Bug 197065 - net-p2p/transmission-cli: Add CPE information for Transmission ports
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jan Beich
Reported: 2015-01-25 10:29 UTC by Jan Beich
Modified: 2015-02-10 22:17 UTC
jbeich: maintainer-feedback+


Attachments
add USES=cpe (415 bytes, patch)
2015-01-25 10:29 UTC, Jan Beich
Makefile with CPE information (546 bytes, patch)
2015-02-08 16:25 UTC, shun
new Makefile with CPE information for all options (287 bytes, patch)
2015-02-08 22:42 UTC, shun

Description Jan Beich freebsd_committer freebsd_triage 2015-01-25 10:29:02 UTC
Created attachment 152122
add USES=cpe

NVD lists 3 vulnerabilities, the most recent being from 2014-07-29
against 2.82 and we have no VuXML entry for it.

Trivial change, no logs.

  $ make -V CPE_STR PORTVERSION=2.82
  cpe:2.3:a:transmissionbt:transmission:2.82:::::freebsd11:x64:1

https://web.nvd.nist.gov/view/cpe/search/results?searchChoice=name&cpeName=cpe:2.3:a:transmissionbt:transmission:2.82:
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2015-01-25 10:29:02 UTC
Auto-assigned to maintainer crees@FreeBSD.org
Comment 2 shun 2015-02-08 16:25:49 UTC
Created attachment 152711
Makefile with CPE information

CPE info added to Makefile
Comment 3 Jan Beich freebsd_committer freebsd_triage 2015-02-08 21:52:08 UTC
Comment on attachment 152711
Makefile with CPE information

CPE has to include -web slave in order to catch vulns like CVE-2012-4037.
https://trac.transmissionbt.com/changeset/13392
Comment 4 shun 2015-02-08 22:07:53 UTC
Could you clarify what you mean? The official CPE dictionary does not include the "-web" string for transmission. (test: grep transmission official-cpe-dictionary_v2.3.xml | grep web | wc -l -> yields 0)
Comment 5 Jan Beich freebsd_committer freebsd_triage 2015-02-08 22:24:14 UTC
I was talking about www/transmission-web which was vulnerable at one point while your patch only populates CPE_STR under .if ${SLAVEPORT} != web.
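
An added example, not part of the bug thread or the ports tree: it parses the CPE_STR shown in the description and matches it against NVD-style names, to show why a port that never gets a CPE_STR (the slave-port case raised in comment 5) cannot be matched at all. Treating empty or missing fields as ANY, the simplified matching rule, and the second NVD name are assumptions made for illustration.

```python
import re

ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(name):
    """Split a CPE 2.3 formatted string into its 11 named attributes.

    Assumption: an empty or missing field (as in the CPE_STR above and the
    truncated name in the NVD search URL) is treated as ANY ('*').
    """
    fields = re.split(r"(?<!\\):", name)  # '\:' is an escaped colon, not a separator
    if fields[:2] != ["cpe", "2.3"] or not 3 <= len(fields) <= 13:
        raise ValueError("not a CPE 2.3 formatted string: %r" % name)
    values = fields[2:] + [""] * (13 - len(fields))
    return {attr: (value or "*") for attr, value in zip(ATTRS, values)}

def matches(port_cpe, nvd_cpe):
    """True if every attribute is equal or ANY on either side (simplified matching)."""
    a, b = parse_cpe23(port_cpe), parse_cpe23(nvd_cpe)
    return all(a[k] == "*" or b[k] == "*" or a[k].lower() == b[k].lower()
               for k in ATTRS)

def audit(ports, nvd_names):
    """Map each port origin to the NVD names it matches, or None if it has no CPE_STR."""
    report = {}
    for origin, cpe_str in ports.items():
        if not cpe_str:
            report[origin] = None  # nothing to match on: the port is invisible to the lookup
        else:
            report[origin] = [n for n in nvd_names if matches(cpe_str, n)]
    return report

# CPE_STR from the description; the empty value models a slave port whose
# Makefile never sets CPE_STR (constructed for illustration).
PORTS = {
    "net-p2p/transmission-cli": "cpe:2.3:a:transmissionbt:transmission:2.82:::::freebsd11:x64:1",
    "www/transmission-web": "",
}
# First name is the one in the NVD search URL above; the second is constructed.
NVD_NAMES = [
    "cpe:2.3:a:transmissionbt:transmission:2.82:",
    "cpe:2.3:a:transmissionbt:transmission:2.50:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for origin, hits in audit(PORTS, NVD_NAMES).items():
        print(origin, "->", hits if hits is not None else "no CPE_STR, cannot be matched")
```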
Comment 6 shun 2015-02-08 22:42:04 UTC
Created attachment 152785
new Makefile with CPE information for all options
Comment 7 shun 2015-02-08 22:43:02 UTC
(In reply to Jan Beich from comment #5)
You are right. I was confused by the "# This is master port of transmission-*, so don't override USES definition" comment. Uploaded a new patch.
Comment 8 Jan Beich freebsd_committer freebsd_triage 2015-02-10 21:24:21 UTC
And the only difference with my patch in comment 0 is a newline. ;)
I'll probably take over maintainership and land with other changes, see review D1806.
Comment 9 commit-hook freebsd_committer freebsd_triage 2015-02-10 21:58:40 UTC
A commit references this bug:

Author: jbeich
Date: Tue Feb 10 21:57:47 UTC 2015
New revision: 378806
URL: https://svnweb.freebsd.org/changeset/ports/378806

Log:
  - Add CPE information for Transmission ports [1]
  - Take maintainership [2] as the next update may require partially
    reverting r369657 hacks in favor of upstream support
  - Disable devel/libinotify:
    * used only by transmission-daemon's watch-dir
    * maybe less stable than readdir() fallback
    * disabled by other ports e.g., devel/glib20
    * completely different from devel/libnotify [3]
  - Belatedly bump PORTREVISION

  PR:		197065 [1]
  Differential Revision:	https://reviews.freebsd.org/D1806
  Suggested by:	crees [2]
  Pointy hat:	crees (r287179) [3]
  Approved by:	crees (maintainer) [1][2]
  Approved by:	bapt (mentor)

Changes:
  head/net-p2p/transmission-cli/Makefile
  head/net-p2p/transmission-daemon/Makefile
  head/net-p2p/transmission-gtk/Makefile
  head/net-p2p/transmission-qt4/Makefile