Commit 8b81addd authored by Samuel Dionne-Riel

doc/meta: Fix documentation and example for `update` CPE field

The previous claims are unsourced, since they are not supported by the
source given for CPEs.

Quoting from the 5.3.3.5 section of the NISTIR 7695 document:

> Values for this attribute SHOULD be vendor-specific alphanumeric
> strings characterizing the particular update, service pack, or
> point release of the product.

So, first, they should be ***vendor-specific***, and dare I say,
vendor-specified. But let's not trip on the carpet's flower pattern, and
instead look at evidence from data.

Using the data from `official-cpe-dictionary_v2.3.xml`, gently massaged
into a form that can be queried, we can list all known CPE expressions
for glibc.

There is only one known entry using the `update` field. It's:

```
cpe:2.3:a:gnu:glibc:2.0.5:b:*:*:*:*:*:*
```

As such, the current example is plainly and demonstrably wrong.

```
SELECT * FROM cpe
WHERE cpe_update != ''
   AND cpe_vendor = 'gnu'
   AND cpe_product = 'glibc'
ORDER BY cpe_vendor, cpe_product, cpe_version

id    |title            |cpe_part|cpe_vendor|cpe_product|cpe_version|cpe_update|cpe_edition|cpe_language|cpe_sw_edition|cpe_target_sw|cpe_target_hw|cpe_other|
------+-----------------+--------+----------+-----------+-----------+----------+-----------+------------+--------------+-------------+-------------+---------+
460867|GNU glibc 2.0.5 B|a       |gnu       |glibc      |2.0.5      |b         |           |            |              |             |             |         |
```

Let's see good examples of `cpe_product` in contrast:

```
SELECT * FROM cpe
WHERE cpe_update != ''
   AND cpe_vendor = 'gnu'
   AND cpe_product = 'bash'
ORDER BY cpe_vendor, cpe_product, cpe_version DESC
LIMIT 10

id    |title                                                         |cpe_part|cpe_vendor|cpe_product|cpe_version|cpe_update|cpe_edition|cpe_language|cpe_sw_edition|cpe_target_sw|cpe_target_hw|cpe_other|
------+--------------------------------------------------------------+--------+----------+-----------+-----------+----------+-----------+------------+--------------+-------------+-------------+---------+
460088|GNU Bourne-Again SHell bash (GNU Bash) 4.3.30 Beta 1          |a       |gnu       |bash       |4.3.30     |beta1     |           |            |              |             |             |         |
460086|GNU Bourne-Again SHell bash (GNU Bash) 4.2.53 Beta 1          |a       |gnu       |bash       |4.2.53     |beta1     |           |            |              |             |             |         |
460081|GNU Bourne-Again SHell bash (GNU Bash) 3.2.57 Beta 1          |a       |gnu       |bash       |3.2.57     |beta1     |           |            |              |             |             |         |
460140|GNU Bourne-Again SHell bash (GNU Bash) 5.2                    |a       |gnu       |bash       |5.2        |-         |           |            |              |             |             |         |
460141|GNU Bourne-Again SHell bash (GNU Bash) 5.2 Alpha              |a       |gnu       |bash       |5.2        |alpha     |           |            |              |             |             |         |
460142|GNU Bourne-Again SHell bash (GNU Bash) 5.2 Beta               |a       |gnu       |bash       |5.2        |beta      |           |            |              |             |             |         |
460143|GNU Bourne-Again SHell bash (GNU Bash) 5.2 Release Candidate 1|a       |gnu       |bash       |5.2        |rc1       |           |            |              |             |             |         |
460144|GNU Bourne-Again SHell bash (GNU Bash) 5.2 Release Candidate 2|a       |gnu       |bash       |5.2        |rc2       |           |            |              |             |             |         |
460145|GNU Bourne-Again SHell bash (GNU Bash) 5.2 Release Candidate 3|a       |gnu       |bash       |5.2        |rc3       |           |            |              |             |             |         |
460146|GNU Bourne-Again SHell bash (GNU Bash) 5.2 Release Candidate 4|a       |gnu       |bash       |5.2        |rc4       |           |            |              |             |             |         |
```
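To make the point about field positions concrete: an added example (not part of this commit or of Nixpkgs) that splits a CPE 2.3 formatted string into its attributes, so the old `2.40:1` example visibly parses as version `2.40` with a vendor update `1`, and then runs a simplified criterion-to-name match over a small dictionary constructed from the rows quoted above. The per-attribute ANY/NA rule is a deliberate simplification of the full CPE name-matching relations.

```python
# Attribute names that follow the "cpe:2.3" prefix, in formatted-string order.
CPE23_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed sample rows, copied from the dictionary excerpts quoted in the
# commit message above (not a full dictionary).
SAMPLE_DICTIONARY = [
    "cpe:2.3:a:gnu:glibc:2.0.5:b:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bash:4.3.30:beta1:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bash:5.2:-:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bash:5.2:alpha:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:bash:5.2:rc1:*:*:*:*:*:*",
]

def split_cpe23(fs):
    """Split a formatted string on unescaped ':' only; a backslash escapes
    the next character, so 'p\\:x' stays a single product value."""
    fields, cur, i = [], [], 0
    while i < len(fs):
        if fs[i] == "\\" and i + 1 < len(fs):
            cur.append(fs[i:i + 2]); i += 2; continue
        if fs[i] == ":":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(fs[i])
        i += 1
    fields.append("".join(cur))
    return fields

def parse_cpe23(fs):
    """Return a dict attribute -> value for a well-formed CPE 2.3 formatted string."""
    fields = split_cpe23(fs)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % fs)
    return dict(zip(CPE23_ATTRS, fields[2:]))

def attr_matches(criterion, value):
    """Simplified per-attribute match: '*' (ANY) in the criterion accepts
    anything, '-' (NA) accepts only NA, anything else must compare equal
    case-insensitively. A '*' in the name itself is not treated specially."""
    if criterion == "*": return True
    if criterion == "-": return value == "-"
    return criterion.lower() == value.lower()

def matching_names(criterion_fs, dictionary=SAMPLE_DICTIONARY):
    """Dictionary names matched by the criterion, attribute by attribute.
    With update '*' the bash 5.2 criterion also covers alpha and rc1;
    with update '-' it covers only the final 5.2 release."""
    crit = parse_cpe23(criterion_fs)
    return [fs for fs in dictionary
            if all(attr_matches(crit[a], v) for a, v in parse_cpe23(fs).items())]
```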
parent e52e23f0
+2 −2
@@ -291,7 +291,7 @@ Some of them are as follows:
* *vendor* - can point to the source of the package, or to Nixpkgs itself
* *product* - name of the package
* *version* - version of the package
* *update* - name of the latest update, can be a patch version for semantically versioned packages
* *update* - vendor-specific string part of the version string of the latest update (e.g. `rc1`, `beta`, etc...)
* *edition* - deprecated and should be set to `*`

You can find information about all of these attributes in the [official specification](https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe/naming) (heading 5.3.3, pages 11-13).
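Review bot: the replacement *update* line still says "of the latest update", carried over from the old wording, while the NISTIR 7695 excerpt quoted in the commit message ties the value to "the particular update, service pack, or point release" of the product being named, not to whichever update is newest; consider `* *update* - vendor-specific string naming the particular update, service pack or point release (e.g. `rc1`, `beta`); not a patch version`. "string part of the version string" also reads awkwardly given that *update* is an attribute separate from *version*, and `etc...` should be `etc.`.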
@@ -301,7 +301,7 @@ Any fields that don't have a value are set to either:
* `*` (ANY) when the field can match any value
* `-` (NA) when the value is not meaningful or not used in the description

For example, for glibc 2.40.1 CPE would be `cpe:2.3:a:gnu:glibc:2.40:1:*:*:*:*:*:*`.
For example, for glibc 2.40.1 CPE would be `cpe:2.3:a:gnu:glibc:2.40.1:*:*:*:*:*:*:*`.

#### `meta.identifiers.cpeParts` {#var-meta-identifiers-cpeParts}
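Review bot: with the whole `2.40.1` now placed in *version* and `*` in *update*, the docs no longer show any non-logical value in the *update* position, which is the field this commit is clarifying; consider adding a second example taken from the dictionary rows quoted in the commit message, e.g. "for bash 5.2 rc1 it would be `cpe:2.3:a:gnu:bash:5.2:rc1:*:*:*:*:*:*`", so readers see where a vendor-specific update string goes. Minor: "for glibc 2.40.1 CPE would be" reads better as "the CPE for glibc 2.40.1 would be".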