Bug 1217921

Summary: CPE ID in /etc/os-release adheres to superseded standard.
Product: [openSUSE] openSUSE Tumbleweed Reporter: roke beedell <rokejulianlockhart+1674683091>
Component: Basesystem Assignee: Dominique Leuenberger <dimstar>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Enhancement    
Priority: P4 - Low CC: meissner
Version: Current   
Target Milestone: ---   
Hardware: All   
OS: openSUSE Tumbleweed   
URL: https://nvd.nist.gov/products/cpe/detail/34AB288B-8A0F-4C9D-9C61-6E11BC2CE0E8?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Ao%3Aopensuse%3Atumbleweed%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: No
Marketing QA Status: --- IT Deployment: ---
Attachments: os-release as of cpe:2.3:o:opensuse:tumbleweed:20231208.
Specification Documentation

Description roke beedell 2023-12-10 17:53:35 UTC
Created attachment 871229 [details]
os-release as of cpe:2.3:o:opensuse:tumbleweed:20231208.

The Common Platform Enumeration Operating System Identifier (as hostnamectl and /etc/os-release report) format adheres to the pre-2.3 version, as its lack of version demonstrates. https://nvd.nist.gov/products/cpe/detail/34AB288B-8A0F-4C9D-9C61-6E11BC2CE0E8?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Ao%3Aopensuse%3Atumbleweed%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED demonstrates how it should be formatted.
Comment 1 roke beedell 2023-12-10 23:17:45 UTC
Created attachment 871230 [details]
Specification Documentation

(In reply to roke beedell from comment #0)
> Created attachment 871229 [details]
> os-release as of cpe:2.3:o:opensuse:tumbleweed:20231208.
> 
> The Common Platform Enumeration Operating System Identifier (as hostnamectl
> and /etc/os-release report) format adheres to the pre-2.3 version, as its
> lack of version demonstrates.
> https://nvd.nist.gov/products/cpe/detail/34AB288B-8A0F-4C9D-9C61-6E11BC2CE0E8?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Ao%3Aopensuse%3Atumbleweed%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED
> demonstrates how it should be formatted.

More specifically, https://doi.org/10.6028/NIST.IR.7695#page=7&zoom=auto,-332,731 (from https://csrc.nist.gov/pubs/ir/7695/final) states:

> This method of naming is known as a well-formed CPE name (WFN). It is an abstract logical
> construction. The CPE Naming specification defines procedures for binding WFNs to machine-readable
> encodings, as well as unbinding those encodings back to WFNs. One of the bindings, called a Uniform
> Resource Identifier (URI) binding, is included in CPE version 2.3 for backward compatibility with CPE
> version 2.2 [CPE22]. The URI binding representation of the WFN above is:
> 
> cpe:/a:microsoft:internet_explorer:8.0.6001:beta
> 
> The second binding defined in CPE 2.3 is called a formatted string binding. It has a somewhat different
> syntax than the URI binding, and it also supports additional product attributes. With the formatted string
> binding, the WFN above can be represented by the following.
> 
> cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*

We should be proactive in adhering to 2.3 rather than relying upon backward compatibility with 2.2.
Comment 2 roke beedell 2023-12-10 23:25:48 UTC
I do prefer the WFN 2.2 syntax - it appears to be merely logically ordered rather than bound to a complex specification. However, most of the world appears to have moved on. Consider this more an RFC than a proposal I fervently support.
Comment 3 roke beedell 2024-02-02 16:20:07 UTC
```.log
PS /home/RokeJulianLockhart> cat -vbET '/etc/os-release' | grep 'CPE_NAME' 
     9  CPE_NAME="cpe:2.3:o:opensuse:tumbleweed:20240131:*:*:*:*:*:*:*"$
    11  #CPE_NAME="cpe:/o:opensuse:tumbleweed:20240131"$
PS /home/RokeJulianLockhart>
```
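
The following is an added example, not part of the bug report or of openSUSE's tooling. It shows how a scanner or inventory script that reads `CPE_NAME` from `/etc/os-release` can normalise the CPE 2.2 URI binding quoted in comment 1 to the 2.3 formatted string shown in comment 3, so that either form matches the same NVD entry. The function names are hypothetical, and the conversion follows the unbind/bind rules of NISTIR 7695, going beyond the single os-release value to cover percent-escapes and the packed edition field.

```python
import re
import string

# URI-binding tokens -> formatted-string text (per NISTIR 7695): %01/%02 are the
# unquoted wildcards, "." and "-" drop their quoting, other punctuation keeps "\".
ESC = {"%01": "?", "%02": "*", "~": "\\~"}
for _ch in set(string.punctuation) - {"_"}:      # "_" is never percent-encoded
    ESC[f"%{ord(_ch):02x}"] = _ch if _ch in ".-" else "\\" + _ch
TOKEN = re.compile(r"%[0-9a-f]{2}|[a-z0-9._~-]")

def decode(comp):
    """Convert one lower-cased URI-binding component to formatted-string form."""
    if comp in ("", "-"):                        # empty = ANY, lone hyphen = NA
        return "*" if comp == "" else "-"
    toks = TOKEN.findall(comp)
    if "".join(toks) != comp or any(t[0] == "%" and t not in ESC for t in toks):
        raise ValueError(f"illegal character or escape in {comp!r}")
    return "".join(ESC.get(t, t) for t in toks)

def uri_to_fs(uri):
    """Rewrite a CPE 2.2 URI binding as a CPE 2.3 formatted string."""
    uri = uri.lower()
    comps = uri[5:].split(":")
    if not uri.startswith("cpe:/") or len(comps) > 7:
        raise ValueError(f"not a CPE URI binding: {uri!r}")
    part, vendor, product, version, update, edition, lang = comps + [""] * (7 - len(comps))
    # A leading "~" marks a packed edition carrying the four 2.3-only attributes.
    packed = edition.split("~")[1:] if edition.startswith("~") else [edition, "", "", "", ""]
    if len(packed) != 5:
        raise ValueError(f"malformed packed edition: {edition!r}")
    ed, sw_ed, t_sw, t_hw, other = packed
    attrs = [part, vendor, product, version, update, ed, lang, sw_ed, t_sw, t_hw, other]
    return "cpe:2.3:" + ":".join(decode(a) for a in attrs)

def cpe_from_os_release(text):
    """Return (raw CPE_NAME, formatted string) from os-release text, or None."""
    for line in text.splitlines():
        m = re.match(r'\s*CPE_NAME="?([^"]*)"?\s*$', line)  # skips "#CPE_NAME=" lines
        if m:
            raw = m.group(1)
            return raw, (raw if raw.startswith("cpe:2.3:") else uri_to_fs(raw))
    return None

# Constructed sample, modelled on the pre-fix value quoted in comment 3.
SAMPLE = '#CPE_NAME="cpe:/o:example:ignored:1"\nCPE_NAME="cpe:/o:opensuse:tumbleweed:20240131"\n'
if __name__ == "__main__":
    print(cpe_from_os_release(SAMPLE))
```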