Created attachment 173613
add CPE information to Makefile
x11-fonts/xfs has had vulnerabilities with a CPE identifier assigned (e.g. CVE-2007-4568). This patch adds CPE information as suggested in the FreeBSD wiki.
I'll look into this. There's a couple of other xorg ports with PRs for CPE info, I'll do them in one go.
What is the current status?
Does ports-secteam have to be active here?
(In reply to Jochen Neumeister from comment #4)
This has probably just been dropped. I'm not sure how useful CPE info is, but there is no harm in adding it.
(In reply to Niclas Zeising from comment #5)
I do believe the vendor should be x, not x.org though.
(In reply to Niclas Zeising from comment #6)
After a closer look, it seems like both x and x.org are used. I'll double check with ports secteam on which is preferred.
(In reply to Niclas Zeising from comment #7)
Sorry for spam. Looking through the ports tree, we have used x as vendor.
A commit references this bug:
Date: Sun Feb 17 18:59:31 UTC 2019
New revision: 493180
x11-fonts/xfs: Add CPE info
Add CPE info to xfs. Use x as vendor, since that's what's used throughout
the ports tree. Looking at the NVD CPE database, both x and x.org seem to
PR: 211797 (based on)
Submitted by: shun
Sponsored by: B3 Init (zeising)
CPE info has been added. Sorry for dropping this one on the floor, and thanks for the reminder!
I am currently trying to fix and add CPE information all over the ports tree and just noticed that the CPE info for x11-fonts/xfs was added incorrectly.
CPE_VENDOR is nothing that we decide on but is coming from the CPE Dictionary and the correct value for this port is "x.org" - so the submitted patch was correct. I've fixed it in the ports tree in a71a0b5.
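The vendor mismatch discussed in this thread can be caught mechanically by checking a port's vendor and product against CPE Dictionary entries. The following is an added example, not part of the bug report or the ports tree. The function names, the dictionary sample and its version numbers are constructed for illustration.

```python
# Constructed stand-in for a CPE Dictionary extract; entries are illustrative,
# not copied from NVD.
SAMPLE_DICTIONARY = [
    "cpe:2.3:a:x.org:xfs:1.0.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:x:example_product:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example\\:vendor:tool:2.0:*:*:*:*:*:*:*",
]


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string on ':' while honouring '\\' escapes."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            current.append(cpe[i:i + 2])  # keep the escaped pair together
            i += 2
        elif cpe[i] == ":":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(cpe[i])
            i += 1
    fields.append("".join(current))
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields


def check_vendor(vendor, product, dictionary):
    """Classify a port's (vendor, product) pair against dictionary entries."""
    vendors = set()
    for entry in dictionary:
        fields = split_cpe23(entry)
        if fields[4] == product:
            vendors.add(fields[3])
    if vendor in vendors:
        return ("ok", [vendor])
    if vendors:
        return ("wrong_vendor", sorted(vendors))  # product known elsewhere
    return ("unknown", [])


if __name__ == "__main__":
    for vendor in ("x", "x.org"):
        print(vendor, check_vendor(vendor, "xfs", SAMPLE_DICTIONARY))
```

A "wrong_vendor" result means vulnerability feeds keyed on the dictionary's vendor would not match the port, which is the failure the last comment corrects.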