Created attachment 260347
Correct CPE record. Adds both language and CPUTYPE into record

Reviewing /usr/ports/Mk/cpe.mk against https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf, it became apparent that cpe.mk has field 7, "language", which should be field 10. It's also arguable that the current field 5, "Update", would be better used for the Port Revision information rather than field 11, "Other".

The attachment is how I have cpe configured. It includes both the language, in field 10, and the CPUTYPE, as field 11, other. This unambiguously defines the package, as I build for both different languages and different CPU_TYPES.

It would make a great deal of sense if a similar record was added to /sys/conf/newvers.sh so "uname -c" could provide a CPE record.
Subsequent to an offline discussion with DES, I'm sharing the conclusion:

NIST 7695 provides the necessary guidance for CPE content. The structure of the CPE is defined in section 6.2. The inclusion of a CPE can't be automated because the port maintainer must review the National Vulnerability Database per instructions in the Porter's Handbook section 17.19 to maintain alignment in the event of a vulnerability.

References:
1. https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
2. https://docs.freebsd.org/en/books/porters-handbook/book/#uses-cpe
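The CPE 2.3 formatted-string structure from NISTIR 7695 section 6.2, referenced above, as an added example (not code from cpe.mk, the attachment, or either commenter): a small parser that splits a CPE string on unescaped colons and names the eleven attributes in the order the specification binds them. The sample strings and the vendor and product names are constructed for illustration.

```python
# Attribute order of the CPE 2.3 formatted string binding (NISTIR 7695, 6.2):
# cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition>:
#         <language>:<sw_edition>:<target_sw>:<target_hw>:<other>
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")


def split_unescaped(fs):
    """Split on ':' but keep backslash-escaped characters (e.g. '\\:') intact."""
    fields, cur, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):
            cur.append(fs[i:i + 2])      # keep the escape pair as written
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(fs):
    """Return {attribute: value} for a CPE 2.3 formatted string, or raise."""
    fields = split_unescaped(fs)
    if fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string")
    values = fields[2:]
    if len(values) != len(ATTRS):
        raise ValueError(f"expected {len(ATTRS)} attributes, got {len(values)}")
    if any(v == "" for v in values):
        raise ValueError("empty component; use '*' (ANY) or '-' (NA)")
    return dict(zip(ATTRS, values))


# Constructed samples: hypothetical vendor/product, not a real port's record.
SAMPLE = "cpe:2.3:a:example_vendor:example_port:1.2.3:*:*:en:*:freebsd14:amd64:1"
ESCAPED = r"cpe:2.3:a:example_vendor:example\:port:1.0:*:*:*:*:*:*:*"

if __name__ == "__main__":
    for name, value in parse_cpe23(SAMPLE).items():
        print(f"{name:<11}{value}")
```

Running it prints each attribute name beside its value, which makes it easy to compare a generated record against the NVD entry for the same product.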