Draft for http://dep.debian.net/ - merged with DEP12

Title: Add Common Platform Enumerator information to package meta information
DEP: DEP12
State: Pre-DRAFT
Date: 2012-04-13
Drivers: Petter Reinholdtsen <pere@hungry.com>
URL: http://wiki.debian.org/CPEtagPackagesDep
Abstract:
 This document propose to make it easier to map between Debian packages
 and known security holes by tagging each package with Common Platform
 Enumerator strings, allowing us to look up our packages in the NVD CVE
 database of security issues.  This will make it easier for enterprise system
 administrators to figure out which security problems affect their computers,
 and make it easier for the Debian security team to figure out which Debian
 packages are affected by a given security problem.

Introduction and Motivation

The National Vulnerability Database (NVD) provide a information about Common Vulnerabilities and Exposures (CVE) entries, including the severity of the problem and what software is affected. The list of software packages affected uses the Common Platform Enumerator values to identify individual software packages and versions.

By mapping Debian packages to CPE values, it is possible to figure out which packages are affected by which CVEs, and also to discover if the security tracker in Debian have holes in its coverage. This mapping can be done manually, but the it would be easier for both system administrators and the Debian security team if each package maintainer would keep track of their packages CPE value.

A prototype doing such mapping is implemented in the secure-testing git repository, https://salsa.debian.org/security-tracker-team/security-tracker.git . These are the files involved:

Proposal

Use the upstream metadata file (YAML format) to store the CPE values as a space separated list. Some packages have several CPE values, for historical reasons, and for these all of them should be listed, separated by space.

debian/upstream/metadata would look something like this for the perl package:

And something like this for the dmitry package:

History