doc/manual: document _CPE_ID_VALID

The way we handle CPE_ID variable is unusual compared to the other
variables: we mostly compute defaults for all of them, and eventually
aggregate the various CPE_ID variables to form the CPE ID name.

However, we do not consider that CPE ID to valid, unless there is one
(or more) CPE_ID variables actually set by the package; this shows that
the CPE ID has been checked to be valid against the NVD CPE database. In
that situation, we internally define the duly undocumented _CPE_ID_VALID
variable.

However, it is totally possible (and very often the case) that the
default value we set to those variables are appropriate, and do defne a
valid CPE ID. In this case, the package will define any arbitrary CPE_ID
variable to its default value, usually by setting either the VENDOR or
PRODUCT field, though there is no rule or requirement that be the case.

This is not very clean, non-obvious, and does not allow for easily
adding checks in check-package.

Add the _CPE_ID_VALID variable to the manual, to make it official that
it should be used when the default values of the others are valid.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit is contained in:
Yann E. MORIN 2024-02-10 22:24:57 +01:00 committed by Thomas Petazzoni
parent 949c1a51b7
commit ddf66867b1

View File

@ -516,6 +516,10 @@ LIBFOO_IGNORE_CVES += CVE-2020-54321
identifier]. The available variables are: identifier]. The available variables are:
+ +
-- --
** +LIBFOO_CPE_ID_VALID+, if set to +YES+, specifies that the default
values for each of the following variables is appropriate, and
generates a valid CPE ID.
** +LIBFOO_CPE_ID_PREFIX+, specifies the prefix of the CPE identifier, ** +LIBFOO_CPE_ID_PREFIX+, specifies the prefix of the CPE identifier,
i.e the first three fields. When not defined, the default value is i.e the first three fields. When not defined, the default value is
+cpe:2.3:a+. +cpe:2.3:a+.