for use with older -STABLE releases
> that lack quite a number of features of the new version.
>
> Neither the Wiki nor any other information I found seems to offer
> any help for this case.
>
> Is it possible to mark a port as: "ignore with regard to CPE"?
>
> How do products get added to the CPE database (should be possible
> for gh-bc, which is available for a lot of operating systems)?

The CPE database is maintained by NIST and they add entries when a CVE
is created. So if your port was never affected by a CVE then there is
no valid CPE yet.

From what I have seen CPE entries can also be reserved for further use
but I don't know how to do that yet. It does not seem to be very common
and I don't know if only the project or everyone can do that.

> And how do we deal with base system components that have been
> converted to a port or have been made available as a port in
> addition to being present in some base system release?

I don't think that this is a special case. If there is a CVE entry that
affects this component you can look up the CPE info from there.

--
Bernhard Froehlich
http://www.bluelife.at/
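The exchange above turns on two things: how a CPE 2.3 string such as `cpe:2.3:a:gnu:bc:*:*:*:*:*:*:*:*` is decomposed, and why a PORTNAME-based product search puts generic names like `gh-bc` or `calendar` into a "checkneeded" bucket that a human must verify. The following is an added illustration written for this page; it is not chkcpe's code and does not reproduce its matching logic. The CPE dictionary, the port records and the token-based name heuristic in `product_candidates` are all constructed assumptions; a real checker would query the NIST dictionary and apply its own rules.

```python
"""
Added example (not chkcpe's own code): a minimal CPE 2.3 formatted-string
parser plus a PORTNAME-based lookup against a small, constructed CPE
dictionary.  It shows why a product-name hit such as gh-bc -> gnu:bc is
only a candidate ("checkneeded") until a person confirms it, and how a
declared vendor/product pair that is absent from the dictionary lands
under "invalid".  Dictionary entries and port records are constructed
sample data, not a NIST feed.
"""
from dataclasses import dataclass
from typing import Optional

# Component names of the CPE 2.3 formatted-string binding, in order.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)


def split_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 string on unescaped colons only.

    The formatted-string binding escapes a literal ':' as '\\:', so a
    naive str.split(':') would cut such values in half.
    """
    fields, buf, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Return the eleven CPE 2.3 components keyed by name; reject anything else."""
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, fields[2:]))


# Constructed stand-in for the NIST dictionary: known (vendor, product) pairs.
CPE_DICTIONARY = {
    ("gnu", "bc"),
    ("kde", "kcalendar"),
    ("calendar_project", "calendar"),
    ("apache", "httpd"),
}


@dataclass
class Port:
    origin: str                         # e.g. "math/gh-bc"
    portname: str                       # PORTNAME, the value used for the search
    cpe_vendor: Optional[str] = None    # CPE_VENDOR, if the port declares one
    cpe_product: Optional[str] = None   # CPE_PRODUCT, if the port declares one


def product_candidates(portname: str) -> list[str]:
    """Assumed heuristic (not chkcpe's): a dictionary product matches when it
    equals the port name or one of its '-'/'_' separated tokens.  Generic
    names therefore attract false positives, which is the point."""
    name = portname.lower()
    tokens = set(name.replace("_", "-").split("-"))
    hits = []
    for vendor, product in sorted(CPE_DICTIONARY):
        if product == name or product in tokens:
            hits.append(f"cpe:2.3:a:{vendor}:{product}:*:*:*:*:*:*:*:*")
    return hits


def classify(port: Port) -> tuple[str, list[str]]:
    """Bucket a port as valid / invalid / checkneeded / unknown, returning
    the bucket and the CPE strings that led to the decision."""
    if port.cpe_vendor and port.cpe_product:
        declared = f"cpe:2.3:a:{port.cpe_vendor}:{port.cpe_product}:*:*:*:*:*:*:*:*"
        if (port.cpe_vendor, port.cpe_product) in CPE_DICTIONARY:
            return "valid", [declared]
        return "invalid", [declared]      # declared pair unknown to the dictionary
    cands = product_candidates(port.portname)
    return ("checkneeded", cands) if cands else ("unknown", [])


if __name__ == "__main__":
    sample_ports = [  # constructed records
        Port("math/gh-bc", "gh-bc"),
        Port("deskutils/calendar", "calendar"),
        Port("www/apache24", "apache24", "apache", "httpd"),
        Port("x11/kde-foo", "kde-foo", "kde", "foo"),
    ]
    for p in sample_ports:
        bucket, cands = classify(p)
        print(f"{p.origin:22} {bucket:12} {' '.join(cands)}")
```

Running the block lists `math/gh-bc` as "checkneeded" with the spurious `gnu:bc` candidate, `deskutils/calendar` as "checkneeded" against the constructed calendar entry, the port with a dictionary-backed declaration as "valid", and the port declaring a pair the dictionary lacks as "invalid". Keeping the candidate strings next to the bucket is what lets a reviewer clear a batch quickly, which is the manual step the reply describes.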