git.ipfire.org Git - thirdparty/systemd.git/commitdiff
docs: Update CPE fields in package metadata spec
author: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Mon, 3 Feb 2025 10:55:20 +0000 (10:55 +0000)
committer: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Mon, 3 Feb 2025 11:22:25 +0000 (11:22 +0000)
Update osCPE field example to use cpe 2.3 format, as is in active use by
AmazonLinux 2023 for example.

Add appCPE field example to document the upstream application CPE for the
applicable CVEs. Often distribution source package names are different from the
upstream CPE. For example adding/removing "lib" prefix, or adding version
stream "-3" suffix. This typically leads to guessing or fuzzy matching. Adding
appCPE in such cases can help to disambiguate (or collate) correct application
CPEs; especially beyond the lifetime of osCPE support timeframes.
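The disambiguation the commit message describes, as an added example that is not part of this commit or of systemd: the script below decodes a `.note.package` ELF note (owner `FDO`, type `0xcafe1a7e`, NUL-terminated JSON, as the spec defines; little-endian layout is assumed), normalises `osCpe`/`appCpe` from either the 2.2 URI binding or the 2.3 formatted string to the same component tuple, and contrasts exact matching on the declared CPEs with a guess derived from the source package name. The advisory feed, the `ADV-n` identifiers and the second package record (a `gnutls28`-style name with a version-stream suffix) are constructed for the example.

```python
"""Added example, not part of this commit or of systemd. Parses a
.note.package ELF note (owner "FDO", type 0xcafe1a7e, NUL-terminated JSON,
per the systemd spec; little-endian ELF assumed) and matches the declared
osCpe/appCpe against a constructed advisory feed, next to what a consumer
gets by guessing the CPE product from the source package name."""
import json
import re
import struct

NOTE_OWNER = b"FDO"
NOTE_TYPE = 0xCAFE1A7E
# part, vendor, product, version, update, edition, language, sw_edition,
# target_sw, target_hw, other: the 11 components after the "cpe:2.3" prefix
CPE23_NCOMP = 11


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_package_note(metadata: dict) -> bytes:
    """Encode metadata as one ELF note entry (constructed input for the demo)."""
    name = NOTE_OWNER + b"\0"
    desc = json.dumps(metadata).encode("utf-8") + b"\0"
    header = struct.pack("<III", len(name), len(desc), NOTE_TYPE)
    return header + _pad4(name) + _pad4(desc)


def parse_package_notes(section: bytes) -> list:
    """Walk a .note.package section and decode every FDO/0xcafe1a7e payload."""
    found, off = [], 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        off += 12
        name = section[off:off + namesz]
        off += (namesz + 3) & ~3          # name and desc are 4-byte aligned
        desc = section[off:off + descsz]
        off += (descsz + 3) & ~3
        if name.rstrip(b"\0") == NOTE_OWNER and ntype == NOTE_TYPE:
            found.append(json.loads(desc.rstrip(b"\0").decode("utf-8")))
    return found


def normalize_cpe(cpe: str) -> tuple:
    """Return the 11 CPE components, accepting the 2.2 URI binding
    ("cpe:/o:...") and the 2.3 formatted string ("cpe:2.3:o:...").
    Missing trailing components become "*", so an abbreviated string such as
    the ones in os-release files compares equal to the full 13-field form.
    (2.2 percent-encoding is not decoded; enough for vendor/product/version.)"""
    if cpe.startswith("cpe:2.3:"):
        body = cpe[len("cpe:2.3:"):]
    elif cpe.startswith("cpe:/"):
        body = cpe[len("cpe:/"):]
    else:
        raise ValueError("not a CPE name: %r" % cpe)
    comps = re.split(r"(?<!\\):", body)   # a literal ':' is escaped as '\:' in 2.3
    if not 3 <= len(comps) <= CPE23_NCOMP or comps[0] not in ("a", "o", "h"):
        raise ValueError("malformed CPE name: %r" % cpe)
    comps = [c if c else "*" for c in comps]   # 2.2 allows empty components
    return tuple(comps + ["*"] * (CPE23_NCOMP - len(comps)))


def cpe_matches(value: tuple, pattern: tuple) -> bool:
    """Component-wise equality; "*" in the pattern matches any value."""
    return all(p == "*" or p == v for v, p in zip(value, pattern))


# Constructed advisory feed: (affected CPE pattern, placeholder advisory id).
ADVISORIES = [
    ("cpe:2.3:a:gnu:coreutils:5.0:*:*:*:*:*:*:*", "ADV-1"),
    ("cpe:2.3:a:gnu:coreutils:*:*:*:*:*:*:*:*", "ADV-2"),
    ("cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "ADV-3"),
    ("cpe:2.3:a:gnu:gnutls:3.8.3:*:*:*:*:*:*:*", "ADV-4"),
    ("cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*", "ADV-5"),
]


def advisories_by_declared_cpe(metadata: dict, feed=ADVISORIES) -> list:
    """Exact matching on the CPEs the package itself declares."""
    declared = [normalize_cpe(metadata[k]) for k in ("osCpe", "appCpe") if k in metadata]
    return [adv for pat, adv in feed
            if any(cpe_matches(d, normalize_cpe(pat)) for d in declared)]


def advisories_by_name_guess(metadata: dict, feed=ADVISORIES) -> list:
    """Without appCpe a consumer can only assume product == source package
    name (any vendor, any version); the guess is used as the pattern here."""
    guess = normalize_cpe("cpe:2.3:a:*:%s" % metadata["name"])
    return [adv for pat, adv in feed if cpe_matches(normalize_cpe(pat), guess)]


# The JSON example from the spec, plus a constructed record whose source
# package name carries a version-stream suffix and so never equals the
# upstream product name; its osCpe deliberately uses the 2.2 URI binding.
COREUTILS = {"type": "rpm", "os": "fedora", "name": "coreutils",
             "version": "4711.0815.fc13", "architecture": "arm32",
             "osCpe": "cpe:2.3:o:fedoraproject:fedora:33",
             "appCpe": "cpe:2.3:a:gnu:coreutils:5.0",
             "debugInfoUrl": "https://debuginfod.fedoraproject.org/"}
GNUTLS28 = {"type": "deb", "os": "debian", "name": "gnutls28",
            "version": "3.8.3-1", "architecture": "amd64",
            "osCpe": "cpe:/o:debian:debian_linux:12",
            "appCpe": "cpe:2.3:a:gnu:gnutls:3.8.3"}

if __name__ == "__main__":
    section = build_package_note(COREUTILS) + build_package_note(GNUTLS28)
    for md in parse_package_notes(section):
        print(md["name"], "declared:", advisories_by_declared_cpe(md),
              "name guess:", advisories_by_name_guess(md))
```

For `coreutils` the name guess happens to hit the same application advisories as `appCpe` (minus the OS one), because the source package name equals the upstream product; for `gnutls28` the guess finds nothing at all while the declared `appCpe` matches, which is the case the commit message is about.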

docs/PACKAGE_METADATA_FOR_EXECUTABLE_FILES.md

index af564e8e4d4544b3b40e0bd0811051ca28cb38a8..46b4e00bddd92046933fe888dc98b7ea274c6f0a 100644 (file)
@@ -89,7 +89,8 @@ Value: a single JSON object encoded as a NUL-terminated UTF-8 string
      "name":"coreutils",
      "version":"4711.0815.fc13",
      "architecture":"arm32",
-     "osCpe": "cpe:/o:fedoraproject:fedora:33",          # A CPE name for the operating system, `CPE_NAME` from os-release is a good default
+     "osCpe": "cpe:2.3:o:fedoraproject:fedora:33",          # A CPE name for the operating system, `CPE_NAME` from os-release is a good default
+     "appCpe": "cpe:2.3:a:gnu:coreutils:5.0",               # A CPE name for the upstream application, check NVD
      "debugInfoUrl": "https://debuginfod.fedoraproject.org/"
 }
 ```
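Review bot: the new `appCpe` example `cpe:2.3:a:gnu:coreutils:5.0` and the updated `osCpe` use the 2.3 formatted-string binding but omit the trailing components; NIST IR 7695 defines that binding with all 13 fields, so the spec-conformant form is `cpe:2.3:a:gnu:coreutils:5.0:*:*:*:*:*:*:*`. Either show the full strings or say in the prose that abbreviated strings are accepted and that consumers must pad them with `*`, and also state whether the 2.2 URI binding of the previous example (`cpe:/o:fedoraproject:fedora:33`) remains valid, since the comment still recommends copying `CPE_NAME` from os-release and that value can be in either form. The `appCpe` version `5.0` also does not correspond to the `version` field `4711.0815.fc13` in the same object; choosing an upstream version that matches the packaged one would stop readers from reading the two as unrelated.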
@@ -134,7 +135,8 @@ A set of well-known keys is defined here, and hopefully shared among all vendors
 | name         | The source package name                                                  | coreutils                             |
 | version      | The source package version                                               | 4711.0815.fc13                        |
 | architecture | The binary package architecture                                          | arm32                                 |
-| osCpe        | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:/o:fedoraproject:fedora:33        |
+| osCpe        | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:2.3:o:fedoraproject:fedora:33     |
+| appCpe       | A CPE name for the upstream Application, check NVD                       | cpe:2.3:a:gnu:coreutils:5.0           |
 | debugInfoUrl | The debuginfod server url, if available                                  | https://debuginfod.fedoraproject.org/ |
 
 ### Displaying package notes
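Review bot: the `appCpe` row's description "A CPE name for the upstream Application, check NVD" is not a definition; "check NVD" does not tell an implementer what to put in the field, and "Application" should be lower case like the other rows. Suggest something like "A CPE name for the upstream application the package is built from, as used in NVD CVE records; useful when the source package name differs from the upstream product name", which also carries into the document the rationale (lib prefix, version-stream suffix) that otherwise lives only in the commit message.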