Bug 208328 - devel/pcre: Add CPE information
Summary: devel/pcre: Add CPE information
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Jason Unovitch
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2016-03-27 15:46 UTC by shun
Modified: 2016-07-09 13:44 UTC
CC List: 2 users

See Also:
Flags: junovitch: maintainer-feedback+


Attachments
adding CPE information to Makefile (451 bytes, patch)
2016-03-27 15:46 UTC, shun

Description shun 2016-03-27 15:46:35 UTC
Created attachment 168687
adding CPE information to Makefile

devel/pcre has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2016-3191). This patch adds CPE information as suggested in the FreeBSD wiki[0].

[0] https://wiki.freebsd.org/Ports/CPE
Comment 1 Rene Ladan freebsd_committer freebsd_triage 2016-06-27 21:41:45 UTC
Maintainer reset.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-07-03 20:58:31 UTC
Assign post https://svnweb.FreeBSD.org/changeset/ports/417686

The information upstream on this looks incorrect.  The preponderance of PCRE entries [see 1] uses a CPE_VENDOR=pcre and CPE_PRODUCT=pcre which is the default when cpe is added to USES.  However, there are conflicting entries using 'perl-compatible_regular_expression_library' and 'perl_compatible_regular_expression_library'.  I've emailed an inquiry to cpe_dictionary@nist.gov per https://cpe.mitre.org/dictionary/ for clarification.

[1] https://web.nvd.nist.gov/view/cpe/search/results?keyword=pcre&status=FINAL&orderBy=CPEURI&namingFormat=2.3

Adam, I'll let you know the response when that happens but I would advise we hold off adding incorrect or incomplete information for now.  If you'd like to give me the thumbs up to make the change when I receive clarification go ahead and assign the PR to me.
Comment 3 Adam Weinberger freebsd_committer freebsd_triage 2016-07-03 21:03:54 UTC
Oh most definitely, thank you Jason. I really appreciate you doing the legwork!
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-07-06 00:40:08 UTC
A commit references this bug:

Author: junovitch
Date: Wed Jul  6 00:39:13 UTC 2016
New revision: 418115
URL: https://svnweb.freebsd.org/changeset/ports/418115

Log:
  devel/pcre: add USES= cpe

  Note: There are two other conflicting CPE_PRODUCTs in the CPE dictionary.
    perl-compatible_regular_expression_library
    perl_compatible_regular_expression_library

  I contacted NIST for clarification and 'cpe:2.3:a:pcre:pcre' is the correct
  CPE string. As such we do not need to set CPE_VENDOR or CPE_PRODUCT.

  PR:		208328
  Submitted by:	Shun <shun.fbsd.pr@dropcut.net> (original patch)
  Approved by:	adamw (maintainer)

Changes:
  head/devel/pcre/Makefile
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2016-07-06 00:41:25 UTC
Thanks Adam.  Setting the maintainer-feedback+ and closing.
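Added example, not code from this PR, the ports tree or PCRE: why the vendor/product choice discussed in comment 2 and in the commit log matters. The script builds the CPE 2.3 string a port would get from USES=cpe (an assumption about the defaults in Mk/Uses/cpe.mk as recalled by the example's author: vendor and product from the lower-cased PORTNAME, version from PORTVERSION; the authoritative value is `make -V CPE_STR` in the port directory), then matches it against a small constructed dictionary shaped like the NVD hits for "pcre". A port that picked one of the two long product names would only ever be matched against the handful of entries using that spelling, so a vulnerability scanner keyed on the dictionary would miss the bulk of the PCRE entries. `DICTIONARY`, `port_cpe`, `cpe_matches` and `products_for_vendor` are this example's own names.

```python
"""Added example: build a port's CPE 2.3 string and match it against
NVD-style dictionary names.  Not code from this PR, the ports tree or
PCRE; the dictionary entries below are constructed for illustration."""

# Field order of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def port_cpe(portname, portversion, vendor=None, product=None,
             target_sw="freebsd", target_hw="x64"):
    """Return the CPE string a port would get from USES=cpe.

    Assumption: this mirrors the defaults of Mk/Uses/cpe.mk as the author
    of this example recalls them (vendor and product default to the
    lower-cased PORTNAME, version to PORTVERSION, unset fields are left
    empty).  The authoritative value is `make -V CPE_STR` in the port
    directory; the real target_sw also carries the OS release.
    """
    fields = ["a", (vendor or portname).lower(), (product or portname).lower(),
              portversion.lower(), "", "", "", "", target_sw, target_hw, ""]
    return ":".join(["cpe", "2.3"] + fields)


def parse_cpe(name):
    """Split a CPE 2.3 formatted string into a dict; '*' and '' mean ANY.

    Escaped colons ('\\:') inside a value are not handled; none of the
    names on this page need them.
    """
    parts = name.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % name)
    return {f: (None if v in ("", "*") else v.lower())
            for f, v in zip(FIELDS, parts[2:])}


def cpe_matches(port_name, dict_name):
    """Simplified CPE name matching: ANY on either side matches, otherwise
    the two values must be equal.  Versions are compared literally, which
    is what a dictionary lookup (as opposed to a CVE version range) does."""
    a, b = parse_cpe(port_name), parse_cpe(dict_name)
    return all(a[f] is None or b[f] is None or a[f] == b[f] for f in FIELDS)


# Constructed dictionary, shaped like the NVD search hits from comment 2:
# most entries use vendor pcre / product pcre, two use the long names.
DICTIONARY = [
    "cpe:2.3:a:pcre:pcre:8.37:*:*:*:*:*:*:*",
    "cpe:2.3:a:pcre:pcre:8.38:*:*:*:*:*:*:*",
    "cpe:2.3:a:pcre:perl-compatible_regular_expression_library:8.38:*:*:*:*:*:*:*",
    "cpe:2.3:a:pcre:perl_compatible_regular_expression_library:8.38:*:*:*:*:*:*:*",
]


def matching_entries(port_name, dictionary=DICTIONARY):
    """Dictionary names that the port's CPE string would be matched to."""
    return [n for n in dictionary if cpe_matches(port_name, n)]


def products_for_vendor(vendor, dictionary=DICTIONARY):
    """Distinct product names a vendor has in the dictionary.  More than
    one is the kind of conflict comment 2 describes; the maintainer should
    then pick the spelling the bulk of the entries (and the CVEs) use."""
    return sorted({parse_cpe(n)["product"] for n in dictionary
                   if parse_cpe(n)["vendor"] == vendor.lower()})


if __name__ == "__main__":
    default = port_cpe("pcre", "8.38")   # what a bare USES= cpe yields
    print(default)
    print("matches:", matching_entries(default))
    odd = port_cpe("pcre", "8.38",
                   product="perl-compatible_regular_expression_library")
    print("matches with the long product name:", matching_entries(odd))
    print("products for vendor pcre:", products_for_vendor("pcre"))
```

Run against a real port, the check is `make -V CPE_STR` in the port directory and, after install, `pkg annotate -S pcre cpe` (or `pkg query '%At=%Av'`) on the package; the string those print is what should be looked up in the NVD dictionary before setting CPE_VENDOR or CPE_PRODUCT by hand.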