Created attachment 152122
add USES=cpe

NVD lists 3 vulnerabilities, the most recent being from 2014-07-29 against 2.82 and we have no VuXML entry for it.

Trivial change, no logs.

$ make -V CPE_STR PORTVERSION=2.82
cpe:2.3:a:transmissionbt:transmission:2.82:::::freebsd11:x64:1

https://web.nvd.nist.gov/view/cpe/search/results?searchChoice=name&cpeName=cpe:2.3:a:transmissionbt:transmission:2.82:
Auto-assigned to maintainer crees@FreeBSD.org
Created attachment 152711
Makefile with CPE information

CPE info added to Makefile
Comment on attachment 152711
Makefile with CPE information

CPE has to include -web slave in order to catch vulns like CVE-2012-4037.
https://trac.transmissionbt.com/changeset/13392
Could you clarify what you mean? The official CPE dictionary does not include the "-web" string for transmission. (test: grep transmission official-cpe-dictionary_v2.3.xml | grep web | wc -l -> yields 0)
I was talking about www/transmission-web which was vulnerable at one point while your patch only populates CPE_STR under .if ${SLAVEPORT} != web.
Created attachment 152785
new Makefile with CPE information for all options
(In reply to Jan Beich from comment #5)
You are right. I was confused by the "# This is master port of transmission-*, so don't override USES definition" comment. Uploaded a new patch.
And the only difference with my patch in comment 0 is newline. ;) I'll probably take over maintainership and land with other changes, see review D1806.
A commit references this bug:

Author: jbeich
Date: Tue Feb 10 21:57:47 UTC 2015
New revision: 378806
URL: https://svnweb.freebsd.org/changeset/ports/378806

Log:
  - Add CPE information for Transmission ports [1]
  - Take maintainership [2] as the next update may require partially
    reverting r369657 hacks in favor of upstream support
  - Disable devel/libinotify:
    * used only by transmission-daemon's watch-dir
    * maybe less stable than readdir() fallback
    * disabled by other ports e.g., devel/glib20
    * completely different from devel/libnotify [3]
  - Belatedly bump PORTREVISION

  PR: 197065 [1]
  Differential Revision: https://reviews.freebsd.org/D1806
  Suggested by: crees [2]
  Pointy hat: crees (r287179) [3]
  Approved by: crees (maintainer) [1][2]
  Approved by: bapt (mentor)

Changes:
  head/net-p2p/transmission-cli/Makefile
  head/net-p2p/transmission-daemon/Makefile
  head/net-p2p/transmission-gtk/Makefile
  head/net-p2p/transmission-qt4/Makefile
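
Added example (not part of the original report or of the FreeBSD ports tree): a minimal check of the CPE_STR from the first comment against a list of vulnerable CPE names, showing why a port that emits no CPE_STR, as the web slave did under the `.if ${SLAVEPORT} != web` guard, cannot be matched this way. The entries in VULNERABLE are constructed samples, and treating an empty attribute as ANY is an assumption about the make -V output.

```python
import re

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named attributes."""
    parts = re.split(r"(?<!\\):", cpe.strip())  # colons not preceded by a backslash
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    # Assumption: an empty attribute (as in the make -V output) means ANY.
    return {name: (value or "*") for name, value in zip(FIELDS, parts[2:])}

def attr_matches(a, b):
    """Two attribute values match if either is ANY or they are equal."""
    return a == "*" or b == "*" or a.lower() == b.lower()

def affected(port_cpe, vulnerable_cpes):
    """Return the vulnerable CPE names that match the port's CPE_STR."""
    if not port_cpe:  # port emits no CPE_STR: nothing to match on
        return []
    port = parse_cpe23(port_cpe)
    hits = []
    for name in vulnerable_cpes:
        vuln = parse_cpe23(name)
        if all(attr_matches(vuln[f], port[f]) for f in FIELDS):
            hits.append(name)
    return hits

# CPE_STR as printed in the first comment of this report.
PORT_CPE = "cpe:2.3:a:transmissionbt:transmission:2.82:::::freebsd11:x64:1"

# Constructed sample entries (not taken from NVD).
VULNERABLE = [
    "cpe:2.3:a:transmissionbt:transmission:2.82:*:*:*:*:*:*:*",
    "cpe:2.3:a:transmissionbt:transmission:2.50:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:transmission:2.82:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    print("port with CPE_STR:   ", affected(PORT_CPE, VULNERABLE))
    print("port without CPE_STR:", affected("", VULNERABLE))
```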