From: Dimitri John Ledkov <19779+xnox@users.noreply.github.com>
Date: Mon, 3 Feb 2025 22:14:56 +0000 (+0000)
Subject: docs: Update CPE fields in package metadata spec (#36251)
X-Git-Tag: v258-rc1~1430
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ad594122c98244bedd819dba7325ad94d4f5fa1;p=thirdparty%2Fsystemd.git

docs: Update CPE fields in package metadata spec (#36251)

Update osCPE field example to use cpe 2.3 format, as is in active use by AmazonLinux 2023 for example.

Add appCPE field example to document the upstream application CPE for the applicable CVEs.

Often distribution source package names are different from the upstream CPE. For example adding/removing "lib" prefix, or adding version stream "-3" suffix. This typically leads to guessing or fuzzy matching. Adding appCPE in such cases can help to disambiguate (or collate) correct application CPEs; especially beyond the lifetime of osCPE support timeframes.

This will also help a lot with packaging multiple alternative source packages of the same software (e.g. nginx-full nginx-core); different version streams (e.g. openssl-1.1, openssl-3); or alternative builds of upstream software with largely the same CVEs with multiple version streams (e.g. openjdk-{22,17,11..}, corretto-{22,17,11..}, temurin-{22,17,11..}, etc).
---
6ad594122c98244bedd819dba7325ad94d4f5fa1
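The disambiguation the message describes, as an added example that is not part of this commit or of systemd's package metadata spec: matching package metadata records against an advisory CPE by guessing from the package name versus by the appCPE field. The record contents, the advisory CPE and the "name"/"version" keys are constructed here for illustration; only osCPE and appCPE come from the commit.

```python
import re
from dataclasses import dataclass

# Constructed advisory: affects upstream openssl 3.0.7 only.
ADVISORY_CPE = "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*"

# Constructed, already JSON-decoded package metadata records.
NOTES = [
    {"name": "openssl-3", "version": "3.0.7-2",
     "osCPE": "cpe:2.3:o:amazon:amazon_linux:2023:*:*:*:*:*:*:*",
     "appCPE": "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*"},
    {"name": "openssl-1.1", "version": "1.1.1w-1",
     "osCPE": "cpe:2.3:o:amazon:amazon_linux:2023:*:*:*:*:*:*:*",
     "appCPE": "cpe:2.3:a:openssl:openssl:1.1.1w:*:*:*:*:*:*:*"},
    {"name": "libnettle", "version": "3.9.1-1",   # no appCPE: fall back to name
     "osCPE": "cpe:2.3:o:amazon:amazon_linux:2023:*:*:*:*:*:*:*"},
]

@dataclass(frozen=True)
class Cpe23:
    part: str
    vendor: str
    product: str
    version: str

def parse_cpe23(s: str) -> Cpe23:
    """Split a CPE 2.3 formatted string; an escaped '\\:' inside a component is kept."""
    if not s.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {s!r}")
    comps = re.split(r"(?<!\\):", s[len("cpe:2.3:"):])
    if len(comps) != 11:   # part, vendor, product, version + 7 further components
        raise ValueError(f"expected 11 components, got {len(comps)}: {s!r}")
    return Cpe23(*comps[:4])

def matches_cpe(pkg_cpe: str, adv: Cpe23) -> bool:
    """Exact part/vendor/product match; advisory version '*' matches any version."""
    p = parse_cpe23(pkg_cpe)
    return ((p.part, p.vendor, p.product) == (adv.part, adv.vendor, adv.product)
            and adv.version in ("*", p.version))

def guess_product(pkg_name: str) -> str:
    """Name-based fallback: drop a 'lib' prefix and a '-<stream>' version suffix."""
    return re.sub(r"-\d[\w.]*$", "", re.sub(r"^lib", "", pkg_name))

def find_by_name_only(notes, advisory_cpe: str) -> list:
    """Without appCPE every version stream of the product looks affected."""
    adv = parse_cpe23(advisory_cpe)
    return [n["name"] for n in notes if guess_product(n["name"]) == adv.product]

def find_affected(notes, advisory_cpe: str) -> dict:
    """Prefer appCPE (exact product and version); guess from the name otherwise."""
    adv, hits = parse_cpe23(advisory_cpe), {}
    for n in notes:
        if "appCPE" in n:
            if matches_cpe(n["appCPE"], adv):
                hits[n["name"]] = "appCPE"
        elif guess_product(n["name"]) == adv.product:
            hits[n["name"]] = "name-guess"
    return hits
```

Running `find_by_name_only(NOTES, ADVISORY_CPE)` flags both openssl streams, while `find_affected` narrows the hit to openssl-3 via its appCPE.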