Adding this issue for tracking purposes:

We need to use mapping files where provided in place of the obtained package names to ensure maximum coverage. The two required fields map directly to CPE fields.

cve.ini:

```ini
vendor = somevendor
product = someproduct
```

Implementing distributions will have various methods for exposing this file. In the source repository the cve.ini file shall be present in the directory of the packaging files, i.e. *.spec, pspec.xml.

For RPM based distributions making use of source RPM scanning, cve.ini should be incorporated as Source100 in the .spec, ensuring we can extract it from the .src.rpm.
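An added example (not code from this issue or the project) of how a scanner could consume the mapping: parse the two-field cve.ini, reject a file missing either required field, and build a CPE 2.3 name from it, falling back to the raw package name only when no mapping is shipped. The fallback of using the package name as both vendor and product, and the internal `[cve]` section name, are assumptions; the sample cve.ini is constructed.

```python
"""Prefer a package's cve.ini mapping over its raw name when building
a CPE 2.3 name.  Added example; the package-name fallback and the
internal [cve] section name are assumptions, not project behaviour."""
import configparser
import re

REQUIRED = ("vendor", "product")


def parse_cve_ini(text):
    """Parse a cve.ini body.  The file carries no section header, so one
    is prepended for configparser; both required fields must be present."""
    parser = configparser.ConfigParser()
    if not text.lstrip().startswith("["):
        text = "[cve]\n" + text
    parser.read_string(text)
    section = parser[parser.sections()[0]]
    missing = [k for k in REQUIRED if not section.get(k, "").strip()]
    if missing:
        raise ValueError("cve.ini missing required field(s): " + ", ".join(missing))
    return {k: section[k].strip() for k in REQUIRED}


def cpe_escape(value):
    """Escape a component for the CPE 2.3 formatted-string binding: every
    character other than alphanumerics, '_' and '-' gets a backslash."""
    return re.sub(r"([^A-Za-z0-9_-])", r"\\\1", value)


def cpe_for_package(name, version, cve_ini_text=None):
    """Return cpe:2.3:a:<vendor>:<product>:<version>:*:*:*:*:*:*:* using
    the cve.ini mapping when supplied, else the package name for both
    vendor and product (assumed fallback)."""
    if cve_ini_text is not None:
        mapping = parse_cve_ini(cve_ini_text)
    else:
        mapping = {"vendor": name, "product": name}
    fields = [mapping["vendor"], mapping["product"], version]
    return "cpe:2.3:a:" + ":".join(cpe_escape(f) for f in fields) + ":*:*:*:*:*:*:*"


# Constructed sample mapping, as a packager would ship it next to the .spec.
SAMPLE_CVE_INI = "vendor = somevendor\nproduct = someproduct\n"

if __name__ == "__main__":
    print(cpe_for_package("somepkg", "1.2.3", SAMPLE_CVE_INI))
    print(cpe_for_package("somepkg", "1.2.3"))
```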