Bug 211797

Summary: x11-fonts/xfs: Add CPE information
Product: Ports & Packages Reporter: shun <shun.fbsd.pr>
Component: Individual Port(s)Assignee: Ports Security Team <ports-secteam>
Status: Closed FIXED    
Severity: Affects Only Me CC: decke, joneum, w.schwarzenfeld, x11, zeising
Priority: --- Keywords: easy, security
Version: LatestFlags: bugzilla: maintainer-feedback? (x11)
Hardware: Any   
OS: Any   
Attachments:
Description Flags
add CPE information to Makefile none

Description shun 2016-08-12 21:25:16 UTC 
Created attachment 173613 [details]
add CPE information to Makefile

x11-fonts/xfs has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2007-4568). This patch adds CPE information as suggested in the FreeBSD wiki[0].

[0] https://wiki.freebsd.org/Ports/CPE
Comment 1 Walter Schwarzenfeld 2018-01-13 22:49:04 UTC 
Maintainer feedback?
Comment 2 Niclas Zeising freebsd_committer freebsd_triage 2018-01-13 23:00:43 UTC 
I'll look into this.  There's a couple of other xorg ports with PRs for CPE info, I'll do them in one go.
Comment 3 Walter Schwarzenfeld 2018-01-13 23:08:04 UTC 
Thanks!
Comment 4 Jochen Neumeister freebsd_committer freebsd_triage 2019-02-15 18:17:01 UTC 
what is the current status?
Does ports-secteam have to be active here?
Comment 5 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 18:08:12 UTC 
(In reply to Jochen Neumeister from comment #4)

This has probably just been dropped.  I'm not sure how useful CPE info is, but there is no harm in adding it.
Comment 6 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 18:13:04 UTC 
(In reply to Niclas Zeising from comment #5)

I do believe the vendor should be x, not x.org though.
Comment 7 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 18:29:47 UTC 
(In reply to Niclas Zeising from comment #6)

Hm
After a closer look, it seems like both x and x.org is used.  I'll double check with ports secteam on which is preferred.
Comment 8 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 18:34:03 UTC 
(In reply to Niclas Zeising from comment #7)

Sorry for spam.  Looking through the ports tree, we have used x as vendor.
Comment 9 commit-hook freebsd_committer freebsd_triage 2019-02-17 19:00:16 UTC 
A commit references this bug:

Author: zeising
Date: Sun Feb 17 18:59:31 UTC 2019
New revision: 493180
URL: https://svnweb.freebsd.org/changeset/ports/493180

Log:
  x11-fonts/xfs: Add CPE info

  Add CPE info to xfs.  Use x as vendor, since that's what's used through out
  the ports tree.  Looking at the NVD CPE database, both x and x.org seem to
  be used.

  PR:		211797 (based on)
  Submitted by:	shun
  Sponsored by:	B3 Init (zeising)

Changes:
  head/x11-fonts/xfs/Makefile
Comment 10 Niclas Zeising freebsd_committer freebsd_triage 2019-02-17 19:16:40 UTC 
CPE info has been added.  Sorry for dropping this one on the floor, and thanks for the reminder!
Comment 11 Bernhard Froehlich freebsd_committer freebsd_triage 2021-08-18 06:37:46 UTC 
I am currently trying to fix and add CPE information all over the portstree and just noticed that the CPE info for x11-fonts/xfs was added incorrectly.

CPE_VENDOR is nothing that we decide on but is coming from the CPE Dictionary and the correct value for this port is "x.org" - so the submitted patch was correct. I've fixed it in the portstree in a71a0b5.