"Simon L. B. Nielsen" <simon at qxnitro.org> writes:
> Dag-Erling Smørgrav <des at des.no> wrote:
> > This wouldn't keep happening if we used CPEs whenever possible...
> Where would you use CPE - in all packages? I assume you are talking
> about http://cpe.mitre.org/about/ ?
Yes.
> Part of the problem for VuXML is the trillion names for packages some
> ports have, making it more painful.
Exactly. So what I propose is:
- Add a port Makefile variable for the CPE (or multiple variables for
the different components of the CPE, and code that "assembles" it).
The ports infrastructure ensures that the CPE is included in the port
/ package metadata.
- If a vulnerability is discovered in a port that has a CPE, the CPE is
included in the vuxml entry.
- portaudit, "pkg audit" etc are modified so that if an installed
package has a CPE, the CPE is used instead of (or in addition to?)
the name when matching vuxml entries.
It is very important that the CPE logic be conditional on the presence
of a CPE in the *package* and not in the vuxml entry, not just to ensure
the transition from the pre-CPE regime, but also because most software
doesn't even have a CPE until the first time it is the subject of a CVE.
DES
--
Dag-Erling Smørgrav - des at des.no
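The matching rule proposed in the message above, as an added example that is not part of this thread and not code from the FreeBSD ports tree, portaudit or pkg. It assembles a CPE 2.3 string from Makefile-style components (the variable names CPE_VENDOR/CPE_PRODUCT/CPE_VERSION are assumed for the example), stores it in the package metadata, and audits installed packages against VuXML-like entries: a package that carries a CPE is matched by vendor:product identity, a package without one falls back to name matching, and a pre-CPE entry (no CPE in the entry) still matches by name. The packages, entries and version-comparison logic are constructed and simplified for the example (only dotted numeric versions, no PORTREVISION/PORTEPOCH handling).

```python
"""Toy port/package audit by CPE (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def assemble_cpe(vendor: str, product: str, version: str) -> str:
    """Assemble a CPE 2.3 formatted string from the port's components.
    Assumed Makefile variables: CPE_VENDOR, CPE_PRODUCT, CPE_VERSION."""
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def cpe_product_key(cpe: str):
    """Return (vendor, product) from a CPE 2.3 string, ignoring the version
    field so that an entry written with '*' matches any installed version."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts[3], parts[4]


def version_key(version: str):
    """Simplified version ordering: dotted integers only (constructed for the
    example; the real pkg version comparison is considerably richer)."""
    return tuple(int(x) if x.isdigit() else 0 for x in version.split("."))


@dataclass
class Package:
    name: str
    version: str
    cpe: Optional[str] = None  # present only if the port set a CPE


@dataclass
class VuxmlEntry:
    vid: str
    names: List[str]           # affected package names (the many-names problem)
    lt: str                    # affected if installed version < lt
    cpe: Optional[str] = None  # vendor:product CPE, absent for pre-CPE entries


def entry_matches(pkg: Package, entry: VuxmlEntry) -> bool:
    """The proposed rule: the CPE path is taken only when the *package*
    has a CPE; an entry without a CPE is still matched by name."""
    in_range = version_key(pkg.version) < version_key(entry.lt)
    if pkg.cpe is not None and entry.cpe is not None:
        return in_range and cpe_product_key(pkg.cpe) == cpe_product_key(entry.cpe)
    return in_range and pkg.name in entry.names


def audit(packages: List[Package], entries: List[VuxmlEntry]) -> Dict[str, List[str]]:
    """Map each installed package name to the vids it is affected by."""
    return {p.name: [e.vid for e in entries if entry_matches(p, e)] for p in packages}


# Constructed sample data: a renamed port variant ("foo-lite") whose name is
# absent from the entry, a port without a CPE, and a port sharing a name with
# an unrelated vendor's product.
PACKAGES = [
    Package("foo-lite", "1.4.0", assemble_cpe("fooproject", "foo", "1.4.0")),
    Package("bar", "2.0.1"),
    Package("baz", "0.9", assemble_cpe("bazorg", "baz", "0.9")),
]

ENTRIES = [
    VuxmlEntry("vid-0001", ["foo", "foo-devel"], lt="1.4.2",
               cpe="cpe:2.3:a:fooproject:foo:*:*:*:*:*:*:*:*"),
    VuxmlEntry("vid-0002", ["bar"], lt="2.1"),                 # no CPE, name match
    VuxmlEntry("vid-0003", ["baz"], lt="1.0"),                 # pre-CPE entry
    VuxmlEntry("vid-0004", ["baz"], lt="1.0",
               cpe="cpe:2.3:a:othervendor:baz:*:*:*:*:*:*:*:*"),  # same name, other vendor
]


if __name__ == "__main__":
    for name, vids in audit(PACKAGES, ENTRIES).items():
        print(f"{name}: {', '.join(vids) or 'no known vulnerabilities'}")
```

Running it shows why the rule is keyed on the package: `foo-lite` is caught by vid-0001 through its CPE even though no entry lists that name, `bar` (no CPE) is still matched by name, `baz` is matched by the pre-CPE entry vid-0003 but not by vid-0004, whose CPE names a different vendor despite the identical package name. Stripping the CPE from `foo-lite` makes the name-only audit miss vid-0001 entirely.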