From 08a8e0f345f61cc308f27b960e1c182b91107a6d Mon Sep 17 00:00:00 2001 From: Tracey Clark Date: Sat, 16 May 2026 15:33:20 -0500 Subject: [PATCH 1/2] Update cpesearch example --- docs/packaging/monitoring.yaml.md | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/docs/packaging/monitoring.yaml.md b/docs/packaging/monitoring.yaml.md index c608ad7de..f7892d6a9 100644 --- a/docs/packaging/monitoring.yaml.md +++ b/docs/packaging/monitoring.yaml.md @@ -144,31 +144,26 @@ The command returns the following: ```text [ [ - 49192, - "cpe:2.3:a:ubuntu_developers:systemd" - ], - [ - 116392, - "cpe:2.3:a:lennart_poettering:systemd" - ], - [ - 120506, - "cpe:2.3:a:freedesktop:systemd" + 916.0, + "cpe:2.3:a:systemd_project:systemd" ], [ - 120627, - "cpe:2.3:a:systemd_project:systemd" + 1.0, + "cpe:2.3:a:ubuntu_developers:systemd" ] ] +Verify successful hits by visiting https://cve.circl.lu/search/$VENDOR/$PRODUCT +- CPE entries for software applications have the form 'cpe:2.3:a:$VENDOR:$PRODUCT' + ``` Ignore the numerical ids, let's walk through the CPEs by vendor: - `ubuntu_developers` is for `systemd` patched by Ubuntu; we can ignore it -- `lennart_poettering` is for the main `systemd` developer and is probably a bleeding edge vendor; ignore it -- `freedesktop` is from freedesktop.org and is a good candidate, so we add it - `systemd_project` is a good candidate, so we add it +If you see something like `"cpe:2.3:a:lennart_poettering:systemd"`, that means it's for a branch owned by Lennart Poettering. These kinds of branches shouldn't be used, because they are development branches, rather than production branches. + ### No known CPE If an established product hasn't had a security advisory in the past, it might not have a CPE. From 3b249e9c6d4a191fae4755c55b00839f2d52af45 Mon Sep 17 00:00:00 2001 From: Tracey Clark Date: Sat, 16 May 2026 15:37:42 -0500 Subject: [PATCH 2/2] fixup! Update cpesearch example --- docs/packaging/monitoring.yaml.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/packaging/monitoring.yaml.md b/docs/packaging/monitoring.yaml.md index f7892d6a9..4bf89b6f1 100644 --- a/docs/packaging/monitoring.yaml.md +++ b/docs/packaging/monitoring.yaml.md @@ -162,7 +162,7 @@ Ignore the numerical ids, let's walk through the CPEs by vendor: - `ubuntu_developers` is for `systemd` patched by Ubuntu; we can ignore it - `systemd_project` is a good candidate, so we add it -If you see something like `"cpe:2.3:a:lennart_poettering:systemd"`, that means it's for a branch owned by Lennart Poettering. These kinds of branches shouldn't be used, because they are development branches, rather than production branches. +If you see something like `"cpe:2.3:a:lennart_poettering:systemd"`, the vendor is Lennart Poettering and this shouldn't be used. This is a bleeding edge / development vendor, rather than production. ### No known CPE