Bug 199037 - security/apache-xml-security-c: add CPE information
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Palle Girgensohn
Reported: 2015-03-30 17:08 UTC by shun
Modified: 2018-01-20 15:46 UTC
bugzilla: maintainer-feedback? (girgen)


Attachments
adding CPE information to Makefile (387 bytes, patch)
2015-03-30 17:08 UTC, shun
no flags
adding CPE 2.3 information to Makefile (880 bytes, patch)
2015-09-15 21:23 UTC, shun
shun.fbsd.pr: maintainer-approval+

Description shun 2015-03-30 17:08:51 UTC
Created attachment 155016
adding CPE information to Makefile

security/apache-xml-security-c has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2013-2155). This patch adds CPE information as suggested in the FreeBSD wiki[0].

[0] https://wiki.freebsd.org/Ports/CPE
Comment 1 Bartek Rutkowski freebsd_committer freebsd_triage 2015-04-14 10:09:39 UTC
Is the entry 'CPE_PRODUCT=    xml_security_for_c%2b%2b' really a valid one?
Comment 2 shun 2015-04-14 16:55:38 UTC
(In reply to Bartek Rutkowski from comment #1)
Yes, I am pretty sure. You can check the CPE dictionary here[0].

[0] https://nvd.nist.gov/cpe.cfm
Comment 3 Bartek Rutkowski freebsd_committer freebsd_triage 2015-04-15 10:08:21 UTC
(In reply to shun from comment #2)

I did, and in fact I can't find such a string; there's only xml_security_for_c\+\+, like this: 'cpe:2.3:a:apache:xml_security_for_c\+\+:0.1.0:*:*:*:*:*:*:*'
Comment 4 Palle Girgensohn freebsd_committer freebsd_triage 2015-04-15 10:34:07 UTC
This is very confusing indeed:

%2b is the URL rewrite for a '+'.

NIST changed from %2b to \+ between 2.2 and 2.3:

https://web.nvd.nist.gov/view/cpe/detail?keyword=xml_security_for&nonDeprecatedOnly=true&namingFormat=2.3&officialOnly=true&startIndex=0&cpeId=199996

I have no idea how to set it up correctly in the ports tree? How can I verify that the CPE id is correct?
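
The %2b versus \+ difference raised in comments 3 and 4, as an added example that is not part of the original thread or the ports tree: a Python sketch that rewrites a CPE 2.2 URI as a CPE 2.3 formatted string so the result can be compared with the dictionary entry. The function names and the sample URI are assumptions made for illustration, the quoting rules follow the CPE 2.3 naming specification (NIST IR 7695) as understood here, and packed edition fields are rejected rather than unpacked.

```python
import re

# Punctuation that CPE 2.2 URIs percent-encode and CPE 2.3 strings backslash-quote.
_QUOTED = set("!\"#$%&'()*+,/:;<=>?@[\\]^`{|}~")
# Characters written as-is in both bindings.
_PLAIN = re.compile(r"[A-Za-z0-9_.\-]")


def uri_component_to_fs(comp: str) -> str:
    """Convert one CPE 2.2 URI component to CPE 2.3 formatted-string form."""
    if comp == "":
        return "*"  # an empty URI component means ANY
    out, i = [], 0
    while i < len(comp):
        ch = comp[i]
        if ch == "%":
            code = comp[i + 1:i + 3].lower()
            if code == "01":
                out.append("?")  # unquoted single-character wildcard
            elif code == "02":
                out.append("*")  # unquoted multi-character wildcard
            elif re.fullmatch(r"[0-9a-f]{2}", code) and chr(int(code, 16)) in _QUOTED:
                out.append("\\" + chr(int(code, 16)))  # e.g. %2b becomes \+
            else:
                raise ValueError(f"unsupported percent-encoding in {comp!r}")
            i += 3
        elif _PLAIN.fullmatch(ch):
            out.append(ch)
            i += 1
        else:
            # Includes '~' (packed edition field), which this sketch does not unpack.
            raise ValueError(f"unexpected character {ch!r} in {comp!r}")
    return "".join(out)


def cpe22_uri_to_cpe23(uri: str) -> str:
    """Rewrite a 'cpe:/...' URI as a 'cpe:2.3:...' formatted string."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI")
    comps = uri[len("cpe:/"):].split(":")
    if len(comps) > 7:
        raise ValueError("too many components")
    comps += [""] * (7 - len(comps))  # trailing components may be omitted
    # The four attributes added in 2.3 (sw_edition, target_sw, target_hw, other)
    # have no unpacked 2.2 counterpart, so they become ANY.
    return ":".join(["cpe", "2.3", *map(uri_component_to_fs, comps), "*", "*", "*", "*"])


# Constructed input built from the vendor, product and version quoted in the thread.
SAMPLE_URI = "cpe:/a:apache:xml_security_for_c%2b%2b:0.1.0"
```
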
Comment 5 shun 2015-09-15 21:23:37 UTC
Created attachment 161085
adding CPE 2.3 information to Makefile

updates CPE product string to 2.3
Comment 6 Walter Schwarzenfeld freebsd_triage 2018-01-12 22:23:32 UTC
Any advance here?
Comment 7 Palle Girgensohn freebsd_committer freebsd_triage 2018-01-20 15:46:25 UTC
Committed CPE tags for apache-xml-security-c. Thanks!