Date: Tue, 13 May 2025 10:28:00 +1000
From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To: questions@freebsd.org
Subject: Re: CPE as a consistent element of pkg annotations
Message-ID: <508d5c63-2a1e-41be-a660-b8597aed2c70@heuristicsystems.com.au>
In-Reply-To: <86ikm6s4i2.fsf@ltc.des.dev>
References: <72b26605-50ac-41c5-aca0-aaf93f091436@heuristicsystems.com.au> <86msbis8e2.fsf@ltc.des.dev> <1b98ae6a-d0b0-496d-a32a-3202f41244dd@heuristicsystems.com.au> <86ikm6s4i2.fsf@ltc.des.dev>
Subsequent to an offline discussion with DES, I'm sharing the conclusion: NIST 7695 provides the necessary guidance for CPE content. The structure of the CPE is defined in section 6.2. The inclusion of a CPE can't be automated because the port maintainer must review the National Vulnerability Database per instructions in the Porters Handbook section 17.19 to maintain alignment in the event of a vulnerability.

References:
1. https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
2. https://docs.freebsd.org/en/books/porters-handbook/book/#uses-cpe
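As an added example (not part of this message, nor of FreeBSD's pkg or ports tooling), a small Python parser for the CPE 2.3 formatted-string binding that section 6.2 of NISTIR 7695 defines, plus a simplified coverage check a defender might use to compare a pkg "cpe" annotation value against an advisory's CPE. It assumes the 11-attribute order from the spec, treats "*" and "-" as the ANY and NA logical values, keeps backslash-escaped characters intact, and its attribute-by-attribute comparison is a deliberate subset of CPE name matching (NISTIR 7696), not the full algorithm; the sample CPE values are constructed.

```python
# CPE 2.3 formatted-string attributes in the order NISTIR 7695 section 6.2 defines.
CPE23_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "ANY", "NA"  # logical values, bound as "*" and "-" in the string


def split_unescaped_colons(s: str) -> list:
    """Split on ':' separators, keeping backslash-escaped pairs such as '\\:' intact."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # escape pair belongs to the value, not a separator
            i += 2
            continue
        if s[i] == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(fs: str) -> dict:
    """Parse 'cpe:2.3:<11 attributes>' into a dict; raise ValueError if malformed."""
    comps = split_unescaped_colons(fs)
    if len(comps) != 13 or comps[0] != "cpe" or comps[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    out = {}
    for name, raw in zip(CPE23_ATTRS, comps[2:]):
        if raw == "":
            raise ValueError(f"empty {name} component in {fs!r}")
        out[name] = ANY if raw == "*" else NA if raw == "-" else raw
    if out["part"] not in ("a", "h", "o", ANY, NA):
        raise ValueError(f"unknown part {out['part']!r} in {fs!r}")
    return out


def is_valid_cpe23(fs: str) -> bool:
    try:
        parse_cpe23(fs)
        return True
    except ValueError:
        return False


def cpe_covers(advisory: str, installed: str) -> bool:
    """Simplified match: every advisory attribute is ANY or equals the installed one."""
    a, b = parse_cpe23(advisory), parse_cpe23(installed)
    return all(a[n] == ANY or a[n] == b[n] for n in CPE23_ATTRS)


# Constructed sample of a pkg "cpe" annotation value (hypothetical vendor and product).
INSTALLED = "cpe:2.3:a:example_vendor:example_app:1.2.3:*:*:*:*:freebsd:*:*"
```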
