Improve CPE Data in the Ports Collection
Links:
chkcpe URL: https://github.com/decke/chkcpe
CPE on
wiki.freebsd.org URL: https://wiki.freebsd.org/Ports/CPE
CPE Dictionary URL:
https://nvd.nist.gov/products/cpe
Contact: Bernhard Froehlich <decke@FreeBSD.org>
Common Platform Enumeration (CPE) is an open standard for naming hardware and software components. Originally developed by MITRE, it is now maintained by NIST under the aegis of the National Vulnerability Database. A CPE URI uniquely identifies a device or program by its vendor, product name, version, revision, etc. NIST maintains the official CPE dictionary which lists CPE names for all software versions that have ever been mentioned in an advisory.
In the FreeBSD Ports Collection it has been possible to annotate
CPE data with USES=cpe since 2014 but only around 1000
ports out of 30.000 did use it. This is why a script called
chkcpe was created to validate existing CPE data and
find new possible matches automatically.
Why do we need it?
It allows comparing CPE URIs for installed packages against
published vulnerability data and will give us a much better and
more complete pkg audit. As a side effect we will also
have a better overview of vulnerable ports in the FreeBSD Ports
Collection that need to be patched or updated.
How can I help?
In this phase there is no easy possibility for port maintainers to help. Creating separate PRs only to add CPE data does not make sense because the overhead is very high. This is why I did spend some time on chkcpe to improve the review and commit workflow. Right now review and commit consumes around 3 minutes per port.
If you are a Ports Committer and want to help please get in touch!
Open Tasks
-
Review remaining reports (~1800) and update ports when appropriate
-
Improve matching quality to find more possible matches
-
Support using CPE data in
pkg audit -
Scan for vulnerable ports in the Ports Collection
Last modified on: November 15, 2021 by Daniel Ebdrup Jensen