mirror of https://github.com/systemd/systemd.git synced 2025-03-22 06:50:18 +03:00

docs: Update CPE fields in package metadata spec

Update osCPE field example to use cpe 2.3 format, as is in active use by
AmazonLinux 2023 for example.

Add appCPE field example to document the upstream application CPE for the
applicable CVEs. Often distribution source package names are different from the
upstream CPE. For example adding/removing "lib" prefix, or adding version
stream "-3" suffix. This typically leads to guessing or fuzzy matching. Adding
appCPE in such cases can help to disambiguate (or collate) correct application
CPEs; especially beyond the lifetime of osCPE support timeframes.
Dimitri John Ledkov 2025-02-03 10:55:20 +00:00
parent d35f7966ba
commit 355afa9232


@ -89,7 +89,8 @@ Value: a single JSON object encoded as a NUL-terminated UTF-8 string
"name":"coreutils",
"version":"4711.0815.fc13",
"architecture":"arm32",
"osCpe": "cpe:/o:fedoraproject:fedora:33", # A CPE name for the operating system, `CPE_NAME` from os-release is a good default
"osCpe": "cpe:2.3:o:fedoraproject:fedora:33", # A CPE name for the operating system, `CPE_NAME` from os-release is a good default
"appCpe": "cpe:2.3:a:gnu:coreutils:5.0", # A CPE name for the upstream application, check NVD
"debugInfoUrl": "https://debuginfod.fedoraproject.org/"
}
```
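Review bot: the new `osCpe` and `appCpe` values are CPE 2.3 formatted strings truncated to five components; the 2.3 formatted-string binding defines thirteen colon-separated components, with `*` for unspecified ones, so a strict CPE parser or an NVD lookup will not accept `cpe:2.3:a:gnu:coreutils:5.0` as-is. Either pad the examples (e.g. `"appCpe": "cpe:2.3:a:gnu:coreutils:5.0:*:*:*:*:*:*:*"`) or state in the trailing comment that truncated strings are permitted and that consumers must normalise before matching, since the `CPE_NAME` in os-release this field copies from is often truncated too. The `appCpe` comment "check NVD" should also say which version belongs in the version component (the upstream version the package tracks, not the distribution `version` string two lines above), as that mismatch is exactly the motivation given in the commit message.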
@ -134,7 +135,8 @@ A set of well-known keys is defined here, and hopefully shared among all vendors
| name | The source package name | coreutils |
| version | The source package version | 4711.0815.fc13 |
| architecture | The binary package architecture | arm32 |
| osCpe | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:/o:fedoraproject:fedora:33 |
| osCpe | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:2.3:o:fedoraproject:fedora:33 |
| appCpe | A CPE name for the upstream Application, check NVD | cpe:2.3:a:gnu:coreutils:5.0 |
| debugInfoUrl | The debuginfod server url, if available | https://debuginfod.fedoraproject.org/ |
### Displaying package notes
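Review bot: the `appCpe` row's description is too thin for a spec table; say what the value is (the CPE of the upstream project the source package is built from, as listed in the NVD CPE dictionary), note whether the field may be omitted when no upstream CPE exists, and lowercase "Application" to match the "OS" wording in the `osCpe` row. As with the JSON example, the example value is a five-component CPE 2.3 string rather than the full thirteen-component formatted string, so the table should state the expected form or pad the example to `cpe:2.3:a:gnu:coreutils:5.0:*:*:*:*:*:*:*`.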