Bug 404371 - [feature] Provide our CPE name in a new system file
[feature] Provide our CPE name in a new system file
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: redhat-release-server (Show other bugs)
6.0
All Linux
low Severity low
: rc
: ---
Assigned To: Andrew Thomas
Release Test Team
: FutureFeature
Depends On:
Blocks: 592425 593463
  Show dependency treegraph
 
Reported: 2007-11-29 08:39 EST by Mark J. Cox (Product Security)
Modified: 2016-01-18 11:09 EST (History)
8 users (show)

See Also:
Fixed In Version: redhat-release-6-6.0.0.14
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 592425 (view as bug list)
Environment:
Last Closed: 2010-11-11 09:54:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2007-11-29 08:39:53 EST
+++ This bug was initially created as a clone of Bug #404361 +++

CPE (Common Platform Enumeration) is a structured naming scheme for platforms
proposed by Mitre.  

CPE is used by the National Vulnerability Database and is part of SCAP and is
designed to be a way of providing a formal way to uniquely identify a platform.  
Whilst security tools can guess our platform by reading
/etc/[fedora|redhat|system]-release, parsing the marketing names is not
consistent.  We're already using CPE names to identify platforms and metrics
when releasing Red Hat Enterprise Linux advisories.  

So the proposal is to have fedora-release provide the CPE name for the release
in such a way that third party system tools can make use of it, and also to
convince other distributions to do the same.

For example, the formal name for the OS platform Fedora 8 is
"cpe://o:fedora_project:fedora:8" (ignore the incorrect name used in the
dictionary on the NVD site, it's due for update shortly)

This is a common platform name, regardless of what individual applications
(packages) are provided.  Therefore spins can use the same name.

So perhaps provide a /etc/system-release-cpe (/etc/system-cpe?) file containing
cpe://o:fedora_project:fedora:%{version}
Comment 1 Mark J. Cox (Product Security) 2007-11-29 08:41:55 EST
Contact me for the specific RHEL names, but they're of the form like:

cpe://o:redhat:enterprise_linux:6:GA:Server
cpe://o:redhat:enterprise_linux:6:Update1:Client
Comment 2 Mike McLean 2007-12-10 12:09:49 EST
Are we planning on adding this for all RHEL releases? I.e do we need to clone
this for the next round of updates?
Comment 6 Dennis Gregorovic 2009-09-17 08:44:32 EDT
/etc/system-release-cpe added to redhat-release-6-6.0.0.11
Comment 7 Mark J. Cox (Product Security) 2009-09-18 03:39:00 EDT
Hi Dennis, I noticed that the format of the CPE name wasn't updated to match the latest CPE spec which only uses one slash after cpe: and a lowercase product variant.  So can you update it to something like this?

echo "cpe:/o:redhat:enterprise_linux:%{version}:%{?beta: %{beta}}%{!?beta: GA}" > $RPM_BUILD_ROOT/etc/system-release-cpe

Thanks, Mark
Comment 8 Mark J. Cox (Product Security) 2009-09-18 03:44:10 EDT
Alan, for RHEV you need to use the official RHEV CPE name, this can be found in the master product file (product.xml), where it is:

cpe:/o:redhat:enterprise_virtualization_hypervisor:2.1

Do you want me to file a bz for this? (I assume against ovirt-node pkg)
Comment 9 Dennis Gregorovic 2009-09-18 07:46:45 EDT
CPE text updated to match the latest spec.  redhat-release-6-6.0.0.13
Comment 10 Mark J. Cox (Product Security) 2009-09-21 04:24:25 EDT
Hey Dennis, it came out as 
cpe:/o:redhat:enterprise_linux:6: Alpha

I guess it needs no space after the beta: (I didn't test this)

Sorry about that.
Comment 11 Dennis Gregorovic 2009-09-21 11:40:09 EDT
How does this look?

$ rpm2cpio /mnt/redhat/brewroot/packages/redhat-release/6/6.0.0.14/ppc64/redhat-release-6-6.0.0.14.ppc64.rpm  | cpio -iuvmd /etc/system-release-cpe
293 blocks
$ cat ./etc/system-release-cpe
cpe:/o:redhat:enterprise_linux:6:Alpha
Comment 12 Mark J. Cox (Product Security) 2009-09-22 05:13:52 EDT
that's correct, thanks!
Comment 13 releng-rhel@redhat.com 2009-10-28 11:51:07 EDT
Fixed in 'redhat-release-6-6.0.0.14'. 'redhat-release-6-6.0.0.15' included in compose 'RHEL6.0-20091027.3'.
Moving to ON_QA.
Comment 14 Alexander Todorov 2010-05-14 07:42:30 EDT
redhat-release-server-6-6.0.0.27.el6.x86_64

# cat /etc/system-release-cpe 
cpe:/o:redhat:enterprise_linux:6:beta:server

Moving to VERIFIED.
Comment 15 releng-rhel@redhat.com 2010-11-11 09:54:55 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.