Bug 898196 - app-portage/portage-utils declares portage as a CPE entry in the metadata.xml
Summary: app-portage/portage-utils declares portage as a CPE entry in the metadata.xml
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Fabian Groffen
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-27 21:21 UTC by sfrolov
Modified: 2023-04-01 16:51 UTC

See Also:
Package list:
Runtime testing required: ---


Description sfrolov 2023-02-27 21:21:20 UTC
CPE entry in metadata.xml for app-portage/portage-utils is:

```
		<remote-id type="cpe">cpe:/a:gentoo:portage</remote-id>

```

This entry is not correct because portage-utils does not install portage. This leads to automated security scanning systems detecting portage version to be whatever portage-utils version is.

Reproducible: Always
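The mis-attribution the report describes can be reproduced and checked mechanically. The Python below is an added example, not code from the bug report or from Gentoo's own tooling: it extracts every `<remote-id type="cpe">` from a metadata.xml document, splits the CPE 2.2 URI into its positional fields, flags any CPE whose product field is not the package name (the lint that would have caught this entry), and shows the versioned CPE a scanner would derive by appending the installed version. The two metadata.xml fragments are constructed to mirror the before/after state of this bug, and the installed version "0.94" is an assumed placeholder, not a value taken from the report.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <upstream> block as the bug describes it (wrong product).
BROKEN_METADATA = """<pkgmetadata>
	<upstream>
		<remote-id type="cpe">cpe:/a:gentoo:portage</remote-id>
	</upstream>
</pkgmetadata>
"""

# Constructed sample: the same block with the product set to the package name.
FIXED_METADATA = BROKEN_METADATA.replace("gentoo:portage<", "gentoo:portage-utils<")

# CPE 2.2 URI fields are positional: cpe:/part:vendor:product:version:update:edition:language
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def cpe_remote_ids(xml_text):
    """Return every <remote-id type="cpe"> value found in a metadata.xml document."""
    root = ET.fromstring(xml_text)
    return [
        (node.text or "").strip()
        for node in root.iter("remote-id")
        if node.get("type") == "cpe"
    ]


def parse_cpe22(uri):
    """Split a CPE 2.2 URI (cpe:/a:vendor:product[:version...]) into named fields.

    Only the 2.2 URI form used in Gentoo metadata.xml is handled; fields the URI
    leaves unspecified come back as None.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    components = uri[len("cpe:/"):].split(":")
    if len(components) < 3 or len(components) > len(CPE22_FIELDS):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    components += [None] * (len(CPE22_FIELDS) - len(components))
    return dict(zip(CPE22_FIELDS, components))


def check_cpe_product(package_atom, xml_text):
    """Return the CPE remote-ids whose product field does not name this package.

    A package-level CPE is expected to carry the package name (PN) as product,
    e.g. "portage-utils" for app-portage/portage-utils. An empty list means
    every CPE in the document matches.
    """
    package_name = package_atom.rsplit("/", 1)[-1].lower()
    mismatches = []
    for uri in cpe_remote_ids(xml_text):
        if parse_cpe22(uri)["product"].lower() != package_name:
            mismatches.append(uri)
    return mismatches


def scanner_cpes(xml_text, installed_version):
    """Build the versioned CPEs a scanner would report for an installed package.

    Scanners commonly take the package-level CPE from metadata and fill the
    version field with the installed package version. With BROKEN_METADATA and
    an installed portage-utils this yields a claim that portage itself is
    installed at portage-utils' version, which is the bug being reported.
    """
    result = []
    for uri in cpe_remote_ids(xml_text):
        f = parse_cpe22(uri)
        result.append(f"cpe:/{f['part']}:{f['vendor']}:{f['product']}:{installed_version}")
    return result


if __name__ == "__main__":
    atom = "app-portage/portage-utils"
    version = "0.94"  # assumed placeholder version, not taken from the bug report
    for label, xml_text in (("before fix", BROKEN_METADATA), ("after fix", FIXED_METADATA)):
        bad = check_cpe_product(atom, xml_text)
        print(f"{label}: {'OK' if not bad else 'MISMATCH ' + ', '.join(bad)}")
        print(f"  scanner would report: {scanner_cpes(xml_text, version)}")
```

Run against a checkout of the ::gentoo tree, the same product-versus-PN comparison applied to every metadata.xml is a cheap way to surface other mis-pointed package-level CPEs; packages whose upstream product name legitimately differs from PN would need an allow-list rather than a blanket rule.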
Comment 1 Fabian Groffen gentoo-dev 2023-02-28 06:59:10 UTC
I've sent this reply to your colleague:

Hi Michael,

I guess you're referring to metadata.xml's

        <remote-id type="cpe">cpe:/a:gentoo:portage</remote-id>

which came from commit 783f7f985c507

% git show 783f7f985c507
commit 783f7f985c507d10d457d3a09427b178f4926e9e
Author: Roy Yang <royyang@google.com>
Date:   Sat May 2 15:16:36 2020 -0700

    Fixed CPE tag for app-portage/portage-utils

    Signed-off-by: Roy Yang <royyang@google.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

diff --git a/app-portage/portage-utils/metadata.xml
b/app-portage/portage-utils/metadata.xml
index 3aac9818b8b0..6d218bbea7e4 100644
--- a/app-portage/portage-utils/metadata.xml
+++ b/app-portage/portage-utils/metadata.xml
@@ -9,4 +9,7 @@
                <flag name="qmanifest">Build qmanifest applet, this adds
additional dependencies for GPG, OpenSSL and BLAKE2B hashing</flag>
                <flag name="qtegrity">Build qtegrity applet, this adds
additional dependencies for OpenSSL</flag>
        </use>
+       <upstream>
+               <remote-id type="cpe">cpe:/a:gentoo:portage</remote-id>
+       </upstream>
 </pkgmetadata>
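Review bot: the added remote-id names the product "portage", but this metadata.xml belongs to app-portage/portage-utils, which does not install portage; any scanner that joins this package-level CPE with the installed version will report portage at portage-utils' version. The product field should be the package name, i.e. `<remote-id type="cpe">cpe:/a:gentoo:portage-utils</remote-id>`, and the commit message ("Fixed CPE tag for app-portage/portage-utils") should say where the identifier was taken from, since it gives no reason for choosing portage.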

So, it seems someone from your org/company assigned this "cpe".  I'm not
aware of any details of what it is, so could you suggest another value
to use here, or should I remove it?

Ultimately I think we'd need to loop in security, as they did the commit
and may have a better understanding what needs to be done here.

Thanks,
Fabian

@security, I assume these IDs are well-known to you, do you know how to get a new one for portage-utils?
Comment 2 SpanKY gentoo-dev 2023-03-01 19:09:13 UTC
> it seems someone from your org/company assigned this "cpe".

not sure what you mean by "assign", but Google isn't responsible for the "gentoo" namespace, or able to have things officially assigned.  Gentoo manages that namespace.  I expect this patch was just an oversight in trying to backfill things since the vast majority of CPE entries in Gentoo came from ChromiumOS.

let's just change it to "portage-utils", since that's the package name, and call it a day.  I'd make the change but my desktop is offline atm.
Comment 3 Fabian Groffen gentoo-dev 2023-03-01 20:35:16 UTC
If you say so, that's simple enough.  Consider it done.
Comment 4 Larry the Git Cow gentoo-dev 2023-03-01 20:35:21 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14a07eb230f0b23ad5d4d1f1825ccd5496b09bb5

commit 14a07eb230f0b23ad5d4d1f1825ccd5496b09bb5
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2023-03-01 20:33:56 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2023-03-01 20:33:56 +0000

    app-portage/portage-utils: set unique CPE entry
    
    Closes: https://bugs.gentoo.org/898196
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 app-portage/portage-utils/metadata.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-06 04:38:58 UTC
(In reply to SpanKY from comment #2)
> > it seems someone from your org/company assigned this "cpe".
> 
> not sure what you mean by "assign", but Google isn't responsible for the
> "gentoo" namespace, or able to have things officially assigned.  Gentoo
> manages that namespace.

If we manage CPEs, I've never heard of it. CPE assignments are ad-hoc, mediated by MITRE. Yes, it sucks. But thank MITRE, and if a CVE's CPEs are wrong, tell them. I suspect there's a CVE somewhere that incorrectly has a Portage CPE for a portage-utils issue, or something, which led to the wrong CPE getting added to portage-utils.

Of course, Whissi should've noticed this error too :(

> I expect this patch was just an oversight in trying
> to backfill things since the vast majority of CPE entries in Gentoo came
> from ChromiumOS.
> 
> let's just change it to "portage-utils", since that's the package name, and
> call it a day.  I'd make the change but my desktop is offline atm.