[ptxdist] [PATCH] RFC: ptxd_make_world: Extract CPE for packages

[Simon Falsig <sfalsig@verity.net>]

From: Simon Falsig <sfalsig@verity.ch>

If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is
extracted into the fast report for that package. If no CPE is
specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is
added.

By default, the existing VERSION is used, but can be overridden with
CPE_VERSION.

Constructed CPEs are validated against the official CPE regex.

The CPE (Common Platform Enumerator) allows matching CVEs to specific
packages, and see if these apply to a specific deployment.
---
 rules/post/ptxd_make_world_common.make | 4 ++++
 scripts/lib/ptxd_make_world_report.sh  | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/rules/post/ptxd_make_world_common.make b/rules/post/ptxd_make_world_common.make
index 08120607a..0804f0b81 100644
--- a/rules/post/ptxd_make_world_common.make
+++ b/rules/post/ptxd_make_world_common.make
@@ -78,6 +78,10 @@ world/env/impl = \
 	pkg_PKG="$(call ptx/escape,$(1))"					\
 	pkg_pkg="$(call ptx/escape,$($(1)))"					\
 	pkg_version="$(call ptx/escape,$($(1)_VERSION))"			\
+	pkg_cpe_vendor="$(call ptx/escape,$($(1)_CPE_VENDOR))"			\
+	pkg_cpe_product="$(call ptx/escape,$($(1)_CPE_PRODUCT))"		\
+	pkg_cpe_version="$(call ptx/escape,$($(1)_CPE_VERSION))"		\
+	pkg_cpe="$(call ptx/escape,$($(1)_CPE))"				\
 	pkg_config="$(call ptx/escape,$($(1)_CONFIG))"				\
 	pkg_ref_config="$(call ptx/escape,$($(1)_REF_CONFIG))"			\
 	pkg_path="$(call ptx/escape,$($(1)_PATH))"				\
diff --git a/scripts/lib/ptxd_make_world_report.sh b/scripts/lib/ptxd_make_world_report.sh
index dbdae5736..dea25635b 100644
--- a/scripts/lib/ptxd_make_world_report.sh
+++ b/scripts/lib/ptxd_make_world_report.sh
@@ -39,6 +39,15 @@ ptxd_make_world_report_yaml() {
     do_list "rundeps:" "${pkg_run_deps}"
     do_echo "config:" "${pkg_config}"
     do_echo "version:" "${pkg_version}"
+    if [ ! -n "${pkg_cpe_version}" -a ! -n "${pkg_cpe}" ]; then
+	# Default to using pkg_version for the CPE string, unless _CPE_VERSION or _CPE are explicitly
+	# specified. In the case of the latter, there's no need to keep track of the version separately.
+	pkg_cpe_version="${pkg_version}"
+    fi
+    do_echo "cpe:" "${pkg_cpe}"
+    do_echo "cpe_vendor:" "${pkg_cpe_vendor}"
+    do_echo "cpe_product:" "${pkg_cpe_product}"
+    do_echo "cpe_version:" "${pkg_cpe_version}"
     do_list "url:" "${pkg_url}"
     do_echo "md5:" "${pkg_md5}"
     do_echo "source:" "${pkg_src}"
-- 
2.25.1