Created attachment 173613
add CPE information to Makefile

x11-fonts/xfs has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2007-4568). This patch adds CPE information as suggested in the FreeBSD wiki[0].

[0] https://wiki.freebsd.org/Ports/CPE
Maintainer feedback?
I'll look into this. There are a couple of other xorg ports with PRs for CPE info; I'll do them in one go.
Thanks!
What is the current status? Does ports-secteam have to be active here?
(In reply to Jochen Neumeister from comment #4) This has probably just been dropped. I'm not sure how useful CPE info is, but there is no harm in adding it.
(In reply to Niclas Zeising from comment #5) I do believe the vendor should be x, not x.org though.
(In reply to Niclas Zeising from comment #6) Hm. After a closer look, it seems like both x and x.org are used. I'll double check with ports secteam on which is preferred.
(In reply to Niclas Zeising from comment #7) Sorry for spam. Looking through the ports tree, we have used x as vendor.
A commit references this bug:

Author: zeising
Date: Sun Feb 17 18:59:31 UTC 2019
New revision: 493180
URL: https://svnweb.freebsd.org/changeset/ports/493180

Log:
  x11-fonts/xfs: Add CPE info

  Add CPE info to xfs. Use x as vendor, since that's what's used throughout the ports tree. Looking at the NVD CPE database, both x and x.org seem to be used.

  PR:		211797 (based on)
  Submitted by:	shun
  Sponsored by:	B3 Init (zeising)

Changes:
  head/x11-fonts/xfs/Makefile
CPE info has been added. Sorry for dropping this one on the floor, and thanks for the reminder!
I am currently trying to fix and add CPE information all over the ports tree and just noticed that the CPE info for x11-fonts/xfs was added incorrectly. CPE_VENDOR is nothing that we decide on but is coming from the CPE Dictionary, and the correct value for this port is "x.org", so the submitted patch was correct. I've fixed it in the ports tree in a71a0b5.
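The mismatch the last comment describes (a vendor string picked by convention instead of taken from the CPE Dictionary) is easy to catch mechanically. The script below is an added example, not code from this bug, the referenced commit or the ports framework: it reads the CPE_* variables from a port Makefile excerpt, builds the CPE 2.3 name the port would advertise, and checks whether that vendor/product pair exists in a dictionary excerpt. The Makefile lines, the dictionary entries and the version numbers are constructed for the example; the defaulting of CPE_VENDOR and CPE_PRODUCT to PORTNAME is modelled on USES=cpe, and the wildcarded 2.3 string is a simplification of what the framework generates.

```python
import re

# Constructed CPE 2.3 dictionary excerpt (not real NVD data). Only the
# vendor "x.org" for product "xfs" follows the thread's conclusion; the
# "x" vendor entry is there to show that a vendor string can exist in the
# dictionary and still be wrong for a given product.
CPE_DICTIONARY = [
    "cpe:2.3:a:x.org:xfs:1.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:x.org:xfs:1.0.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:x.org:x11:7.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:x:xorg-server:1.19.0:*:*:*:*:*:*:*",
]

# Constructed Makefile excerpts: the committed variant (vendor "x") and the
# corrected variant (vendor "x.org"). DISTVERSION is a placeholder value.
MAKEFILE_WRONG = "PORTNAME=\txfs\nDISTVERSION=\t1.0.1\nCATEGORIES=\tx11-fonts\nUSES=\tcpe\nCPE_VENDOR=\tx\n"
MAKEFILE_RIGHT = "PORTNAME=\txfs\nDISTVERSION=\t1.0.1\nCATEGORIES=\tx11-fonts\nUSES=\tcpe\nCPE_VENDOR=\tx.org\n"

_ASSIGN = re.compile(r"^([A-Z_]+)\s*[?+:]?=\s*(.*?)\s*$")


def parse_makefile(text):
    """Return {VAR: value} for simple single-line assignments (=, ?=, +=, :=).

    Continuation lines and make expressions are not handled; this is enough
    for the PORTNAME, DISTVERSION and CPE_* lines a port sets by hand.
    """
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def port_cpe(variables):
    """Build the CPE 2.3 name a port would advertise, or None without USES=cpe.

    Vendor and product default to the lower-cased PORTNAME (modelled on
    USES=cpe); the trailing fields are wildcarded here for simplicity.
    """
    if "cpe" not in variables.get("USES", "").split():
        return None
    portname = variables["PORTNAME"].lower()
    vendor = variables.get("CPE_VENDOR", portname)
    product = variables.get("CPE_PRODUCT", portname)
    version = variables.get(
        "CPE_VERSION", variables.get("DISTVERSION", variables.get("PORTVERSION", "*"))
    )
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


def split_cpe23(name):
    """Split a CPE 2.3 formatted string into its 11 component fields.

    A literal ':' inside a field is escaped as '\\:', so only unescaped
    colons separate fields.
    """
    fields = re.split(r"(?<!\\):", name)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {name}")
    return fields[2:]  # part, vendor, product, version, update, ...


def audit_port(makefile_text, dictionary):
    """Check a port's vendor/product/version against the dictionary.

    'vendor_known' alone is not enough: the pair must match ('pair_known'),
    and 'expected_vendors' lists which vendors the dictionary uses for the
    product, which is the value CPE_VENDOR should take.
    """
    cpe = port_cpe(parse_makefile(makefile_text))
    if cpe is None:
        return {"cpe": None, "problem": "USES=cpe not set"}
    _, vendor, product, version, *_ = split_cpe23(cpe)
    entries = [split_cpe23(e) for e in dictionary]
    vendors_for_product = {e[1] for e in entries if e[2] == product}
    return {
        "cpe": cpe,
        "vendor_known": vendor in {e[1] for e in entries},
        "pair_known": vendor in vendors_for_product,
        "expected_vendors": sorted(vendors_for_product),
        "version_known": any(
            e[1] == vendor and e[2] == product and e[3] == version for e in entries
        ),
    }


if __name__ == "__main__":
    for label, text in (("committed", MAKEFILE_WRONG), ("corrected", MAKEFILE_RIGHT)):
        print(label, audit_port(text, CPE_DICTIONARY))
```

Run against a real dictionary, the same check flags any port whose CPE_VENDOR was chosen by ports-tree convention rather than copied from the dictionary; a wrong vendor means vulnerability data keyed on the dictionary's CPE names never matches the installed package.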