
[10/10] package: provide CPE ID details for numerous packages

Message ID 20201104145145.1316167-11-thomas.petazzoni@bootlin.com
State New
Series Introduce CPE ID matching for CVEs | expand

Commit Message

Thomas Petazzoni Nov. 4, 2020, 2:51 p.m. UTC
From: Matt Weber <matthew.weber@rockwellcollins.com>

This patch adds CPE ID information for a significant number of
packages.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 boot/grub2/grub2.mk                                   |  1 +
 boot/uboot/uboot.mk                                   |  2 ++
 linux/linux.mk                                        |  2 ++
 package/audit/audit.mk                                |  2 ++
 package/aufs/aufs.mk                                  |  1 +
 package/bash/bash.mk                                  |  1 +
 package/bc/bc.mk                                      |  1 +
 package/bind/bind.mk                                  |  1 +
 package/boost/boost.mk                                |  1 +
 package/bridge-utils/bridge-utils.mk                  |  1 +
 package/busybox/busybox.mk                            |  1 +
 package/bzip2/bzip2.mk                                |  1 +
 package/clang/clang.mk                                |  1 +
 package/collectd/collectd.mk                          |  1 +
 package/conntrack-tools/conntrack-tools.mk            |  1 +
 package/coreutils/coreutils.mk                        |  1 +
 package/crda/crda.mk                                  |  1 +
 package/davici/davici.mk                              |  1 +
 package/dbus-glib/dbus-glib.mk                        |  1 +
 package/dbus/dbus.mk                                  |  2 ++
 package/dhcp/dhcp.mk                                  |  1 +
 package/dnsmasq/dnsmasq.mk                            |  1 +
 package/dropbear/dropbear.mk                          |  2 ++
 package/ebtables/ebtables.mk                          |  1 +
 package/ethtool/ethtool.mk                            |  1 +
 package/expat/expat.mk                                |  1 +
 package/gdb/gdb.mk                                    |  1 +
 package/gesftpserver/gesftpserver.mk                  |  2 ++
 package/glibc/glibc.mk                                |  1 +
 package/gmp/gmp.mk                                    |  1 +
 package/gnupg/gnupg.mk                                |  1 +
 package/gnutls/gnutls.mk                              |  1 +
 package/grep/grep.mk                                  |  1 +
 package/gtest/gtest.mk                                |  2 ++
 package/gzip/gzip.mk                                  |  1 +
 package/hostapd/hostapd.mk                            |  1 +
 package/ifupdown/ifupdown.mk                          |  1 +
 package/iperf/iperf.mk                                |  2 ++
 package/iperf3/iperf3.mk                              |  1 +
 package/ipset/ipset.mk                                |  1 +
 package/iptables/iptables.mk                          |  1 +
 package/iw/iw.mk                                      |  1 +
 package/kmod/kmod.mk                                  |  2 ++
 package/libarchive/libarchive.mk                      |  1 +
 package/libcurl/libcurl.mk                            |  2 ++
 package/libestr/libestr.mk                            |  1 +
 package/libfastjson/libfastjson.mk                    |  1 +
 package/libfcgi/libfcgi.mk                            |  2 ++
 package/libffi/libffi.mk                              |  2 ++
 package/libgcrypt/libgcrypt.mk                        |  1 +
 package/libglib2/libglib2.mk                          |  2 ++
 package/libgpg-error/libgpg-error.mk                  |  1 +
 package/liblogging/liblogging.mk                      |  1 +
 package/libmbim/libmbim.mk                            |  1 +
 package/libmnl/libmnl.mk                              |  1 +
 .../libnetfilter_conntrack/libnetfilter_conntrack.mk  |  1 +
 .../libnetfilter_cthelper/libnetfilter_cthelper.mk    |  1 +
 .../libnetfilter_cttimeout/libnetfilter_cttimeout.mk  |  1 +
 package/libnetfilter_queue/libnetfilter_queue.mk      |  1 +
 package/libnfnetlink/libnfnetlink.mk                  |  1 +
 package/libopenssl/Config.in                          | 11 +++++++++++
 package/libopenssl/libopenssl.mk                      |  2 ++
 package/libpcap/libpcap.mk                            |  1 +
 package/libselinux/libselinux.mk                      |  1 +
 package/libsemanage/libsemanage.mk                    |  1 +
 package/libsepol/libsepol.mk                          |  1 +
 package/libssh2/libssh2.mk                            |  1 +
 package/libsysfs/libsysfs.mk                          |  2 ++
 package/libtasn1/libtasn1.mk                          |  1 +
 package/libunistring/libunistring.mk                  |  1 +
 package/libxml2/libxml2.mk                            |  1 +
 package/libxslt/libxslt.mk                            |  1 +
 package/libzlib/libzlib.mk                            |  2 ++
 package/lighttpd/lighttpd.mk                          |  1 +
 package/linux-firmware/linux-firmware.mk              |  2 ++
 package/linux-headers/linux-headers.mk                |  2 ++
 package/linux-pam/linux-pam.mk                        |  2 ++
 package/llvm/llvm.mk                                  |  1 +
 package/lxc/lxc.mk                                    |  1 +
 package/lz4/lz4.mk                                    |  1 +
 package/memtester/memtester.mk                        |  1 +
 package/mii-diag/mii-diag.mk                          |  1 +
 package/mpfr/mpfr.mk                                  |  1 +
 package/mrouted/mrouted.mk                            |  1 +
 package/mtd/mtd.mk                                    |  2 ++
 package/ncurses/ncurses.mk                            |  1 +
 package/netsnmp/netsnmp.mk                            |  2 ++
 package/nfs-utils/nfs-utils.mk                        |  2 ++
 package/openssh/openssh.mk                            |  3 +++
 package/pax-utils/pax-utils.mk                        |  1 +
 package/paxtest/paxtest.mk                            |  1 +
 package/pcre/pcre.mk                                  |  1 +
 package/pixman/pixman.mk                              |  1 +
 package/policycoreutils/policycoreutils.mk            |  1 +
 package/pppd/pppd.mk                                  |  2 ++
 package/proftpd/proftpd.mk                            |  1 +
 package/protobuf/protobuf.mk                          |  1 +
 package/pure-ftpd/pure-ftpd.mk                        |  1 +
 package/python-lxml/python-lxml.mk                    |  2 ++
 package/python-setuptools/python-setuptools.mk        |  2 ++
 package/python/python.mk                              |  1 +
 package/qemu/qemu.mk                                  |  1 +
 package/rapidjson/rapidjson.mk                        |  1 +
 package/readline/readline.mk                          |  1 +
 package/refpolicy/refpolicy.mk                        |  1 +
 package/rsyslog/rsyslog.mk                            |  1 +
 package/rt-tests/rt-tests.mk                          |  1 +
 package/sed/sed.mk                                    |  1 +
 package/setools/setools.mk                            |  1 +
 package/setserial/setserial.mk                        |  1 +
 package/smcroute/smcroute.mk                          |  1 +
 package/spawn-fcgi/spawn-fcgi.mk                      |  1 +
 package/sqlite/sqlite.mk                              |  2 ++
 package/strongswan/strongswan.mk                      |  1 +
 package/tar/tar.mk                                    |  1 +
 package/tcl/tcl.mk                                    |  1 +
 package/tcpdump/tcpdump.mk                            |  1 +
 package/tftpd/tftpd.mk                                |  2 ++
 package/uboot-tools/uboot-tools.mk                    |  2 ++
 package/util-linux/util-linux.mk                      |  1 +
 package/valgrind/valgrind.mk                          |  1 +
 package/vim/vim.mk                                    |  1 +
 package/wget/wget.mk                                  |  1 +
 package/wireless-regdb/wireless-regdb.mk              |  1 +
 package/wireless_tools/wireless_tools.mk              |  2 ++
 package/wpa_supplicant/wpa_supplicant.mk              |  1 +
 package/xerces/xerces.mk                              |  2 ++
 package/xz/xz.mk                                      |  1 +
 128 files changed, 170 insertions(+)

Comments

Alexander Dahl Nov. 4, 2020, 3:42 p.m. UTC | #1
Hello Thomas,

I just wanted to know what a CPE ID is and how a change in a hundred
packages looks, so I had a quick glance and stumbled over two things …

On Wed, Nov 04, 2020 at 03:51:44PM +0100, Thomas Petazzoni wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> This patch adds CPE ID information for a significant number of
> packages.
> 
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  boot/grub2/grub2.mk                                   |  1 +
>  boot/uboot/uboot.mk                                   |  2 ++
>  linux/linux.mk                                        |  2 ++
>  package/audit/audit.mk                                |  2 ++
>  package/aufs/aufs.mk                                  |  1 +
>  package/bash/bash.mk                                  |  1 +
>  package/bc/bc.mk                                      |  1 +
>  package/bind/bind.mk                                  |  1 +
>  package/boost/boost.mk                                |  1 +
>  package/bridge-utils/bridge-utils.mk                  |  1 +
>  package/busybox/busybox.mk                            |  1 +
>  package/bzip2/bzip2.mk                                |  1 +
>  package/clang/clang.mk                                |  1 +
>  package/collectd/collectd.mk                          |  1 +
>  package/conntrack-tools/conntrack-tools.mk            |  1 +
>  package/coreutils/coreutils.mk                        |  1 +
>  package/crda/crda.mk                                  |  1 +
>  package/davici/davici.mk                              |  1 +
>  package/dbus-glib/dbus-glib.mk                        |  1 +
>  package/dbus/dbus.mk                                  |  2 ++
>  package/dhcp/dhcp.mk                                  |  1 +
>  package/dnsmasq/dnsmasq.mk                            |  1 +
>  package/dropbear/dropbear.mk                          |  2 ++
>  package/ebtables/ebtables.mk                          |  1 +
>  package/ethtool/ethtool.mk                            |  1 +
>  package/expat/expat.mk                                |  1 +
>  package/gdb/gdb.mk                                    |  1 +
>  package/gesftpserver/gesftpserver.mk                  |  2 ++
>  package/glibc/glibc.mk                                |  1 +
>  package/gmp/gmp.mk                                    |  1 +
>  package/gnupg/gnupg.mk                                |  1 +
>  package/gnutls/gnutls.mk                              |  1 +
>  package/grep/grep.mk                                  |  1 +
>  package/gtest/gtest.mk                                |  2 ++
>  package/gzip/gzip.mk                                  |  1 +
>  package/hostapd/hostapd.mk                            |  1 +
>  package/ifupdown/ifupdown.mk                          |  1 +
>  package/iperf/iperf.mk                                |  2 ++
>  package/iperf3/iperf3.mk                              |  1 +
>  package/ipset/ipset.mk                                |  1 +
>  package/iptables/iptables.mk                          |  1 +
>  package/iw/iw.mk                                      |  1 +
>  package/kmod/kmod.mk                                  |  2 ++
>  package/libarchive/libarchive.mk                      |  1 +
>  package/libcurl/libcurl.mk                            |  2 ++
>  package/libestr/libestr.mk                            |  1 +
>  package/libfastjson/libfastjson.mk                    |  1 +
>  package/libfcgi/libfcgi.mk                            |  2 ++
>  package/libffi/libffi.mk                              |  2 ++
>  package/libgcrypt/libgcrypt.mk                        |  1 +
>  package/libglib2/libglib2.mk                          |  2 ++
>  package/libgpg-error/libgpg-error.mk                  |  1 +
>  package/liblogging/liblogging.mk                      |  1 +
>  package/libmbim/libmbim.mk                            |  1 +
>  package/libmnl/libmnl.mk                              |  1 +
>  .../libnetfilter_conntrack/libnetfilter_conntrack.mk  |  1 +
>  .../libnetfilter_cthelper/libnetfilter_cthelper.mk    |  1 +
>  .../libnetfilter_cttimeout/libnetfilter_cttimeout.mk  |  1 +
>  package/libnetfilter_queue/libnetfilter_queue.mk      |  1 +
>  package/libnfnetlink/libnfnetlink.mk                  |  1 +
>  package/libopenssl/Config.in                          | 11 +++++++++++
>  package/libopenssl/libopenssl.mk                      |  2 ++
>  package/libpcap/libpcap.mk                            |  1 +
>  package/libselinux/libselinux.mk                      |  1 +
>  package/libsemanage/libsemanage.mk                    |  1 +
>  package/libsepol/libsepol.mk                          |  1 +
>  package/libssh2/libssh2.mk                            |  1 +
>  package/libsysfs/libsysfs.mk                          |  2 ++
>  package/libtasn1/libtasn1.mk                          |  1 +
>  package/libunistring/libunistring.mk                  |  1 +
>  package/libxml2/libxml2.mk                            |  1 +
>  package/libxslt/libxslt.mk                            |  1 +
>  package/libzlib/libzlib.mk                            |  2 ++
>  package/lighttpd/lighttpd.mk                          |  1 +
>  package/linux-firmware/linux-firmware.mk              |  2 ++
>  package/linux-headers/linux-headers.mk                |  2 ++
>  package/linux-pam/linux-pam.mk                        |  2 ++
>  package/llvm/llvm.mk                                  |  1 +
>  package/lxc/lxc.mk                                    |  1 +
>  package/lz4/lz4.mk                                    |  1 +
>  package/memtester/memtester.mk                        |  1 +
>  package/mii-diag/mii-diag.mk                          |  1 +
>  package/mpfr/mpfr.mk                                  |  1 +
>  package/mrouted/mrouted.mk                            |  1 +
>  package/mtd/mtd.mk                                    |  2 ++
>  package/ncurses/ncurses.mk                            |  1 +
>  package/netsnmp/netsnmp.mk                            |  2 ++
>  package/nfs-utils/nfs-utils.mk                        |  2 ++
>  package/openssh/openssh.mk                            |  3 +++
>  package/pax-utils/pax-utils.mk                        |  1 +
>  package/paxtest/paxtest.mk                            |  1 +
>  package/pcre/pcre.mk                                  |  1 +
>  package/pixman/pixman.mk                              |  1 +
>  package/policycoreutils/policycoreutils.mk            |  1 +
>  package/pppd/pppd.mk                                  |  2 ++
>  package/proftpd/proftpd.mk                            |  1 +
>  package/protobuf/protobuf.mk                          |  1 +
>  package/pure-ftpd/pure-ftpd.mk                        |  1 +
>  package/python-lxml/python-lxml.mk                    |  2 ++
>  package/python-setuptools/python-setuptools.mk        |  2 ++
>  package/python/python.mk                              |  1 +
>  package/qemu/qemu.mk                                  |  1 +
>  package/rapidjson/rapidjson.mk                        |  1 +
>  package/readline/readline.mk                          |  1 +
>  package/refpolicy/refpolicy.mk                        |  1 +
>  package/rsyslog/rsyslog.mk                            |  1 +
>  package/rt-tests/rt-tests.mk                          |  1 +
>  package/sed/sed.mk                                    |  1 +
>  package/setools/setools.mk                            |  1 +
>  package/setserial/setserial.mk                        |  1 +
>  package/smcroute/smcroute.mk                          |  1 +
>  package/spawn-fcgi/spawn-fcgi.mk                      |  1 +
>  package/sqlite/sqlite.mk                              |  2 ++
>  package/strongswan/strongswan.mk                      |  1 +
>  package/tar/tar.mk                                    |  1 +
>  package/tcl/tcl.mk                                    |  1 +
>  package/tcpdump/tcpdump.mk                            |  1 +
>  package/tftpd/tftpd.mk                                |  2 ++
>  package/uboot-tools/uboot-tools.mk                    |  2 ++
>  package/util-linux/util-linux.mk                      |  1 +
>  package/valgrind/valgrind.mk                          |  1 +
>  package/vim/vim.mk                                    |  1 +
>  package/wget/wget.mk                                  |  1 +
>  package/wireless-regdb/wireless-regdb.mk              |  1 +
>  package/wireless_tools/wireless_tools.mk              |  2 ++
>  package/wpa_supplicant/wpa_supplicant.mk              |  1 +
>  package/xerces/xerces.mk                              |  2 ++
>  package/xz/xz.mk                                      |  1 +
>  128 files changed, 170 insertions(+)
> 
> diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
> index 5fca2315ee..9686815f4d 100644
> --- a/boot/grub2/grub2.mk
> +++ b/boot/grub2/grub2.mk
> @@ -37,6 +37,7 @@ GRUB2_INSTALL_TARGET = YES
>  else
>  GRUB2_INSTALL_TARGET = NO
>  endif
> +GRUB2_CPE_ID_VENDOR = gnu
>  
>  GRUB2_BUILTIN_MODULES = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES))
>  GRUB2_BUILTIN_CONFIG = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG))
> diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk
> index 72d5df412d..2028fb1167 100644
> --- a/boot/uboot/uboot.mk
> +++ b/boot/uboot/uboot.mk
> @@ -11,6 +11,8 @@ UBOOT_LICENSE = GPL-2.0+
>  ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)
>  UBOOT_LICENSE_FILES = Licenses/gpl-2.0.txt
>  endif
> +UBOOT_CPE_ID_VENDOR = denx
> +UBOOT_CPE_ID_NAME = u-boot
>  
>  UBOOT_INSTALL_IMAGES = YES
>  
> diff --git a/linux/linux.mk b/linux/linux.mk
> index e07e014d1e..648f6ea2a5 100644
> --- a/linux/linux.mk
> +++ b/linux/linux.mk
> @@ -12,6 +12,8 @@ LINUX_LICENSE_FILES = \
>  	LICENSES/preferred/GPL-2.0 \
>  	LICENSES/exceptions/Linux-syscall-note
>  endif
> +LINUX_CPE_ID_VENDOR = $(LINUX_NAME)
> +LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel
>  
>  define LINUX_HELP_CMDS
>  	@echo '  linux-menuconfig       - Run Linux kernel menuconfig'
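Review bot: `LINUX_CPE_ID_VENDOR = $(LINUX_NAME)` and `LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel` build an NVD dictionary value out of the Buildroot package name, although the two namespaces are unrelated. A later package rename would silently change the CPE, and CVE matching would stop finding entries without any build error. Assuming `$(LINUX_NAME)` expands to `linux`, I would spell the values out as `LINUX_CPE_ID_VENDOR = linux` and `LINUX_CPE_ID_NAME = linux_kernel`, which also makes them greppable. The same applies to the boost, busybox, collectd, dropbear and gnupg hunks. The `endif` above the added lines closes a conditional that starts outside this hunk.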
> diff --git a/package/audit/audit.mk b/package/audit/audit.mk
> index 652e0fcd56..a20767d24b 100644
> --- a/package/audit/audit.mk
> +++ b/package/audit/audit.mk
> @@ -10,6 +10,8 @@ AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
>  AUDIT_LICENSE_FILES = COPYING COPYING.LIB
>  # 0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
>  AUDIT_AUTORECONF = YES
> +AUDIT_CPE_ID_VENDOR = linux_audit_project
> +AUDIT_CPE_ID_NAME = linux_audit
>  
>  AUDIT_INSTALL_STAGING = YES
>  
> diff --git a/package/aufs/aufs.mk b/package/aufs/aufs.mk
> index 4e95a350a0..495e94e606 100644
> --- a/package/aufs/aufs.mk
> +++ b/package/aufs/aufs.mk
> @@ -7,6 +7,7 @@
>  AUFS_VERSION = $(call qstrip,$(BR2_PACKAGE_AUFS_VERSION))
>  AUFS_LICENSE = GPL-2.0
>  AUFS_LICENSE_FILES = COPYING
> +AUFS_CPE_ID_VERSION = 4.1
>  
>  ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)
>  AUFS_SITE = http://git.code.sf.net/p/aufs/aufs3-standalone
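Review bot: `AUFS_CPE_ID_VERSION = 4.1` is a fixed value, while `AUFS_VERSION` three lines above it is taken from `BR2_PACKAGE_AUFS_VERSION` and the `ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)` branch just below shows that a series other than 4 can be selected. As written, every configuration would be matched against CVEs recorded for 4.1, which can report issues that do not apply and hide ones that do. If the configured version cannot be turned into a CPE version, a one-line comment above the assignment explaining why 4.1 is correct for every series would help; otherwise the value should follow the selected series. The conditional that starts on the next line continues outside the hunk.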
> diff --git a/package/bash/bash.mk b/package/bash/bash.mk
> index 1843862e49..b4681c1085 100644
> --- a/package/bash/bash.mk
> +++ b/package/bash/bash.mk
> @@ -10,6 +10,7 @@ BASH_DEPENDENCIES = ncurses readline host-bison
>  BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
>  BASH_LICENSE = GPL-3.0+
>  BASH_LICENSE_FILES = COPYING
> +BASH_CPE_ID_VENDOR = gnu
>  
>  BASH_CONF_ENV += \
>  	ac_cv_rl_prefix="$(STAGING_DIR)" \
> diff --git a/package/bc/bc.mk b/package/bc/bc.mk
> index fdfacb6c89..06b6feae4f 100644
> --- a/package/bc/bc.mk
> +++ b/package/bc/bc.mk
> @@ -9,6 +9,7 @@ BC_SITE = http://ftp.gnu.org/gnu/bc
>  BC_DEPENDENCIES = host-flex
>  BC_LICENSE = GPL-2.0+, LGPL-2.1+
>  BC_LICENSE_FILES = COPYING COPYING.LIB
> +BC_CPE_ID_VENDOR = gnu
>  BC_CONF_ENV = MAKEINFO=true
>  
>  # 0001-bc-use-MAKEINFO-variable-for-docs.patch and 0004-no-gen-libmath.patch
> diff --git a/package/bind/bind.mk b/package/bind/bind.mk
> index 18fc4845f9..41b3146da1 100644
> --- a/package/bind/bind.mk
> +++ b/package/bind/bind.mk
> @@ -12,6 +12,7 @@ BIND_INSTALL_STAGING = YES
>  BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
>  BIND_LICENSE = MPL-2.0
>  BIND_LICENSE_FILES = COPYRIGHT
> +BIND_CPE_ID_VENDOR = isc
>  BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
>  BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
>  BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
> diff --git a/package/boost/boost.mk b/package/boost/boost.mk
> index 82fe42d6b2..d5c404a13c 100644
> --- a/package/boost/boost.mk
> +++ b/package/boost/boost.mk
> @@ -10,6 +10,7 @@ BOOST_SITE = https://dl.bintray.com/boostorg/release/$(BOOST_VERSION)/source
>  BOOST_INSTALL_STAGING = YES
>  BOOST_LICENSE = BSL-1.0
>  BOOST_LICENSE_FILES = LICENSE_1_0.txt
> +BOOST_CPE_ID_VENDOR = $(BOOST_NAME)
>  
>  # CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
>  # while in fact it affects Drupal (a module called boost in there).
> diff --git a/package/bridge-utils/bridge-utils.mk b/package/bridge-utils/bridge-utils.mk
> index 9d63b3ef30..fa71c3a64e 100644
> --- a/package/bridge-utils/bridge-utils.mk
> +++ b/package/bridge-utils/bridge-utils.mk
> @@ -10,6 +10,7 @@ BRIDGE_UTILS_SITE = \
>  BRIDGE_UTILS_AUTORECONF = YES
>  BRIDGE_UTILS_LICENSE = GPL-2.0+
>  BRIDGE_UTILS_LICENSE_FILES = COPYING
> +BRIDGE_UTILS_CPE_ID_VENDOR = kernel
>  
>  # Avoid using the host's headers. Location is not important as
>  # required headers will anyway be found from within the sysroot.
> diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
> index 8c8303a358..38c40eeb15 100644
> --- a/package/busybox/busybox.mk
> +++ b/package/busybox/busybox.mk
> @@ -9,6 +9,7 @@ BUSYBOX_SITE = http://www.busybox.net/downloads
>  BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
>  BUSYBOX_LICENSE = GPL-2.0, bzip2-1.0.4
>  BUSYBOX_LICENSE_FILES = LICENSE archival/libarchive/bz/LICENSE
> +BUSYBOX_CPE_ID_VENDOR = $(BUSYBOX_NAME)
>  
>  define BUSYBOX_HELP_CMDS
>  	@echo '  busybox-menuconfig     - Run BusyBox menuconfig'
> diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
> index b4d8eea25e..c2e5f7610e 100644
> --- a/package/bzip2/bzip2.mk
> +++ b/package/bzip2/bzip2.mk
> @@ -9,6 +9,7 @@ BZIP2_SITE = https://sourceware.org/pub/bzip2
>  BZIP2_INSTALL_STAGING = YES
>  BZIP2_LICENSE = bzip2 license
>  BZIP2_LICENSE_FILES = LICENSE
> +BZIP2_CPE_ID_VENDOR = bzip
>  
>  ifeq ($(BR2_STATIC_LIBS),)
>  define BZIP2_BUILD_SHARED_CMDS
> diff --git a/package/clang/clang.mk b/package/clang/clang.mk
> index ceb7de9afa..bf1a362ccf 100644
> --- a/package/clang/clang.mk
> +++ b/package/clang/clang.mk
> @@ -10,6 +10,7 @@ CLANG_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(CL
>  CLANG_SOURCE = clang-$(CLANG_VERSION).src.tar.xz
>  CLANG_LICENSE = Apache-2.0 with exceptions
>  CLANG_LICENSE_FILES = LICENSE.TXT
> +CLANG_CVE_ID_VENDOR = llvm

Is this supposed to be CLANG_CPE_ID_VENDOR instead?

>  CLANG_SUPPORTS_IN_SOURCE_BUILD = NO
>  CLANG_INSTALL_STAGING = YES
>  
> diff --git a/package/collectd/collectd.mk b/package/collectd/collectd.mk
> index 00e33f27df..83bf01109a 100644
> --- a/package/collectd/collectd.mk
> +++ b/package/collectd/collectd.mk
> @@ -12,6 +12,7 @@ COLLECTD_CONF_ENV = ac_cv_lib_yajl_yajl_alloc=yes
>  COLLECTD_INSTALL_STAGING = YES
>  COLLECTD_LICENSE = MIT (daemon, plugins), GPL-2.0 (plugins), LGPL-2.1 (plugins)
>  COLLECTD_LICENSE_FILES = COPYING
> +COLLECTD_CPE_ID_VENDOR = $(COLLECTD_NAME)
>  
>  # These require unmet dependencies, are fringe, pointless or deprecated
>  COLLECTD_PLUGINS_DISABLE = \
> diff --git a/package/conntrack-tools/conntrack-tools.mk b/package/conntrack-tools/conntrack-tools.mk
> index 145b6d785f..55ea407924 100644
> --- a/package/conntrack-tools/conntrack-tools.mk
> +++ b/package/conntrack-tools/conntrack-tools.mk
> @@ -12,6 +12,7 @@ CONNTRACK_TOOLS_DEPENDENCIES = host-pkgconf \
>  	libnetfilter_queue host-bison host-flex
>  CONNTRACK_TOOLS_LICENSE = GPL-2.0+
>  CONNTRACK_TOOLS_LICENSE_FILES = COPYING
> +CONNTRACK_TOOLS_CPE_ID_VENDOR = netfilter
>  
>  CONNTRACK_TOOLS_CFLAGS = $(TARGET_CFLAGS)
>  
> diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
> index 3866b76243..18e9052dfd 100644
> --- a/package/coreutils/coreutils.mk
> +++ b/package/coreutils/coreutils.mk
> @@ -9,6 +9,7 @@ COREUTILS_SITE = $(BR2_GNU_MIRROR)/coreutils
>  COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
>  COREUTILS_LICENSE = GPL-3.0+
>  COREUTILS_LICENSE_FILES = COPYING
> +COREUTILS_CPE_ID_VENDOR = gnu
>  
>  COREUTILS_CONF_OPTS = --disable-rpath \
>  	$(if $(BR2_TOOLCHAIN_USES_MUSL),--with-included-regex)
> diff --git a/package/crda/crda.mk b/package/crda/crda.mk
> index c5880797be..31a64d004b 100644
> --- a/package/crda/crda.mk
> +++ b/package/crda/crda.mk
> @@ -9,6 +9,7 @@ CRDA_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snap
>  CRDA_DEPENDENCIES = host-pkgconf host-python-pycryptodomex libnl libgcrypt
>  CRDA_LICENSE = ISC
>  CRDA_LICENSE_FILES = LICENSE
> +CRDA_CPE_ID_VENDOR = kernel
>  
>  define CRDA_BUILD_CMDS
>  	$(TARGET_CONFIGURE_OPTS) \
> diff --git a/package/davici/davici.mk b/package/davici/davici.mk
> index 5c08bbe0da..6c8df48b6a 100644
> --- a/package/davici/davici.mk
> +++ b/package/davici/davici.mk
> @@ -8,6 +8,7 @@ DAVICI_VERSION = 1.3
>  DAVICI_SITE = $(call github,strongswan,davici,v$(DAVICI_VERSION))
>  DAVICI_LICENSE = LGPL-2.1+
>  DAVICI_LICENSE_FILES = COPYING
> +DAVICI_CPE_ID_VENDOR = strongswan
>  DAVICI_DEPENDENCIES = strongswan
>  DAVICI_INSTALL_STAGING = YES
>  DAVICI_AUTORECONF = YES
> diff --git a/package/dbus-glib/dbus-glib.mk b/package/dbus-glib/dbus-glib.mk
> index 372942e1c3..5eb158d954 100644
> --- a/package/dbus-glib/dbus-glib.mk
> +++ b/package/dbus-glib/dbus-glib.mk
> @@ -9,6 +9,7 @@ DBUS_GLIB_SITE = http://dbus.freedesktop.org/releases/dbus-glib
>  DBUS_GLIB_INSTALL_STAGING = YES
>  DBUS_GLIB_LICENSE = AFL-2.1 or GPL-2.0+
>  DBUS_GLIB_LICENSE_FILES = COPYING
> +DBUS_GLIB_CPE_ID_VENDOR = freedesktop
>  
>  DBUS_GLIB_CONF_ENV = \
>  	ac_cv_have_abstract_sockets=yes \
> diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
> index b58f1ddda3..279252bd78 100644
> --- a/package/dbus/dbus.mk
> +++ b/package/dbus/dbus.mk
> @@ -8,6 +8,8 @@ DBUS_VERSION = 1.12.18
>  DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
>  DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
>  DBUS_LICENSE_FILES = COPYING
> +DBUS_CPE_ID_VENDOR = d-bus_project
> +DBUS_CPE_ID_NAME = d-bus
>  DBUS_INSTALL_STAGING = YES
>  
>  define DBUS_PERMISSIONS
> diff --git a/package/dhcp/dhcp.mk b/package/dhcp/dhcp.mk
> index ad59804d3b..988c7792dc 100644
> --- a/package/dhcp/dhcp.mk
> +++ b/package/dhcp/dhcp.mk
> @@ -10,6 +10,7 @@ DHCP_INSTALL_STAGING = YES
>  DHCP_LICENSE = MPL-2.0
>  DHCP_LICENSE_FILES = LICENSE
>  DHCP_DEPENDENCIES = bind
> +DHCP_CPE_ID_VENDOR = isc
>  
>  # use libtool-enabled configure.ac
>  define DHCP_LIBTOOL_AUTORECONF
> diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk
> index 4a7218a2b7..e0e8bed5aa 100644
> --- a/package/dnsmasq/dnsmasq.mk
> +++ b/package/dnsmasq/dnsmasq.mk
> @@ -14,6 +14,7 @@ DNSMASQ_MAKE_OPTS += DESTDIR=$(TARGET_DIR) LDFLAGS="$(TARGET_LDFLAGS)" \
>  DNSMASQ_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES)
>  DNSMASQ_LICENSE = GPL-2.0 or GPL-3.0
>  DNSMASQ_LICENSE_FILES = COPYING COPYING-v3
> +DNSMASQ_CPE_ID_VENDOR = thekelleys
>  
>  DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n)
>  
> diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
> index 00992f0662..87c161f704 100644
> --- a/package/dropbear/dropbear.mk
> +++ b/package/dropbear/dropbear.mk
> @@ -11,6 +11,8 @@ DROPBEAR_LICENSE = MIT, BSD-2-Clause, Public domain
>  DROPBEAR_LICENSE_FILES = LICENSE
>  DROPBEAR_TARGET_BINS = dropbearkey dropbearconvert scp
>  DROPBEAR_PROGRAMS = dropbear $(DROPBEAR_TARGET_BINS)
> +DROPBEAR_CPE_ID_VENDOR = $(DROPBEAR_NAME)_ssh_project
> +DROPBEAR_CPE_ID_NAME = $(DROPBEAR_NAME)_ssh
>  
>  # Disable hardening flags added by dropbear configure.ac, and let
>  # Buildroot add them when the relevant options are enabled. This
> diff --git a/package/ebtables/ebtables.mk b/package/ebtables/ebtables.mk
> index e8b982206c..b94ac8541f 100644
> --- a/package/ebtables/ebtables.mk
> +++ b/package/ebtables/ebtables.mk
> @@ -8,6 +8,7 @@ EBTABLES_VERSION = 2.0.11
>  EBTABLES_SITE = http://ftp.netfilter.org/pub/ebtables
>  EBTABLES_LICENSE = GPL-2.0+
>  EBTABLES_LICENSE_FILES = COPYING
> +EBTABLES_CVE_ID_VENDOR = netfilter

Same here? CVE or CPE?

On all the other packages it is CPE, so maybe those two are just
typos?

Greets
Alex

>  
>  ifeq ($(BR2_PACKAGE_EBTABLES_UTILS_SAVE),y)
>  define EBTABLES_INSTALL_TARGET_UTILS_SAVE
> diff --git a/package/ethtool/ethtool.mk b/package/ethtool/ethtool.mk
> index 1668171f3a..0e94a918c2 100644
> --- a/package/ethtool/ethtool.mk
> +++ b/package/ethtool/ethtool.mk
> @@ -9,6 +9,7 @@ ETHTOOL_SOURCE = ethtool-$(ETHTOOL_VERSION).tar.xz
>  ETHTOOL_SITE = $(BR2_KERNEL_MIRROR)/software/network/ethtool
>  ETHTOOL_LICENSE = GPL-2.0
>  ETHTOOL_LICENSE_FILES = LICENSE COPYING
> +ETHTOOL_CPE_ID_VENDOR = kernel
>  ETHTOOL_CONF_OPTS = \
>  	$(if $(BR2_PACKAGE_ETHTOOL_PRETTY_PRINT),--enable-pretty-dump,--disable-pretty-dump)
>  
> diff --git a/package/expat/expat.mk b/package/expat/expat.mk
> index bb04ab1a90..201e18ae65 100644
> --- a/package/expat/expat.mk
> +++ b/package/expat/expat.mk
> @@ -12,6 +12,7 @@ EXPAT_DEPENDENCIES = host-pkgconf
>  HOST_EXPAT_DEPENDENCIES = host-pkgconf
>  EXPAT_LICENSE = MIT
>  EXPAT_LICENSE_FILES = COPYING
> +EXPAT_CPE_ID_VENDOR = libexpat
>  
>  EXPAT_CONF_OPTS = --without-docbook
>  HOST_EXPAT_CONF_OPTS = --without-docbook
> diff --git a/package/gdb/gdb.mk b/package/gdb/gdb.mk
> index f31b168bf1..b0a21c1d9f 100644
> --- a/package/gdb/gdb.mk
> +++ b/package/gdb/gdb.mk
> @@ -25,6 +25,7 @@ endif
>  
>  GDB_LICENSE = GPL-2.0+, LGPL-2.0+, GPL-3.0+, LGPL-3.0+
>  GDB_LICENSE_FILES = COPYING COPYING.LIB COPYING3 COPYING3.LIB
> +GDB_CPE_ID_VENDOR = gnu
>  
>  # On gdb < 10, if you want to build only gdbserver, you need to
>  # configure only gdb/gdbserver.
> diff --git a/package/gesftpserver/gesftpserver.mk b/package/gesftpserver/gesftpserver.mk
> index ff7ce768ae..07718a4c42 100644
> --- a/package/gesftpserver/gesftpserver.mk
> +++ b/package/gesftpserver/gesftpserver.mk
> @@ -12,6 +12,8 @@ GESFTPSERVER_LICENSE_FILES = COPYING
>  
>  # "Missing prototype" warning treated as error
>  GESFTPSERVER_CONF_OPTS = --disable-warnings-as-errors
> +GESFTPSERVER_CPE_ID_VENDOR = green_end
> +GESFTPSERVER_CPE_ID_NAME = sftpserver
>  
>  # forgets to link against pthread when cross compiling
>  GESFTPSERVER_CONF_ENV = LIBS=-lpthread
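Review bot: The two added lines sit directly under the `# "Missing prototype" warning treated as error` comment and the `GESFTPSERVER_CONF_OPTS` assignment, so they read as part of that configure workaround. In most other hunks of this patch the CPE variables follow `<PKG>_LICENSE_FILES`; here that is the line named in the hunk header (`GESFTPSERVER_LICENSE_FILES = COPYING`), just above the visible context. Moving `GESFTPSERVER_CPE_ID_VENDOR = green_end` and `GESFTPSERVER_CPE_ID_NAME = sftpserver` up there keeps the package metadata together and makes a missing or mistyped CPE entry easier to spot in review.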
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 4721177d83..7add82f9ce 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -33,6 +33,7 @@ endif
>  
>  GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
>  GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
> +GLIBC_CPE_ID_VENDOR = gnu
>  
>  # glibc is part of the toolchain so disable the toolchain dependency
>  GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
> diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
> index d124463a98..a79d5b7d9a 100644
> --- a/package/gmp/gmp.mk
> +++ b/package/gmp/gmp.mk
> @@ -10,6 +10,7 @@ GMP_SOURCE = gmp-$(GMP_VERSION).tar.xz
>  GMP_INSTALL_STAGING = YES
>  GMP_LICENSE = LGPL-3.0+ or GPL-2.0+
>  GMP_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2
> +GMP_CPE_ID_VENDOR = gmplib
>  GMP_DEPENDENCIES = host-m4
>  HOST_GMP_DEPENDENCIES = host-m4
>  
> diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
> index 617def884e..ba424fed96 100644
> --- a/package/gnupg/gnupg.mk
> +++ b/package/gnupg/gnupg.mk
> @@ -10,6 +10,7 @@ GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
>  GNUPG_LICENSE = GPL-3.0+
>  GNUPG_LICENSE_FILES = COPYING
>  GNUPG_DEPENDENCIES = zlib $(if $(BR2_PACKAGE_LIBICONV),libiconv)
> +GNUPG_CPE_ID_VENDOR = $(GNUPG_NAME)
>  GNUPG_CONF_ENV = ac_cv_sys_symbol_underscore=no
>  GNUPG_CONF_OPTS = \
>  	--disable-rpath \
> diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
> index 9f53150004..65bb4893e8 100644
> --- a/package/gnutls/gnutls.mk
> +++ b/package/gnutls/gnutls.mk
> @@ -17,6 +17,7 @@ GNUTLS_LICENSE_FILES += doc/COPYING
>  endif
>  
>  GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
> +GNUTLS_CPE_ID_VENDOR = gnu
>  GNUTLS_CONF_OPTS = \
>  	--disable-doc \
>  	--disable-guile \
> diff --git a/package/grep/grep.mk b/package/grep/grep.mk
> index bdc22fa46c..7a07f0b676 100644
> --- a/package/grep/grep.mk
> +++ b/package/grep/grep.mk
> @@ -9,6 +9,7 @@ GREP_SITE = $(BR2_GNU_MIRROR)/grep
>  GREP_SOURCE = grep-$(GREP_VERSION).tar.xz
>  GREP_LICENSE = GPL-3.0+
>  GREP_LICENSE_FILES = COPYING
> +GREP_CPE_ID_VENDOR = gnu
>  GREP_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
>  # install into /bin like busybox grep
>  GREP_CONF_OPTS = --exec-prefix=/
> diff --git a/package/gtest/gtest.mk b/package/gtest/gtest.mk
> index 7f967b8bfb..fc51d9f7a2 100644
> --- a/package/gtest/gtest.mk
> +++ b/package/gtest/gtest.mk
> @@ -10,6 +10,8 @@ GTEST_INSTALL_STAGING = YES
>  GTEST_INSTALL_TARGET = NO
>  GTEST_LICENSE = BSD-3-Clause
>  GTEST_LICENSE_FILES = googletest/LICENSE
> +GTEST_CPE_ID_VENDOR = google
> +GTEST_CPE_ID_NAME = google_test
>  
>  ifeq ($(BR2_PACKAGE_GTEST_GMOCK),y)
>  GTEST_DEPENDENCIES += host-gtest
> diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
> index 17b27b497c..c8fd3ddb7a 100644
> --- a/package/gzip/gzip.mk
> +++ b/package/gzip/gzip.mk
> @@ -11,6 +11,7 @@ GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
>  GZIP_CONF_OPTS = --exec-prefix=/
>  GZIP_LICENSE = GPL-3.0+
>  GZIP_LICENSE_FILES = COPYING
> +GZIP_CPE_ID_VENDOR = gnu
>  GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
>  HOST_GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
>  # configure substitutes $(SHELL) for the shell shebang in scripts like
> diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
> index 676e36d8ba..efeefd8b35 100644
> --- a/package/hostapd/hostapd.mk
> +++ b/package/hostapd/hostapd.mk
> @@ -23,6 +23,7 @@ HOSTAPD_IGNORE_CVES += CVE-2019-16275
>  # 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
>  HOSTAPD_IGNORE_CVES += CVE-2020-12695
>  
> +HOSTAPD_CPE_ID_VENDOR = w1.fi
>  HOSTAPD_CONFIG_SET =
>  
>  HOSTAPD_CONFIG_ENABLE = \
> diff --git a/package/ifupdown/ifupdown.mk b/package/ifupdown/ifupdown.mk
> index 84d24aedab..e62c2a79c5 100644
> --- a/package/ifupdown/ifupdown.mk
> +++ b/package/ifupdown/ifupdown.mk
> @@ -9,6 +9,7 @@ IFUPDOWN_SOURCE = ifupdown_$(IFUPDOWN_VERSION).tar.xz
>  IFUPDOWN_SITE = http://snapshot.debian.org/archive/debian/20160922T165503Z/pool/main/i/ifupdown
>  IFUPDOWN_LICENSE = GPL-2.0+
>  IFUPDOWN_LICENSE_FILES = COPYING
> +IFUPDOWN_CPE_ID_VENDOR = debian
>  
>  define IFUPDOWN_BUILD_CMDS
>  	$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
> diff --git a/package/iperf/iperf.mk b/package/iperf/iperf.mk
> index 7088b0f152..f1e65e7545 100644
> --- a/package/iperf/iperf.mk
> +++ b/package/iperf/iperf.mk
> @@ -8,6 +8,8 @@ IPERF_VERSION = 2.0.13
>  IPERF_SITE = http://downloads.sourceforge.net/project/iperf2
>  IPERF_LICENSE = MIT-like
>  IPERF_LICENSE_FILES = COPYING
> +IPERF_CPE_ID_VENDOR = $(IPERF_NAME)2_project
> +IPERF_CPE_ID_NAME = $(IPERF_NAME)2
>  
>  IPERF_CONF_OPTS = \
>  	--disable-web100
> diff --git a/package/iperf3/iperf3.mk b/package/iperf3/iperf3.mk
> index f67fa17022..7d20b86e78 100644
> --- a/package/iperf3/iperf3.mk
> +++ b/package/iperf3/iperf3.mk
> @@ -9,6 +9,7 @@ IPERF3_SITE = https://downloads.es.net/pub/iperf
>  IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz
>  IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT
>  IPERF3_LICENSE_FILES = LICENSE
> +IPERF3_CPE_ID_VENDOR = es
>  
>  IPERF3_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -D_GNU_SOURCE"
>  
> diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk
> index 869763d322..cea3ee0e05 100644
> --- a/package/ipset/ipset.mk
> +++ b/package/ipset/ipset.mk
> @@ -11,6 +11,7 @@ IPSET_DEPENDENCIES = libmnl host-pkgconf
>  IPSET_CONF_OPTS = --with-kmod=no
>  IPSET_LICENSE = GPL-2.0
>  IPSET_LICENSE_FILES = COPYING
> +IPSET_CPE_ID_VENDOR = netfilter
>  IPSET_INSTALL_STAGING = YES
>  
>  $(eval $(autotools-package))
> diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
> index 442639f159..053d0e3964 100644
> --- a/package/iptables/iptables.mk
> +++ b/package/iptables/iptables.mk
> @@ -12,6 +12,7 @@ IPTABLES_DEPENDENCIES = host-pkgconf \
>  	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
>  IPTABLES_LICENSE = GPL-2.0
>  IPTABLES_LICENSE_FILES = COPYING
> +IPTABLES_CPE_ID_VENDOR = netfilter
>  # Building static causes ugly warnings on some plugins
>  IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
>  	$(if $(BR2_STATIC_LIBS),,--disable-static)
> diff --git a/package/iw/iw.mk b/package/iw/iw.mk
> index 2250ea413b..a232cc8baa 100644
> --- a/package/iw/iw.mk
> +++ b/package/iw/iw.mk
> @@ -9,6 +9,7 @@ IW_SOURCE = iw-$(IW_VERSION).tar.xz
>  IW_SITE = $(BR2_KERNEL_MIRROR)/software/network/iw
>  IW_LICENSE = ISC
>  IW_LICENSE_FILES = COPYING
> +IW_CPE_ID_VENDOR = kernel
>  IW_DEPENDENCIES = host-pkgconf libnl
>  IW_MAKE_ENV = \
>  	$(TARGET_MAKE_ENV) \
> diff --git a/package/kmod/kmod.mk b/package/kmod/kmod.mk
> index 69615452cf..d0f26a8841 100644
> --- a/package/kmod/kmod.mk
> +++ b/package/kmod/kmod.mk
> @@ -15,6 +15,8 @@ HOST_KMOD_DEPENDENCIES = host-pkgconf
>  KMOD_LICENSE = LGPL-2.1+ (library)
>  KMOD_LICENSE_FILES = libkmod/COPYING
>  
> +KMOD_CPE_ID_VENDOR = kernel
> +
>  # --gc-sections triggers binutils ld segfault
>  # https://sourceware.org/bugzilla/show_bug.cgi?id=21180
>  ifeq ($(BR2_microblaze),y)
> diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
> index 708ce637c2..71c8a2e4cf 100644
> --- a/package/libarchive/libarchive.mk
> +++ b/package/libarchive/libarchive.mk
> @@ -9,6 +9,7 @@ LIBARCHIVE_SITE = https://www.libarchive.de/downloads
>  LIBARCHIVE_INSTALL_STAGING = YES
>  LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
>  LIBARCHIVE_LICENSE_FILES = COPYING
> +LIBARCHIVE_CPE_ID_VENDOR = $(LIBARCHIVE_NAME)
>  
>  ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
>  ifeq ($(BR2_STATIC_LIBS),y)
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 74ce3be654..40e2c8ec0e 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -12,6 +12,8 @@ LIBCURL_DEPENDENCIES = host-pkgconf \
>  	$(if $(BR2_PACKAGE_RTMPDUMP),rtmpdump)
>  LIBCURL_LICENSE = curl
>  LIBCURL_LICENSE_FILES = COPYING
> +LIBCURL_CPE_ID_VENDOR = haxx
> +LIBCURL_CPE_ID_NAME = libcurl
>  LIBCURL_INSTALL_STAGING = YES
>  
>  # We disable NTLM support because it uses fork(), which doesn't work
> diff --git a/package/libestr/libestr.mk b/package/libestr/libestr.mk
> index 30960f7257..6ce22efae2 100644
> --- a/package/libestr/libestr.mk
> +++ b/package/libestr/libestr.mk
> @@ -8,6 +8,7 @@ LIBESTR_VERSION = 0.1.11
>  LIBESTR_SITE = http://libestr.adiscon.com/files/download
>  LIBESTR_LICENSE = LGPL-2.1+
>  LIBESTR_LICENSE_FILES = COPYING
> +LIBESTR_CPE_ID_VENDOR = adiscon
>  LIBESTR_INSTALL_STAGING = YES
>  
>  $(eval $(autotools-package))
> diff --git a/package/libfastjson/libfastjson.mk b/package/libfastjson/libfastjson.mk
> index ecca72f56c..37dbd7e03e 100644
> --- a/package/libfastjson/libfastjson.mk
> +++ b/package/libfastjson/libfastjson.mk
> @@ -12,5 +12,6 @@ LIBFASTJSON_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
>  LIBFASTJSON_AUTORECONF = YES
>  LIBFASTJSON_LICENSE = MIT
>  LIBFASTJSON_LICENSE_FILES = COPYING
> +LIBFASTJSON_CPE_ID_VENDOR = rsyslog
>  
>  $(eval $(autotools-package))
> diff --git a/package/libfcgi/libfcgi.mk b/package/libfcgi/libfcgi.mk
> index c158df2395..c40d9c5970 100644
> --- a/package/libfcgi/libfcgi.mk
> +++ b/package/libfcgi/libfcgi.mk
> @@ -8,6 +8,8 @@ LIBFCGI_VERSION = 2.4.2
>  LIBFCGI_SITE = $(call github,FastCGI-Archives,fcgi2,$(LIBFCGI_VERSION))
>  LIBFCGI_LICENSE = OML
>  LIBFCGI_LICENSE_FILES = LICENSE.TERMS
> +LIBFCGI_CPE_ID_VENDOR = fastcgi
> +LIBFCGI_CPE_ID_NAME = fcgi
>  LIBFCGI_INSTALL_STAGING = YES
>  LIBFCGI_AUTORECONF = YES
>  
> diff --git a/package/libffi/libffi.mk b/package/libffi/libffi.mk
> index 722a03dca0..e87a024040 100644
> --- a/package/libffi/libffi.mk
> +++ b/package/libffi/libffi.mk
> @@ -6,6 +6,8 @@
>  
>  LIBFFI_VERSION = 3.3
>  LIBFFI_SITE = $(call github,libffi,libffi,v$(LIBFFI_VERSION))
> +LIBFFI_CPE_ID_VERSION = 3.3
> +LIBFFI_CPE_ID_VERSION_MINOR = rc0
>  LIBFFI_LICENSE = MIT
>  LIBFFI_LICENSE_FILES = LICENSE
>  LIBFFI_INSTALL_STAGING = YES
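Review bot: `LIBFFI_CPE_ID_VERSION = 3.3` repeats the literal from `LIBFFI_VERSION = 3.3` two lines above it, so a later bump that edits only `LIBFFI_VERSION` leaves the CPE naming the old release and CVE matching then runs against the wrong version. Deriving the value, `LIBFFI_CPE_ID_VERSION = $(LIBFFI_VERSION)`, removes that failure mode. `LIBFFI_CPE_ID_VERSION_MINOR = rc0` also labels a package fetched from the `v3.3` tag as a release candidate; if that is only there to match an existing dictionary entry, it needs a comment such as `# NVD only lists 3.3:rc0 for this release`. The openssh.mk hunk carries the same hard-coded pair (`8.3` and `p1` beside `OPENSSH_VERSION = 8.3p1`) and needs at least a comment saying the three lines must be updated together.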
> diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
> index b2c1ea3cbe..d928d2fd80 100644
> --- a/package/libgcrypt/libgcrypt.mk
> +++ b/package/libgcrypt/libgcrypt.mk
> @@ -12,6 +12,7 @@ LIBGCRYPT_SITE = https://gnupg.org/ftp/gcrypt/libgcrypt
>  LIBGCRYPT_INSTALL_STAGING = YES
>  LIBGCRYPT_DEPENDENCIES = libgpg-error
>  LIBGCRYPT_CONFIG_SCRIPTS = libgcrypt-config
> +LIBGCRYPT_CPE_ID_VENDOR = gnupg
>  
>  # Patching acinclude.m4 in 0001
>  # Patching configure.ac and Makefile.am in 0002
> diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
> index 6e9dbd7b26..e55540976d 100644
> --- a/package/libglib2/libglib2.mk
> +++ b/package/libglib2/libglib2.mk
> @@ -10,6 +10,8 @@ LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
>  LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
>  LIBGLIB2_LICENSE = LGPL-2.1+
>  LIBGLIB2_LICENSE_FILES = COPYING
> +LIBGLIB2_CPE_ID_VENDOR = gnome
> +LIBGLIB2_CPE_ID_NAME = glib
>  LIBGLIB2_INSTALL_STAGING = YES
>  
>  LIBGLIB2_CFLAGS = $(TARGET_CFLAGS)
> diff --git a/package/libgpg-error/libgpg-error.mk b/package/libgpg-error/libgpg-error.mk
> index 6281faa662..05c7f710f2 100644
> --- a/package/libgpg-error/libgpg-error.mk
> +++ b/package/libgpg-error/libgpg-error.mk
> @@ -9,6 +9,7 @@ LIBGPG_ERROR_SITE = https://www.gnupg.org/ftp/gcrypt/libgpg-error
>  LIBGPG_ERROR_SOURCE = libgpg-error-$(LIBGPG_ERROR_VERSION).tar.bz2
>  LIBGPG_ERROR_LICENSE = GPL-2.0+, LGPL-2.1+
>  LIBGPG_ERROR_LICENSE_FILES = COPYING COPYING.LIB
> +LIBGPG_ERROR_CPE_ID_VENDOR = gnupg
>  LIBGPG_ERROR_INSTALL_STAGING = YES
>  LIBGPG_ERROR_CONFIG_SCRIPTS = gpg-error-config
>  LIBGPG_ERROR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
> diff --git a/package/liblogging/liblogging.mk b/package/liblogging/liblogging.mk
> index c756891a86..24375b56b4 100644
> --- a/package/liblogging/liblogging.mk
> +++ b/package/liblogging/liblogging.mk
> @@ -8,6 +8,7 @@ LIBLOGGING_VERSION = 1.0.6
>  LIBLOGGING_SITE = http://download.rsyslog.com/liblogging
>  LIBLOGGING_LICENSE = BSD-2-Clause
>  LIBLOGGING_LICENSE_FILES = COPYING
> +LIBLOGGING_CPE_ID_VENDOR = adiscon
>  LIBLOGGING_INSTALL_STAGING = YES
>  LIBLOGGING_CONF_OPTS = --enable-cached-man-pages
>  
> diff --git a/package/libmbim/libmbim.mk b/package/libmbim/libmbim.mk
> index 05345623bd..4ce3ca892e 100644
> --- a/package/libmbim/libmbim.mk
> +++ b/package/libmbim/libmbim.mk
> @@ -9,6 +9,7 @@ LIBMBIM_SITE = https://www.freedesktop.org/software/libmbim
>  LIBMBIM_SOURCE = libmbim-$(LIBMBIM_VERSION).tar.xz
>  LIBMBIM_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
>  LIBMBIM_LICENSE_FILES = COPYING COPYING.LIB
> +LIBMBIM_CPE_ID_VENDOR = freedesktop
>  LIBMBIM_INSTALL_STAGING = YES
>  
>  LIBMBIM_DEPENDENCIES = libglib2
> diff --git a/package/libmnl/libmnl.mk b/package/libmnl/libmnl.mk
> index 7fcce4c21f..d3b33db2e0 100644
> --- a/package/libmnl/libmnl.mk
> +++ b/package/libmnl/libmnl.mk
> @@ -10,5 +10,6 @@ LIBMNL_SITE = http://netfilter.org/projects/libmnl/files
>  LIBMNL_INSTALL_STAGING = YES
>  LIBMNL_LICENSE = LGPL-2.1+
>  LIBMNL_LICENSE_FILES = COPYING
> +LIBMNL_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
> index 8beefefb51..0a5a94be8f 100644
> --- a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
> +++ b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
> @@ -11,5 +11,6 @@ LIBNETFILTER_CONNTRACK_INSTALL_STAGING = YES
>  LIBNETFILTER_CONNTRACK_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
>  LIBNETFILTER_CONNTRACK_LICENSE = GPL-2.0+
>  LIBNETFILTER_CONNTRACK_LICENSE_FILES = COPYING
> +LIBNETFILTER_CONNTRACK_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
> index 61d6acd07c..d74ea4d0fd 100644
> --- a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
> +++ b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
> @@ -12,5 +12,6 @@ LIBNETFILTER_CTHELPER_DEPENDENCIES = host-pkgconf libmnl
>  LIBNETFILTER_CTHELPER_AUTORECONF = YES
>  LIBNETFILTER_CTHELPER_LICENSE = GPL-2.0+
>  LIBNETFILTER_CTHELPER_LICENSE_FILES = COPYING
> +LIBNETFILTER_CTHELPER_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
> index 9c4c951687..f5c5067b64 100644
> --- a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
> +++ b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
> @@ -12,5 +12,6 @@ LIBNETFILTER_CTTIMEOUT_DEPENDENCIES = host-pkgconf libmnl
>  LIBNETFILTER_CTTIMEOUT_AUTORECONF = YES
>  LIBNETFILTER_CTTIMEOUT_LICENSE = GPL-2.0+
>  LIBNETFILTER_CTTIMEOUT_LICENSE_FILES = COPYING
> +LIBNETFILTER_CTTIMEOUT_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnetfilter_queue/libnetfilter_queue.mk b/package/libnetfilter_queue/libnetfilter_queue.mk
> index 2bb4dd376d..6cd35baea1 100644
> --- a/package/libnetfilter_queue/libnetfilter_queue.mk
> +++ b/package/libnetfilter_queue/libnetfilter_queue.mk
> @@ -12,5 +12,6 @@ LIBNETFILTER_QUEUE_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
>  LIBNETFILTER_QUEUE_AUTORECONF = YES
>  LIBNETFILTER_QUEUE_LICENSE = GPL-2.0+
>  LIBNETFILTER_QUEUE_LICENSE_FILES = COPYING
> +LIBNETFILTER_QUEUE_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libnfnetlink/libnfnetlink.mk b/package/libnfnetlink/libnfnetlink.mk
> index 13f5d72c87..a5ad47b85e 100644
> --- a/package/libnfnetlink/libnfnetlink.mk
> +++ b/package/libnfnetlink/libnfnetlink.mk
> @@ -11,5 +11,6 @@ LIBNFNETLINK_AUTORECONF = YES
>  LIBNFNETLINK_INSTALL_STAGING = YES
>  LIBNFNETLINK_LICENSE = GPL-2.0
>  LIBNFNETLINK_LICENSE_FILES = COPYING
> +LIBNFNETLINK_CPE_ID_VENDOR = netfilter
>  
>  $(eval $(autotools-package))
> diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
> index 8909e36b9e..dd03de7674 100644
> --- a/package/libopenssl/Config.in
> +++ b/package/libopenssl/Config.in
> @@ -45,3 +45,14 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
>  	  Install additional encryption engine libraries.
>  
>  endif # BR2_PACKAGE_LIBOPENSSL
> +# See package/openssl/Config.in for the actual kconfig
> +# of this package. This file provides a URL for CPE use.
> +
> +#	help
> +#	  A collaborative effort to develop a robust, commercial-grade,
> +#	  fully featured, and Open Source toolkit implementing the
> +#	  Secure Sockets Layer (SSL v2/v3) and Transport Security
> +#	  (TLS v1) as well as a full-strength general-purpose
> +#	  cryptography library.
> +#
> +#	  http://www.openssl.org/
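Review bot: The block appended after `endif # BR2_PACKAGE_LIBOPENSSL` is commented-out kconfig, so kconfig itself never reads it and the URL only has an effect if some tool scrapes comments from this file. That consumer is not visible in this hunk, and a later cleanup of what looks like dead text would silently drop the URL from the CPE data. The lead comment should name the consumer, for example `# Parsed by <script name> to obtain the upstream URL for CPE reporting; do not remove.`, and a blank line before it would separate it from the `endif`. The URL is also plain `http://`; prefer `https://www.openssl.org/` if the consumer accepts it.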
> diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> index fe5a444cc7..75a7b485ef 100644
> --- a/package/libopenssl/libopenssl.mk
> +++ b/package/libopenssl/libopenssl.mk
> @@ -15,6 +15,8 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
>  LIBOPENSSL_TARGET_ARCH = $(call qstrip,$(BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH))
>  LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
>  LIBOPENSSL_PROVIDES = openssl
> +LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)
> +LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)
>  
>  ifeq ($(BR2_m68k_cf),y)
>  # relocation truncated to fit: R_68K_GOT16O
> diff --git a/package/libpcap/libpcap.mk b/package/libpcap/libpcap.mk
> index 881a109a0a..e323461529 100644
> --- a/package/libpcap/libpcap.mk
> +++ b/package/libpcap/libpcap.mk
> @@ -8,6 +8,7 @@ LIBPCAP_VERSION = 1.9.1
>  LIBPCAP_SITE = http://www.tcpdump.org/release
>  LIBPCAP_LICENSE = BSD-3-Clause
>  LIBPCAP_LICENSE_FILES = LICENSE
> +LIBPCAP_CPE_ID_VENDOR = tcpdump
>  LIBPCAP_INSTALL_STAGING = YES
>  LIBPCAP_DEPENDENCIES = host-flex host-bison
>  
> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> index 8087af539a..fdd13aa942 100644
> --- a/package/libselinux/libselinux.mk
> +++ b/package/libselinux/libselinux.mk
> @@ -8,6 +8,7 @@ LIBSELINUX_VERSION = 3.1
>  LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
>  LIBSELINUX_LICENSE = Public Domain
>  LIBSELINUX_LICENSE_FILES = LICENSE
> +LIBSELINUX_CPE_ID_VENDOR = selinuxproject
>  
>  LIBSELINUX_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) libsepol pcre
>  
> diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
> index 3ea0603f53..48e2bbbc8b 100644
> --- a/package/libsemanage/libsemanage.mk
> +++ b/package/libsemanage/libsemanage.mk
> @@ -9,6 +9,7 @@ LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
>  LIBSEMANAGE_LICENSE = LGPL-2.1+
>  LIBSEMANAGE_LICENSE_FILES = COPYING
>  LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
> +LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
>  LIBSEMANAGE_INSTALL_STAGING = YES
>  
>  LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
> diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
> index 7d8b7b2063..a4398bdc42 100644
> --- a/package/libsepol/libsepol.mk
> +++ b/package/libsepol/libsepol.mk
> @@ -8,6 +8,7 @@ LIBSEPOL_VERSION = 3.1
>  LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
>  LIBSEPOL_LICENSE = LGPL-2.1+
>  LIBSEPOL_LICENSE_FILES = COPYING
> +LIBSEPOL_CPE_ID_VENDOR = selinuxproject
>  
>  LIBSEPOL_INSTALL_STAGING = YES
>  LIBSEPOL_DEPENDENCIES = host-flex
> diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
> index c03fe0db55..eb66ab5643 100644
> --- a/package/libssh2/libssh2.mk
> +++ b/package/libssh2/libssh2.mk
> @@ -8,6 +8,7 @@ LIBSSH2_VERSION = 1.9.0
>  LIBSSH2_SITE = https://www.libssh2.org/download
>  LIBSSH2_LICENSE = BSD
>  LIBSSH2_LICENSE_FILES = COPYING
> +LIBSSH2_CPE_ID_VENDOR = $(LIBSSH2_NAME)
>  LIBSSH2_INSTALL_STAGING = YES
>  LIBSSH2_CONF_OPTS = --disable-examples-build
>  
> diff --git a/package/libsysfs/libsysfs.mk b/package/libsysfs/libsysfs.mk
> index 13edc9a4ea..fd8bfa6724 100644
> --- a/package/libsysfs/libsysfs.mk
> +++ b/package/libsysfs/libsysfs.mk
> @@ -10,5 +10,7 @@ LIBSYSFS_SOURCE = sysfsutils-$(LIBSYSFS_VERSION).tar.gz
>  LIBSYSFS_INSTALL_STAGING = YES
>  LIBSYSFS_LICENSE = GPL-2.0 (utilities), LGPL-2.1+ (library)
>  LIBSYSFS_LICENSE_FILES = cmd/GPL lib/LGPL
> +LIBSYSFS_CPE_ID_VENDOR = sysfsutils_project
> +LIBSYSFS_CPE_ID_NAME = sysfsutils
>  
>  $(eval $(autotools-package))
> diff --git a/package/libtasn1/libtasn1.mk b/package/libtasn1/libtasn1.mk
> index d5a6c69965..a354716824 100644
> --- a/package/libtasn1/libtasn1.mk
> +++ b/package/libtasn1/libtasn1.mk
> @@ -9,6 +9,7 @@ LIBTASN1_SITE = $(BR2_GNU_MIRROR)/libtasn1
>  LIBTASN1_DEPENDENCIES = host-bison host-pkgconf
>  LIBTASN1_LICENSE = GPL-3.0+ (tests, tools), LGPL-2.1+ (library)
>  LIBTASN1_LICENSE_FILES = LICENSE doc/COPYING doc/COPYING.LESSER
> +LIBTASN1_CPE_ID_VENDOR = gnu
>  LIBTASN1_INSTALL_STAGING = YES
>  
>  # We're patching fuzz/Makefile.am
> diff --git a/package/libunistring/libunistring.mk b/package/libunistring/libunistring.mk
> index fa51447170..1ed7ecf906 100644
> --- a/package/libunistring/libunistring.mk
> +++ b/package/libunistring/libunistring.mk
> @@ -10,6 +10,7 @@ LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
>  LIBUNISTRING_INSTALL_STAGING = YES
>  LIBUNISTRING_LICENSE = LGPL-3.0+ or GPL-2.0
>  LIBUNISTRING_LICENSE_FILES = COPYING COPYING.LIB
> +LIBUNISTRING_CPE_ID_VENDOR = gnu
>  
>  $(eval $(autotools-package))
>  $(eval $(host-autotools-package))
> diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
> index e9379b05ae..e472970fde 100644
> --- a/package/libxml2/libxml2.mk
> +++ b/package/libxml2/libxml2.mk
> @@ -15,6 +15,7 @@ LIBXML2_IGNORE_CVES += CVE-2020-7595
>  LIBXML2_IGNORE_CVES += CVE-2019-20388
>  # 0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch
>  LIBXML2_IGNORE_CVES += CVE-2020-24977
> +LIBXML2_CPE_ID_VENDOR = xmlsoft
>  LIBXML2_CONFIG_SCRIPTS = xml2-config
>  
>  # relocation truncated to fit: R_68K_GOT16O
> diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
> index 2f37f303ac..3c603ad9f6 100644
> --- a/package/libxslt/libxslt.mk
> +++ b/package/libxslt/libxslt.mk
> @@ -9,6 +9,7 @@ LIBXSLT_SITE = http://xmlsoft.org/sources
>  LIBXSLT_INSTALL_STAGING = YES
>  LIBXSLT_LICENSE = MIT
>  LIBXSLT_LICENSE_FILES = COPYING
> +LIBXSLT_CPE_ID_VENDOR = xmlsoft
>  
>  LIBXSLT_CONF_OPTS = \
>  	--with-gnu-ld \
> diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
> index eea0c12f22..a1e2640bac 100644
> --- a/package/libzlib/libzlib.mk
> +++ b/package/libzlib/libzlib.mk
> @@ -11,6 +11,8 @@ LIBZLIB_LICENSE = Zlib
>  LIBZLIB_LICENSE_FILES = README
>  LIBZLIB_INSTALL_STAGING = YES
>  LIBZLIB_PROVIDES = zlib
> +LIBZLIB_CPE_ID_VENDOR = gnu
> +LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)
>  
>  # It is not possible to build only a shared version of zlib, so we build both
>  # shared and static, unless we only want the static libs, and we eventually
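Review bot: `LIBZLIB_CPE_ID_VENDOR = gnu` should be checked against the NVD CPE dictionary, because zlib is not a GNU project and its records are, as far as I know, filed under a `zlib` vendor. If the vendor chosen here is not the one current CVE entries use, matching misses them without any error, and this library is linked into most of the image. If the dictionary confirms it, the line becomes `LIBZLIB_CPE_ID_VENDOR = zlib`. Either way a one-line comment citing the dictionary entry would make the choice reviewable.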
> diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
> index 7181465c66..39600ef94b 100644
> --- a/package/lighttpd/lighttpd.mk
> +++ b/package/lighttpd/lighttpd.mk
> @@ -10,6 +10,7 @@ LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
>  LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
>  LIGHTTPD_LICENSE = BSD-3-Clause
>  LIGHTTPD_LICENSE_FILES = COPYING
> +LIGHTTPD_CPE_ID_VENDOR = $(LIGHTTPD_NAME)
>  LIGHTTPD_DEPENDENCIES = host-pkgconf
>  LIGHTTPD_CONF_OPTS = \
>  	--without-wolfssl \
> diff --git a/package/linux-firmware/linux-firmware.mk b/package/linux-firmware/linux-firmware.mk
> index d9ad942903..368ff83a37 100644
> --- a/package/linux-firmware/linux-firmware.mk
> +++ b/package/linux-firmware/linux-firmware.mk
> @@ -8,6 +8,8 @@ LINUX_FIRMWARE_VERSION = 20200122
>  LINUX_FIRMWARE_SITE = http://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
>  LINUX_FIRMWARE_SITE_METHOD = git
>  
> +LINUX_FIRMWARE_CPE_ID_VENDOR = kernel
> +
>  # Intel SST DSP
>  ifeq ($(BR2_PACKAGE_LINUX_FIRMWARE_INTEL_SST_DSP),y)
>  LINUX_FIRMWARE_FILES += intel/fw_sst_0f28.bin-48kHz_i2s_master
> diff --git a/package/linux-headers/linux-headers.mk b/package/linux-headers/linux-headers.mk
> index 4c3cb716b3..4496295f2a 100644
> --- a/package/linux-headers/linux-headers.mk
> +++ b/package/linux-headers/linux-headers.mk
> @@ -102,6 +102,8 @@ LINUX_HEADERS_LICENSE_FILES = \
>  	LICENSES/preferred/GPL-2.0 \
>  	LICENSES/exceptions/Linux-syscall-note
>  endif
> +LINUX_HEADERS_CPE_ID_VENDOR = linux
> +LINUX_HEADERS_CPE_ID_NAME = linux_kernel
>  
>  LINUX_HEADERS_INSTALL_STAGING = YES
>  
> diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
> index 57fb2c9cfd..ecd4a723c4 100644
> --- a/package/linux-pam/linux-pam.mk
> +++ b/package/linux-pam/linux-pam.mk
> @@ -23,6 +23,8 @@ LINUX_PAM_LICENSE_FILES = Copyright
>  # We're patching configure.ac
>  LINUX_PAM_AUTORECONF = YES
>  LINUX_PAM_MAKE_OPTS += LIBS=$(TARGET_NLS_LIBS)
> +LINUX_PAM_CPE_ID_VENDOR = $(LINUX_PAM_NAME)
> +LINUX_PAM_CPE_ID_NAME = $(LINUX_PAM_NAME)
>  
>  ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
>  LINUX_PAM_CONF_OPTS += --enable-selinux
> diff --git a/package/llvm/llvm.mk b/package/llvm/llvm.mk
> index 24d033d124..177fff71bb 100644
> --- a/package/llvm/llvm.mk
> +++ b/package/llvm/llvm.mk
> @@ -10,6 +10,7 @@ LLVM_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLV
>  LLVM_SOURCE = llvm-$(LLVM_VERSION).src.tar.xz
>  LLVM_LICENSE = Apache-2.0 with exceptions
>  LLVM_LICENSE_FILES = LICENSE.TXT
> +LLVM_CPE_ID_VENDOR = $(LLVM_NAME)
>  LLVM_SUPPORTS_IN_SOURCE_BUILD = NO
>  LLVM_INSTALL_STAGING = YES
>  
> diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
> index b067f145e3..576036e246 100644
> --- a/package/lxc/lxc.mk
> +++ b/package/lxc/lxc.mk
> @@ -8,6 +8,7 @@ LXC_VERSION = 4.0.5
>  LXC_SITE = https://linuxcontainers.org/downloads/lxc
>  LXC_LICENSE = GPL-2.0 (some tools), LGPL-2.1+
>  LXC_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1
> +LXC_CPE_ID_VENDOR = linuxcontainers
>  LXC_DEPENDENCIES = host-pkgconf
>  LXC_INSTALL_STAGING = YES
>  
> diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
> index fa309e8dbb..7c91b6eecc 100644
> --- a/package/lz4/lz4.mk
> +++ b/package/lz4/lz4.mk
> @@ -9,6 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
>  LZ4_INSTALL_STAGING = YES
>  LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
>  LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
> +LZ4_CPE_ID_VENDOR = yann_collet
>  
>  # CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
>  # 1.9.2, while in fact this issue has been fixed since lz4-r130:
> diff --git a/package/memtester/memtester.mk b/package/memtester/memtester.mk
> index 1a319462a5..49cc935f39 100644
> --- a/package/memtester/memtester.mk
> +++ b/package/memtester/memtester.mk
> @@ -8,6 +8,7 @@ MEMTESTER_VERSION = 4.5.0
>  MEMTESTER_SITE = http://pyropus.ca/software/memtester/old-versions
>  MEMTESTER_LICENSE = GPL-2.0
>  MEMTESTER_LICENSE_FILES = COPYING
> +MEMTESTER_CPE_ID_VENDOR = pryopus
>  
>  MEMTESTER_TARGET_INSTALL_OPTS = INSTALLPATH=$(TARGET_DIR)/usr
>  
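Review bot: `MEMTESTER_CPE_ID_VENDOR = pryopus` looks like a letter transposition, since the `MEMTESTER_SITE` line in the same hunk points at `pyropus.ca`. A vendor string that does not exist in the CPE dictionary produces no match and no error, which a CVE report then shows as a package with no known vulnerabilities. If the dictionary entry follows the site name, the line should read `MEMTESTER_CPE_ID_VENDOR = pyropus`; confirm the exact spelling against the NVD CPE dictionary before merging.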
> diff --git a/package/mii-diag/mii-diag.mk b/package/mii-diag/mii-diag.mk
> index 6efd5be80d..a7c6483221 100644
> --- a/package/mii-diag/mii-diag.mk
> +++ b/package/mii-diag/mii-diag.mk
> @@ -10,6 +10,7 @@ MII_DIAG_PATCH = mii-diag_$(MII_DIAG_VERSION)-3.diff.gz
>  MII_DIAG_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/m/mii-diag
>  MII_DIAG_LICENSE = GPL # No version specified
>  MII_DIAG_LICENSE_FILES = mii-diag.c
> +MII_DIAG_CPE_ID_VENDOR = debian
>  
>  MII_DIAG_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
>  
> diff --git a/package/mpfr/mpfr.mk b/package/mpfr/mpfr.mk
> index ef2999eb16..837aff3aa5 100644
> --- a/package/mpfr/mpfr.mk
> +++ b/package/mpfr/mpfr.mk
> @@ -9,6 +9,7 @@ MPFR_SITE = http://www.mpfr.org/mpfr-$(MPFR_VERSION)
>  MPFR_SOURCE = mpfr-$(MPFR_VERSION).tar.xz
>  MPFR_LICENSE = LGPL-3.0+
>  MPFR_LICENSE_FILES = COPYING.LESSER
> +MPFR_CPE_ID_VENDOR = gnu
>  MPFR_INSTALL_STAGING = YES
>  MPFR_DEPENDENCIES = gmp
>  HOST_MPFR_DEPENDENCIES = host-gmp
> diff --git a/package/mrouted/mrouted.mk b/package/mrouted/mrouted.mk
> index ae2f8a4e20..4e3715b445 100644
> --- a/package/mrouted/mrouted.mk
> +++ b/package/mrouted/mrouted.mk
> @@ -11,6 +11,7 @@ MROUTED_DEPENDENCIES = host-bison
>  MROUTED_LICENSE = BSD-3-Clause
>  MROUTED_LICENSE_FILES = LICENSE
>  MROUTED_CONFIGURE_OPTS = --enable-rsrr
> +MROUTED_CPE_ID_VENDOR = troglobit
>  
>  define MROUTED_INSTALL_INIT_SYSTEMD
>  	$(INSTALL) -D -m 644 $(@D)/mrouted.service \
> diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
> index 9f259b35d9..d0e70b8c8b 100644
> --- a/package/mtd/mtd.mk
> +++ b/package/mtd/mtd.mk
> @@ -9,6 +9,8 @@ MTD_SOURCE = mtd-utils-$(MTD_VERSION).tar.bz2
>  MTD_SITE = ftp://ftp.infradead.org/pub/mtd-utils
>  MTD_LICENSE = GPL-2.0
>  MTD_LICENSE_FILES = COPYING
> +MTD_CPE_ID_VENDOR = mtd-utils_project
> +MTD_CPE_ID_NAME = mtd-utils
>  MTD_INSTALL_STAGING = YES
>  
>  ifeq ($(BR2_PACKAGE_MTD_JFFS_UTILS),y)
> diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
> index c11650c766..5c5e497488 100644
> --- a/package/ncurses/ncurses.mk
> +++ b/package/ncurses/ncurses.mk
> @@ -10,6 +10,7 @@ NCURSES_INSTALL_STAGING = YES
>  NCURSES_DEPENDENCIES = host-ncurses
>  NCURSES_LICENSE = MIT with advertising clause
>  NCURSES_LICENSE_FILES = COPYING
> +NCURSES_CPE_ID_VENDOR = gnu
>  NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
>  NCURSES_PATCH = \
>  	$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
> diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
> index 904279d1fb..09ca33f754 100644
> --- a/package/netsnmp/netsnmp.mk
> +++ b/package/netsnmp/netsnmp.mk
> @@ -9,6 +9,8 @@ NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NET
>  NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
>  NETSNMP_LICENSE = Various BSD-like
>  NETSNMP_LICENSE_FILES = COPYING
> +NETSNMP_CPE_ID_VENDOR = net-snmp
> +NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR)
>  NETSNMP_INSTALL_STAGING = YES
>  NETSNMP_CONF_ENV = ac_cv_NETSNMP_CAN_USE_SYSCTL=no
>  NETSNMP_CONF_OPTS = \
> diff --git a/package/nfs-utils/nfs-utils.mk b/package/nfs-utils/nfs-utils.mk
> index d60b5055a0..df581b381f 100644
> --- a/package/nfs-utils/nfs-utils.mk
> +++ b/package/nfs-utils/nfs-utils.mk
> @@ -10,6 +10,8 @@ NFS_UTILS_SITE = https://www.kernel.org/pub/linux/utils/nfs-utils/$(NFS_UTILS_VE
>  NFS_UTILS_LICENSE = GPL-2.0+
>  NFS_UTILS_LICENSE_FILES = COPYING
>  NFS_UTILS_DEPENDENCIES = host-nfs-utils host-pkgconf libtirpc
> +NFS_UTILS_CPE_ID_VENDOR = linux-nfs
> +NFS_UTILS_AUTORECONF = YES
>  
>  NFS_UTILS_CONF_ENV = knfsd_cv_bsd_signals=no
>  
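Review bot: `NFS_UTILS_AUTORECONF = YES` changes how the package is built, yet it arrives in a commit whose description covers only CPE ID information. Nothing visible in this hunk, such as a patch to configure.ac or Makefile.am, explains why autoreconf would be needed, so it looks like an accidental inclusion. Drop the line from this patch, or move it to its own commit with the reason stated, so that the metadata change stays reviewable as metadata only.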
> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> index 64ac22181b..c8937229ab 100644
> --- a/package/openssh/openssh.mk
> +++ b/package/openssh/openssh.mk
> @@ -5,6 +5,8 @@
>  ################################################################################
>  
>  OPENSSH_VERSION = 8.3p1
> +OPENSSH_CPE_ID_VERSION = 8.3
> +OPENSSH_CPE_ID_VERSION_MINOR = p1
>  OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
>  OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
>  OPENSSH_LICENSE_FILES = LICENCE
> @@ -12,6 +14,7 @@ OPENSSH_CONF_ENV = \
>  	LD="$(TARGET_CC)" \
>  	LDFLAGS="$(TARGET_CFLAGS)" \
>  	LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
> +OPENSSH_CPE_ID_VENDOR = openbsd
>  OPENSSH_CONF_OPTS = \
>  	--sysconfdir=/etc/ssh \
>  	--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
> diff --git a/package/pax-utils/pax-utils.mk b/package/pax-utils/pax-utils.mk
> index 502fc87446..704e50e738 100644
> --- a/package/pax-utils/pax-utils.mk
> +++ b/package/pax-utils/pax-utils.mk
> @@ -9,6 +9,7 @@ PAX_UTILS_SITE = http://distfiles.gentoo.org/distfiles
>  PAX_UTILS_SOURCE = pax-utils-$(PAX_UTILS_VERSION).tar.xz
>  PAX_UTILS_LICENSE = GPL-2.0
>  PAX_UTILS_LICENSE_FILES = COPYING
> +PAX_UTILS_CPE_ID_VENDOR = gentoo
>  
>  PAX_UTILS_DEPENDENCIES = host-pkgconf
>  PAX_UTILS_CONF_OPTS = --without-python
> diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
> index e632e222c3..1b8d6699b6 100644
> --- a/package/paxtest/paxtest.mk
> +++ b/package/paxtest/paxtest.mk
> @@ -8,6 +8,7 @@ PAXTEST_VERSION = 0.9.15
>  PAXTEST_SITE = https://www.grsecurity.net/~spender
>  PAXTEST_LICENSE = GPL-2.0+
>  PAXTEST_LICENSE_FILES = README
> +PAXTEST_CPE_ID_VENDOR = grsecurity
>  
>  define PAXTEST_BUILD_CMDS
>  	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
> diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
> index 3c280e593f..b37a2ca9b7 100644
> --- a/package/pcre/pcre.mk
> +++ b/package/pcre/pcre.mk
> @@ -9,6 +9,7 @@ PCRE_SITE = https://ftp.pcre.org/pub/pcre
>  PCRE_SOURCE = pcre-$(PCRE_VERSION).tar.bz2
>  PCRE_LICENSE = BSD-3-Clause
>  PCRE_LICENSE_FILES = LICENCE
> +PCRE_CPE_ID_VENDOR = $(PCRE_NAME)
>  PCRE_INSTALL_STAGING = YES
>  PCRE_CONFIG_SCRIPTS = pcre-config
>  
> diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
> index a446ebca46..52d4e36f2e 100644
> --- a/package/pixman/pixman.mk
> +++ b/package/pixman/pixman.mk
> @@ -9,6 +9,7 @@ PIXMAN_SOURCE = pixman-$(PIXMAN_VERSION).tar.xz
>  PIXMAN_SITE = https://xorg.freedesktop.org/releases/individual/lib
>  PIXMAN_LICENSE = MIT
>  PIXMAN_LICENSE_FILES = COPYING
> +PIXMAN_CPE_ID_VENDOR = $(PIXMAN_NAME)
>  
>  PIXMAN_INSTALL_STAGING = YES
>  PIXMAN_DEPENDENCIES = host-pkgconf
> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
> index 4c0fdc71a7..0dfdc7af03 100644
> --- a/package/policycoreutils/policycoreutils.mk
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -8,6 +8,7 @@ POLICYCOREUTILS_VERSION = 3.1
>  POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
>  POLICYCOREUTILS_LICENSE = GPL-2.0
>  POLICYCOREUTILS_LICENSE_FILES = COPYING
> +POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
>  
>  POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
>  POLICYCOREUTILS_MAKE_OPTS = LDLIBS=$(TARGET_NLS_LIBS)
> diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk
> index 685666a200..118f9fc334 100644
> --- a/package/pppd/pppd.mk
> +++ b/package/pppd/pppd.mk
> @@ -10,6 +10,8 @@ PPPD_LICENSE = LGPL-2.0+, LGPL, BSD-4-Clause, BSD-3-Clause, GPL-2.0+
>  PPPD_LICENSE_FILES = \
>  	pppd/tdb.c pppd/plugins/pppoatm/COPYING \
>  	pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c
> +PPPD_CPE_ID_VENDOR = samba
> +PPPD_CPE_ID_NAME = ppp
>  
>  # 0001-pppd-Fix-bounds-check.patch
>  PPPD_IGNORE_CVES += CVE-2020-8597
> diff --git a/package/proftpd/proftpd.mk b/package/proftpd/proftpd.mk
> index e126d0e0a4..94276233c8 100644
> --- a/package/proftpd/proftpd.mk
> +++ b/package/proftpd/proftpd.mk
> @@ -8,6 +8,7 @@ PROFTPD_VERSION = 1.3.6c
>  PROFTPD_SITE = $(call github,proftpd,proftpd,v$(PROFTPD_VERSION))
>  PROFTPD_LICENSE = GPL-2.0+
>  PROFTPD_LICENSE_FILES = COPYING
> +PROFTPD_CPE_ID_VENDOR = $(PROFTPD_NAME)
>  
>  PROFTPD_CONF_ENV = \
>  	ac_cv_func_setpgrp_void=yes \
> diff --git a/package/protobuf/protobuf.mk b/package/protobuf/protobuf.mk
> index 5f2690603d..773a7bd0f0 100644
> --- a/package/protobuf/protobuf.mk
> +++ b/package/protobuf/protobuf.mk
> @@ -12,6 +12,7 @@ PROTOBUF_SOURCE = protobuf-cpp-$(PROTOBUF_VERSION).tar.gz
>  PROTOBUF_SITE = https://github.com/google/protobuf/releases/download/v$(PROTOBUF_VERSION)
>  PROTOBUF_LICENSE = BSD-3-Clause
>  PROTOBUF_LICENSE_FILES = LICENSE
> +PROTOBUF_CPE_ID_VENDOR = google
>  
>  # N.B. Need to use host protoc during cross compilation.
>  PROTOBUF_DEPENDENCIES = host-protobuf
> diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
> index 7b7c7d9637..7e3d18b433 100644
> --- a/package/pure-ftpd/pure-ftpd.mk
> +++ b/package/pure-ftpd/pure-ftpd.mk
> @@ -9,6 +9,7 @@ PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
>  PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
>  PURE_FTPD_LICENSE = ISC
>  PURE_FTPD_LICENSE_FILES = COPYING
> +PURE_FTPD_CPE_ID_VENDOR = pureftpd
>  PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
>  
>  # 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
> index 7e727a6753..0b95cf4dc6 100644
> --- a/package/python-lxml/python-lxml.mk
> +++ b/package/python-lxml/python-lxml.mk
> @@ -15,6 +15,8 @@ PYTHON_LXML_LICENSE_FILES = \
>  	doc/licenses/BSD.txt \
>  	doc/licenses/elementtree.txt \
>  	src/lxml/isoschematron/resources/rng/iso-schematron.rng
> +PYTHON_LXML_CPE_ID_VENDOR = lxml
> +PYTHON_LXML_CPE_ID_NAME = lxml
>  
>  # python-lxml can use either setuptools, or distutils as a fallback.
>  # So, we use setuptools.
> diff --git a/package/python-setuptools/python-setuptools.mk b/package/python-setuptools/python-setuptools.mk
> index 2cb575ae22..ade5ca5521 100644
> --- a/package/python-setuptools/python-setuptools.mk
> +++ b/package/python-setuptools/python-setuptools.mk
> @@ -11,6 +11,8 @@ PYTHON_SETUPTOOLS_SOURCE = setuptools-$(PYTHON_SETUPTOOLS_VERSION).zip
>  PYTHON_SETUPTOOLS_SITE = https://files.pythonhosted.org/packages/b0/f3/44da7482ac6da3f36f68e253cb04de37365b3dba9036a3c70773b778b485
>  PYTHON_SETUPTOOLS_LICENSE = MIT
>  PYTHON_SETUPTOOLS_LICENSE_FILES = LICENSE
> +PYTHON_SETUPTOOLS_CPE_ID_VENDOR = python
> +PYTHON_SETUPTOOLS_CPE_ID_NAME = setuptools
>  PYTHON_SETUPTOOLS_SETUP_TYPE = setuptools
>  HOST_PYTHON_SETUPTOOLS_NEEDS_HOST_PYTHON = python2
>  
> diff --git a/package/python/python.mk b/package/python/python.mk
> index 10718f4358..6240cb6c2f 100644
> --- a/package/python/python.mk
> +++ b/package/python/python.mk
> @@ -10,6 +10,7 @@ PYTHON_SOURCE = Python-$(PYTHON_VERSION).tar.xz
>  PYTHON_SITE = https://python.org/ftp/python/$(PYTHON_VERSION)
>  PYTHON_LICENSE = Python-2.0, others
>  PYTHON_LICENSE_FILES = LICENSE
> +PYTHON_CPE_ID_VENDOR = $(PYTHON_NAME)
>  PYTHON_LIBTOOL_PATCH = NO
>  
>  # Python needs itself to be built, so in order to cross-compile
> diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
> index 69850ec938..a4b5688605 100644
> --- a/package/qemu/qemu.mk
> +++ b/package/qemu/qemu.mk
> @@ -12,6 +12,7 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
>  # NOTE: there is no top-level license file for non-(L)GPL licenses;
>  #       the non-(L)GPL license texts are specified in the affected
>  #       individual source files.
> +QEMU_CPE_ID_VENDOR = $(QEMU_NAME)
>  
>  #-------------------------------------------------------------
>  # Target-qemu
> diff --git a/package/rapidjson/rapidjson.mk b/package/rapidjson/rapidjson.mk
> index 9f1c82ce40..d3bcef7df1 100644
> --- a/package/rapidjson/rapidjson.mk
> +++ b/package/rapidjson/rapidjson.mk
> @@ -8,6 +8,7 @@ RAPIDJSON_VERSION = 1.1.0
>  RAPIDJSON_SITE = $(call github,miloyip,rapidjson,v$(RAPIDJSON_VERSION))
>  RAPIDJSON_LICENSE = MIT
>  RAPIDJSON_LICENSE_FILES = license.txt
> +RAPIDJSON_CPE_ID_VENDOR = tencent
>  
>  # rapidjson is a header-only C++ library
>  RAPIDJSON_INSTALL_TARGET = NO
> diff --git a/package/readline/readline.mk b/package/readline/readline.mk
> index f5d7d5bf9e..04872ac868 100644
> --- a/package/readline/readline.mk
> +++ b/package/readline/readline.mk
> @@ -14,6 +14,7 @@ READLINE_CONF_ENV = bash_cv_func_sigsetjmp=yes \
>  READLINE_CONF_OPTS = --disable-install-examples
>  READLINE_LICENSE = GPL-3.0+
>  READLINE_LICENSE_FILES = COPYING
> +READLINE_CPE_ID_VENDOR = gnu
>  
>  define READLINE_INSTALL_INPUTRC
>  	$(INSTALL) -D -m 644 package/readline/inputrc $(TARGET_DIR)/etc/inputrc
> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
> index 0e94b72826..90b555d859 100644
> --- a/package/refpolicy/refpolicy.mk
> +++ b/package/refpolicy/refpolicy.mk
> @@ -6,6 +6,7 @@
>  
>  REFPOLICY_LICENSE = GPL-2.0
>  REFPOLICY_LICENSE_FILES = COPYING
> +REFPOLICY_CPE_ID_VENDOR = tresys
>  REFPOLICY_INSTALL_STAGING = YES
>  REFPOLICY_DEPENDENCIES = \
>  	host-m4 \
> diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
> index 50f3328493..040b33795e 100644
> --- a/package/rsyslog/rsyslog.mk
> +++ b/package/rsyslog/rsyslog.mk
> @@ -8,6 +8,7 @@ RSYSLOG_VERSION = 8.2004.0
>  RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
>  RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
>  RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
> +RSYSLOG_CPE_ID_VENDOR = $(RSYSLOG_NAME)
>  RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
>  RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
>  RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
> diff --git a/package/rt-tests/rt-tests.mk b/package/rt-tests/rt-tests.mk
> index 26c257213b..d4fdab0f5d 100644
> --- a/package/rt-tests/rt-tests.mk
> +++ b/package/rt-tests/rt-tests.mk
> @@ -10,6 +10,7 @@ RT_TESTS_VERSION = 1.9
>  RT_TESTS_LICENSE = GPL-2.0+
>  RT_TESTS_LICENSE_FILES = COPYING
>  RT_TESTS_DEPENDENCIES = numactl
> +RT_TESTS_CPE_ID_VENDOR = kernel
>  
>  define RT_TESTS_BUILD_CMDS
>  	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
> diff --git a/package/sed/sed.mk b/package/sed/sed.mk
> index 6bb3220553..64fb2035b0 100644
> --- a/package/sed/sed.mk
> +++ b/package/sed/sed.mk
> @@ -9,6 +9,7 @@ SED_SOURCE = sed-$(SED_VERSION).tar.xz
>  SED_SITE = $(BR2_GNU_MIRROR)/sed
>  SED_LICENSE = GPL-3.0
>  SED_LICENSE_FILES = COPYING
> +SED_CPE_ID_VENDOR = gnu
>  
>  SED_CONF_OPTS = \
>  	--bindir=/bin \
> diff --git a/package/setools/setools.mk b/package/setools/setools.mk
> index c1a3a909cb..a07b1367a2 100644
> --- a/package/setools/setools.mk
> +++ b/package/setools/setools.mk
> @@ -10,6 +10,7 @@ SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-fle
>  SETOOLS_INSTALL_STAGING = YES
>  SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
>  SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
> +SETOOLS_CPE_ID_VENDOR = selinuxproject
>  SETOOLS_SETUP_TYPE = setuptools
>  HOST_SETOOLS_DEPENDENCIES = host-python3-cython host-libselinux host-libsepol host-python-networkx
>  HOST_SETOOLS_NEEDS_HOST_PYTHON = python3
> diff --git a/package/setserial/setserial.mk b/package/setserial/setserial.mk
> index 66ca59d79d..2e29e4c803 100644
> --- a/package/setserial/setserial.mk
> +++ b/package/setserial/setserial.mk
> @@ -10,6 +10,7 @@ SETSERIAL_SOURCE = setserial_$(SETSERIAL_VERSION).orig.tar.gz
>  SETSERIAL_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/s/setserial
>  SETSERIAL_LICENSE = GPL-2.0
>  SETSERIAL_LICENSE_FILES = debian/copyright
> +
>  # make all also builds setserial.cat which needs nroff
>  SETSERIAL_MAKE_OPTS = setserial
>  
> diff --git a/package/smcroute/smcroute.mk b/package/smcroute/smcroute.mk
> index 1a36c75d47..0db0e084f6 100644
> --- a/package/smcroute/smcroute.mk
> +++ b/package/smcroute/smcroute.mk
> @@ -9,6 +9,7 @@ SMCROUTE_SOURCE = smcroute-$(SMCROUTE_VERSION).tar.xz
>  SMCROUTE_SITE = https://github.com/troglobit/smcroute/releases/download/$(SMCROUTE_VERSION)
>  SMCROUTE_LICENSE = GPL-2.0+
>  SMCROUTE_LICENSE_FILES = COPYING
> +SMCROUTE_CPE_ID_VENDOR = troglobit
>  
>  SMCROUTE_CONF_OPTS = ac_cv_func_setpgrp_void=yes
>  #BUG:The package Makefile uses CC?= even though the package is autotools based
> diff --git a/package/spawn-fcgi/spawn-fcgi.mk b/package/spawn-fcgi/spawn-fcgi.mk
> index ed97d0a7b4..8caa1e2b3c 100644
> --- a/package/spawn-fcgi/spawn-fcgi.mk
> +++ b/package/spawn-fcgi/spawn-fcgi.mk
> @@ -9,5 +9,6 @@ SPAWN_FCGI_SITE = http://www.lighttpd.net/download
>  SPAWN_FCGI_SOURCE = spawn-fcgi-$(SPAWN_FCGI_VERSION).tar.bz2
>  SPAWN_FCGI_LICENSE = BSD-3-Clause
>  SPAWN_FCGI_LICENSE_FILES = COPYING
> +SPAWN_FCGI_CPE_ID_VENDOR = lighttpd
>  
>  $(eval $(autotools-package))
> diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
> index c8b9ba3150..796292178c 100644
> --- a/package/sqlite/sqlite.mk
> +++ b/package/sqlite/sqlite.mk
> @@ -5,11 +5,13 @@
>  ################################################################################
>  
>  SQLITE_VERSION = 3320300
> +SQLITE_CPE_ID_VERSION = 3.31.1
>  SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz
>  SQLITE_SITE = https://www.sqlite.org/2020
>  SQLITE_LICENSE = Public domain
>  SQLITE_LICENSE_FILES = tea/license.terms
>  SQLITE_INSTALL_STAGING = YES
> +SQLITE_CPE_ID_VENDOR = $(SQLITE_NAME)
>  
>  ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y)
>  SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4
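Review bot: `SQLITE_CPE_ID_VERSION = 3.31.1` does not match the release being built, because `SQLITE_VERSION = 3320300` two lines above is SQLite's packed form of 3.32.3. CVE matching would then be evaluated against 3.31.1, so the report can list issues already fixed in the shipped version and miss ones that only affect 3.32.x. The line should read `SQLITE_CPE_ID_VERSION = 3.32.3`, with a comment such as `# dotted form of SQLITE_VERSION, update both together` so the next version bump does not leave it stale again.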
> diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
> index a0290c5bf6..e0e8bb0ce8 100644
> --- a/package/strongswan/strongswan.mk
> +++ b/package/strongswan/strongswan.mk
> @@ -9,6 +9,7 @@ STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2
>  STRONGSWAN_SITE = http://download.strongswan.org
>  STRONGSWAN_LICENSE = GPL-2.0+
>  STRONGSWAN_LICENSE_FILES = COPYING LICENSE
> +STRONGSWAN_CPE_ID_VENDOR = $(STRONGSWAN_NAME)
>  STRONGSWAN_DEPENDENCIES = host-pkgconf
>  STRONGSWAN_INSTALL_STAGING = YES
>  STRONGSWAN_CONF_OPTS += \
> diff --git a/package/tar/tar.mk b/package/tar/tar.mk
> index 9e0a40e561..643eff1cbc 100644
> --- a/package/tar/tar.mk
> +++ b/package/tar/tar.mk
> @@ -12,6 +12,7 @@ TAR_SITE = $(BR2_GNU_MIRROR)/tar
>  TAR_CONF_OPTS = --exec-prefix=/
>  TAR_LICENSE = GPL-3.0+
>  TAR_LICENSE_FILES = COPYING
> +TAR_CPE_ID_VENDOR = gnu
>  
>  ifeq ($(BR2_PACKAGE_ACL),y)
>  TAR_DEPENDENCIES += acl
> diff --git a/package/tcl/tcl.mk b/package/tcl/tcl.mk
> index 6d750b3cd2..913891e897 100644
> --- a/package/tcl/tcl.mk
> +++ b/package/tcl/tcl.mk
> @@ -10,6 +10,7 @@ TCL_SOURCE = tcl$(TCL_VERSION)-src.tar.gz
>  TCL_SITE = http://downloads.sourceforge.net/project/tcl/Tcl/$(TCL_VERSION)
>  TCL_LICENSE = TCL
>  TCL_LICENSE_FILES = license.terms
> +TCL_CPE_ID_VENDOR = $(TCL_NAME)
>  TCL_SUBDIR = unix
>  TCL_INSTALL_STAGING = YES
>  TCL_AUTORECONF = YES
> diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk
> index 01a46b9b5f..9687e3c497 100644
> --- a/package/tcpdump/tcpdump.mk
> +++ b/package/tcpdump/tcpdump.mk
> @@ -8,6 +8,7 @@ TCPDUMP_VERSION = 4.9.3
>  TCPDUMP_SITE = http://www.tcpdump.org/release
>  TCPDUMP_LICENSE = BSD-3-Clause
>  TCPDUMP_LICENSE_FILES = LICENSE
> +TCPDUMP_CPE_ID_VENDOR = $(TCPDUMP_NAME)
>  TCPDUMP_CONF_ENV = \
>  	ac_cv_linux_vers=2 \
>  	td_cv_buggygetaddrinfo=no \
> diff --git a/package/tftpd/tftpd.mk b/package/tftpd/tftpd.mk
> index 57905fda05..301a222e39 100644
> --- a/package/tftpd/tftpd.mk
> +++ b/package/tftpd/tftpd.mk
> @@ -10,6 +10,8 @@ TFTPD_SITE = $(BR2_KERNEL_MIRROR)/software/network/tftp/tftp-hpa
>  TFTPD_CONF_OPTS = --without-tcpwrappers
>  TFTPD_LICENSE = BSD-4-Clause
>  TFTPD_LICENSE_FILES = tftpd/tftpd.c
> +TFTPD_CPE_ID_VENDOR = $(TFTPD_NAME)-hpa_project
> +TFTPD_CPE_ID_NAME = $(TFTPD_NAME)-hpa
>  
>  define TFTPD_INSTALL_TARGET_CMDS
>  	$(INSTALL) -D $(@D)/tftp/tftp $(TARGET_DIR)/usr/bin/tftp
> diff --git a/package/uboot-tools/uboot-tools.mk b/package/uboot-tools/uboot-tools.mk
> index 6aa7cba2dd..3a8e21ec9b 100644
> --- a/package/uboot-tools/uboot-tools.mk
> +++ b/package/uboot-tools/uboot-tools.mk
> @@ -9,6 +9,8 @@ UBOOT_TOOLS_SOURCE = u-boot-$(UBOOT_TOOLS_VERSION).tar.bz2
>  UBOOT_TOOLS_SITE = ftp://ftp.denx.de/pub/u-boot
>  UBOOT_TOOLS_LICENSE = GPL-2.0+
>  UBOOT_TOOLS_LICENSE_FILES = Licenses/gpl-2.0.txt
> +UBOOT_TOOLS_CPE_ID_VENDOR = denx
> +UBOOT_TOOLS_CPE_ID_NAME = u-boot
>  UBOOT_TOOLS_INSTALL_STAGING = YES
>  
>  # u-boot 2020.01+ needs make 4.0+
> diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
> index 0b29ef4d6f..46d7474b7f 100644
> --- a/package/util-linux/util-linux.mk
> +++ b/package/util-linux/util-linux.mk
> @@ -23,6 +23,7 @@ UTIL_LINUX_LICENSE_FILES = README.licensing \
>  	Documentation/licenses/COPYING.ISC \
>  	Documentation/licenses/COPYING.LGPL-2.1-or-later
>  
> +UTIL_LINUX_CPE_ID_VENDOR = kernel
>  UTIL_LINUX_INSTALL_STAGING = YES
>  UTIL_LINUX_DEPENDENCIES = \
>  	host-pkgconf \
> diff --git a/package/valgrind/valgrind.mk b/package/valgrind/valgrind.mk
> index 7fd3278614..7d0070a974 100644
> --- a/package/valgrind/valgrind.mk
> +++ b/package/valgrind/valgrind.mk
> @@ -9,6 +9,7 @@ VALGRIND_SITE = https://sourceware.org/pub/valgrind
>  VALGRIND_SOURCE = valgrind-$(VALGRIND_VERSION).tar.bz2
>  VALGRIND_LICENSE = GPL-2.0, GFDL-1.2
>  VALGRIND_LICENSE_FILES = COPYING COPYING.DOCS
> +VALGRIND_CPE_ID_VENDOR = $(VALGRIND_NAME)
>  VALGRIND_CONF_OPTS = \
>  	--disable-ubsan \
>  	--without-mpicc
> diff --git a/package/vim/vim.mk b/package/vim/vim.mk
> index 1fbb6a6b86..2bd3d437e4 100644
> --- a/package/vim/vim.mk
> +++ b/package/vim/vim.mk
> @@ -23,6 +23,7 @@ VIM_CONF_ENV = \
>  VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
>  VIM_LICENSE = Charityware
>  VIM_LICENSE_FILES = README.txt
> +VIM_CPE_ID_VENDOR = $(VIM_NAME)
>  
>  ifeq ($(BR2_PACKAGE_ACL),y)
>  VIM_CONF_OPTS += --enable-acl
> diff --git a/package/wget/wget.mk b/package/wget/wget.mk
> index ed3f1fdff9..65c132e453 100644
> --- a/package/wget/wget.mk
> +++ b/package/wget/wget.mk
> @@ -10,6 +10,7 @@ WGET_SITE = $(BR2_GNU_MIRROR)/wget
>  WGET_DEPENDENCIES = host-pkgconf
>  WGET_LICENSE = GPL-3.0+
>  WGET_LICENSE_FILES = COPYING
> +WGET_CPE_ID_VENDOR = gnu
>  
>  ifeq ($(BR2_PACKAGE_GNUTLS),y)
>  WGET_CONF_OPTS += --with-ssl=gnutls
> diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk
> index 52a0e0cffc..aaab7fc28b 100644
> --- a/package/wireless-regdb/wireless-regdb.mk
> +++ b/package/wireless-regdb/wireless-regdb.mk
> @@ -9,6 +9,7 @@ WIRELESS_REGDB_SOURCE = wireless-regdb-$(WIRELESS_REGDB_VERSION).tar.xz
>  WIRELESS_REGDB_SITE = $(BR2_KERNEL_MIRROR)/software/network/wireless-regdb
>  WIRELESS_REGDB_LICENSE = ISC
>  WIRELESS_REGDB_LICENSE_FILES = LICENSE
> +WIRELESS_REGDB_CPE_ID_VENDOR = kernel
>  
>  ifeq ($(BR2_PACKAGE_CRDA),y)
>  define  WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS
> diff --git a/package/wireless_tools/wireless_tools.mk b/package/wireless_tools/wireless_tools.mk
> index b87ab20fb2..01d03218d6 100644
> --- a/package/wireless_tools/wireless_tools.mk
> +++ b/package/wireless_tools/wireless_tools.mk
> @@ -10,6 +10,8 @@ WIRELESS_TOOLS_SITE = https://hewlettpackard.github.io/wireless-tools
>  WIRELESS_TOOLS_SOURCE = wireless_tools.$(WIRELESS_TOOLS_VERSION).tar.gz
>  WIRELESS_TOOLS_LICENSE = GPL-2.0
>  WIRELESS_TOOLS_LICENSE_FILES = COPYING
> +WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR)
> +WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9
>  WIRELESS_TOOLS_INSTALL_STAGING = YES
>  
>  WIRELESS_TOOLS_BUILD_TARGETS = iwmulticall
> diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
> index 7170db0d07..955f7fb98f 100644
> --- a/package/wpa_supplicant/wpa_supplicant.mk
> +++ b/package/wpa_supplicant/wpa_supplicant.mk
> @@ -8,6 +8,7 @@ WPA_SUPPLICANT_VERSION = 2.9
>  WPA_SUPPLICANT_SITE = http://w1.fi/releases
>  WPA_SUPPLICANT_LICENSE = BSD-3-Clause
>  WPA_SUPPLICANT_LICENSE_FILES = README
> +WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
>  WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
>  WPA_SUPPLICANT_SUBDIR = wpa_supplicant
>  WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
> diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
> index ae42b1e62f..5caf421132 100644
> --- a/package/xerces/xerces.mk
> +++ b/package/xerces/xerces.mk
> @@ -9,6 +9,8 @@ XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
>  XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
>  XERCES_LICENSE = Apache-2.0
>  XERCES_LICENSE_FILES = LICENSE
> +XERCES_CPE_ID_VENDOR = apache
> +XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+
>  XERCES_INSTALL_STAGING = YES
>  
>  define XERCES_DISABLE_SAMPLES
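Review bot: The `\+\+` in `XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+` needs a comment, since it reads like a regex or a stray shell escape. GNU make keeps the backslashes literally in the variable value, so the product becomes `xerces-c\+\+`, which is the escaped form a CPE 2.3 formatted string uses for `+`. Whether the backslashes survive to the CVE matcher depends on how the package infrastructure quotes the value when it passes it on, which is not visible in this hunk and is worth checking. Suggested comment: `# '+' is backslash-escaped as required by the CPE 2.3 formatted-string syntax`. The `define XERCES_DISABLE_SAMPLES` block continues outside the hunk.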
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index 487dac461b..ffbae4c873 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -11,6 +11,7 @@ XZ_INSTALL_STAGING = YES
>  XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
>  XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
>  XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
> +XZ_CPE_ID_VENDOR = tukaani
>  
>  ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
>  XZ_CONF_OPTS = --enable-threads
> -- 
> 2.26.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
Thomas Petazzoni Nov. 4, 2020, 3:49 p.m. UTC | #2
Hello Alexander,

Thanks for taking a look at this series!

On Wed, 4 Nov 2020 16:42:59 +0100
Alexander Dahl <post@lespocky.de> wrote:

> > +EBTABLES_CVE_ID_VENDOR = netfilter  
> 
> Same here? CVE or CPE?
> 
> On all the other packages it is CPE, so maybe those two are just
> typos?

You are absolutely correct, those are typos. I'll do another pass on
this patch. Perhaps I should split it up into smaller chunks to make it
more manageable to review.

Thomas

Patch

diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
index 5fca2315ee..9686815f4d 100644
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -37,6 +37,7 @@  GRUB2_INSTALL_TARGET = YES
 else
 GRUB2_INSTALL_TARGET = NO
 endif
+GRUB2_CPE_ID_VENDOR = gnu
 
 GRUB2_BUILTIN_MODULES = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES))
 GRUB2_BUILTIN_CONFIG = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG))
diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk
index 72d5df412d..2028fb1167 100644
--- a/boot/uboot/uboot.mk
+++ b/boot/uboot/uboot.mk
@@ -11,6 +11,8 @@  UBOOT_LICENSE = GPL-2.0+
 ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)
 UBOOT_LICENSE_FILES = Licenses/gpl-2.0.txt
 endif
+UBOOT_CPE_ID_VENDOR = denx
+UBOOT_CPE_ID_NAME = u-boot
 
 UBOOT_INSTALL_IMAGES = YES
 
diff --git a/linux/linux.mk b/linux/linux.mk
index e07e014d1e..648f6ea2a5 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -12,6 +12,8 @@  LINUX_LICENSE_FILES = \
 	LICENSES/preferred/GPL-2.0 \
 	LICENSES/exceptions/Linux-syscall-note
 endif
+LINUX_CPE_ID_VENDOR = $(LINUX_NAME)
+LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel
 
 define LINUX_HELP_CMDS
 	@echo '  linux-menuconfig       - Run Linux kernel menuconfig'
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
index 652e0fcd56..a20767d24b 100644
--- a/package/audit/audit.mk
+++ b/package/audit/audit.mk
@@ -10,6 +10,8 @@  AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
 AUDIT_LICENSE_FILES = COPYING COPYING.LIB
 # 0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 AUDIT_AUTORECONF = YES
+AUDIT_CPE_ID_VENDOR = linux_audit_project
+AUDIT_CPE_ID_NAME = linux_audit
 
 AUDIT_INSTALL_STAGING = YES
 
diff --git a/package/aufs/aufs.mk b/package/aufs/aufs.mk
index 4e95a350a0..495e94e606 100644
--- a/package/aufs/aufs.mk
+++ b/package/aufs/aufs.mk
@@ -7,6 +7,7 @@ 
 AUFS_VERSION = $(call qstrip,$(BR2_PACKAGE_AUFS_VERSION))
 AUFS_LICENSE = GPL-2.0
 AUFS_LICENSE_FILES = COPYING
+AUFS_CPE_ID_VERSION = 4.1
 
 ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)
 AUFS_SITE = http://git.code.sf.net/p/aufs/aufs3-standalone
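Review bot: `AUFS_CPE_ID_VERSION = 4.1` is a constant, but `AUFS_VERSION` on the first context line comes from `BR2_PACKAGE_AUFS_VERSION` and the `ifeq` just below branches on the aufs series, so the version actually built is chosen by the user. Any configuration that is not a 4.1 tree would be matched against the wrong version in CVE reports, giving both false alarms and missed findings. If the CPE version cannot be derived from the configured value, leaving it unset is probably safer than pinning it; at minimum a comment should state where 4.1 comes from. The hunk also sets no `AUFS_CPE_ID_VENDOR`, unlike the other packages in this patch, and whether a default applies is not visible here. The `ifeq` block continues outside the hunk.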
diff --git a/package/bash/bash.mk b/package/bash/bash.mk
index 1843862e49..b4681c1085 100644
--- a/package/bash/bash.mk
+++ b/package/bash/bash.mk
@@ -10,6 +10,7 @@  BASH_DEPENDENCIES = ncurses readline host-bison
 BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
 BASH_LICENSE = GPL-3.0+
 BASH_LICENSE_FILES = COPYING
+BASH_CPE_ID_VENDOR = gnu
 
 BASH_CONF_ENV += \
 	ac_cv_rl_prefix="$(STAGING_DIR)" \
diff --git a/package/bc/bc.mk b/package/bc/bc.mk
index fdfacb6c89..06b6feae4f 100644
--- a/package/bc/bc.mk
+++ b/package/bc/bc.mk
@@ -9,6 +9,7 @@  BC_SITE = http://ftp.gnu.org/gnu/bc
 BC_DEPENDENCIES = host-flex
 BC_LICENSE = GPL-2.0+, LGPL-2.1+
 BC_LICENSE_FILES = COPYING COPYING.LIB
+BC_CPE_ID_VENDOR = gnu
 BC_CONF_ENV = MAKEINFO=true
 
 # 0001-bc-use-MAKEINFO-variable-for-docs.patch and 0004-no-gen-libmath.patch
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 18fc4845f9..41b3146da1 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -12,6 +12,7 @@  BIND_INSTALL_STAGING = YES
 BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
 BIND_LICENSE = MPL-2.0
 BIND_LICENSE_FILES = COPYRIGHT
+BIND_CPE_ID_VENDOR = isc
 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
 BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
 BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
diff --git a/package/boost/boost.mk b/package/boost/boost.mk
index 82fe42d6b2..d5c404a13c 100644
--- a/package/boost/boost.mk
+++ b/package/boost/boost.mk
@@ -10,6 +10,7 @@  BOOST_SITE = https://dl.bintray.com/boostorg/release/$(BOOST_VERSION)/source
 BOOST_INSTALL_STAGING = YES
 BOOST_LICENSE = BSL-1.0
 BOOST_LICENSE_FILES = LICENSE_1_0.txt
+BOOST_CPE_ID_VENDOR = $(BOOST_NAME)
 
 # CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
 # while in fact it affects Drupal (a module called boost in there).
diff --git a/package/bridge-utils/bridge-utils.mk b/package/bridge-utils/bridge-utils.mk
index 9d63b3ef30..fa71c3a64e 100644
--- a/package/bridge-utils/bridge-utils.mk
+++ b/package/bridge-utils/bridge-utils.mk
@@ -10,6 +10,7 @@  BRIDGE_UTILS_SITE = \
 BRIDGE_UTILS_AUTORECONF = YES
 BRIDGE_UTILS_LICENSE = GPL-2.0+
 BRIDGE_UTILS_LICENSE_FILES = COPYING
+BRIDGE_UTILS_CPE_ID_VENDOR = kernel
 
 # Avoid using the host's headers. Location is not important as
 # required headers will anyway be found from within the sysroot.
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 8c8303a358..38c40eeb15 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -9,6 +9,7 @@  BUSYBOX_SITE = http://www.busybox.net/downloads
 BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
 BUSYBOX_LICENSE = GPL-2.0, bzip2-1.0.4
 BUSYBOX_LICENSE_FILES = LICENSE archival/libarchive/bz/LICENSE
+BUSYBOX_CPE_ID_VENDOR = $(BUSYBOX_NAME)
 
 define BUSYBOX_HELP_CMDS
 	@echo '  busybox-menuconfig     - Run BusyBox menuconfig'
diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index b4d8eea25e..c2e5f7610e 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -9,6 +9,7 @@  BZIP2_SITE = https://sourceware.org/pub/bzip2
 BZIP2_INSTALL_STAGING = YES
 BZIP2_LICENSE = bzip2 license
 BZIP2_LICENSE_FILES = LICENSE
+BZIP2_CPE_ID_VENDOR = bzip
 
 ifeq ($(BR2_STATIC_LIBS),)
 define BZIP2_BUILD_SHARED_CMDS
diff --git a/package/clang/clang.mk b/package/clang/clang.mk
index ceb7de9afa..bf1a362ccf 100644
--- a/package/clang/clang.mk
+++ b/package/clang/clang.mk
@@ -10,6 +10,7 @@  CLANG_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(CL
 CLANG_SOURCE = clang-$(CLANG_VERSION).src.tar.xz
 CLANG_LICENSE = Apache-2.0 with exceptions
 CLANG_LICENSE_FILES = LICENSE.TXT
+CLANG_CVE_ID_VENDOR = llvm
 CLANG_SUPPORTS_IN_SOURCE_BUILD = NO
 CLANG_INSTALL_STAGING = YES
 
diff --git a/package/collectd/collectd.mk b/package/collectd/collectd.mk
index 00e33f27df..83bf01109a 100644
--- a/package/collectd/collectd.mk
+++ b/package/collectd/collectd.mk
@@ -12,6 +12,7 @@  COLLECTD_CONF_ENV = ac_cv_lib_yajl_yajl_alloc=yes
 COLLECTD_INSTALL_STAGING = YES
 COLLECTD_LICENSE = MIT (daemon, plugins), GPL-2.0 (plugins), LGPL-2.1 (plugins)
 COLLECTD_LICENSE_FILES = COPYING
+COLLECTD_CPE_ID_VENDOR = $(COLLECTD_NAME)
 
 # These require unmet dependencies, are fringe, pointless or deprecated
 COLLECTD_PLUGINS_DISABLE = \
diff --git a/package/conntrack-tools/conntrack-tools.mk b/package/conntrack-tools/conntrack-tools.mk
index 145b6d785f..55ea407924 100644
--- a/package/conntrack-tools/conntrack-tools.mk
+++ b/package/conntrack-tools/conntrack-tools.mk
@@ -12,6 +12,7 @@  CONNTRACK_TOOLS_DEPENDENCIES = host-pkgconf \
 	libnetfilter_queue host-bison host-flex
 CONNTRACK_TOOLS_LICENSE = GPL-2.0+
 CONNTRACK_TOOLS_LICENSE_FILES = COPYING
+CONNTRACK_TOOLS_CPE_ID_VENDOR = netfilter
 
 CONNTRACK_TOOLS_CFLAGS = $(TARGET_CFLAGS)
 
diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
index 3866b76243..18e9052dfd 100644
--- a/package/coreutils/coreutils.mk
+++ b/package/coreutils/coreutils.mk
@@ -9,6 +9,7 @@  COREUTILS_SITE = $(BR2_GNU_MIRROR)/coreutils
 COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
 COREUTILS_LICENSE = GPL-3.0+
 COREUTILS_LICENSE_FILES = COPYING
+COREUTILS_CPE_ID_VENDOR = gnu
 
 COREUTILS_CONF_OPTS = --disable-rpath \
 	$(if $(BR2_TOOLCHAIN_USES_MUSL),--with-included-regex)
diff --git a/package/crda/crda.mk b/package/crda/crda.mk
index c5880797be..31a64d004b 100644
--- a/package/crda/crda.mk
+++ b/package/crda/crda.mk
@@ -9,6 +9,7 @@  CRDA_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/snap
 CRDA_DEPENDENCIES = host-pkgconf host-python-pycryptodomex libnl libgcrypt
 CRDA_LICENSE = ISC
 CRDA_LICENSE_FILES = LICENSE
+CRDA_CPE_ID_VENDOR = kernel
 
 define CRDA_BUILD_CMDS
 	$(TARGET_CONFIGURE_OPTS) \
diff --git a/package/davici/davici.mk b/package/davici/davici.mk
index 5c08bbe0da..6c8df48b6a 100644
--- a/package/davici/davici.mk
+++ b/package/davici/davici.mk
@@ -8,6 +8,7 @@  DAVICI_VERSION = 1.3
 DAVICI_SITE = $(call github,strongswan,davici,v$(DAVICI_VERSION))
 DAVICI_LICENSE = LGPL-2.1+
 DAVICI_LICENSE_FILES = COPYING
+DAVICI_CPE_ID_VENDOR = strongswan
 DAVICI_DEPENDENCIES = strongswan
 DAVICI_INSTALL_STAGING = YES
 DAVICI_AUTORECONF = YES
diff --git a/package/dbus-glib/dbus-glib.mk b/package/dbus-glib/dbus-glib.mk
index 372942e1c3..5eb158d954 100644
--- a/package/dbus-glib/dbus-glib.mk
+++ b/package/dbus-glib/dbus-glib.mk
@@ -9,6 +9,7 @@  DBUS_GLIB_SITE = http://dbus.freedesktop.org/releases/dbus-glib
 DBUS_GLIB_INSTALL_STAGING = YES
 DBUS_GLIB_LICENSE = AFL-2.1 or GPL-2.0+
 DBUS_GLIB_LICENSE_FILES = COPYING
+DBUS_GLIB_CPE_ID_VENDOR = freedesktop
 
 DBUS_GLIB_CONF_ENV = \
 	ac_cv_have_abstract_sockets=yes \
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index b58f1ddda3..279252bd78 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -8,6 +8,8 @@  DBUS_VERSION = 1.12.18
 DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
 DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
 DBUS_LICENSE_FILES = COPYING
+DBUS_CPE_ID_VENDOR = d-bus_project
+DBUS_CPE_ID_NAME = d-bus
 DBUS_INSTALL_STAGING = YES
 
 define DBUS_PERMISSIONS
diff --git a/package/dhcp/dhcp.mk b/package/dhcp/dhcp.mk
index ad59804d3b..988c7792dc 100644
--- a/package/dhcp/dhcp.mk
+++ b/package/dhcp/dhcp.mk
@@ -10,6 +10,7 @@  DHCP_INSTALL_STAGING = YES
 DHCP_LICENSE = MPL-2.0
 DHCP_LICENSE_FILES = LICENSE
 DHCP_DEPENDENCIES = bind
+DHCP_CPE_ID_VENDOR = isc
 
 # use libtool-enabled configure.ac
 define DHCP_LIBTOOL_AUTORECONF
diff --git a/package/dnsmasq/dnsmasq.mk b/package/dnsmasq/dnsmasq.mk
index 4a7218a2b7..e0e8bed5aa 100644
--- a/package/dnsmasq/dnsmasq.mk
+++ b/package/dnsmasq/dnsmasq.mk
@@ -14,6 +14,7 @@  DNSMASQ_MAKE_OPTS += DESTDIR=$(TARGET_DIR) LDFLAGS="$(TARGET_LDFLAGS)" \
 DNSMASQ_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES)
 DNSMASQ_LICENSE = GPL-2.0 or GPL-3.0
 DNSMASQ_LICENSE_FILES = COPYING COPYING-v3
+DNSMASQ_CPE_ID_VENDOR = thekelleys
 
 DNSMASQ_I18N = $(if $(BR2_SYSTEM_ENABLE_NLS),-i18n)
 
diff --git a/package/dropbear/dropbear.mk b/package/dropbear/dropbear.mk
index 00992f0662..87c161f704 100644
--- a/package/dropbear/dropbear.mk
+++ b/package/dropbear/dropbear.mk
@@ -11,6 +11,8 @@  DROPBEAR_LICENSE = MIT, BSD-2-Clause, Public domain
 DROPBEAR_LICENSE_FILES = LICENSE
 DROPBEAR_TARGET_BINS = dropbearkey dropbearconvert scp
 DROPBEAR_PROGRAMS = dropbear $(DROPBEAR_TARGET_BINS)
+DROPBEAR_CPE_ID_VENDOR = $(DROPBEAR_NAME)_ssh_project
+DROPBEAR_CPE_ID_NAME = $(DROPBEAR_NAME)_ssh
 
 # Disable hardening flags added by dropbear configure.ac, and let
 # Buildroot add them when the relevant options are enabled. This
diff --git a/package/ebtables/ebtables.mk b/package/ebtables/ebtables.mk
index e8b982206c..b94ac8541f 100644
--- a/package/ebtables/ebtables.mk
+++ b/package/ebtables/ebtables.mk
@@ -8,6 +8,7 @@  EBTABLES_VERSION = 2.0.11
 EBTABLES_SITE = http://ftp.netfilter.org/pub/ebtables
 EBTABLES_LICENSE = GPL-2.0+
 EBTABLES_LICENSE_FILES = COPYING
+EBTABLES_CVE_ID_VENDOR = netfilter
 
 ifeq ($(BR2_PACKAGE_EBTABLES_UTILS_SAVE),y)
 define EBTABLES_INSTALL_TARGET_UTILS_SAVE
diff --git a/package/ethtool/ethtool.mk b/package/ethtool/ethtool.mk
index 1668171f3a..0e94a918c2 100644
--- a/package/ethtool/ethtool.mk
+++ b/package/ethtool/ethtool.mk
@@ -9,6 +9,7 @@  ETHTOOL_SOURCE = ethtool-$(ETHTOOL_VERSION).tar.xz
 ETHTOOL_SITE = $(BR2_KERNEL_MIRROR)/software/network/ethtool
 ETHTOOL_LICENSE = GPL-2.0
 ETHTOOL_LICENSE_FILES = LICENSE COPYING
+ETHTOOL_CPE_ID_VENDOR = kernel
 ETHTOOL_CONF_OPTS = \
 	$(if $(BR2_PACKAGE_ETHTOOL_PRETTY_PRINT),--enable-pretty-dump,--disable-pretty-dump)
 
diff --git a/package/expat/expat.mk b/package/expat/expat.mk
index bb04ab1a90..201e18ae65 100644
--- a/package/expat/expat.mk
+++ b/package/expat/expat.mk
@@ -12,6 +12,7 @@  EXPAT_DEPENDENCIES = host-pkgconf
 HOST_EXPAT_DEPENDENCIES = host-pkgconf
 EXPAT_LICENSE = MIT
 EXPAT_LICENSE_FILES = COPYING
+EXPAT_CPE_ID_VENDOR = libexpat
 
 EXPAT_CONF_OPTS = --without-docbook
 HOST_EXPAT_CONF_OPTS = --without-docbook
diff --git a/package/gdb/gdb.mk b/package/gdb/gdb.mk
index f31b168bf1..b0a21c1d9f 100644
--- a/package/gdb/gdb.mk
+++ b/package/gdb/gdb.mk
@@ -25,6 +25,7 @@  endif
 
 GDB_LICENSE = GPL-2.0+, LGPL-2.0+, GPL-3.0+, LGPL-3.0+
 GDB_LICENSE_FILES = COPYING COPYING.LIB COPYING3 COPYING3.LIB
+GDB_CPE_ID_VENDOR = gnu
 
 # On gdb < 10, if you want to build only gdbserver, you need to
 # configure only gdb/gdbserver.
diff --git a/package/gesftpserver/gesftpserver.mk b/package/gesftpserver/gesftpserver.mk
index ff7ce768ae..07718a4c42 100644
--- a/package/gesftpserver/gesftpserver.mk
+++ b/package/gesftpserver/gesftpserver.mk
@@ -12,6 +12,8 @@  GESFTPSERVER_LICENSE_FILES = COPYING
 
 # "Missing prototype" warning treated as error
 GESFTPSERVER_CONF_OPTS = --disable-warnings-as-errors
+GESFTPSERVER_CPE_ID_VENDOR = green_end
+GESFTPSERVER_CPE_ID_NAME = sftpserver
 
 # forgets to link against pthread when cross compiling
 GESFTPSERVER_CONF_ENV = LIBS=-lpthread
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 4721177d83..7add82f9ce 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -33,6 +33,7 @@  endif
 
 GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
 GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
+GLIBC_CPE_ID_VENDOR = gnu
 
 # glibc is part of the toolchain so disable the toolchain dependency
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk
index d124463a98..a79d5b7d9a 100644
--- a/package/gmp/gmp.mk
+++ b/package/gmp/gmp.mk
@@ -10,6 +10,7 @@  GMP_SOURCE = gmp-$(GMP_VERSION).tar.xz
 GMP_INSTALL_STAGING = YES
 GMP_LICENSE = LGPL-3.0+ or GPL-2.0+
 GMP_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2
+GMP_CPE_ID_VENDOR = gmplib
 GMP_DEPENDENCIES = host-m4
 HOST_GMP_DEPENDENCIES = host-m4
 
diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk
index 617def884e..ba424fed96 100644
--- a/package/gnupg/gnupg.mk
+++ b/package/gnupg/gnupg.mk
@@ -10,6 +10,7 @@  GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg
 GNUPG_LICENSE = GPL-3.0+
 GNUPG_LICENSE_FILES = COPYING
 GNUPG_DEPENDENCIES = zlib $(if $(BR2_PACKAGE_LIBICONV),libiconv)
+GNUPG_CPE_ID_VENDOR = $(GNUPG_NAME)
 GNUPG_CONF_ENV = ac_cv_sys_symbol_underscore=no
 GNUPG_CONF_OPTS = \
 	--disable-rpath \
diff --git a/package/gnutls/gnutls.mk b/package/gnutls/gnutls.mk
index 9f53150004..65bb4893e8 100644
--- a/package/gnutls/gnutls.mk
+++ b/package/gnutls/gnutls.mk
@@ -17,6 +17,7 @@  GNUTLS_LICENSE_FILES += doc/COPYING
 endif
 
 GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre
+GNUTLS_CPE_ID_VENDOR = gnu
 GNUTLS_CONF_OPTS = \
 	--disable-doc \
 	--disable-guile \
diff --git a/package/grep/grep.mk b/package/grep/grep.mk
index bdc22fa46c..7a07f0b676 100644
--- a/package/grep/grep.mk
+++ b/package/grep/grep.mk
@@ -9,6 +9,7 @@  GREP_SITE = $(BR2_GNU_MIRROR)/grep
 GREP_SOURCE = grep-$(GREP_VERSION).tar.xz
 GREP_LICENSE = GPL-3.0+
 GREP_LICENSE_FILES = COPYING
+GREP_CPE_ID_VENDOR = gnu
 GREP_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
 # install into /bin like busybox grep
 GREP_CONF_OPTS = --exec-prefix=/
diff --git a/package/gtest/gtest.mk b/package/gtest/gtest.mk
index 7f967b8bfb..fc51d9f7a2 100644
--- a/package/gtest/gtest.mk
+++ b/package/gtest/gtest.mk
@@ -10,6 +10,8 @@  GTEST_INSTALL_STAGING = YES
 GTEST_INSTALL_TARGET = NO
 GTEST_LICENSE = BSD-3-Clause
 GTEST_LICENSE_FILES = googletest/LICENSE
+GTEST_CPE_ID_VENDOR = google
+GTEST_CPE_ID_NAME = google_test
 
 ifeq ($(BR2_PACKAGE_GTEST_GMOCK),y)
 GTEST_DEPENDENCIES += host-gtest
diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
index 17b27b497c..c8fd3ddb7a 100644
--- a/package/gzip/gzip.mk
+++ b/package/gzip/gzip.mk
@@ -11,6 +11,7 @@  GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
 GZIP_CONF_OPTS = --exec-prefix=/
 GZIP_LICENSE = GPL-3.0+
 GZIP_LICENSE_FILES = COPYING
+GZIP_CPE_ID_VENDOR = gnu
 GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
 HOST_GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes
 # configure substitutes $(SHELL) for the shell shebang in scripts like
diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
index 676e36d8ba..efeefd8b35 100644
--- a/package/hostapd/hostapd.mk
+++ b/package/hostapd/hostapd.mk
@@ -23,6 +23,7 @@  HOSTAPD_IGNORE_CVES += CVE-2019-16275
 # 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
 HOSTAPD_IGNORE_CVES += CVE-2020-12695
 
+HOSTAPD_CPE_ID_VENDOR = w1.fi
 HOSTAPD_CONFIG_SET =
 
 HOSTAPD_CONFIG_ENABLE = \
diff --git a/package/ifupdown/ifupdown.mk b/package/ifupdown/ifupdown.mk
index 84d24aedab..e62c2a79c5 100644
--- a/package/ifupdown/ifupdown.mk
+++ b/package/ifupdown/ifupdown.mk
@@ -9,6 +9,7 @@  IFUPDOWN_SOURCE = ifupdown_$(IFUPDOWN_VERSION).tar.xz
 IFUPDOWN_SITE = http://snapshot.debian.org/archive/debian/20160922T165503Z/pool/main/i/ifupdown
 IFUPDOWN_LICENSE = GPL-2.0+
 IFUPDOWN_LICENSE_FILES = COPYING
+IFUPDOWN_CPE_ID_VENDOR = debian
 
 define IFUPDOWN_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \
diff --git a/package/iperf/iperf.mk b/package/iperf/iperf.mk
index 7088b0f152..f1e65e7545 100644
--- a/package/iperf/iperf.mk
+++ b/package/iperf/iperf.mk
@@ -8,6 +8,8 @@  IPERF_VERSION = 2.0.13
 IPERF_SITE = http://downloads.sourceforge.net/project/iperf2
 IPERF_LICENSE = MIT-like
 IPERF_LICENSE_FILES = COPYING
+IPERF_CPE_ID_VENDOR = $(IPERF_NAME)2_project
+IPERF_CPE_ID_NAME = $(IPERF_NAME)2
 
 IPERF_CONF_OPTS = \
 	--disable-web100
diff --git a/package/iperf3/iperf3.mk b/package/iperf3/iperf3.mk
index f67fa17022..7d20b86e78 100644
--- a/package/iperf3/iperf3.mk
+++ b/package/iperf3/iperf3.mk
@@ -9,6 +9,7 @@  IPERF3_SITE = https://downloads.es.net/pub/iperf
 IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz
 IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT
 IPERF3_LICENSE_FILES = LICENSE
+IPERF3_CPE_ID_VENDOR = es
 
 IPERF3_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -D_GNU_SOURCE"
 
diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk
index 869763d322..cea3ee0e05 100644
--- a/package/ipset/ipset.mk
+++ b/package/ipset/ipset.mk
@@ -11,6 +11,7 @@  IPSET_DEPENDENCIES = libmnl host-pkgconf
 IPSET_CONF_OPTS = --with-kmod=no
 IPSET_LICENSE = GPL-2.0
 IPSET_LICENSE_FILES = COPYING
+IPSET_CPE_ID_VENDOR = netfilter
 IPSET_INSTALL_STAGING = YES
 
 $(eval $(autotools-package))
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index 442639f159..053d0e3964 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -12,6 +12,7 @@  IPTABLES_DEPENDENCIES = host-pkgconf \
 	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
 IPTABLES_LICENSE = GPL-2.0
 IPTABLES_LICENSE_FILES = COPYING
+IPTABLES_CPE_ID_VENDOR = netfilter
 # Building static causes ugly warnings on some plugins
 IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
 	$(if $(BR2_STATIC_LIBS),,--disable-static)
diff --git a/package/iw/iw.mk b/package/iw/iw.mk
index 2250ea413b..a232cc8baa 100644
--- a/package/iw/iw.mk
+++ b/package/iw/iw.mk
@@ -9,6 +9,7 @@  IW_SOURCE = iw-$(IW_VERSION).tar.xz
 IW_SITE = $(BR2_KERNEL_MIRROR)/software/network/iw
 IW_LICENSE = ISC
 IW_LICENSE_FILES = COPYING
+IW_CPE_ID_VENDOR = kernel
 IW_DEPENDENCIES = host-pkgconf libnl
 IW_MAKE_ENV = \
 	$(TARGET_MAKE_ENV) \
diff --git a/package/kmod/kmod.mk b/package/kmod/kmod.mk
index 69615452cf..d0f26a8841 100644
--- a/package/kmod/kmod.mk
+++ b/package/kmod/kmod.mk
@@ -15,6 +15,8 @@  HOST_KMOD_DEPENDENCIES = host-pkgconf
 KMOD_LICENSE = LGPL-2.1+ (library)
 KMOD_LICENSE_FILES = libkmod/COPYING
 
+KMOD_CPE_ID_VENDOR = kernel
+
 # --gc-sections triggers binutils ld segfault
 # https://sourceware.org/bugzilla/show_bug.cgi?id=21180
 ifeq ($(BR2_microblaze),y)
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index 708ce637c2..71c8a2e4cf 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -9,6 +9,7 @@  LIBARCHIVE_SITE = https://www.libarchive.de/downloads
 LIBARCHIVE_INSTALL_STAGING = YES
 LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
 LIBARCHIVE_LICENSE_FILES = COPYING
+LIBARCHIVE_CPE_ID_VENDOR = $(LIBARCHIVE_NAME)
 
 ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
 ifeq ($(BR2_STATIC_LIBS),y)
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 74ce3be654..40e2c8ec0e 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -12,6 +12,8 @@  LIBCURL_DEPENDENCIES = host-pkgconf \
 	$(if $(BR2_PACKAGE_RTMPDUMP),rtmpdump)
 LIBCURL_LICENSE = curl
 LIBCURL_LICENSE_FILES = COPYING
+LIBCURL_CPE_ID_VENDOR = haxx
+LIBCURL_CPE_ID_NAME = libcurl
 LIBCURL_INSTALL_STAGING = YES
 
 # We disable NTLM support because it uses fork(), which doesn't work
diff --git a/package/libestr/libestr.mk b/package/libestr/libestr.mk
index 30960f7257..6ce22efae2 100644
--- a/package/libestr/libestr.mk
+++ b/package/libestr/libestr.mk
@@ -8,6 +8,7 @@  LIBESTR_VERSION = 0.1.11
 LIBESTR_SITE = http://libestr.adiscon.com/files/download
 LIBESTR_LICENSE = LGPL-2.1+
 LIBESTR_LICENSE_FILES = COPYING
+LIBESTR_CPE_ID_VENDOR = adiscon
 LIBESTR_INSTALL_STAGING = YES
 
 $(eval $(autotools-package))
diff --git a/package/libfastjson/libfastjson.mk b/package/libfastjson/libfastjson.mk
index ecca72f56c..37dbd7e03e 100644
--- a/package/libfastjson/libfastjson.mk
+++ b/package/libfastjson/libfastjson.mk
@@ -12,5 +12,6 @@  LIBFASTJSON_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 LIBFASTJSON_AUTORECONF = YES
 LIBFASTJSON_LICENSE = MIT
 LIBFASTJSON_LICENSE_FILES = COPYING
+LIBFASTJSON_CPE_ID_VENDOR = rsyslog
 
 $(eval $(autotools-package))
diff --git a/package/libfcgi/libfcgi.mk b/package/libfcgi/libfcgi.mk
index c158df2395..c40d9c5970 100644
--- a/package/libfcgi/libfcgi.mk
+++ b/package/libfcgi/libfcgi.mk
@@ -8,6 +8,8 @@  LIBFCGI_VERSION = 2.4.2
 LIBFCGI_SITE = $(call github,FastCGI-Archives,fcgi2,$(LIBFCGI_VERSION))
 LIBFCGI_LICENSE = OML
 LIBFCGI_LICENSE_FILES = LICENSE.TERMS
+LIBFCGI_CPE_ID_VENDOR = fastcgi
+LIBFCGI_CPE_ID_NAME = fcgi
 LIBFCGI_INSTALL_STAGING = YES
 LIBFCGI_AUTORECONF = YES
 
diff --git a/package/libffi/libffi.mk b/package/libffi/libffi.mk
index 722a03dca0..e87a024040 100644
--- a/package/libffi/libffi.mk
+++ b/package/libffi/libffi.mk
@@ -6,6 +6,8 @@ 
 
 LIBFFI_VERSION = 3.3
 LIBFFI_SITE = $(call github,libffi,libffi,v$(LIBFFI_VERSION))
+LIBFFI_CPE_ID_VERSION = 3.3
+LIBFFI_CPE_ID_VERSION_MINOR = rc0
 LIBFFI_LICENSE = MIT
 LIBFFI_LICENSE_FILES = LICENSE
 LIBFFI_INSTALL_STAGING = YES
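Review bot: `LIBFFI_CPE_ID_VERSION = 3.3` repeats the literal from `LIBFFI_VERSION` two lines above it, so a later bump that touches only `LIBFFI_VERSION` leaves the CPE ID at 3.3 and CVE matching runs against the wrong release without any error. Deriving it, `LIBFFI_CPE_ID_VERSION = $(LIBFFI_VERSION)`, removes that drift. `LIBFFI_CPE_ID_VERSION_MINOR = rc0` also needs a comment line above it, because the source is fetched from tag `v$(LIBFFI_VERSION)`, which is 3.3 rather than a release candidate. If `rc0` is there only to mirror how the CPE dictionary names this release, the comment should say so. The first openssh hunk hard-codes `8.3` and `p1` next to `OPENSSH_VERSION = 8.3p1` and has the same staleness risk; a `# keep in sync with OPENSSH_VERSION` line above the pair would at least flag it.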
diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
index b2c1ea3cbe..d928d2fd80 100644
--- a/package/libgcrypt/libgcrypt.mk
+++ b/package/libgcrypt/libgcrypt.mk
@@ -12,6 +12,7 @@  LIBGCRYPT_SITE = https://gnupg.org/ftp/gcrypt/libgcrypt
 LIBGCRYPT_INSTALL_STAGING = YES
 LIBGCRYPT_DEPENDENCIES = libgpg-error
 LIBGCRYPT_CONFIG_SCRIPTS = libgcrypt-config
+LIBGCRYPT_CPE_ID_VENDOR = gnupg
 
 # Patching acinclude.m4 in 0001
 # Patching configure.ac and Makefile.am in 0002
diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
index 6e9dbd7b26..e55540976d 100644
--- a/package/libglib2/libglib2.mk
+++ b/package/libglib2/libglib2.mk
@@ -10,6 +10,8 @@  LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
 LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
 LIBGLIB2_LICENSE = LGPL-2.1+
 LIBGLIB2_LICENSE_FILES = COPYING
+LIBGLIB2_CPE_ID_VENDOR = gnome
+LIBGLIB2_CPE_ID_NAME = glib
 LIBGLIB2_INSTALL_STAGING = YES
 
 LIBGLIB2_CFLAGS = $(TARGET_CFLAGS)
diff --git a/package/libgpg-error/libgpg-error.mk b/package/libgpg-error/libgpg-error.mk
index 6281faa662..05c7f710f2 100644
--- a/package/libgpg-error/libgpg-error.mk
+++ b/package/libgpg-error/libgpg-error.mk
@@ -9,6 +9,7 @@  LIBGPG_ERROR_SITE = https://www.gnupg.org/ftp/gcrypt/libgpg-error
 LIBGPG_ERROR_SOURCE = libgpg-error-$(LIBGPG_ERROR_VERSION).tar.bz2
 LIBGPG_ERROR_LICENSE = GPL-2.0+, LGPL-2.1+
 LIBGPG_ERROR_LICENSE_FILES = COPYING COPYING.LIB
+LIBGPG_ERROR_CPE_ID_VENDOR = gnupg
 LIBGPG_ERROR_INSTALL_STAGING = YES
 LIBGPG_ERROR_CONFIG_SCRIPTS = gpg-error-config
 LIBGPG_ERROR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
diff --git a/package/liblogging/liblogging.mk b/package/liblogging/liblogging.mk
index c756891a86..24375b56b4 100644
--- a/package/liblogging/liblogging.mk
+++ b/package/liblogging/liblogging.mk
@@ -8,6 +8,7 @@  LIBLOGGING_VERSION = 1.0.6
 LIBLOGGING_SITE = http://download.rsyslog.com/liblogging
 LIBLOGGING_LICENSE = BSD-2-Clause
 LIBLOGGING_LICENSE_FILES = COPYING
+LIBLOGGING_CPE_ID_VENDOR = adiscon
 LIBLOGGING_INSTALL_STAGING = YES
 LIBLOGGING_CONF_OPTS = --enable-cached-man-pages
 
diff --git a/package/libmbim/libmbim.mk b/package/libmbim/libmbim.mk
index 05345623bd..4ce3ca892e 100644
--- a/package/libmbim/libmbim.mk
+++ b/package/libmbim/libmbim.mk
@@ -9,6 +9,7 @@  LIBMBIM_SITE = https://www.freedesktop.org/software/libmbim
 LIBMBIM_SOURCE = libmbim-$(LIBMBIM_VERSION).tar.xz
 LIBMBIM_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
 LIBMBIM_LICENSE_FILES = COPYING COPYING.LIB
+LIBMBIM_CPE_ID_VENDOR = freedesktop
 LIBMBIM_INSTALL_STAGING = YES
 
 LIBMBIM_DEPENDENCIES = libglib2
diff --git a/package/libmnl/libmnl.mk b/package/libmnl/libmnl.mk
index 7fcce4c21f..d3b33db2e0 100644
--- a/package/libmnl/libmnl.mk
+++ b/package/libmnl/libmnl.mk
@@ -10,5 +10,6 @@  LIBMNL_SITE = http://netfilter.org/projects/libmnl/files
 LIBMNL_INSTALL_STAGING = YES
 LIBMNL_LICENSE = LGPL-2.1+
 LIBMNL_LICENSE_FILES = COPYING
+LIBMNL_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
index 8beefefb51..0a5a94be8f 100644
--- a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
+++ b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
@@ -11,5 +11,6 @@  LIBNETFILTER_CONNTRACK_INSTALL_STAGING = YES
 LIBNETFILTER_CONNTRACK_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
 LIBNETFILTER_CONNTRACK_LICENSE = GPL-2.0+
 LIBNETFILTER_CONNTRACK_LICENSE_FILES = COPYING
+LIBNETFILTER_CONNTRACK_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
index 61d6acd07c..d74ea4d0fd 100644
--- a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
+++ b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
@@ -12,5 +12,6 @@  LIBNETFILTER_CTHELPER_DEPENDENCIES = host-pkgconf libmnl
 LIBNETFILTER_CTHELPER_AUTORECONF = YES
 LIBNETFILTER_CTHELPER_LICENSE = GPL-2.0+
 LIBNETFILTER_CTHELPER_LICENSE_FILES = COPYING
+LIBNETFILTER_CTHELPER_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
index 9c4c951687..f5c5067b64 100644
--- a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
+++ b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
@@ -12,5 +12,6 @@  LIBNETFILTER_CTTIMEOUT_DEPENDENCIES = host-pkgconf libmnl
 LIBNETFILTER_CTTIMEOUT_AUTORECONF = YES
 LIBNETFILTER_CTTIMEOUT_LICENSE = GPL-2.0+
 LIBNETFILTER_CTTIMEOUT_LICENSE_FILES = COPYING
+LIBNETFILTER_CTTIMEOUT_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnetfilter_queue/libnetfilter_queue.mk b/package/libnetfilter_queue/libnetfilter_queue.mk
index 2bb4dd376d..6cd35baea1 100644
--- a/package/libnetfilter_queue/libnetfilter_queue.mk
+++ b/package/libnetfilter_queue/libnetfilter_queue.mk
@@ -12,5 +12,6 @@  LIBNETFILTER_QUEUE_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
 LIBNETFILTER_QUEUE_AUTORECONF = YES
 LIBNETFILTER_QUEUE_LICENSE = GPL-2.0+
 LIBNETFILTER_QUEUE_LICENSE_FILES = COPYING
+LIBNETFILTER_QUEUE_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libnfnetlink/libnfnetlink.mk b/package/libnfnetlink/libnfnetlink.mk
index 13f5d72c87..a5ad47b85e 100644
--- a/package/libnfnetlink/libnfnetlink.mk
+++ b/package/libnfnetlink/libnfnetlink.mk
@@ -11,5 +11,6 @@  LIBNFNETLINK_AUTORECONF = YES
 LIBNFNETLINK_INSTALL_STAGING = YES
 LIBNFNETLINK_LICENSE = GPL-2.0
 LIBNFNETLINK_LICENSE_FILES = COPYING
+LIBNFNETLINK_CPE_ID_VENDOR = netfilter
 
 $(eval $(autotools-package))
diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 8909e36b9e..dd03de7674 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -45,3 +45,14 @@  config BR2_PACKAGE_LIBOPENSSL_ENGINES
 	  Install additional encryption engine libraries.
 
 endif # BR2_PACKAGE_LIBOPENSSL
+# See package/openssl/Config.in for the actual kconfig
+# of this package. This file provides a URL for CPE use.
+
+#	help
+#	  A collaborative effort to develop a robust, commercial-grade,
+#	  fully featured, and Open Source toolkit implementing the
+#	  Secure Sockets Layer (SSL v2/v3) and Transport Security
+#	  (TLS v1) as well as a full-strength general-purpose
+#	  cryptography library.
+#
+#	  http://www.openssl.org/
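Review bot: The block appended after `endif # BR2_PACKAGE_LIBOPENSSL` is a commented-out `help` text that, per its own first lines, exists so a URL can be picked up for CPE use. Kconfig ignores it, so nothing checks that it stays well-formed or in step with package/openssl/Config.in. The tool that reads it is not visible in this hunk, so the comment should name that consumer and the format it expects, for example `# Parsed by <tool name> to obtain the upstream URL; keep the last line a bare URL.` The URL is also written as `http://`; `https://www.openssl.org/` would be the safer reference if the consumer ever fetches it.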
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index fe5a444cc7..75a7b485ef 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -15,6 +15,8 @@  HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
 LIBOPENSSL_TARGET_ARCH = $(call qstrip,$(BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH))
 LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
 LIBOPENSSL_PROVIDES = openssl
+LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)
+LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)
 
 ifeq ($(BR2_m68k_cf),y)
 # relocation truncated to fit: R_68K_GOT16O
diff --git a/package/libpcap/libpcap.mk b/package/libpcap/libpcap.mk
index 881a109a0a..e323461529 100644
--- a/package/libpcap/libpcap.mk
+++ b/package/libpcap/libpcap.mk
@@ -8,6 +8,7 @@  LIBPCAP_VERSION = 1.9.1
 LIBPCAP_SITE = http://www.tcpdump.org/release
 LIBPCAP_LICENSE = BSD-3-Clause
 LIBPCAP_LICENSE_FILES = LICENSE
+LIBPCAP_CPE_ID_VENDOR = tcpdump
 LIBPCAP_INSTALL_STAGING = YES
 LIBPCAP_DEPENDENCIES = host-flex host-bison
 
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index 8087af539a..fdd13aa942 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -8,6 +8,7 @@  LIBSELINUX_VERSION = 3.1
 LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
 LIBSELINUX_LICENSE = Public Domain
 LIBSELINUX_LICENSE_FILES = LICENSE
+LIBSELINUX_CPE_ID_VENDOR = selinuxproject
 
 LIBSELINUX_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) libsepol pcre
 
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index 3ea0603f53..48e2bbbc8b 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -9,6 +9,7 @@  LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
 LIBSEMANAGE_LICENSE = LGPL-2.1+
 LIBSEMANAGE_LICENSE_FILES = COPYING
 LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
+LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
 LIBSEMANAGE_INSTALL_STAGING = YES
 
 LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index 7d8b7b2063..a4398bdc42 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -8,6 +8,7 @@  LIBSEPOL_VERSION = 3.1
 LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
 LIBSEPOL_LICENSE = LGPL-2.1+
 LIBSEPOL_LICENSE_FILES = COPYING
+LIBSEPOL_CPE_ID_VENDOR = selinuxproject
 
 LIBSEPOL_INSTALL_STAGING = YES
 LIBSEPOL_DEPENDENCIES = host-flex
diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
index c03fe0db55..eb66ab5643 100644
--- a/package/libssh2/libssh2.mk
+++ b/package/libssh2/libssh2.mk
@@ -8,6 +8,7 @@  LIBSSH2_VERSION = 1.9.0
 LIBSSH2_SITE = https://www.libssh2.org/download
 LIBSSH2_LICENSE = BSD
 LIBSSH2_LICENSE_FILES = COPYING
+LIBSSH2_CPE_ID_VENDOR = $(LIBSSH2_NAME)
 LIBSSH2_INSTALL_STAGING = YES
 LIBSSH2_CONF_OPTS = --disable-examples-build
 
diff --git a/package/libsysfs/libsysfs.mk b/package/libsysfs/libsysfs.mk
index 13edc9a4ea..fd8bfa6724 100644
--- a/package/libsysfs/libsysfs.mk
+++ b/package/libsysfs/libsysfs.mk
@@ -10,5 +10,7 @@  LIBSYSFS_SOURCE = sysfsutils-$(LIBSYSFS_VERSION).tar.gz
 LIBSYSFS_INSTALL_STAGING = YES
 LIBSYSFS_LICENSE = GPL-2.0 (utilities), LGPL-2.1+ (library)
 LIBSYSFS_LICENSE_FILES = cmd/GPL lib/LGPL
+LIBSYSFS_CPE_ID_VENDOR = sysfsutils_project
+LIBSYSFS_CPE_ID_NAME = sysfsutils
 
 $(eval $(autotools-package))
diff --git a/package/libtasn1/libtasn1.mk b/package/libtasn1/libtasn1.mk
index d5a6c69965..a354716824 100644
--- a/package/libtasn1/libtasn1.mk
+++ b/package/libtasn1/libtasn1.mk
@@ -9,6 +9,7 @@  LIBTASN1_SITE = $(BR2_GNU_MIRROR)/libtasn1
 LIBTASN1_DEPENDENCIES = host-bison host-pkgconf
 LIBTASN1_LICENSE = GPL-3.0+ (tests, tools), LGPL-2.1+ (library)
 LIBTASN1_LICENSE_FILES = LICENSE doc/COPYING doc/COPYING.LESSER
+LIBTASN1_CPE_ID_VENDOR = gnu
 LIBTASN1_INSTALL_STAGING = YES
 
 # We're patching fuzz/Makefile.am
diff --git a/package/libunistring/libunistring.mk b/package/libunistring/libunistring.mk
index fa51447170..1ed7ecf906 100644
--- a/package/libunistring/libunistring.mk
+++ b/package/libunistring/libunistring.mk
@@ -10,6 +10,7 @@  LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
 LIBUNISTRING_INSTALL_STAGING = YES
 LIBUNISTRING_LICENSE = LGPL-3.0+ or GPL-2.0
 LIBUNISTRING_LICENSE_FILES = COPYING COPYING.LIB
+LIBUNISTRING_CPE_ID_VENDOR = gnu
 
 $(eval $(autotools-package))
 $(eval $(host-autotools-package))
diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
index e9379b05ae..e472970fde 100644
--- a/package/libxml2/libxml2.mk
+++ b/package/libxml2/libxml2.mk
@@ -15,6 +15,7 @@  LIBXML2_IGNORE_CVES += CVE-2020-7595
 LIBXML2_IGNORE_CVES += CVE-2019-20388
 # 0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch
 LIBXML2_IGNORE_CVES += CVE-2020-24977
+LIBXML2_CPE_ID_VENDOR = xmlsoft
 LIBXML2_CONFIG_SCRIPTS = xml2-config
 
 # relocation truncated to fit: R_68K_GOT16O
diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
index 2f37f303ac..3c603ad9f6 100644
--- a/package/libxslt/libxslt.mk
+++ b/package/libxslt/libxslt.mk
@@ -9,6 +9,7 @@  LIBXSLT_SITE = http://xmlsoft.org/sources
 LIBXSLT_INSTALL_STAGING = YES
 LIBXSLT_LICENSE = MIT
 LIBXSLT_LICENSE_FILES = COPYING
+LIBXSLT_CPE_ID_VENDOR = xmlsoft
 
 LIBXSLT_CONF_OPTS = \
 	--with-gnu-ld \
diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
index eea0c12f22..a1e2640bac 100644
--- a/package/libzlib/libzlib.mk
+++ b/package/libzlib/libzlib.mk
@@ -11,6 +11,8 @@  LIBZLIB_LICENSE = Zlib
 LIBZLIB_LICENSE_FILES = README
 LIBZLIB_INSTALL_STAGING = YES
 LIBZLIB_PROVIDES = zlib
+LIBZLIB_CPE_ID_VENDOR = gnu
+LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)
 
 # It is not possible to build only a shared version of zlib, so we build both
 # shared and static, unless we only want the static libs, and we eventually
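Review bot: `LIBZLIB_CPE_ID_VENDOR = gnu` should be checked against the CPE dictionary before merging, because zlib is not a GNU package and nothing in this hunk points to that vendor (the license is `Zlib`, and the product name comes from `LIBZLIB_PROVIDES`). A vendor that does not match the entries CVEs are filed under yields no matches rather than an error, so a wrong value here hides vulnerabilities in a library that most images ship. If `gnu` is deliberate because of how the dictionary names its entries, a comment line above the assignment such as `# CPE dictionary files zlib under vendor "gnu"` would record that. Otherwise use the vendor string the current entries carry.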
diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
index 7181465c66..39600ef94b 100644
--- a/package/lighttpd/lighttpd.mk
+++ b/package/lighttpd/lighttpd.mk
@@ -10,6 +10,7 @@  LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
 LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
 LIGHTTPD_LICENSE = BSD-3-Clause
 LIGHTTPD_LICENSE_FILES = COPYING
+LIGHTTPD_CPE_ID_VENDOR = $(LIGHTTPD_NAME)
 LIGHTTPD_DEPENDENCIES = host-pkgconf
 LIGHTTPD_CONF_OPTS = \
 	--without-wolfssl \
diff --git a/package/linux-firmware/linux-firmware.mk b/package/linux-firmware/linux-firmware.mk
index d9ad942903..368ff83a37 100644
--- a/package/linux-firmware/linux-firmware.mk
+++ b/package/linux-firmware/linux-firmware.mk
@@ -8,6 +8,8 @@  LINUX_FIRMWARE_VERSION = 20200122
 LINUX_FIRMWARE_SITE = http://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
 LINUX_FIRMWARE_SITE_METHOD = git
 
+LINUX_FIRMWARE_CPE_ID_VENDOR = kernel
+
 # Intel SST DSP
 ifeq ($(BR2_PACKAGE_LINUX_FIRMWARE_INTEL_SST_DSP),y)
 LINUX_FIRMWARE_FILES += intel/fw_sst_0f28.bin-48kHz_i2s_master
diff --git a/package/linux-headers/linux-headers.mk b/package/linux-headers/linux-headers.mk
index 4c3cb716b3..4496295f2a 100644
--- a/package/linux-headers/linux-headers.mk
+++ b/package/linux-headers/linux-headers.mk
@@ -102,6 +102,8 @@  LINUX_HEADERS_LICENSE_FILES = \
 	LICENSES/preferred/GPL-2.0 \
 	LICENSES/exceptions/Linux-syscall-note
 endif
+LINUX_HEADERS_CPE_ID_VENDOR = linux
+LINUX_HEADERS_CPE_ID_NAME = linux_kernel
 
 LINUX_HEADERS_INSTALL_STAGING = YES
 
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 57fb2c9cfd..ecd4a723c4 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -23,6 +23,8 @@  LINUX_PAM_LICENSE_FILES = Copyright
 # We're patching configure.ac
 LINUX_PAM_AUTORECONF = YES
 LINUX_PAM_MAKE_OPTS += LIBS=$(TARGET_NLS_LIBS)
+LINUX_PAM_CPE_ID_VENDOR = $(LINUX_PAM_NAME)
+LINUX_PAM_CPE_ID_NAME = $(LINUX_PAM_NAME)
 
 ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
 LINUX_PAM_CONF_OPTS += --enable-selinux
diff --git a/package/llvm/llvm.mk b/package/llvm/llvm.mk
index 24d033d124..177fff71bb 100644
--- a/package/llvm/llvm.mk
+++ b/package/llvm/llvm.mk
@@ -10,6 +10,7 @@  LLVM_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLV
 LLVM_SOURCE = llvm-$(LLVM_VERSION).src.tar.xz
 LLVM_LICENSE = Apache-2.0 with exceptions
 LLVM_LICENSE_FILES = LICENSE.TXT
+LLVM_CPE_ID_VENDOR = $(LLVM_NAME)
 LLVM_SUPPORTS_IN_SOURCE_BUILD = NO
 LLVM_INSTALL_STAGING = YES
 
diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
index b067f145e3..576036e246 100644
--- a/package/lxc/lxc.mk
+++ b/package/lxc/lxc.mk
@@ -8,6 +8,7 @@  LXC_VERSION = 4.0.5
 LXC_SITE = https://linuxcontainers.org/downloads/lxc
 LXC_LICENSE = GPL-2.0 (some tools), LGPL-2.1+
 LXC_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1
+LXC_CPE_ID_VENDOR = linuxcontainers
 LXC_DEPENDENCIES = host-pkgconf
 LXC_INSTALL_STAGING = YES
 
diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index fa309e8dbb..7c91b6eecc 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -9,6 +9,7 @@  LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
 LZ4_INSTALL_STAGING = YES
 LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
 LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
+LZ4_CPE_ID_VENDOR = yann_collet
 
 # CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
 # 1.9.2, while in fact this issue has been fixed since lz4-r130:
diff --git a/package/memtester/memtester.mk b/package/memtester/memtester.mk
index 1a319462a5..49cc935f39 100644
--- a/package/memtester/memtester.mk
+++ b/package/memtester/memtester.mk
@@ -8,6 +8,7 @@  MEMTESTER_VERSION = 4.5.0
 MEMTESTER_SITE = http://pyropus.ca/software/memtester/old-versions
 MEMTESTER_LICENSE = GPL-2.0
 MEMTESTER_LICENSE_FILES = COPYING
+MEMTESTER_CPE_ID_VENDOR = pryopus
 
 MEMTESTER_TARGET_INSTALL_OPTS = INSTALLPATH=$(TARGET_DIR)/usr
 
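Review bot: `MEMTESTER_CPE_ID_VENDOR = pryopus` appears to have two letters transposed, since `MEMTESTER_SITE` in the same hunk points at `pyropus.ca`. A misspelled vendor never matches a dictionary entry, so the package would be reported as having no known CVEs instead of failing loudly. Unless the CPE dictionary really uses this spelling, the line should read `MEMTESTER_CPE_ID_VENDOR = pyropus`.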
diff --git a/package/mii-diag/mii-diag.mk b/package/mii-diag/mii-diag.mk
index 6efd5be80d..a7c6483221 100644
--- a/package/mii-diag/mii-diag.mk
+++ b/package/mii-diag/mii-diag.mk
@@ -10,6 +10,7 @@  MII_DIAG_PATCH = mii-diag_$(MII_DIAG_VERSION)-3.diff.gz
 MII_DIAG_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/m/mii-diag
 MII_DIAG_LICENSE = GPL # No version specified
 MII_DIAG_LICENSE_FILES = mii-diag.c
+MII_DIAG_CPE_ID_VENDOR = debian
 
 MII_DIAG_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
 
diff --git a/package/mpfr/mpfr.mk b/package/mpfr/mpfr.mk
index ef2999eb16..837aff3aa5 100644
--- a/package/mpfr/mpfr.mk
+++ b/package/mpfr/mpfr.mk
@@ -9,6 +9,7 @@  MPFR_SITE = http://www.mpfr.org/mpfr-$(MPFR_VERSION)
 MPFR_SOURCE = mpfr-$(MPFR_VERSION).tar.xz
 MPFR_LICENSE = LGPL-3.0+
 MPFR_LICENSE_FILES = COPYING.LESSER
+MPFR_CPE_ID_VENDOR = gnu
 MPFR_INSTALL_STAGING = YES
 MPFR_DEPENDENCIES = gmp
 HOST_MPFR_DEPENDENCIES = host-gmp
diff --git a/package/mrouted/mrouted.mk b/package/mrouted/mrouted.mk
index ae2f8a4e20..4e3715b445 100644
--- a/package/mrouted/mrouted.mk
+++ b/package/mrouted/mrouted.mk
@@ -11,6 +11,7 @@  MROUTED_DEPENDENCIES = host-bison
 MROUTED_LICENSE = BSD-3-Clause
 MROUTED_LICENSE_FILES = LICENSE
 MROUTED_CONFIGURE_OPTS = --enable-rsrr
+MROUTED_CPE_ID_VENDOR = troglobit
 
 define MROUTED_INSTALL_INIT_SYSTEMD
 	$(INSTALL) -D -m 644 $(@D)/mrouted.service \
diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
index 9f259b35d9..d0e70b8c8b 100644
--- a/package/mtd/mtd.mk
+++ b/package/mtd/mtd.mk
@@ -9,6 +9,8 @@  MTD_SOURCE = mtd-utils-$(MTD_VERSION).tar.bz2
 MTD_SITE = ftp://ftp.infradead.org/pub/mtd-utils
 MTD_LICENSE = GPL-2.0
 MTD_LICENSE_FILES = COPYING
+MTD_CPE_ID_VENDOR = mtd-utils_project
+MTD_CPE_ID_NAME = mtd-utils
 MTD_INSTALL_STAGING = YES
 
 ifeq ($(BR2_PACKAGE_MTD_JFFS_UTILS),y)
diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
index c11650c766..5c5e497488 100644
--- a/package/ncurses/ncurses.mk
+++ b/package/ncurses/ncurses.mk
@@ -10,6 +10,7 @@  NCURSES_INSTALL_STAGING = YES
 NCURSES_DEPENDENCIES = host-ncurses
 NCURSES_LICENSE = MIT with advertising clause
 NCURSES_LICENSE_FILES = COPYING
+NCURSES_CPE_ID_VENDOR = gnu
 NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
 NCURSES_PATCH = \
 	$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
index 904279d1fb..09ca33f754 100644
--- a/package/netsnmp/netsnmp.mk
+++ b/package/netsnmp/netsnmp.mk
@@ -9,6 +9,8 @@  NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NET
 NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
 NETSNMP_LICENSE = Various BSD-like
 NETSNMP_LICENSE_FILES = COPYING
+NETSNMP_CPE_ID_VENDOR = net-snmp
+NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR)
 NETSNMP_INSTALL_STAGING = YES
 NETSNMP_CONF_ENV = ac_cv_NETSNMP_CAN_USE_SYSCTL=no
 NETSNMP_CONF_OPTS = \
diff --git a/package/nfs-utils/nfs-utils.mk b/package/nfs-utils/nfs-utils.mk
index d60b5055a0..df581b381f 100644
--- a/package/nfs-utils/nfs-utils.mk
+++ b/package/nfs-utils/nfs-utils.mk
@@ -10,6 +10,8 @@  NFS_UTILS_SITE = https://www.kernel.org/pub/linux/utils/nfs-utils/$(NFS_UTILS_VE
 NFS_UTILS_LICENSE = GPL-2.0+
 NFS_UTILS_LICENSE_FILES = COPYING
 NFS_UTILS_DEPENDENCIES = host-nfs-utils host-pkgconf libtirpc
+NFS_UTILS_CPE_ID_VENDOR = linux-nfs
+NFS_UTILS_AUTORECONF = YES
 
 NFS_UTILS_CONF_ENV = knfsd_cv_bsd_signals=no
 
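Review bot: `NFS_UTILS_AUTORECONF = YES` is added next to the CPE vendor, but the commit message describes only CPE ID information and the hunk shows no patch to configure.ac or Makefile.am that would need it. Enabling autoreconf changes how the package is configured and built, with a regenerated configure script and extra host autotools dependencies. That is a behavioural change hidden in a metadata commit. Drop the line from this patch, or move it to its own commit with a comment naming the patch that requires it.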
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 64ac22181b..c8937229ab 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -5,6 +5,8 @@ 
 ################################################################################
 
 OPENSSH_VERSION = 8.3p1
+OPENSSH_CPE_ID_VERSION = 8.3
+OPENSSH_CPE_ID_VERSION_MINOR = p1
 OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
 OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
 OPENSSH_LICENSE_FILES = LICENCE
@@ -12,6 +14,7 @@  OPENSSH_CONF_ENV = \
 	LD="$(TARGET_CC)" \
 	LDFLAGS="$(TARGET_CFLAGS)" \
 	LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
+OPENSSH_CPE_ID_VENDOR = openbsd
 OPENSSH_CONF_OPTS = \
 	--sysconfdir=/etc/ssh \
 	--with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
diff --git a/package/pax-utils/pax-utils.mk b/package/pax-utils/pax-utils.mk
index 502fc87446..704e50e738 100644
--- a/package/pax-utils/pax-utils.mk
+++ b/package/pax-utils/pax-utils.mk
@@ -9,6 +9,7 @@  PAX_UTILS_SITE = http://distfiles.gentoo.org/distfiles
 PAX_UTILS_SOURCE = pax-utils-$(PAX_UTILS_VERSION).tar.xz
 PAX_UTILS_LICENSE = GPL-2.0
 PAX_UTILS_LICENSE_FILES = COPYING
+PAX_UTILS_CPE_ID_VENDOR = gentoo
 
 PAX_UTILS_DEPENDENCIES = host-pkgconf
 PAX_UTILS_CONF_OPTS = --without-python
diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
index e632e222c3..1b8d6699b6 100644
--- a/package/paxtest/paxtest.mk
+++ b/package/paxtest/paxtest.mk
@@ -8,6 +8,7 @@  PAXTEST_VERSION = 0.9.15
 PAXTEST_SITE = https://www.grsecurity.net/~spender
 PAXTEST_LICENSE = GPL-2.0+
 PAXTEST_LICENSE_FILES = README
+PAXTEST_CPE_ID_VENDOR = grsecurity
 
 define PAXTEST_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
index 3c280e593f..b37a2ca9b7 100644
--- a/package/pcre/pcre.mk
+++ b/package/pcre/pcre.mk
@@ -9,6 +9,7 @@  PCRE_SITE = https://ftp.pcre.org/pub/pcre
 PCRE_SOURCE = pcre-$(PCRE_VERSION).tar.bz2
 PCRE_LICENSE = BSD-3-Clause
 PCRE_LICENSE_FILES = LICENCE
+PCRE_CPE_ID_VENDOR = $(PCRE_NAME)
 PCRE_INSTALL_STAGING = YES
 PCRE_CONFIG_SCRIPTS = pcre-config
 
diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
index a446ebca46..52d4e36f2e 100644
--- a/package/pixman/pixman.mk
+++ b/package/pixman/pixman.mk
@@ -9,6 +9,7 @@  PIXMAN_SOURCE = pixman-$(PIXMAN_VERSION).tar.xz
 PIXMAN_SITE = https://xorg.freedesktop.org/releases/individual/lib
 PIXMAN_LICENSE = MIT
 PIXMAN_LICENSE_FILES = COPYING
+PIXMAN_CPE_ID_VENDOR = $(PIXMAN_NAME)
 
 PIXMAN_INSTALL_STAGING = YES
 PIXMAN_DEPENDENCIES = host-pkgconf
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 4c0fdc71a7..0dfdc7af03 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -8,6 +8,7 @@  POLICYCOREUTILS_VERSION = 3.1
 POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/20200710
 POLICYCOREUTILS_LICENSE = GPL-2.0
 POLICYCOREUTILS_LICENSE_FILES = COPYING
+POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
 
 POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
 POLICYCOREUTILS_MAKE_OPTS = LDLIBS=$(TARGET_NLS_LIBS)
diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk
index 685666a200..118f9fc334 100644
--- a/package/pppd/pppd.mk
+++ b/package/pppd/pppd.mk
@@ -10,6 +10,8 @@  PPPD_LICENSE = LGPL-2.0+, LGPL, BSD-4-Clause, BSD-3-Clause, GPL-2.0+
 PPPD_LICENSE_FILES = \
 	pppd/tdb.c pppd/plugins/pppoatm/COPYING \
 	pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c
+PPPD_CPE_ID_VENDOR = samba
+PPPD_CPE_ID_NAME = ppp
 
 # 0001-pppd-Fix-bounds-check.patch
 PPPD_IGNORE_CVES += CVE-2020-8597
diff --git a/package/proftpd/proftpd.mk b/package/proftpd/proftpd.mk
index e126d0e0a4..94276233c8 100644
--- a/package/proftpd/proftpd.mk
+++ b/package/proftpd/proftpd.mk
@@ -8,6 +8,7 @@  PROFTPD_VERSION = 1.3.6c
 PROFTPD_SITE = $(call github,proftpd,proftpd,v$(PROFTPD_VERSION))
 PROFTPD_LICENSE = GPL-2.0+
 PROFTPD_LICENSE_FILES = COPYING
+PROFTPD_CPE_ID_VENDOR = $(PROFTPD_NAME)
 
 PROFTPD_CONF_ENV = \
 	ac_cv_func_setpgrp_void=yes \
diff --git a/package/protobuf/protobuf.mk b/package/protobuf/protobuf.mk
index 5f2690603d..773a7bd0f0 100644
--- a/package/protobuf/protobuf.mk
+++ b/package/protobuf/protobuf.mk
@@ -12,6 +12,7 @@  PROTOBUF_SOURCE = protobuf-cpp-$(PROTOBUF_VERSION).tar.gz
 PROTOBUF_SITE = https://github.com/google/protobuf/releases/download/v$(PROTOBUF_VERSION)
 PROTOBUF_LICENSE = BSD-3-Clause
 PROTOBUF_LICENSE_FILES = LICENSE
+PROTOBUF_CPE_ID_VENDOR = google
 
 # N.B. Need to use host protoc during cross compilation.
 PROTOBUF_DEPENDENCIES = host-protobuf
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 7b7c7d9637..7e3d18b433 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -9,6 +9,7 @@  PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
 PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
 PURE_FTPD_LICENSE = ISC
 PURE_FTPD_LICENSE_FILES = COPYING
+PURE_FTPD_CPE_ID_VENDOR = pureftpd
 PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
 
 # 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
index 7e727a6753..0b95cf4dc6 100644
--- a/package/python-lxml/python-lxml.mk
+++ b/package/python-lxml/python-lxml.mk
@@ -15,6 +15,8 @@  PYTHON_LXML_LICENSE_FILES = \
 	doc/licenses/BSD.txt \
 	doc/licenses/elementtree.txt \
 	src/lxml/isoschematron/resources/rng/iso-schematron.rng
+PYTHON_LXML_CPE_ID_VENDOR = lxml
+PYTHON_LXML_CPE_ID_NAME = lxml
 
 # python-lxml can use either setuptools, or distutils as a fallback.
 # So, we use setuptools.
diff --git a/package/python-setuptools/python-setuptools.mk b/package/python-setuptools/python-setuptools.mk
index 2cb575ae22..ade5ca5521 100644
--- a/package/python-setuptools/python-setuptools.mk
+++ b/package/python-setuptools/python-setuptools.mk
@@ -11,6 +11,8 @@  PYTHON_SETUPTOOLS_SOURCE = setuptools-$(PYTHON_SETUPTOOLS_VERSION).zip
 PYTHON_SETUPTOOLS_SITE = https://files.pythonhosted.org/packages/b0/f3/44da7482ac6da3f36f68e253cb04de37365b3dba9036a3c70773b778b485
 PYTHON_SETUPTOOLS_LICENSE = MIT
 PYTHON_SETUPTOOLS_LICENSE_FILES = LICENSE
+PYTHON_SETUPTOOLS_CPE_ID_VENDOR = python
+PYTHON_SETUPTOOLS_CPE_ID_NAME = setuptools
 PYTHON_SETUPTOOLS_SETUP_TYPE = setuptools
 HOST_PYTHON_SETUPTOOLS_NEEDS_HOST_PYTHON = python2
 
diff --git a/package/python/python.mk b/package/python/python.mk
index 10718f4358..6240cb6c2f 100644
--- a/package/python/python.mk
+++ b/package/python/python.mk
@@ -10,6 +10,7 @@  PYTHON_SOURCE = Python-$(PYTHON_VERSION).tar.xz
 PYTHON_SITE = https://python.org/ftp/python/$(PYTHON_VERSION)
 PYTHON_LICENSE = Python-2.0, others
 PYTHON_LICENSE_FILES = LICENSE
+PYTHON_CPE_ID_VENDOR = $(PYTHON_NAME)
 PYTHON_LIBTOOL_PATCH = NO
 
 # Python needs itself to be built, so in order to cross-compile
diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
index 69850ec938..a4b5688605 100644
--- a/package/qemu/qemu.mk
+++ b/package/qemu/qemu.mk
@@ -12,6 +12,7 @@  QEMU_LICENSE_FILES = COPYING COPYING.LIB
 # NOTE: there is no top-level license file for non-(L)GPL licenses;
 #       the non-(L)GPL license texts are specified in the affected
 #       individual source files.
+QEMU_CPE_ID_VENDOR = $(QEMU_NAME)
 
 #-------------------------------------------------------------
 # Target-qemu
diff --git a/package/rapidjson/rapidjson.mk b/package/rapidjson/rapidjson.mk
index 9f1c82ce40..d3bcef7df1 100644
--- a/package/rapidjson/rapidjson.mk
+++ b/package/rapidjson/rapidjson.mk
@@ -8,6 +8,7 @@  RAPIDJSON_VERSION = 1.1.0
 RAPIDJSON_SITE = $(call github,miloyip,rapidjson,v$(RAPIDJSON_VERSION))
 RAPIDJSON_LICENSE = MIT
 RAPIDJSON_LICENSE_FILES = license.txt
+RAPIDJSON_CPE_ID_VENDOR = tencent
 
 # rapidjson is a header-only C++ library
 RAPIDJSON_INSTALL_TARGET = NO
diff --git a/package/readline/readline.mk b/package/readline/readline.mk
index f5d7d5bf9e..04872ac868 100644
--- a/package/readline/readline.mk
+++ b/package/readline/readline.mk
@@ -14,6 +14,7 @@  READLINE_CONF_ENV = bash_cv_func_sigsetjmp=yes \
 READLINE_CONF_OPTS = --disable-install-examples
 READLINE_LICENSE = GPL-3.0+
 READLINE_LICENSE_FILES = COPYING
+READLINE_CPE_ID_VENDOR = gnu
 
 define READLINE_INSTALL_INPUTRC
 	$(INSTALL) -D -m 644 package/readline/inputrc $(TARGET_DIR)/etc/inputrc
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 0e94b72826..90b555d859 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -6,6 +6,7 @@ 
 
 REFPOLICY_LICENSE = GPL-2.0
 REFPOLICY_LICENSE_FILES = COPYING
+REFPOLICY_CPE_ID_VENDOR = tresys
 REFPOLICY_INSTALL_STAGING = YES
 REFPOLICY_DEPENDENCIES = \
 	host-m4 \
diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 50f3328493..040b33795e 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -8,6 +8,7 @@  RSYSLOG_VERSION = 8.2004.0
 RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
 RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
 RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
+RSYSLOG_CPE_ID_VENDOR = $(RSYSLOG_NAME)
 RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
 RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
 RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
diff --git a/package/rt-tests/rt-tests.mk b/package/rt-tests/rt-tests.mk
index 26c257213b..d4fdab0f5d 100644
--- a/package/rt-tests/rt-tests.mk
+++ b/package/rt-tests/rt-tests.mk
@@ -10,6 +10,7 @@  RT_TESTS_VERSION = 1.9
 RT_TESTS_LICENSE = GPL-2.0+
 RT_TESTS_LICENSE_FILES = COPYING
 RT_TESTS_DEPENDENCIES = numactl
+RT_TESTS_CPE_ID_VENDOR = kernel
 
 define RT_TESTS_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
diff --git a/package/sed/sed.mk b/package/sed/sed.mk
index 6bb3220553..64fb2035b0 100644
--- a/package/sed/sed.mk
+++ b/package/sed/sed.mk
@@ -9,6 +9,7 @@  SED_SOURCE = sed-$(SED_VERSION).tar.xz
 SED_SITE = $(BR2_GNU_MIRROR)/sed
 SED_LICENSE = GPL-3.0
 SED_LICENSE_FILES = COPYING
+SED_CPE_ID_VENDOR = gnu
 
 SED_CONF_OPTS = \
 	--bindir=/bin \
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
index c1a3a909cb..a07b1367a2 100644
--- a/package/setools/setools.mk
+++ b/package/setools/setools.mk
@@ -10,6 +10,7 @@  SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-fle
 SETOOLS_INSTALL_STAGING = YES
 SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
 SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
+SETOOLS_CPE_ID_VENDOR = selinuxproject
 SETOOLS_SETUP_TYPE = setuptools
 HOST_SETOOLS_DEPENDENCIES = host-python3-cython host-libselinux host-libsepol host-python-networkx
 HOST_SETOOLS_NEEDS_HOST_PYTHON = python3
diff --git a/package/setserial/setserial.mk b/package/setserial/setserial.mk
index 66ca59d79d..2e29e4c803 100644
--- a/package/setserial/setserial.mk
+++ b/package/setserial/setserial.mk
@@ -10,6 +10,7 @@  SETSERIAL_SOURCE = setserial_$(SETSERIAL_VERSION).orig.tar.gz
 SETSERIAL_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/s/setserial
 SETSERIAL_LICENSE = GPL-2.0
 SETSERIAL_LICENSE_FILES = debian/copyright
+
 # make all also builds setserial.cat which needs nroff
 SETSERIAL_MAKE_OPTS = setserial
 
diff --git a/package/smcroute/smcroute.mk b/package/smcroute/smcroute.mk
index 1a36c75d47..0db0e084f6 100644
--- a/package/smcroute/smcroute.mk
+++ b/package/smcroute/smcroute.mk
@@ -9,6 +9,7 @@  SMCROUTE_SOURCE = smcroute-$(SMCROUTE_VERSION).tar.xz
 SMCROUTE_SITE = https://github.com/troglobit/smcroute/releases/download/$(SMCROUTE_VERSION)
 SMCROUTE_LICENSE = GPL-2.0+
 SMCROUTE_LICENSE_FILES = COPYING
+SMCROUTE_CPE_ID_VENDOR = troglobit
 
 SMCROUTE_CONF_OPTS = ac_cv_func_setpgrp_void=yes
 #BUG:The package Makefile uses CC?= even though the package is autotools based
diff --git a/package/spawn-fcgi/spawn-fcgi.mk b/package/spawn-fcgi/spawn-fcgi.mk
index ed97d0a7b4..8caa1e2b3c 100644
--- a/package/spawn-fcgi/spawn-fcgi.mk
+++ b/package/spawn-fcgi/spawn-fcgi.mk
@@ -9,5 +9,6 @@  SPAWN_FCGI_SITE = http://www.lighttpd.net/download
 SPAWN_FCGI_SOURCE = spawn-fcgi-$(SPAWN_FCGI_VERSION).tar.bz2
 SPAWN_FCGI_LICENSE = BSD-3-Clause
 SPAWN_FCGI_LICENSE_FILES = COPYING
+SPAWN_FCGI_CPE_ID_VENDOR = lighttpd
 
 $(eval $(autotools-package))
diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index c8b9ba3150..796292178c 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -5,11 +5,13 @@ 
 ################################################################################
 
 SQLITE_VERSION = 3320300
+SQLITE_CPE_ID_VERSION = 3.31.1
 SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz
 SQLITE_SITE = https://www.sqlite.org/2020
 SQLITE_LICENSE = Public domain
 SQLITE_LICENSE_FILES = tea/license.terms
 SQLITE_INSTALL_STAGING = YES
+SQLITE_CPE_ID_VENDOR = $(SQLITE_NAME)
 
 ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y)
 SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4
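Review bot: `SQLITE_CPE_ID_VERSION = 3.31.1` does not match `SQLITE_VERSION = 3320300` on the line above it, which in SQLite's tarball numbering corresponds to 3.32.3. Any CVE matching done against the CPE version would evaluate the wrong release, reporting issues that are already fixed and possibly missing ones that only affect the newer version. Suggest `SQLITE_CPE_ID_VERSION = 3.32.3` preceded by `# Dotted form of SQLITE_VERSION; update both together`, since the two values have to be kept in sync by hand.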
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index a0290c5bf6..e0e8bb0ce8 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -9,6 +9,7 @@  STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2
 STRONGSWAN_SITE = http://download.strongswan.org
 STRONGSWAN_LICENSE = GPL-2.0+
 STRONGSWAN_LICENSE_FILES = COPYING LICENSE
+STRONGSWAN_CPE_ID_VENDOR = $(STRONGSWAN_NAME)
 STRONGSWAN_DEPENDENCIES = host-pkgconf
 STRONGSWAN_INSTALL_STAGING = YES
 STRONGSWAN_CONF_OPTS += \
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 9e0a40e561..643eff1cbc 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -12,6 +12,7 @@  TAR_SITE = $(BR2_GNU_MIRROR)/tar
 TAR_CONF_OPTS = --exec-prefix=/
 TAR_LICENSE = GPL-3.0+
 TAR_LICENSE_FILES = COPYING
+TAR_CPE_ID_VENDOR = gnu
 
 ifeq ($(BR2_PACKAGE_ACL),y)
 TAR_DEPENDENCIES += acl
diff --git a/package/tcl/tcl.mk b/package/tcl/tcl.mk
index 6d750b3cd2..913891e897 100644
--- a/package/tcl/tcl.mk
+++ b/package/tcl/tcl.mk
@@ -10,6 +10,7 @@  TCL_SOURCE = tcl$(TCL_VERSION)-src.tar.gz
 TCL_SITE = http://downloads.sourceforge.net/project/tcl/Tcl/$(TCL_VERSION)
 TCL_LICENSE = TCL
 TCL_LICENSE_FILES = license.terms
+TCL_CPE_ID_VENDOR = $(TCL_NAME)
 TCL_SUBDIR = unix
 TCL_INSTALL_STAGING = YES
 TCL_AUTORECONF = YES
diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk
index 01a46b9b5f..9687e3c497 100644
--- a/package/tcpdump/tcpdump.mk
+++ b/package/tcpdump/tcpdump.mk
@@ -8,6 +8,7 @@  TCPDUMP_VERSION = 4.9.3
 TCPDUMP_SITE = http://www.tcpdump.org/release
 TCPDUMP_LICENSE = BSD-3-Clause
 TCPDUMP_LICENSE_FILES = LICENSE
+TCPDUMP_CPE_ID_VENDOR = $(TCPDUMP_NAME)
 TCPDUMP_CONF_ENV = \
 	ac_cv_linux_vers=2 \
 	td_cv_buggygetaddrinfo=no \
diff --git a/package/tftpd/tftpd.mk b/package/tftpd/tftpd.mk
index 57905fda05..301a222e39 100644
--- a/package/tftpd/tftpd.mk
+++ b/package/tftpd/tftpd.mk
@@ -10,6 +10,8 @@  TFTPD_SITE = $(BR2_KERNEL_MIRROR)/software/network/tftp/tftp-hpa
 TFTPD_CONF_OPTS = --without-tcpwrappers
 TFTPD_LICENSE = BSD-4-Clause
 TFTPD_LICENSE_FILES = tftpd/tftpd.c
+TFTPD_CPE_ID_VENDOR = $(TFTPD_NAME)-hpa_project
+TFTPD_CPE_ID_NAME = $(TFTPD_NAME)-hpa
 
 define TFTPD_INSTALL_TARGET_CMDS
 	$(INSTALL) -D $(@D)/tftp/tftp $(TARGET_DIR)/usr/bin/tftp
diff --git a/package/uboot-tools/uboot-tools.mk b/package/uboot-tools/uboot-tools.mk
index 6aa7cba2dd..3a8e21ec9b 100644
--- a/package/uboot-tools/uboot-tools.mk
+++ b/package/uboot-tools/uboot-tools.mk
@@ -9,6 +9,8 @@  UBOOT_TOOLS_SOURCE = u-boot-$(UBOOT_TOOLS_VERSION).tar.bz2
 UBOOT_TOOLS_SITE = ftp://ftp.denx.de/pub/u-boot
 UBOOT_TOOLS_LICENSE = GPL-2.0+
 UBOOT_TOOLS_LICENSE_FILES = Licenses/gpl-2.0.txt
+UBOOT_TOOLS_CPE_ID_VENDOR = denx
+UBOOT_TOOLS_CPE_ID_NAME = u-boot
 UBOOT_TOOLS_INSTALL_STAGING = YES
 
 # u-boot 2020.01+ needs make 4.0+
diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index 0b29ef4d6f..46d7474b7f 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -23,6 +23,7 @@  UTIL_LINUX_LICENSE_FILES = README.licensing \
 	Documentation/licenses/COPYING.ISC \
 	Documentation/licenses/COPYING.LGPL-2.1-or-later
 
+UTIL_LINUX_CPE_ID_VENDOR = kernel
 UTIL_LINUX_INSTALL_STAGING = YES
 UTIL_LINUX_DEPENDENCIES = \
 	host-pkgconf \
diff --git a/package/valgrind/valgrind.mk b/package/valgrind/valgrind.mk
index 7fd3278614..7d0070a974 100644
--- a/package/valgrind/valgrind.mk
+++ b/package/valgrind/valgrind.mk
@@ -9,6 +9,7 @@  VALGRIND_SITE = https://sourceware.org/pub/valgrind
 VALGRIND_SOURCE = valgrind-$(VALGRIND_VERSION).tar.bz2
 VALGRIND_LICENSE = GPL-2.0, GFDL-1.2
 VALGRIND_LICENSE_FILES = COPYING COPYING.DOCS
+VALGRIND_CPE_ID_VENDOR = $(VALGRIND_NAME)
 VALGRIND_CONF_OPTS = \
 	--disable-ubsan \
 	--without-mpicc
diff --git a/package/vim/vim.mk b/package/vim/vim.mk
index 1fbb6a6b86..2bd3d437e4 100644
--- a/package/vim/vim.mk
+++ b/package/vim/vim.mk
@@ -23,6 +23,7 @@  VIM_CONF_ENV = \
 VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
 VIM_LICENSE = Charityware
 VIM_LICENSE_FILES = README.txt
+VIM_CPE_ID_VENDOR = $(VIM_NAME)
 
 ifeq ($(BR2_PACKAGE_ACL),y)
 VIM_CONF_OPTS += --enable-acl
diff --git a/package/wget/wget.mk b/package/wget/wget.mk
index ed3f1fdff9..65c132e453 100644
--- a/package/wget/wget.mk
+++ b/package/wget/wget.mk
@@ -10,6 +10,7 @@  WGET_SITE = $(BR2_GNU_MIRROR)/wget
 WGET_DEPENDENCIES = host-pkgconf
 WGET_LICENSE = GPL-3.0+
 WGET_LICENSE_FILES = COPYING
+WGET_CPE_ID_VENDOR = gnu
 
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 WGET_CONF_OPTS += --with-ssl=gnutls
diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk
index 52a0e0cffc..aaab7fc28b 100644
--- a/package/wireless-regdb/wireless-regdb.mk
+++ b/package/wireless-regdb/wireless-regdb.mk
@@ -9,6 +9,7 @@  WIRELESS_REGDB_SOURCE = wireless-regdb-$(WIRELESS_REGDB_VERSION).tar.xz
 WIRELESS_REGDB_SITE = $(BR2_KERNEL_MIRROR)/software/network/wireless-regdb
 WIRELESS_REGDB_LICENSE = ISC
 WIRELESS_REGDB_LICENSE_FILES = LICENSE
+WIRELESS_REGDB_CPE_ID_VENDOR = kernel
 
 ifeq ($(BR2_PACKAGE_CRDA),y)
 define  WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS
diff --git a/package/wireless_tools/wireless_tools.mk b/package/wireless_tools/wireless_tools.mk
index b87ab20fb2..01d03218d6 100644
--- a/package/wireless_tools/wireless_tools.mk
+++ b/package/wireless_tools/wireless_tools.mk
@@ -10,6 +10,8 @@  WIRELESS_TOOLS_SITE = https://hewlettpackard.github.io/wireless-tools
 WIRELESS_TOOLS_SOURCE = wireless_tools.$(WIRELESS_TOOLS_VERSION).tar.gz
 WIRELESS_TOOLS_LICENSE = GPL-2.0
 WIRELESS_TOOLS_LICENSE_FILES = COPYING
+WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR)
+WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9
 WIRELESS_TOOLS_INSTALL_STAGING = YES
 
 WIRELESS_TOOLS_BUILD_TARGETS = iwmulticall
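Review bot: `WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9` hard-codes a suffix that presumably also appears in `WIRELESS_TOOLS_VERSION`, which is defined above this hunk and not visible here, so a version bump can leave it stale. `$(WIRELESS_TOOLS_VERSION_MAJOR)` is likewise defined outside the hunk; if it were ever renamed, the CPE version would expand to an empty string without any error. A comment such as `# CPE splits the version into major and update parts; keep in sync with WIRELESS_TOOLS_VERSION` would make the coupling explicit. Unlike most packages in this patch no `_CPE_ID_VENDOR` is set, so it is worth confirming that the infrastructure's default vendor is the intended one.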
diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 7170db0d07..955f7fb98f 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -8,6 +8,7 @@  WPA_SUPPLICANT_VERSION = 2.9
 WPA_SUPPLICANT_SITE = http://w1.fi/releases
 WPA_SUPPLICANT_LICENSE = BSD-3-Clause
 WPA_SUPPLICANT_LICENSE_FILES = README
+WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi
 WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config
 WPA_SUPPLICANT_SUBDIR = wpa_supplicant
 WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk
index ae42b1e62f..5caf421132 100644
--- a/package/xerces/xerces.mk
+++ b/package/xerces/xerces.mk
@@ -9,6 +9,8 @@  XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz
 XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources
 XERCES_LICENSE = Apache-2.0
 XERCES_LICENSE_FILES = LICENSE
+XERCES_CPE_ID_VENDOR = apache
+XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+
 XERCES_INSTALL_STAGING = YES
 
 define XERCES_DISABLE_SAMPLES
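Review bot: The backslashes in `XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+` are kept literally by make, so the value is `xerces-c\+\+`. That looks intentional, since CPE 2.3 formatted strings escape `+`, but nothing in the file says so and it is the only entry in this part of the patch that uses escaping. Add a comment such as `# '+' must be backslash-escaped in a CPE 2.3 formatted string` so the backslashes are not removed later as a clean-up. It is also worth confirming that whatever consumes this variable passes the backslashes through unchanged.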
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index 487dac461b..ffbae4c873 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -11,6 +11,7 @@  XZ_INSTALL_STAGING = YES
 XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
 XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
+XZ_CPE_ID_VENDOR = tukaani
 
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
 XZ_CONF_OPTS = --enable-threads