From: Dimitri John Ledkov Date: Mon, 3 Feb 2025 10:55:20 +0000 (+0000) Subject: docs: Update CPE fields in package metadata spec X-Git-Tag: v258-rc1~1430^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=355afa92322752692993fbf82a7f98c62b3e95e1;p=thirdparty%2Fsystemd.git docs: Update CPE fields in package metadata spec Update osCPE field example to use cpe 2.3 format, as is in active use by AmazonLinux 2023 for example. Add appCPE field example to document the upstream application CPE for the applicable CVEs. Often distribution source package names are different from the upstream CPE. For example adding/removing "lib" prefix, or adding version stream "-3" suffix. This typically leads to guessing or fuzzy matching. Adding appCPE in such cases can help to disambiguate (or collate) correct application CPEs; especially beyond the lifetime of osCPE support timeframes. --- diff --git a/docs/PACKAGE_METADATA_FOR_EXECUTABLE_FILES.md b/docs/PACKAGE_METADATA_FOR_EXECUTABLE_FILES.md index af564e8e4d4..46b4e00bddd 100644 --- a/docs/PACKAGE_METADATA_FOR_EXECUTABLE_FILES.md +++ b/docs/PACKAGE_METADATA_FOR_EXECUTABLE_FILES.md @@ -89,7 +89,8 @@ Value: a single JSON object encoded as a NUL-terminated UTF-8 string "name":"coreutils", "version":"4711.0815.fc13", "architecture":"arm32", - "osCpe": "cpe:/o:fedoraproject:fedora:33", # A CPE name for the operating system, `CPE_NAME` from os-release is a good default + "osCpe": "cpe:2.3:o:fedoraproject:fedora:33", # A CPE name for the operating system, `CPE_NAME` from os-release is a good default + "appCpe": "cpe:2.3:a:gnu:coreutils:5.0", # A CPE name for the upstream application, check NVD "debugInfoUrl": "https://debuginfod.fedoraproject.org/" } ``` 
@@ -134,7 +135,8 @@ A set of well-known keys is defined here, and hopefully shared among all vendors | name | The source package name | coreutils | | version | The source package version | 4711.0815.fc13 | | architecture | The binary package architecture | arm32 | -| osCpe | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:/o:fedoraproject:fedora:33 | +| osCpe | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:2.3:o:fedoraproject:fedora:33 | +| appCpe | A CPE name for the upstream Application, check NVD | cpe:2.3:a:gnu:coreutils:5.0 | | debugInfoUrl | The debuginfod server url, if available | https://debuginfod.fedoraproject.org/ | ### Displaying package notes
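Review bot: In the first hunk, both new CPE values are truncated formatted strings: the CPE 2.3 formatted-string binding has 13 colon-separated components (part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other), with unset ones written as `*`, so a strict CPE 2.3 parser will reject `cpe:2.3:a:gnu:coreutils:5.0`. Either pad the examples to the full form, e.g. `"appCpe": "cpe:2.3:a:gnu:coreutils:5.0:*:*:*:*:*:*:*"`, or add a sentence stating that consumers must accept a prefix (as os-release `CPE_NAME` values in the wild are commonly truncated). Also consider aligning the example `version` with the `appCpe` version, or saying explicitly that `5.0` is the upstream release from which the `4711.0815.fc13` build was made; as written the two versions look unrelated.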
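Review bot: The `appCpe` table row in the second hunk should state how the field is meant to be used by vulnerability matching, because the commit message only says it helps disambiguate. A scanner that matches CVEs on `appCpe` version alone will flag every distribution build that backported a fix without bumping the upstream version, so the row (or the surrounding text) should say that `osCpe` plus `name`/`version` remain the authoritative key for distribution-patched CVEs and that `appCpe` identifies the upstream product for lookup, not the patch state. Minor: "check NVD" is terse for a spec; say "as listed in the NVD CPE dictionary" and lowercase "Application" to match the other rows.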