Ports: - Add CPE info what does it mean?

Not a binary but the port, and by extension a package, should have a proper CPE string. So tools like pkg-audit(8) could get better information from the vulnerability database.
 
The CPE strings are added to the pkg package metadata as annotations, for example this is for lang/perl5.18:

Code:
% pkg info -A perl5-5.18.4_13
perl5-5.18.4_13:
        cpe            : cpe:2.3:a:perl:perl:5.18.4:::::freebsd10:x64:13
        repo_type      : binary
        repository     : local

This is explained in the wiki as well.
 
Much more interesting is this > pkg info -aA | grep cpe.
Asking myself how useful CPE really is?

Better yet:

% pkg query "%n-%v %Av" | grep cpe

Output from pkg-info(8) might be more human readable but if you're doing scripting pkg-query(8) is superior because it outputs everything on one line with a format you can specify.

I can imagine that with CPE information available it is easier to decide if an installed port is vulnerable on the platform used, because you have a well defined data format with fields for (for example) machine architecture that would otherwise be coded in some custom format; now pkg-audit(8) can use the CPE fields directly without conversions.
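An added example (not from this thread, and not pkg's own code) of what the one-line pkg-query(8) output makes easy: splitting the cpe annotation into the 13 colon-separated components of a CPE 2.3 formatted string and reading fields such as target_sw and target_hw by name, as an audit script would. The perl line is the one quoted earlier; the other two sample lines and the package names in them are constructed.

```python
import re

# Attribute names of a CPE 2.3 formatted string, in order, after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed sample of `pkg query "%n-%v %Av" | grep cpe` output (not captured from a
# real system): the perl line is from the thread, the other two are made up for the test.
SAMPLE_QUERY_OUTPUT = """\
perl5-5.18.4_13 cpe:2.3:a:perl:perl:5.18.4:::::freebsd10:x64:13
examplepkg-1.2.3 cpe:2.3:a:example_vendor:examplepkg:1.2.3:::::freebsd13:x64:1
brokenpkg-0.1 cpe:2.3:a:broken
"""

def split_cpe(fs):
    """Split a formatted string on unescaped ':' (a literal colon is written '\\:')."""
    return re.split(r"(?<!\\):", fs)

def parse_cpe(fs):
    """Return the 11 attributes of a CPE 2.3 formatted string as a dict, or raise ValueError."""
    parts = split_cpe(fs)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % fs)
    return dict(zip(CPE_FIELDS, parts[2:]))

def parse_query_output(text):
    """Map 'name-version' -> parsed CPE attributes; malformed annotations are listed separately."""
    parsed, bad = {}, []
    for line in text.splitlines():
        pkg, _, annotation = line.partition(" ")
        try:
            parsed[pkg] = parse_cpe(annotation)
        except ValueError:
            bad.append(pkg)
    return parsed, bad

def field_matches(value, wanted):
    # pkg leaves unused fields empty; the CPE spec writes ANY as '*'. Treat both as wildcards.
    return value in ("", "*") or wanted in ("", "*") or value == wanted

def packages_for_platform(parsed, target_sw, target_hw):
    """Packages whose CPE target_sw/target_hw fields apply to the platform being audited."""
    return sorted(pkg for pkg, cpe in parsed.items()
                  if field_matches(cpe["target_sw"], target_sw)
                  and field_matches(cpe["target_hw"], target_hw))

if __name__ == "__main__":
    pkgs, bad = parse_query_output(SAMPLE_QUERY_OUTPUT)
    print(packages_for_platform(pkgs, "freebsd10", "x64"), "malformed:", bad)
```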
 