=== Improve CPE Data in the Ports Collection Links: + link:https://github.com/decke/chkcpe[chkcpe] URL: link:https://github.com/decke/chkcpe[https://github.com/decke/chkcpe] + link:https://wiki.freebsd.org/Ports/CPE[CPE on wiki.freebsd.org] URL: link:https://wiki.freebsd.org/Ports/CPE[https://wiki.freebsd.org/Ports/CPE] + link:https://nvd.nist.gov/products/cpe[CPE Dictionary] URL: link:https://nvd.nist.gov/products/cpe[https://nvd.nist.gov/products/cpe] + Contact: Bernhard Froehlich Common Platform Enumeration (CPE) is an open standard for naming hardware and software components. Originally developed by MITRE, it is now maintained by NIST under the aegis of the National Vulnerability Database. A CPE URI uniquely identifies a device or program by its vendor, product name, version, revision, etc. NIST maintains the official CPE dictionary which lists CPE names for all software versions that have ever been mentioned in an advisory. In the FreeBSD Ports Collection it has been possible to annotate CPE data with `USES=cpe` since 2014 but only around 1000 ports out of 30.000 did use it. This is why a script called `chkcpe` was created to validate existing CPE data and find new possible matches automatically. ==== Why do we need it? It allows comparing CPE URIs for installed packages against published vulnerability data and will give us a much better and more complete `pkg audit`. As a side effect we will also have a better overview of vulnerable ports in the FreeBSD Ports Collection that need to be patched or updated. ==== How can I help? In this phase there is no easy possibility for port maintainers to help. Creating separate PRs only to add CPE data does not make sense because the overhead is very high. This is why I did spend some time on chkcpe to improve the review and commit workflow. Right now review and commit consumes around 3 minutes per port. If you are a Ports Committer and want to help please get in touch! ==== Open Tasks * Review remaining reports (~1800) and update ports when appropriate * Improve matching quality to find more possible matches * Support using CPE data in `pkg audit` * Scan for vulnerable ports in the Ports Collection