contrib: add CPE information on packages

Added "cpe" field in package.json and PKG_CVE for make rules. GitLab: #1021 Change-Id: I375fe3c224b0578ed702877d236fbc8ed0a5d8d5

contrib: add CPE information on packages
d84d0c42 · Louis Maillard · c9f251d7 · d84d0c42 · d84d0c42 · d84d0c42
Commit d84d0c42 authored 1 year ago by Louis Maillard
--- a/contrib/src/libarchive/package.json
+++ b/contrib/src/libarchive/package.json
 {
    "name": "libarchive",
    "version": "a53d711261f4d5bf2104d9c3616a8602a45ba196",
+    "cpe": "cpe:2.3:a:libarchive:libarchive:3.6.0:*:*:*:*:*:*:*",
    "url": "https://github.com/libarchive/libarchive/archive/__VERSION__.tar.gz",
    "deps": ["iconv"],
    "patches": [

--- a/contrib/src/libarchive/rules.mak
+++ b/contrib/src/libarchive/rules.mak
 # LIBARCHIVE
 LIBARCHIVE_VERSION := 3.6.0
+PKG_CPE += cpe:2.3:a:libarchive:libarchive:$(LIBARCHIVE_VERSION):*:*:*:*:*:*:*
 LIBARCHIVE_URL := https://github.com/libarchive/libarchive/releases/download/v$(LIBARCHIVE_VERSION)/libarchive-$(LIBARCHIVE_VERSION).tar.xz
 ifndef HAVE_MACOSX

--- a/contrib/src/libgit2/package.json
+++ b/contrib/src/libgit2/package.json
 {
    "name": "libgit2",
    "version": "v1.8.0",
+    "cpe": "cpe:2.3:a:libgit2:libgit2:1.8.0:*:*:*:*:*:*:*",
    "url": "https://github.com/libgit2/libgit2/archive/__VERSION__.tar.gz",
    "use_cmake" : true,
    "defines": [

--- a/contrib/src/libgit2/rules.mak
+++ b/contrib/src/libgit2/rules.mak
 # LIBGIT2
 LIBGIT2_VERSION := 1.8.0
+PKG_CPE += cpe:2.3:a:libgit2:libgit2:${LIBGIT2_VERSION}:*:*:*:*:*:*:*
 LIBGIT2_URL := https://github.com/libgit2/libgit2/archive/v${LIBGIT2_VERSION}.tar.gz
 PKGS += libgit2

--- a/contrib/src/libressl/rules.mak
+++ b/contrib/src/libressl/rules.mak
@@ -19,6 +19,7 @@
 #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA.
 #
 SSL_VERSION := 3.7.0
+PKG_CPE += cpe:2.3:a:openbsd:libressl:$(SSL_VERSION):*:*:*:*:*:*:*
 LIBRESSL_VERSION := libressl-$(SSL_VERSION)
 LIBRESSL_URL := https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/$(LIBRESSL_VERSION).tar.gz

--- a/contrib/src/liburcu/package.json
+++ b/contrib/src/liburcu/package.json
 {
    "name": "liburcu",
    "version": "0.13.1",
+    "cpe": "cpe:2.3:a:lttng:urcu:0.13.1:*:*:*:*:*:*:*",
    "url": "https://lttng.org/files/urcu/userspace-rcu-__VERSION__.tar.bz2",
    "deps": [],
    "patches": [],

--- a/contrib/src/liburcu/rules.mak
+++ b/contrib/src/liburcu/rules.mak
 # liburcu
 LIBURCU_VERSION := 0.13.1
+PKG_CPE += cpe:2.3:a:lttng:urcu:${LIBURCU_VERSION}:*:*:*:*:*:*:*
 LIBURCU_URL     := https://lttng.org/files/urcu/userspace-rcu-${LIBURCU_VERSION}.tar.bz2
 ifeq ($(call need_pkg "liburcu >= 0.13.1"),)

--- a/contrib/src/llhttp/rules.mak
+++ b/contrib/src/llhttp/rules.mak
@@ -17,6 +17,7 @@
 #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 USA.
 #
 LLHTTP_VERSION := 9.2.0
+PKG_CPE += cpe:2.3:a:llhttp:llhttp:$(LLHTTP_VERSION):*:*:*:*:*:*:*
 LLHTTP_URL := https://github.com/nodejs/llhttp/archive/refs/tags/release/v$(LLHTTP_VERSION).tar.gz
 LLHTTP_CMAKECONF := \

--- a/contrib/src/lttng-ust/package.json
+++ b/contrib/src/lttng-ust/package.json
 {
    "name": "lttng-ust",
    "version": "2.13.0",
+    "cpe": "cpe:2.3:a:lttng:ust:2.13.0:*:*:*:*:*:*:*",
    "url": "https://lttng.org/files/lttng-ust/lttng-ust-__VERSION__.tar.bz2",
    "deps": [
-        "liburcu",
+        "liburcu"
    ],
    "patches": [],
    "win_patches": [],
-    "project_paths": [
+    "project_paths": [],
-    ],
    "with_env" : "",
    "custom_scripts": {
        "pre_build": [],

--- a/contrib/src/lttng-ust/rules.mak
+++ b/contrib/src/lttng-ust/rules.mak
 # lttng-ust
 LTTNG_UST_VERSION := 2.13.1
+PKG_CPE += cpe:2.3:a:lttng:ust:${LTTNG_UST_VERSION}:*:*:*:*:*:*:*
 LTTNG_UST_URL     := https://lttng.org/files/lttng-ust/lttng-ust-${LTTNG_UST_VERSION}.tar.bz2
 ifeq ($(call need_pkg "liblttng-ust >= 2.13.0"),)

--- a/contrib/src/main.mak
+++ b/contrib/src/main.mak
@@ -55,6 +55,9 @@ GNU := https://ftpmirror.gnu.org
 SF := https://sourceforge.net/projects
 CONTRIB_VIDEOLAN ?= https://downloads.videolan.org/pub/contrib
+# CPE ID list for generating SBOM
+PKG_CPE := 
 #
 # Machine-dependent variables
 #

--- a/contrib/src/minizip/package.json
+++ b/contrib/src/minizip/package.json
 {
    "name": "minizip",
    "version": "3.0.0",
+    "cpe": "cpe:2.3:a:minizip_project:minizip:3.0.0:*:*:*:*:*:*:*",
    "url": "https://github.com/zlib-ng/minizip-ng/archive/refs/tags/__VERSION__.tar.gz",
    "deps": ["zlib", "iconv"],
    "patches": [],

--- a/contrib/src/minizip/rules.mak
+++ b/contrib/src/minizip/rules.mak
 # MINIZIP
 LIBMINIZIP_VERSION := 4.0.7
+PKG_CPE += cpe:2.3:a:minizip_project:minizip:$(LIBMINIZIP_VERSION):*:*:*:*:*:*:*
 LIBMINIZIP_URL := https://github.com/zlib-ng/minizip-ng/archive/$(LIBMINIZIP_VERSION).tar.gz
 ifdef HAVE_MACOSX

--- a/contrib/src/msgpack/package.json
+++ b/contrib/src/msgpack/package.json
 {
    "name": "msgpack-c",
    "version": "cpp-6.1.0",
+    "cpe": "cpe:2.3:a:*:msgpack:6.1.0:*:*:*:*:*:*:*",
    "url": "https://github.com/msgpack/msgpack-c/archive/__VERSION__.tar.gz",
    "use_cmake" : true,
    "defines": [

--- a/contrib/src/msgpack/rules.mak
+++ b/contrib/src/msgpack/rules.mak
 # MSGPACK
 MSGPACK_VERSION := cpp-6.1.0
+PKG_CPE += cpe:2.3:a:*:msgpack:6.1.0:*:*:*:*:*:*:*
 MSGPACK_URL := https://github.com/msgpack/msgpack-c/archive/$(MSGPACK_VERSION).tar.gz
 PKGS += msgpack

--- a/contrib/src/nettle/package.json
+++ b/contrib/src/nettle/package.json
 {
    "name": "nettle",
    "version": "c180b4d7afbda4049ad265d1366567f62a7a4a3a",
+    "cpe": "cpe:2.3:a:nettle_project:nettle:3.9.1:*:*:*:*:*:*:*",
    "url": "https://github.com/ShiftMediaProject/nettle/archive/__VERSION__.tar.gz",
    "deps": ["gmp"],
    "patches": [],

--- a/contrib/src/nettle/rules.mak
+++ b/contrib/src/nettle/rules.mak
 # Nettle
 NETTLE_VERSION := nettle_3.9.1_release_20230601
+PKG_CPE += cpe:2.3:a:nettle_project:nettle:3.9.1:*:*:*:*:*:*:*
 NETTLE_URL := https://git.lysator.liu.se/nettle/nettle/-/archive/$(NETTLE_VERSION)/nettle-$(NETTLE_VERSION).tar.gz
 PKGS += nettle

--- a/contrib/src/onnx/package.json
+++ b/contrib/src/onnx/package.json
 {
    "name": "onnx",
    "version": "v1.12.0",
+    "cpe": "cpe:2.3:a:*:onnx:1.12.0:*:*:*:*:*:*:*",
    "url": "https://github.com/microsoft/onnxruntime/archive/__VERSION__.tar.gz",
    "deps": [],
    "patches": [],

--- a/contrib/src/onnx/rules.mak
+++ b/contrib/src/onnx/rules.mak
 # ONNX
 ONNX_VERSION := v1.16.3
+PKG_CPE += cpe:2.3:a:*:onnx:1.16.3:*:*:*:*:*:*:*
 ONNX_URL := https://github.com/microsoft/onnxruntime.git
 $(TARBALLS)/onnxruntime-$(ONNX_VERSION).tar.xz:

--- a/contrib/src/opencv/package.json
+++ b/contrib/src/opencv/package.json
 {
    "name": "opencv",
    "version": "4.6.0",
+    "cpe": "cpe:2.3:a:opencv:opencv:4.6.0:*:*:*:*:*:*:*",
    "url": "https://github.com/opencv/opencv/archive/__VERSION__.tar.gz",
    "deps": ["opencv_contrib"],
    "patches": [],