[LEDE-DEV] [RFC] adding CPE IDs to package Makefiles

Jo-Philipp Wich jo at mein.io
Sun Oct 1 06:24:45 PDT 2017

> Can't we just take the version from the PKG_VERSION entry and provide a
> way to overwrite it with some other variable in case the CVE database
> uses a different version number format?

Yes, I was thinking something similar, like using
$(PKG_CPE):$(PKG_VERSION) if there is no version included already.

But I have not yet investigated if that would work in all cases, if the
version numbers are usable as-is etc.

> We could check if this version number is available in the CVE database
> and warn the user if this is not the case, but we could probably cover
> 90% of the packages.

Yes, assuming that we do get the versions properly included.

~ Jo
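
The fallback discussed in this message, sketched as an added example that is not part of the original mail or of the LEDE build system: append PKG_VERSION to PKG_CPE only when no version component is present, allow an override, and warn when the resulting name is missing from the CVE data. It assumes PKG_CPE is a CPE 2.2 URI; the override name PKG_CPE_VERSION, the package entries and the known-CPE set are hypothetical and constructed.

```python
# Added illustration, not LEDE build-system code.
# Assumption: PKG_CPE is a CPE 2.2 URI: cpe:/<part>:<vendor>:<product>[:<version>[:...]]
PREFIX = "cpe:/"

def full_cpe(pkg_cpe, pkg_version, version_override=None):
    """Return pkg_cpe with a version component, appending one only if absent."""
    if not pkg_cpe.startswith(PREFIX):
        raise ValueError("not a CPE 2.2 URI: %r" % pkg_cpe)
    parts = pkg_cpe[len(PREFIX):].split(":")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("part, vendor and product are required: %r" % pkg_cpe)
    if len(parts) > 3 and parts[3]:
        return pkg_cpe  # version already included, keep as written
    version = version_override or pkg_version
    if not version or ":" in version:
        # ':' separates components, so such a version is not usable as-is
        raise ValueError("version not usable as-is: %r" % version)
    return PREFIX + ":".join(parts[:3] + [version] + parts[4:])

def check_packages(packages, known_cpes):
    """Resolve every package's CPE name; warn when the database lacks it."""
    resolved, warnings = {}, []
    for name, pkg in sorted(packages.items()):
        cpe = full_cpe(pkg["PKG_CPE"], pkg["PKG_VERSION"],
                       pkg.get("PKG_CPE_VERSION"))  # hypothetical override
        resolved[name] = cpe
        if cpe not in known_cpes:
            warnings.append("%s: %s not found in CVE database" % (name, cpe))
    return resolved, warnings

# Constructed sample data: package names, vendors and versions are made up.
PACKAGES = {
    "exampled": {"PKG_CPE": "cpe:/a:example_vendor:exampled", "PKG_VERSION": "1.2.3"},
    "snaptool": {"PKG_CPE": "cpe:/a:example_vendor:snaptool",
                 "PKG_VERSION": "2017-09-30-abcdef1", "PKG_CPE_VERSION": "0.9"},
    "pinned": {"PKG_CPE": "cpe:/a:example_vendor:pinned:4.1", "PKG_VERSION": "4.1a"},
    "newlib": {"PKG_CPE": "cpe:/a:example_vendor:newlib", "PKG_VERSION": "7.0"},
}
KNOWN_CPES = {  # constructed stand-in for names extracted from a CVE feed
    "cpe:/a:example_vendor:exampled:1.2.3",
    "cpe:/a:example_vendor:snaptool:0.9",
    "cpe:/a:example_vendor:pinned:4.1",
}

if __name__ == "__main__":
    resolved, warnings = check_packages(PACKAGES, KNOWN_CPES)
    for name, cpe in resolved.items():
        print(name, "->", cpe)
    for w in warnings:
        print("WARNING:", w)
```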
