Created attachment 168687: adding CPE information to Makefile

devel/pcre has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2016-3191). This patch adds CPE information as suggested in the FreeBSD wiki [0].

[0] https://wiki.freebsd.org/Ports/CPE
Maintainer reset.
Assign post https://svnweb.FreeBSD.org/changeset/ports/417686

The information upstream on this looks incorrect. The preponderance of PCRE entries [see 1] uses CPE_VENDOR=pcre and CPE_PRODUCT=pcre, which is the default when cpe is added to USES. However, there are conflicting entries using 'perl-compatible_regular_expression_library' and 'perl_compatible_regular_expression_library'. I've emailed an inquiry to cpe_dictionary@nist.gov per https://cpe.mitre.org/dictionary/ for clarification.

[1] https://web.nvd.nist.gov/view/cpe/search/results?keyword=pcre&status=FINAL&orderBy=CPEURI&namingFormat=2.3

Adam, I'll let you know the response when that happens, but I would advise we hold off adding incorrect or incomplete information for now. If you'd like to give me the thumbs up to make the change when I receive clarification, go ahead and assign the PR to me.
Oh most definitely, thank you Jason. I really appreciate you doing the legwork!
A commit references this bug:

Author: junovitch
Date: Wed Jul 6 00:39:13 UTC 2016
New revision: 418115
URL: https://svnweb.freebsd.org/changeset/ports/418115

Log:
  devel/pcre: add USES= cpe

  Note: There are two other conflicting CPE_PRODUCTs in the CPE dictionary.
    perl-compatible_regular_expression_library
    perl_compatible_regular_expression_library
  I contacted NIST for clarification and 'cpe:2.3:a:pcre:pcre' is the
  correct CPE string. As such we do not need to set CPE_VENDOR or
  CPE_PRODUCT.

  PR:           208328
  Submitted by: Shun <shun.fbsd.pr@dropcut.net> (original patch)
  Approved by:  adamw (maintainer)

Changes:
  head/devel/pcre/Makefile
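As an added example (not part of the PR, the committed patch or the ports tree), the following Python reproduces how USES=cpe derives a port's CPE 2.3 string from PORTNAME and PORTVERSION, and then checks which dictionary entries a vulnerability scanner would match against it. It assumes the defaults from Mk/Uses/cpe.mk: CPE_PRODUCT falls back to the lowercased PORTNAME, CPE_VENDOR to CPE_PRODUCT, and CPE_VERSION to PORTVERSION; the target_sw/target_hw fields that cpe.mk fills from the OS and architecture are left blank here for readability. The three dictionary entries are constructed stand-ins for the product spellings discussed above, not copies of NVD records.

```python
"""Reproduce the USES=cpe default derivation and match the result against
constructed CPE dictionary entries. Added example, not FreeBSD code."""

# The 11 components of a CPE 2.3 formatted string, in order (NISTIR 7695).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def cpe_str(portname, portversion, **overrides):
    """Build the CPE_STR that USES=cpe would emit for a port.

    `overrides` stand for the CPE_* Makefile knobs (vendor=..., product=...).
    Assumed cpe.mk defaults: part 'a', product = lowercase PORTNAME,
    vendor = product, version = PORTVERSION. Remaining fields are left blank
    (cpe.mk fills target_sw/target_hw from OPSYS/ARCH; not modelled here).
    """
    product = overrides.get("product", portname.lower())
    fields = {
        "part": overrides.get("part", "a"),
        "vendor": overrides.get("vendor", product),
        "product": product,
        "version": overrides.get("version", portversion),
    }
    for name in CPE_FIELDS[4:]:
        fields[name] = overrides.get(name, "")
    return "cpe:2.3:" + ":".join(fields[name] for name in CPE_FIELDS)


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named components.

    Plain split on ':' is sufficient here; it does not handle the '\\:'
    escape that real dictionary strings may carry in a component.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def matches(port_cpe, dict_cpe):
    """Simplified CPE name matching.

    A component matches when either side is ANY ('*') or blank, or when the
    two values are identical. Vendor and product are compared literally, so
    the hyphen/underscore spellings in the dictionary never match each other.
    """
    port, entry = parse_cpe23(port_cpe), parse_cpe23(dict_cpe)
    for name in CPE_FIELDS:
        if entry[name] in ("", "*") or port[name] in ("", "*"):
            continue
        if entry[name] != port[name]:
            return False
    return True


# Constructed entries mirroring the three product spellings from the PR.
# They are illustrative and are not copied from the NVD dictionary.
DICTIONARY = [
    "cpe:2.3:a:pcre:pcre:8.38:*:*:*:*:*:*:*",
    "cpe:2.3:a:pcre:perl-compatible_regular_expression_library:8.38:*:*:*:*:*:*:*",
    "cpe:2.3:a:pcre:perl_compatible_regular_expression_library:8.38:*:*:*:*:*:*:*",
]


def matching_entries(port_cpe, dictionary=DICTIONARY):
    """Return the dictionary entries the port's CPE string would match."""
    return [entry for entry in dictionary if matches(port_cpe, entry)]


if __name__ == "__main__":
    default = cpe_str("pcre", "8.38")           # what bare USES=cpe yields
    print(default)
    print(matching_entries(default))            # only the pcre:pcre entry
    print(matching_entries(cpe_str("pcre", "8.39")))  # version differs: none
```

Running it shows that the bare `USES= cpe` default already produces the `cpe:2.3:a:pcre:pcre:...` string NIST confirmed, and that a port string built with either of the longer product spellings would match only that spelling's entry, which is why picking the vendor/product pair the dictionary actually uses matters for CVE correlation.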
Thanks Adam. Setting the maintainer-feedback+ and closing.