Created attachment 152808 [details]
Makefile with CPE info added
security/tor-devel has had vulnerabilities with a CVE number (e.g. CVE-2014-5117). This patch adds CPE information as suggested in the FreeBSD wiki.
Auto-assigned to maintainer bf@FreeBSD.org
A commit references this bug:
Date: Sun Mar 8 15:52:00 UTC 2015
New revision: 380776
update to 0.2.6.3-alpha ; use cpe ; adjust rc-script REQUIRES ;
use @sample 
PR: 197839 , 197494 , 197998 , 198164 
Submitted by: C. Sturm , J. Beich , amdmi3 
I am not very happy with an additional vulnerability reporting mandate, especially for a developer port, and with a database that does not include many problems that may affect tor users. Nevertheless, I've added the information, with further adjustments needed to match the cpe data properly.
(In reply to Brendan Fabeny from comment #3)
> ... an additional vulnerability reporting mandate ...
> .. database that does not include many problems
Just to clear up a misconception: CPE is not about vulnerability reporting, it more aimed software inventory management (since it identifies specific software versions, vendors and platforms) . This in turn fits with vulnerability reporting, but is not the core purpose.