Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-doc
 Path: blob/main/website/content/en/status/report-2021-07-2021-09/cpe.adoc
18096 views
=== Improve CPE Data in the Ports Collection

Links: +
link:https://github.com/decke/chkcpe[chkcpe] URL: link:https://github.com/decke/chkcpe[https://github.com/decke/chkcpe] +
link:https://wiki.freebsd.org/Ports/CPE[CPE on wiki.freebsd.org] URL: link:https://wiki.freebsd.org/Ports/CPE[https://wiki.freebsd.org/Ports/CPE] +
link:https://nvd.nist.gov/products/cpe[CPE Dictionary] URL: link:https://nvd.nist.gov/products/cpe[https://nvd.nist.gov/products/cpe] +

Contact: Bernhard Froehlich <[email protected]>

Common Platform Enumeration (CPE) is an open standard for naming
hardware and software components. Originally developed by MITRE,
it is now maintained by NIST under the aegis of the National
Vulnerability Database.
A CPE URI uniquely identifies a device or program by its vendor,
product name, version, revision, etc. NIST maintains the official
CPE dictionary which lists CPE names for all software versions
that have ever been mentioned in an advisory.

In the FreeBSD Ports Collection it has been possible to annotate CPE data with
`USES=cpe` since 2014 but only around 1000 ports out of 30.000 did
use it. This is why a script called `chkcpe` was created to
validate existing CPE data and find new possible matches
automatically.

==== Why do we need it?

It allows comparing CPE URIs for installed packages against
published vulnerability data and will give us a much better and
more complete `pkg audit`. As a side effect we will also have a
better overview of vulnerable ports in the FreeBSD Ports Collection
that need to be patched or updated.

==== How can I help?

In this phase there is no easy possibility for port maintainers to
help. Creating separate PRs only to add CPE data does not make
sense because the overhead is very high. This is why I did spend
some time on chkcpe to improve the review and commit workflow.
Right now review and commit consumes around 3 minutes per port.

If you are a Ports Committer and want to help please get in touch!

==== Open Tasks

* Review remaining reports (~1800) and update ports when appropriate
* Improve matching quality to find more possible matches
* Support using CPE data in `pkg audit`
* Scan for vulnerable ports in the Ports Collection