[v8,6/9] cpe-info: update manual for new pkg vars

Message ID 1552082667-46877-7-git-send-email-matthew.weber@rockwellcollins.com
State Changes Requested
Series
  • Package CPE Reporting

Commit Message

Matt Weber March 8, 2019, 10:04 p.m. UTC
Provide guidance on setting up the *_CPE_* and *_CVE_* variables.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes

v8
 - Added note about minor version
 - Removed CVE patch listing as the backend has not been implemented
    (LIBFOO_CVE_PATCHED)

v4 -> v7
 - None

v3
 - Updated to make *_CPE_VENDOR optional
 - Changed wording around _CPE_ID as there is only one defined now

v2
[Thomas P
 - Reworded LIBFOO_CVE_PATCHED description

[Matt W
 - Added definition for new preset variables to auto-gen the CPE ID
 - Added example LIBFOO_CPE_ID_VENDOR to LIBFOO
---
 docs/manual/adding-packages-generic.txt | 111 +++++++++++++++++++-------------
 1 file changed, 68 insertions(+), 43 deletions(-)

Comments

Arnout Vandecappelle April 14, 2019, 3:32 p.m. UTC | #1
On 08/03/2019 23:04, Matt Weber wrote:
> +license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
> +analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with

 "for vulnerability analysis" is not entirely correct; it's for product
identification. And of course this would be a full CPE_ID not just a vendor. So
it should become something like

... and the CPE (Common Platform Enumeration) identifier.

 There should be a reference to the cpe-info section as well, but of course that
can be added only after that section has been added.

 Regards,
 Arnout
Thomas De Schampheleire April 14, 2019, 5:24 p.m. UTC | #2
On Fri, Mar 8, 2019, 23:06 Matt Weber <matthew.weber@rockwellcollins.com>
wrote:

> Provide guidance on setting up the *_CPE_* and *_CVE_* variables.
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
> Changes
>
> v8
>  - Added note about minor version
>  - Removed CVE patch listing as the backend has not been implemented
>     (LIBFOO_CVE_PATCHED)
>
> v4 -> v7
>  - None
>
> v3
>  - Updated to make *_CPE_VENDOR optional
>  - Changed wording around _CPE_ID as there is only one defined now
>
> v2
> [Thomas P
>  - Reworded LIBFOO_CVE_PATCHED description
>
> [Matt W
>  - Added definition for new preset variables to auto-gen the CPE ID
>  - Added example LIBFOO_CPE_ID_VENDOR to LIBFOO
> ---
>  docs/manual/adding-packages-generic.txt | 111
> +++++++++++++++++++-------------
>  1 file changed, 68 insertions(+), 43 deletions(-)
>
> diff --git a/docs/manual/adding-packages-generic.txt
> b/docs/manual/adding-packages-generic.txt
> index 7be1754..ddf1b2e 100644
> --- a/docs/manual/adding-packages-generic.txt
> +++ b/docs/manual/adding-packages-generic.txt
> @@ -24,57 +24,59 @@ system is based on hand-written Makefiles or shell
> scripts.
>  09: LIBFOO_SITE = http://www.foosoftware.org/download
>  10: LIBFOO_LICENSE = GPL-3.0+
>  11: LIBFOO_LICENSE_FILES = COPYING
> -12: LIBFOO_INSTALL_STAGING = YES
> -13: LIBFOO_CONFIG_SCRIPTS = libfoo-config
> -14: LIBFOO_DEPENDENCIES = host-libaaa libbbb
> -15:
> -16: define LIBFOO_BUILD_CMDS
> -17:    $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
> -18: endef
> -19:
> -20: define LIBFOO_INSTALL_STAGING_CMDS
> -21:    $(INSTALL) -D -m 0755 $(@D)/libfoo.a
> $(STAGING_DIR)/usr/lib/libfoo.a
> -22:    $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
> -23:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
> -24: endef
> -25:
> -26: define LIBFOO_INSTALL_TARGET_CMDS
> -27:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
> -28:    $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
> -29: endef
> -30:
> -31: define LIBFOO_USERS
> -32:    foo -1 libfoo -1 * - - - LibFoo daemon
> -33: endef
> -34:
> -35: define LIBFOO_DEVICES
> -36:    /dev/foo  c  666  0  0  42  0  -  -  -
> -37: endef
> -38:
> -39: define LIBFOO_PERMISSIONS
> -40:    /bin/foo  f  4755  foo  libfoo   -  -  -  -  -
> -41: endef
> -42:
> -43: $(eval $(generic-package))
> +12: LIBFOO_CPE_ID_VENDOR = foosoftware
> +13: LIBFOO_INSTALL_STAGING = YES
> +14: LIBFOO_CONFIG_SCRIPTS = libfoo-config
> +15: LIBFOO_DEPENDENCIES = host-libaaa libbbb
> +16:
> +17: define LIBFOO_BUILD_CMDS
> +18:    $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
> +19: endef
> +20:
> +21: define LIBFOO_INSTALL_STAGING_CMDS
> +22:    $(INSTALL) -D -m 0755 $(@D)/libfoo.a
> $(STAGING_DIR)/usr/lib/libfoo.a
> +23:    $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
> +24:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
> +25: endef
> +26:
> +27: define LIBFOO_INSTALL_TARGET_CMDS
> +28:    $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
> +29:    $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
> +30: endef
> +31:
> +32: define LIBFOO_USERS
> +33:    foo -1 libfoo -1 * - - - LibFoo daemon
> +34: endef
> +35:
> +36: define LIBFOO_DEVICES
> +37:    /dev/foo  c  666  0  0  42  0  -  -  -
> +38: endef
> +39:
> +40: define LIBFOO_PERMISSIONS
> +41:    /bin/foo  f  4755  foo  libfoo   -  -  -  -  -
> +42: endef
> +43:
> +44: $(eval $(generic-package))
>  --------------------------------
>
> -The Makefile begins on line 7 to 11 with metadata information: the
> +The Makefile begins on line 7 to 12 with metadata information: the
>  version of the package (+LIBFOO_VERSION+), the name of the
>  tarball containing the package (+LIBFOO_SOURCE+) (xz-ed tarball
> recommended)
>  the Internet location at which the tarball can be downloaded from
> -(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+) and file with the
> -license text (+LIBFOO_LICENSE_FILES+). All variables must start with
> +(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+), the file with the
> +license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
> +analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with
>  the same prefix, +LIBFOO_+ in this case. This prefix is always the
>  uppercased version of the package name (see below to understand where
>  the package name is defined).
>
> -On line 12, we specify that this package wants to install something to
> +On line 13, we specify that this package wants to install something to
>  the staging space. This is often needed for libraries, since they must
>  install header files and other development files in the staging space.
>  This will ensure that the commands listed in the
>  +LIBFOO_INSTALL_STAGING_CMDS+ variable will be executed.
>
> -On line 13, we specify that there is some fixing to be done to some
> +On line 14, we specify that there is some fixing to be done to some
>  of the 'libfoo-config' files that were installed during
>  +LIBFOO_INSTALL_STAGING_CMDS+ phase.
>  These *-config files are executable shell script files that are
> @@ -122,14 +124,14 @@ IMAGEMAGICK_CONFIG_SCRIPTS = \
>  --------------------------------
>  ================================
>
> -On line 14, we specify the list of dependencies this package relies
> +On line 15, we specify the list of dependencies this package relies
>  on. These dependencies are listed in terms of lower-case package names,
>  which can be packages for the target (without the +host-+
>  prefix) or packages for the host (with the +host-+) prefix).
>  Buildroot will ensure that all these packages are built and installed
>  'before' the current package starts its configuration.
>
> -The rest of the Makefile, lines 16..29, defines what should be done
> +The rest of the Makefile, lines 17..29, defines what should be done
>  at the different steps of the package configuration, compilation and
>  installation.
>  +LIBFOO_BUILD_CMDS+ tells what steps should be performed to
> @@ -142,16 +144,16 @@ All these steps rely on the +$(@D)+ variable, which
>  contains the directory where the source code of the package has been
>  extracted.
>
> -On lines 31..43, we define a user that is used by this package (e.g.
> +On lines 32..44, we define a user that is used by this package (e.g.
>  to run a daemon as non-root) (+LIBFOO_USERS+).
>
> -On line 35..37, we define a device-node file used by this package
> +On line 36..38, we define a device-node file used by this package
>  (+LIBFOO_DEVICES+).
>
> -On line 39..41, we define the permissions to set to specific files
> +On line 40..42, we define the permissions to set to specific files
>  installed by this package (+LIBFOO_PERMISSIONS+).
>
> -Finally, on line 43, we call the +generic-package+ function, which
> +Finally, on line 44, we call the +generic-package+ function, which
>  generates, according to the variables defined previously, all the
>  Makefile code necessary to make your package working.
>
> @@ -482,6 +484,29 @@ not and can not work as people would expect it should:
>    locations, `/lib/firmware`, `/usr/lib/firmware`, `/lib/modules`,
>    `/usr/lib/modules`, and `/usr/share`, which are automatically excluded.
>
> +* +LIBFOO_CPE_ID_VENDOR+
> +  This variable is optional. It only must be defined if the package name
> +  does not match what the CPE ID uses for the vendor. By default it's set
> +  to <pkg-name>_project.
> +
> +* +LIBFOO_CPE_ID_NAME+
> +  This variable is optional. It only must be defined if the package name
> +  does not match what the CPE ID uses for the name. By default it's set
> +  to <pkg-name>.
> +
> +* +LIBFOO_CPE_ID_VERSION+
> +  This variable is optional. By default it's set to <pkg-version>.
> +
> +* +LIBFOO_CPE_ID_VERSION_MINOR+
> +  This variable is optional. By default it's set to *.
> +
> +* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
> +  default case of a single package's Common Product Enumeration (CPE)
> +  identification string. +make cpe-info+ copies all of these into a
> +  +cpe-manifest.csv+ file. To identify a package's possible CPE,
> +  the National Vunerability Database can be searched at
>

Also here: Vulnerability with l


> +  https://nvd.nist.gov/products/cpe/search.
> +
>  The recommended way to define these variables is to use the following
>  syntax:
>
> --
> 1.9.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>

Patch

diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
index 7be1754..ddf1b2e 100644
--- a/docs/manual/adding-packages-generic.txt
+++ b/docs/manual/adding-packages-generic.txt
@@ -24,57 +24,59 @@  system is based on hand-written Makefiles or shell scripts.
 09: LIBFOO_SITE = http://www.foosoftware.org/download
 10: LIBFOO_LICENSE = GPL-3.0+
 11: LIBFOO_LICENSE_FILES = COPYING
-12: LIBFOO_INSTALL_STAGING = YES
-13: LIBFOO_CONFIG_SCRIPTS = libfoo-config
-14: LIBFOO_DEPENDENCIES = host-libaaa libbbb
-15:
-16: define LIBFOO_BUILD_CMDS
-17:	$(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
-18: endef
-19:
-20: define LIBFOO_INSTALL_STAGING_CMDS
-21:	$(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
-22:	$(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
-23:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
-24: endef
-25:
-26: define LIBFOO_INSTALL_TARGET_CMDS
-27:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
-28:	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
-29: endef
-30:
-31: define LIBFOO_USERS
-32:	foo -1 libfoo -1 * - - - LibFoo daemon
-33: endef
-34:
-35: define LIBFOO_DEVICES
-36:	/dev/foo  c  666  0  0	42  0  -  -  -
-37: endef
-38:
-39: define LIBFOO_PERMISSIONS
-40:	/bin/foo  f  4755  foo  libfoo	 -  -  -  -  -
-41: endef
-42:
-43: $(eval $(generic-package))
+12: LIBFOO_CPE_ID_VENDOR = foosoftware
+13: LIBFOO_INSTALL_STAGING = YES
+14: LIBFOO_CONFIG_SCRIPTS = libfoo-config
+15: LIBFOO_DEPENDENCIES = host-libaaa libbbb
+16:
+17: define LIBFOO_BUILD_CMDS
+18:	$(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
+19: endef
+20:
+21: define LIBFOO_INSTALL_STAGING_CMDS
+22:	$(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
+23:	$(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
+24:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
+25: endef
+26:
+27: define LIBFOO_INSTALL_TARGET_CMDS
+28:	$(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
+29:	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
+30: endef
+31:
+32: define LIBFOO_USERS
+33:	foo -1 libfoo -1 * - - - LibFoo daemon
+34: endef
+35:
+36: define LIBFOO_DEVICES
+37:	/dev/foo  c  666  0  0	42  0  -  -  -
+38: endef
+39:
+40: define LIBFOO_PERMISSIONS
+41:	/bin/foo  f  4755  foo  libfoo	 -  -  -  -  -
+42: endef
+43:
+44: $(eval $(generic-package))
 --------------------------------
 
-The Makefile begins on line 7 to 11 with metadata information: the
+The Makefile begins on line 7 to 12 with metadata information: the
 version of the package (+LIBFOO_VERSION+), the name of the
 tarball containing the package (+LIBFOO_SOURCE+) (xz-ed tarball recommended)
 the Internet location at which the tarball can be downloaded from
-(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+) and file with the
-license text (+LIBFOO_LICENSE_FILES+). All variables must start with
+(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+), the file with the
+license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
+analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with
 the same prefix, +LIBFOO_+ in this case. This prefix is always the
 uppercased version of the package name (see below to understand where
 the package name is defined).
 
-On line 12, we specify that this package wants to install something to
+On line 13, we specify that this package wants to install something to
 the staging space. This is often needed for libraries, since they must
 install header files and other development files in the staging space.
 This will ensure that the commands listed in the
 +LIBFOO_INSTALL_STAGING_CMDS+ variable will be executed.
 
-On line 13, we specify that there is some fixing to be done to some
+On line 14, we specify that there is some fixing to be done to some
 of the 'libfoo-config' files that were installed during
 +LIBFOO_INSTALL_STAGING_CMDS+ phase.
 These *-config files are executable shell script files that are
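Review bot: the new metadata sentence at `+license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability` / `+analysis (+LIBFOO_CPE_ID_VENDOR+)` misspells "vulnerability" and describes the variable too narrowly: the CPE data identifies the product, and the vendor is only one field of the CPE identifier that +make cpe-info+ assembles (see the +LIBFOO_CPE_ID+ entry added later in this patch). Suggest "the file with the license text (+LIBFOO_LICENSE_FILES+) and the vendor part of the package's CPE (Common Platform Enumeration) identifier (+LIBFOO_CPE_ID_VENDOR+)", plus a cross-reference to the cpe-info section once that section lands.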
@@ -122,14 +124,14 @@  IMAGEMAGICK_CONFIG_SCRIPTS = \
 --------------------------------
 ================================
 
-On line 14, we specify the list of dependencies this package relies
+On line 15, we specify the list of dependencies this package relies
 on. These dependencies are listed in terms of lower-case package names,
 which can be packages for the target (without the +host-+
 prefix) or packages for the host (with the +host-+) prefix).
 Buildroot will ensure that all these packages are built and installed
 'before' the current package starts its configuration.
 
-The rest of the Makefile, lines 16..29, defines what should be done
+The rest of the Makefile, lines 17..29, defines what should be done
 at the different steps of the package configuration, compilation and
 installation.
 +LIBFOO_BUILD_CMDS+ tells what steps should be performed to
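Review bot: the renumbered range on `+The rest of the Makefile, lines 17..29, defines what should be done` only shifts the start of the range. In the updated example, +LIBFOO_INSTALL_TARGET_CMDS+ now closes at `+30: endef` (first hunk), so the line should read "lines 17..30"; as written, the install-target step falls outside the range the sentence claims to describe.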
@@ -142,16 +144,16 @@  All these steps rely on the +$(@D)+ variable, which
 contains the directory where the source code of the package has been
 extracted.
 
-On lines 31..43, we define a user that is used by this package (e.g.
+On lines 32..44, we define a user that is used by this package (e.g.
 to run a daemon as non-root) (+LIBFOO_USERS+).
 
-On line 35..37, we define a device-node file used by this package
+On line 36..38, we define a device-node file used by this package
 (+LIBFOO_DEVICES+).
 
-On line 39..41, we define the permissions to set to specific files
+On line 40..42, we define the permissions to set to specific files
 installed by this package (+LIBFOO_PERMISSIONS+).
 
-Finally, on line 43, we call the +generic-package+ function, which
+Finally, on line 44, we call the +generic-package+ function, which
 generates, according to the variables defined previously, all the
 Makefile code necessary to make your package working.
 
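Review bot: `+On lines 32..44, we define a user that is used by this package (e.g.` is a faithful +1 shift of the old range, but in the updated example the +LIBFOO_USERS+ block only occupies lines 32..34 (`+32: define LIBFOO_USERS` to `+34: endef`), while lines 36..44 are covered by the three sentences that follow. Since the line is being touched anyway, narrowing it to "On lines 32..34" would stop the ranges in this hunk from overlapping.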
@@ -482,6 +484,29 @@  not and can not work as people would expect it should:
   locations, `/lib/firmware`, `/usr/lib/firmware`, `/lib/modules`,
   `/usr/lib/modules`, and `/usr/share`, which are automatically excluded.
 
+* +LIBFOO_CPE_ID_VENDOR+
+  This variable is optional. It only must be defined if the package name
+  does not match what the CPE ID uses for the vendor. By default it's set
+  to <pkg-name>_project.
+
+* +LIBFOO_CPE_ID_NAME+
+  This variable is optional. It only must be defined if the package name
+  does not match what the CPE ID uses for the name. By default it's set
+  to <pkg-name>.
+
+* +LIBFOO_CPE_ID_VERSION+
+  This variable is optional. By default it's set to <pkg-version>.
+
+* +LIBFOO_CPE_ID_VERSION_MINOR+
+  This variable is optional. By default it's set to *.
+
+* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
+  default case of a single package's Common Product Enumeration (CPE)
+  identification string. +make cpe-info+ copies all of these into a
+  +cpe-manifest.csv+ file. To identify a package's possible CPE,
+  the National Vunerability Database can be searched at
+  https://nvd.nist.gov/products/cpe/search.
+
 The recommended way to define these variables is to use the following
 syntax:
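Review bot: the new variable descriptions have several wording problems. In the +LIBFOO_CPE_ID+ entry, "hangles" should be "handles", "Vunerability" should be "Vulnerability" (already flagged in the thread) and "Common Product Enumeration" should be "Common Platform Enumeration", which is what CPE stands for. "It only must be defined" in the VENDOR and NAME entries reads better as "It must only be defined". The +LIBFOO_CPE_ID+ entry also never says how the VENDOR, NAME, VERSION and VERSION_MINOR defaults are assembled into the identifier, nor what happens to those four variables when a package sets +LIBFOO_CPE_ID+ directly; one sentence on each would let a package author predict what ends up in +cpe-manifest.csv+. Lastly, "By default it's set to *." for VERSION_MINOR is easy to misread once rendered; marking the asterisk as a literal (e.g. "the wildcard +*+") and stating that +<pkg-name>_project+ means a package +libfoo+ defaults to vendor +libfoo_project+ would make both defaults unambiguous.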