@@ -393,6 +393,10 @@ TARGET_CONFIGURE_ARGS = \
################################################################################
+CPE_PREFIX_OS = cpe:2.3:o
+CPE_PREFIX_APP = cpe:2.3:a
+CPE_SUFFIX = *:*:*:*:*:*:*
+
ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
NLS_OPTS = --enable-nls
TARGET_NLS_DEPENDENCIES = host-gettext
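Review bot: The three new CPE variables have no comment, and `CPE_SUFFIX` is a bare run of seven wildcards that a reader has to count against the CPE 2.3 formatted-string layout. A miscounted field would produce an identifier that no longer lines up with dictionary entries, so vulnerability matching in the CPE report would silently miss. I would add above them `# CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:<suffix>; part is a (application) or o (operating system)` and `# CPE_SUFFIX wildcards: update, edition, language, sw_edition, target_sw, target_hw, other`. The commit message mentions a third, hardware part, so the comment could also say that it is intentionally not defined here.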
@@ -875,11 +875,17 @@ $(2)_CPE_ID_NAME ?= $$($(2)_NAME)
$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION)
+ifneq ($(filter linux linux-headers,$(1)),)
+$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
+else
+$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
+endif
+
$(1)-cpe-info: PKG=$(2)
$(1)-cpe-info:
ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
@$$(call MESSAGE,"Collecting cpe info")
- $(Q)$$(call cpe-manifest,$$($(2)_CPE_ID),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
+ $(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_CVE_PATCHED),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
# legal-info: declare dependencies and set values used later for the manifest
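Review bot: The part selection at `ifneq ($(filter linux linux-headers,$(1)),)` is hard-wired to two package names and assigned with `=`, so no other package can declare itself an operating-system (or hardware) component, unlike the `?=` defaults used for `$(2)_CPE_ID_NAME` and `$(2)_CPE_ID_VERSION` just above. A package given the wrong part produces a CPE string that will not match its dictionary entry, which shows up as missed CVEs rather than as a build error. I would make both assignments overridable, `$(2)_CPE_PREFIX ?= $(CPE_PREFIX_OS)` and `$(2)_CPE_PREFIX ?= $(CPE_PREFIX_APP)`, and consider naming the variable `$(2)_CPE_ID_PREFIX` to match the existing `_CPE_ID_*` family. Separately, the first argument to `cpe-manifest` now carries `*` characters and the raw `$(2)_VERSION` text; whether the macro quotes that argument for the shell, and whether punctuation in versions is escaped as the formatted-string binding expects, is not visible here and is worth confirming. The enclosing define starts and ends outside this hunk.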
There are two types of software CPE prefixes, one for applications and one for operating systems. Note: There is a third type for hardware. This patchset determines which prefix should be used and stores that information with the package for later use when assembling the CPE report. There is also a suffix, which we simply default to wildcards at this point. Refs: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf https://cpe.mitre.org/specification/ Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> --- Changes v4 -> v7 - None v3 [Arnout - Moved CPE prefix and suffix defines to package/Makefile.in v1 -> v2 [Thomas P - Change to using a filter on pkg name value vs ifelse --- package/Makefile.in | 4 ++++ package/pkg-generic.mk | 8 +++++++- 2 files changed, 11 insertions(+), 1 deletion(-)