Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vcpkg.json: Add fields to specify CPE and PURL #44201

Open
invy opened this issue Mar 6, 2025 · 1 comment
Open

vcpkg.json: Add fields to specify CPE and PURL #44201

invy opened this issue Mar 6, 2025 · 1 comment
Assignees
@Cheney-W @JavierMatosD
Labels
category:vcpkg-feature The issue is a new capability of the tool that doesn’t already exist and we haven’t committed

Comments

@invy
Copy link

invy commented Mar 6, 2025
edited
Loading

If one is serious about vulnerability scanning of the libraries one use, one should be able to scan the libraries one uses against CVE databases.

However, the package name alone is not sufficient to find the corresponding CVEs.

Commonly CPE (Common Platform Enumerator) and/or PURL (Package URL) are being used to do this.
These, shall we call them 'keys', can uniquely identify which components we are trying to find in the CVE database.

The problem is: As far as I know, there is no way to automatically deduce based on the library name, which CPE or PURL it should correspond to.

Consider the example of 'libarchive':
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=libarchive

You can find all possible CPEs, which are available in the NVD Database for the name 'libarchive'

However:

  • vendor (author) can change:
cpe:2.3:a:freebsd:libarchive:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:libarchive:libarchive:2.6.0:*:*:*:*:*:*:*
  • the simple search covers all possible versions, vendors platforms and languages
  • you don't actually want to guess here, as this can potentially be security relevant (i.e. this must be done manually)

In this regard, I believe, the only way to uniquely identify, which library is being built by port is to specify CPE and PURL directly in the vcpkg.json manifest file.
This could look something like this:

"cveref": [
 { "cpe": "cpe:2.3:a:libarchive:libarchive:3.7.7:*:*:*:*:*:*:*" },
 { "purl": "pkg:generic/[email protected]" }
]

Consider, also, that in the example, I've specified PURL as 'generic' Type, because there is no known type for vcpkg (contrary to conan).
It would be great if vcpkg could be also a 'known' PURL Type.

Related links:
https://nvd.nist.gov/products/cpe/search
https://github.com/scanoss/purl2cpe
https://github.com/package-url/purl-spec/blob/main/PURL-TYPES.rst

vcpkg.schema.json:
https://github.com/microsoft/vcpkg-tool/blob/main/docs/vcpkg.schema.json

Additionally, this fields must be in vcpkg.json, and must be mandatory for port maintainers to fill, if available, to avoid providing and building ports, which could potentially contain issues (like liblzma)
@Cheney-W Cheney-W added the category:vcpkg-feature The issue is a new capability of the tool that doesn’t already exist and we haven’t committed label Mar 6, 2025
@JavierMatosD
Copy link
Contributor

Discussion on adding purl spec -> package-url/purl-spec#245 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Cheney-W Cheney-W

@JavierMatosD JavierMatosD

Labels
category:vcpkg-feature The issue is a new capability of the tool that doesn’t already exist and we haven’t committed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@invy @Cheney-W @JavierMatosD