
Re: Incomplete UDD import of CPE info from upstream/metadata?



On Thu, Dec 15, 2016 at 8:17 PM, Petter Reinholdtsen wrote:

> I was looking at the automatic CVE tracking a bit today, and hoped to
> figure out which packages had the CPE field already in their
> debian/upstream/metadata file.  But according to UDD there are none:

I expect that is because UMEGAYA is not working right now:

https://wiki.debian.org/UpstreamMetadata

> Help! there is a bug that I do not manage to solve by myself. -- Charles
> https://lists.debian.org/debian-qa/2014/06/msg00022.html

Also, please note that UMEGAYA was only tracking metadata files in VCS
repos, not the ones in the archive and there are definitely some in
the archive that aren't in any VCS.

> Is there any other way to find the packages using the CPE field in the
> metadata file without unpacking every source package in the archive?  Is
> the import of d/upstream/metadata incomplete?

Looks like only two packages in Debian have it:

https://codesearch.debian.net/search?q=path:debian/upstream+CPE:
https://codesearch.debian.net/search?q=path:debian/upstream/metadata+CPE:

To confirm, on stretch do `apt-file -I dsc search debian/upstream`
(for jessie I think `apt-file -a source search debian/upstream`) and
then download and unpack the packages that contain that file and grep
them for CPE.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
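
The final grep step described in the message, as an added example that is not part of the original mail: it scans source trees that have already been downloaded and unpacked into one directory and lists those with a top-level `CPE:` key in `debian/upstream/metadata` or in a single `debian/upstream` file, the two paths the codesearch queries cover. The function names `scan_cpe` and `make_sample`, the directory layout, and the sample CPE values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumption: every source package was unpacked into its own subdirectory
# of ROOT, e.g. ROOT/foo-1.0/debian/...

# scan_cpe ROOT: print "<tree-dir><TAB><CPE value>" for each unpacked tree
# whose upstream metadata carries a top-level CPE key.
scan_cpe() {
    root=$1
    for tree in "$root"/*/; do
        tree=${tree%/}
        # Check the directory form first, then the single-file form.
        for meta in "$tree/debian/upstream/metadata" "$tree/debian/upstream"; do
            [ -f "$meta" ] || continue
            # Match only an unindented "CPE:" key, so commented-out or
            # nested occurrences are not reported.
            sed -n 's/^CPE:[[:space:]]*//p' "$meta" |
            while IFS= read -r value; do
                printf '%s\t%s\n' "${tree##*/}" "$value"
            done
        done
    done
}

# make_sample ROOT: build three constructed sample trees for a dry run.
make_sample() {
    mkdir -p "$1/alpha-1.0/debian/upstream" \
             "$1/beta-2.1/debian" \
             "$1/gamma-0.3/debian/upstream"
    printf 'Name: alpha\nCPE: cpe:/a:example:alpha\n' \
        > "$1/alpha-1.0/debian/upstream/metadata"
    printf 'CPE: cpe:/a:example:beta\n' > "$1/beta-2.1/debian/upstream"
    printf 'Name: gamma\n# CPE: not set yet\n' \
        > "$1/gamma-0.3/debian/upstream/metadata"
}

# Stand-alone use: sh scan_cpe.sh /path/to/unpacked-sources
if [ "$#" -gt 0 ]; then
    scan_cpe "$1"
fi
```

On the constructed sample, only `alpha-1.0` and `beta-2.1` are listed; `gamma-0.3` is skipped because its only `CPE:` occurrence is inside a comment.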

