Red Hat Bugzilla – Bug 404371
[feature] Provide our CPE name in a new system file
Last modified: 2016-01-18 11:09:42 EST
+++ This bug was initially created as a clone of Bug #404361 +++ CPE (Common Platform Enumeration) is a structured naming scheme for platforms proposed by Mitre. CPE is used by the National Vulnerability Database and is part of SCAP and is designed to be a way of providing a formal way to uniquely identify a platform. Whilst security tools can guess our platform by reading /etc/[fedora|redhat|system]-release, parsing the marketing names is not consistent. We're already using CPE names to identify platforms and metrics when releasing Red Hat Enterprise Linux advisories. So the proposal is to have fedora-release provide the CPE name for the release in such a way that third party system tools can make use of it, and also to convince other distributions to do the same. For example, the formal name for the OS platform Fedora 8 is "cpe://o:fedora_project:fedora:8" (ignore the incorrect name used in the dictionary on the NVD site, it's due for update shortly) This is a common platform name, regardless of what individual applications (packages) are provided. Therefore spins can use the same name. So perhaps provide a /etc/system-release-cpe (/etc/system-cpe?) file containing cpe://o:fedora_project:fedora:%{version}
Contact me for the specific RHEL names, but they're of the form like: cpe://o:redhat:enterprise_linux:6:GA:Server cpe://o:redhat:enterprise_linux:6:Update1:Client
Are we planning on adding this for all RHEL releases? I.e do we need to clone this for the next round of updates?
/etc/system-release-cpe added to redhat-release-6-6.0.0.11
Hi Dennis, I noticed that the format of the CPE name wasn't updated to match the latest CPE spec which only uses one slash after cpe: and a lowercase product variant. So can you update it to something like this? echo "cpe:/o:redhat:enterprise_linux:%{version}:%{?beta: %{beta}}%{!?beta: GA}" > $RPM_BUILD_ROOT/etc/system-release-cpe Thanks, Mark
Alan, for RHEV you need to use the official RHEV CPE name, this can be found in the master product file (product.xml), where it is: cpe:/o:redhat:enterprise_virtualization_hypervisor:2.1 Do you want me to file a bz for this? (I assume against ovirt-node pkg)
CPE text updated to match the latest spec. redhat-release-6-6.0.0.13
Hey Dennis, it came out as cpe:/o:redhat:enterprise_linux:6: Alpha I guess it needs no space after the beta: (I didn't test this) Sorry about that.
How does this look? $ rpm2cpio /mnt/redhat/brewroot/packages/redhat-release/6/6.0.0.14/ppc64/redhat-release-6-6.0.0.14.ppc64.rpm | cpio -iuvmd /etc/system-release-cpe 293 blocks $ cat ./etc/system-release-cpe cpe:/o:redhat:enterprise_linux:6:Alpha
that's correct, thanks!
Fixed in 'redhat-release-6-6.0.0.14'. 'redhat-release-6-6.0.0.15' included in compose 'RHEL6.0-20091027.3'. Moving to ON_QA.
redhat-release-server-6-6.0.0.27.el6.x86_64 # cat /etc/system-release-cpe cpe:/o:redhat:enterprise_linux:6:beta:server Moving to VERIFIED.
Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.