Created attachment 152748
Makefile with CPE information added
net/rabbitmq has vulnerabilities with a CVE number (CVE-2015-0862)[0]. This patch adds CPE information as suggested in the FreeBSD wiki[1].
[0] http://www.vuxml.org/freebsd/8469d41c-a960-11e4-b18e-bcaec55be5e5.html
[1] https://wiki.freebsd.org/Ports/CPE
Auto-assigned to maintainer olgeni@FreeBSD.org
Hi, official-cpe-dictionary_v2.3.xml has "rabbitmq" listed as a product, but there is no "rabbitmq_management". Maybe CPE_PRODUCT should be left empty? This way the CPE_STR would look like the pattern in the CPE dictionary:
$ make -V CPE_STR
cpe:2.3:a:pivotal_software:rabbitmq:3.4.3:::::freebsd10:x64:2
I wondered too, but the CPE product name in CVE-2015-0862 is actually 'rabbitmq_management'[0].
[0] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0862
A commit references this bug:
Author: olgeni
Date: Thu Feb 12 10:43:42 UTC 2015
New revision: 378867
URL: https://svnweb.freebsd.org/changeset/ports/378867
Log:
  Upgrade to version 3.4.4 and set CPE_VENDOR.
  PR: 197449 (CPE)
  Submitted by: shun
Changes:
  head/net/rabbitmq/Makefile
  head/net/rabbitmq/distinfo
I only set CPE_VENDOR to match the official naming - seems to be the best match so far. Thanks!
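Added example, not part of the bug thread or the port's own code: a Python check for the naming question discussed above. It parses the CPE_STR printed by `make -V CPE_STR` and reports which naming attributes differ from a vulnerability entry's CPE name. The entry string is constructed (only its product name comes from the thread), and treating empty fields as unspecified is an assumption.

```python
# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
# Assumption: an empty field (as in the CPE_STR from the thread) means
# "unspecified" and is treated like the CPE wildcard "*".
ANY = ("", "*")

def split_unescaped(s):
    """Split on ':' while keeping backslash-escaped characters intact."""
    out, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])   # keep the escape pair, e.g. "\:"
            i += 2
        elif s[i] == ":":
            out.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    out.append("".join(cur))
    return out

def parse_cpe(cpe_str):
    """Return the 11 attributes of a CPE 2.3 formatted string as a dict."""
    parts = split_unescaped(cpe_str.strip())
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe_str)
    return dict(zip(FIELDS, parts[2:]))

def mismatches(port_cpe, vuln_cpe, keys=("part", "vendor", "product")):
    """List the naming attributes on which the two CPE names disagree."""
    a, b = parse_cpe(port_cpe), parse_cpe(vuln_cpe)
    return [k for k in keys
            if not (a[k] in ANY or b[k] in ANY or a[k].lower() == b[k].lower())]

# CPE_STR quoted in the thread (CPE_PRODUCT left at its default).
PORT_CPE = "cpe:2.3:a:pivotal_software:rabbitmq:3.4.3:::::freebsd10:x64:2"
# Constructed entry: product name as cited in the thread for CVE-2015-0862;
# the vendor and the wildcard fields are assumptions made for this example.
VULN_CPE = "cpe:2.3:a:pivotal_software:rabbitmq_management:*:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print(parse_cpe(PORT_CPE))
    print("differs on:", mismatches(PORT_CPE, VULN_CPE))
```

A tool that matches on exact product name would not link the port's string to an entry filed under `rabbitmq_management`, which is the trade-off the comments above weigh.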