Bug 1217921 - CPE ID in /etc/os-release adheres to superseded standard.
Summary: CPE ID in /etc/os-release adheres to superseded standard.
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem (show other bugs)
Version: Current
Hardware: All openSUSE Tumbleweed
: P4 - Low : Enhancement (vote)
Target Milestone: ---
Assignee: Dominique Leuenberger
QA Contact: E-mail List
URL: https://nvd.nist.gov/products/cpe/det...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-10 17:53 UTC by roke beedell
Modified: 2024-02-02 16:20 UTC (History)
1 user (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: No
Marketing QA Status: ---
IT Deployment: ---

Attachments
os-release as of cpe:2.3:o:opensuse:tumbleweed:20231208. (438 bytes, text/plain)
2023-12-10 17:53 UTC, roke beedell 		Details
Specification Documentation (993.84 KB, application/pdf)
2023-12-10 23:17 UTC, roke beedell 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description roke beedell 2023-12-10 17:53:35 UTC 
Created attachment 871229 [details]
os-release as of cpe:2.3:o:opensuse:tumbleweed:20231208.

The Common Platform Enumeration Operating System Identifier (as hostnamectl and /etc/os-release report) format adheres to the pre-2.3 version, as its lack of version demonstrates. https://nvd.nist.gov/products/cpe/detail/34AB288B-8A0F-4C9D-9C61-6E11BC2CE0E8?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Ao%3Aopensuse%3Atumbleweed%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED demonstrates how it should be formatted.
Comment 1 roke beedell 2023-12-10 23:17:45 UTC 
Created attachment 871230 [details]
Specification Documentation

(In reply to roke beedell from comment #0)
> Created attachment 871229 [details]
> os-release as of cpe:2.3:o:opensuse:tumbleweed:20231208.
> 
> The Common Platform Enumeration Operating System Identifier (as hostnamectl
> and /etc/os-release report) format adheres to the pre-2.3 version, as its
> lack of version demonstrates.
> https://nvd.nist.gov/products/cpe/detail/34AB288B-8A0F-4C9D-9C61-
> 6E11BC2CE0E8?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.
> 3%3Ao%3Aopensuse%3Atumbleweed%3A-
> %3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED demonstrates how it
> should be formatted.

More specifically, per https://doi.org/10.6028/NIST.IR.7695#page=7&zoom=auto,-332,731 (from https://csrc.nist.gov/pubs/ir/7695/final) states:

> This method of naming is known as a well-formed CPE name (WFN). It is an abstract logical
> construction. The CPE Naming specification defines procedures for binding WFNs to machine-readable
> encodings, as well as unbinding those encodings back to WFNs. One of the bindings, called a Uniform
> Resource Identifier (URI) binding, is included in CPE version 2.3 for backward compatibility with CPE
> version 2.2 [CPE22]. The URI binding representation of the WFN above is:
> 
> cpe:/a:microsoft:internet_explorer:8.0.6001:beta
> 
> The second binding defined in CPE 2.3 is called a formatted string binding. It has a somewhat different
> syntax than the URI binding, and it also supports additional product attributes. With the formatted string
> binding, the WFN above can be represented by the following.
> 
> cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*

We should be proactive in adhering to 2.3 rather than relying upon backward compatibility with 2.2.
Comment 2 roke beedell 2023-12-10 23:25:48 UTC 
I do prefer the WFN 2.2 syntax - it appears to be merely logically ordered rather than bound to a complex specification. However, most of the world appears to have moved on. Consider this more an RFC than a proposal I fervently support.
Comment 3 roke beedell 2024-02-02 16:20:07 UTC 
```.log
PS /home/RokeJulianLockhart> cat -vbET '/etc/os-release' | grep 'CPE_NAME' 
     9  CPE_NAME="cpe:2.3:o:opensuse:tumbleweed:20240131:*:*:*:*:*:*:*"$
    11  #CPE_NAME="cpe:/o:opensuse:tumbleweed:20240131"$
PS /home/RokeJulianLockhart>
```