6fa3a239ac
The intention of this script is to generate the XML that can be sent to NVD to request a new CPE identifier. As discussed on the mailing list [0] keeping up with version numbers of all registered CPE ID won't work. In addition the feed used to generated the XML files will be retired [1]. In the future an API needs to be used for fetching the data in connection with a local database. All of this works against keeping this script and porting it to the new API. As a last blow Matthew, the original author concluded [2]: > Makes sense to drop it. There never got to be enough momentum in the overall > software community to make CVE or even the new identifier really accurate. The intention is to ignore the version part of CPE IDs in the future, and only look at the version range specified on a CVE. Therefore, a tool to add new CPE ID versions isn't useful to us. It might still be useful to have a tool to create the vendor and project parts of a CPE ID. However, the current gen-missing-cpe tool doesn't support that, and the API is anyway going to be retired. So there is no reason at all to keep this around. Remove gen-missing-cpe and the cpedb module. Remove the Makefile target to call the script. Since the cpedb module is removed, the CPEDB_URL definition must be moved to the place where it is still used, in pkg-stats. [0]: https://lists.buildroot.org/pipermail/buildroot/2023-August/672620.html [1]: https://nvd.nist.gov/General/News/change-timeline [2]: https://lists.buildroot.org/pipermail/buildroot/2023-August/672651.html Signed-off-by: Daniel Lang <dalang@gmx.at> Signed-off-by: Arnout Vandecappelle <arnout@mind.be> |
||
|---|---|---|
| .. | ||
| config-fragments | ||
| dependencies | ||
| docker | ||
| download | ||
| gnuconfig | ||
| kconfig | ||
| legal-info | ||
| libtool | ||
| misc | ||
| scripts | ||
| testing | ||