From 875c5c891fe11ec9d0b98497b47c15a33d382cc5 Mon Sep 17 00:00:00 2001
From: Matt Weber
Date: Fri, 24 Jul 2020 03:07:08 -0700
Subject: [PATCH] patch: add cpe-info make target for buildroot

---
 config/buildroot/patches/cpe-info.patch | 1912 +++++++++++++++++++++++
 1 file changed, 1912 insertions(+)
 create mode 100644 config/buildroot/patches/cpe-info.patch

diff --git a/config/buildroot/patches/cpe-info.patch b/config/buildroot/patches/cpe-info.patch
new file mode 100644
index 0000000..3387664
--- /dev/null
+++ b/config/buildroot/patches/cpe-info.patch
@@ -0,0 +1,1912 @@
+diff --git a/Makefile b/Makefile
+index b2afe5bcfb..ea00891aa1 100644
+--- a/Makefile
++++ b/Makefile
+@@ -135,7 +135,7 @@ nobuild_targets := source %-source \
+ clean distclean help show-targets graph-depends \
+ %-graph-depends %-show-depends %-show-version \
+ graph-build graph-size list-defconfigs \
+- savedefconfig update-defconfig printvars
++ savedefconfig update-defconfig printvars cpe-info %-cpe-info
+ ifeq ($(MAKECMDGOALS),)
+ BR_BUILDING = y
+ else ifneq ($(filter-out $(nobuild_targets),$(MAKECMDGOALS)),)
+@@ -222,6 +222,7 @@ LEGAL_MANIFEST_CSV_TARGET = $(LEGAL_INFO_DIR)/manifest.csv
+ LEGAL_MANIFEST_CSV_HOST = $(LEGAL_INFO_DIR)/host-manifest.csv
+ LEGAL_WARNINGS = $(LEGAL_INFO_DIR)/.warnings
+ LEGAL_REPORT = $(LEGAL_INFO_DIR)/README
++CPE_MANIFEST_CSV = $(BASE_DIR)/cpe-manifest.csv
+ 
+ BR2_CONFIG = $(CONFIG_DIR)/.config
+ 
+@@ -864,6 +865,19 @@ legal-info: legal-info-clean legal-info-prepare $(foreach p,$(PACKAGES),$(p)-all
+ mv .legal-info.sha256 legal-info.sha256)
+ @echo "Legal info produced in $(LEGAL_INFO_DIR)"
+ 
++.PHONY: cpe-info-clean
++cpe-info-clean:
++ @rm -f $(CPE_MANIFEST_CSV)
++
++.PHONY: cpe-info-prepare
++cpe-info-prepare:
++ @$(call MESSAGE,"Gathering CPE info")
++ @$(call cpe-manifest,CPE ID,CVE PATCHED,PACKAGE,VERSION,SOURCE SITE)
++
++.PHONY: cpe-info
++cpe-info: cpe-info-clean cpe-info-prepare $(foreach p,$(PACKAGES),$(p)-cpe-info)
++ @echo "CPE info produced in $(CPE_MANIFEST_CSV)"
++
+ .PHONY: show-targets
+ show-targets:
+ @echo $(sort $(PACKAGES)) $(sort $(TARGETS_ROOTFS))
+@@ -1145,6 +1159,7 @@ help:
+ @echo ' legal-info - generate info about license compliance'
+ @echo ' show-info - generate info about packages, as a JSON blurb'
+ @echo ' printvars - dump internal variables selected with VARS=...'
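Review bot: In the new `cpe-info` rule, `cpe-info-clean`, `cpe-info-prepare` and the `$(p)-cpe-info` prerequisites are all ordinary prerequisites of a single target, so nothing in this hunk orders the `rm -f` and the header-row write before the per-package appends under `make -jN`; whether that is safe depends on `$(p)-cpe-info` (defined outside this chunk, presumably in the package infrastructure) depending on `cpe-info-prepare` itself, which I cannot see here. The existing `legal-info` target uses the same shape, so if the infrastructure already serialises that one, mirroring it is enough; otherwise an order-only edge such as `$(foreach p,$(PACKAGES),$(p)-cpe-info): | cpe-info-prepare` pins the order. Because the manifest is meant to feed vulnerability scanners, a partially written or header-less file silently hides findings rather than failing the build, so a comment stating that expectation next to the target would help: `# cpe-info: one CSV row per package, consumed by external CVE tooling; rows must only be appended after cpe-info-prepare wrote the header`.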
++ @echo ' cpe-info - generate info about security CPE identification'
+ @echo
+ @echo ' make V=0|1 - 0 => quiet build (default), 1 => verbose build'
+ @echo ' make O=dir - Locate all output files in "dir", including .config'
+diff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk
+index a202525d71..280de94d2d 100644
+--- a/boot/grub2/grub2.mk
++++ b/boot/grub2/grub2.mk
+@@ -18,6 +18,7 @@ GRUB2_INSTALL_TARGET = YES
+ else
+ GRUB2_INSTALL_TARGET = NO
+ endif
++GRUB2_CPE_ID_VENDOR = gnu
+ 
+ GRUB2_BUILTIN_MODULES = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_MODULES))
+ GRUB2_BUILTIN_CONFIG = $(call qstrip,$(BR2_TARGET_GRUB2_BUILTIN_CONFIG))
+diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk
+index 1d50e72846..f82e8951ba 100644
+--- a/boot/uboot/uboot.mk
++++ b/boot/uboot/uboot.mk
+@@ -11,6 +11,8 @@ UBOOT_LICENSE = GPL-2.0+
+ ifeq ($(BR2_TARGET_UBOOT_LATEST_VERSION),y)
+ UBOOT_LICENSE_FILES = Licenses/gpl-2.0.txt
+ endif
++UBOOT_CPE_ID_VENDOR = denx
++UBOOT_CPE_ID_NAME = u-boot
+ 
+ UBOOT_INSTALL_IMAGES = YES
+ 
+diff --git a/docs/manual/adding-packages-generic.txt b/docs/manual/adding-packages-generic.txt
+index 568daaeb8d..54ffdee9d6 100644
+--- a/docs/manual/adding-packages-generic.txt
++++ b/docs/manual/adding-packages-generic.txt
+@@ -24,57 +24,59 @@ system is based on hand-written Makefiles or shell scripts.
+ 09: LIBFOO_SITE = http://www.foosoftware.org/download
+ 10: LIBFOO_LICENSE = GPL-3.0+
+ 11: LIBFOO_LICENSE_FILES = COPYING
+-12: LIBFOO_INSTALL_STAGING = YES
+-13: LIBFOO_CONFIG_SCRIPTS = libfoo-config
+-14: LIBFOO_DEPENDENCIES = host-libaaa libbbb
+-15:
+-16: define LIBFOO_BUILD_CMDS
+-17: $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
+-18: endef
+-19:
+-20: define LIBFOO_INSTALL_STAGING_CMDS
+-21: $(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
+-22: $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
+-23: $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
+-24: endef
+-25:
+-26: define LIBFOO_INSTALL_TARGET_CMDS
+-27: $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
+-28: $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
+-29: endef
+-30:
+-31: define LIBFOO_USERS
+-32: foo -1 libfoo -1 * - - - LibFoo daemon
+-33: endef
+-34:
+-35: define LIBFOO_DEVICES
+-36: /dev/foo c 666 0 0 42 0 - - -
+-37: endef
+-38:
+-39: define LIBFOO_PERMISSIONS
+-40: /bin/foo f 4755 foo libfoo - - - - -
+-41: endef
+-42:
+-43: $(eval $(generic-package))
++12: LIBFOO_CPE_ID_VENDOR = foosoftware
++13: LIBFOO_INSTALL_STAGING = YES
++14: LIBFOO_CONFIG_SCRIPTS = libfoo-config
++15: LIBFOO_DEPENDENCIES = host-libaaa libbbb
++16:
++17: define LIBFOO_BUILD_CMDS
++18: $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) all
++19: endef
++20:
++21: define LIBFOO_INSTALL_STAGING_CMDS
++22: $(INSTALL) -D -m 0755 $(@D)/libfoo.a $(STAGING_DIR)/usr/lib/libfoo.a
++23: $(INSTALL) -D -m 0644 $(@D)/foo.h $(STAGING_DIR)/usr/include/foo.h
++24: $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(STAGING_DIR)/usr/lib
++25: endef
++26:
++27: define LIBFOO_INSTALL_TARGET_CMDS
++28: $(INSTALL) -D -m 0755 $(@D)/libfoo.so* $(TARGET_DIR)/usr/lib
++29: $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/foo.d
++30: endef
++31:
++32: define LIBFOO_USERS
++33: foo -1 libfoo -1 * - - - LibFoo daemon
++34: endef
++35:
++36: define LIBFOO_DEVICES
++37: /dev/foo c 666 0 0 42 0 - - -
++38: endef
++39:
++40: define LIBFOO_PERMISSIONS
++41: /bin/foo f 4755 foo libfoo - - - - -
++42: endef
++43:
++44: $(eval $(generic-package))
+ --------------------------------
+ 
+-The Makefile begins on line 7 to 11 with metadata information: the
++The Makefile begins on line 7 to 12 with metadata information: the
+ version of the package (+LIBFOO_VERSION+), the name of the
+ tarball containing the package (+LIBFOO_SOURCE+) (xz-ed tarball recommended)
+ the Internet location at which the tarball can be downloaded from
+-(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+) and file with the
+-license text (+LIBFOO_LICENSE_FILES+). All variables must start with
++(+LIBFOO_SITE+), the license (+LIBFOO_LICENSE+), the file with the
++license text (+LIBFOO_LICENSE_FILES+) and the vendor for vunerability
++analysis (+LIBFOO_CPE_ID_VENDOR+). All variables must start with
+ the same prefix, +LIBFOO_+ in this case. This prefix is always the
+ uppercased version of the package name (see below to understand where
+ the package name is defined).
+ 
+-On line 12, we specify that this package wants to install something to
++On line 13, we specify that this package wants to install something to
+ the staging space. This is often needed for libraries, since they must
+ install header files and other development files in the staging space.
+ This will ensure that the commands listed in the
+ +LIBFOO_INSTALL_STAGING_CMDS+ variable will be executed.
+ 
+-On line 13, we specify that there is some fixing to be done to some
++On line 14, we specify that there is some fixing to be done to some
+ of the 'libfoo-config' files that were installed during
+ +LIBFOO_INSTALL_STAGING_CMDS+ phase.
+ These *-config files are executable shell script files that are
+@@ -122,14 +124,14 @@ IMAGEMAGICK_CONFIG_SCRIPTS = \
+ --------------------------------
+ ================================
+ 
+-On line 14, we specify the list of dependencies this package relies
++On line 15, we specify the list of dependencies this package relies
+ on. These dependencies are listed in terms of lower-case package names,
+ which can be packages for the target (without the +host-+
+ prefix) or packages for the host (with the +host-+) prefix).
+ Buildroot will ensure that all these packages are built and installed
+ 'before' the current package starts its configuration.
+ 
+-The rest of the Makefile, lines 16..29, defines what should be done
++The rest of the Makefile, lines 17..29, defines what should be done
+ at the different steps of the package configuration, compilation and
+ installation.
+ +LIBFOO_BUILD_CMDS+ tells what steps should be performed to
+@@ -142,16 +144,16 @@ All these steps rely on the +$(@D)+ variable, which
+ contains the directory where the source code of the package has been
+ extracted.
+ 
+-On lines 31..33, we define a user that is used by this package (e.g.
++On lines 31..44, we define a user that is used by this package (e.g.
+ to run a daemon as non-root) (+LIBFOO_USERS+).
+ 
+-On line 35..37, we define a device-node file used by this package
++On line 36..38, we define a device-node file used by this package
+ (+LIBFOO_DEVICES+).
+ 
+-On line 39..41, we define the permissions to set to specific files
++On line 40..42, we define the permissions to set to specific files
+ installed by this package (+LIBFOO_PERMISSIONS+).
+ 
+-Finally, on line 43, we call the +generic-package+ function, which
++Finally, on line 44, we call the +generic-package+ function, which
+ generates, according to the variables defined previously, all the
+ Makefile code necessary to make your package working.
+ 
+@@ -502,6 +504,29 @@ LIBFOO_IGNORE_CVES += CVE-2020-12345
+ LIBFOO_IGNORE_CVES += CVE-2020-54321
+ ----------------------
+ 
++* +LIBFOO_CPE_ID_VENDOR+
++ This variable is optional. It only must be defined if the package name
++ does not match what the CPE ID uses for the vendor. By default it's set
++ to _project.
++
++* +LIBFOO_CPE_ID_NAME+
++ This variable is optional. It only must be defined if the package name
++ does not match what the CPE ID uses for the name. By default it's set
++ to .
++
++* +LIBFOO_CPE_ID_VERSION+
++ This variable is optional. By default it's set to .
++
++* +LIBFOO_CPE_ID_VERSION_MINOR+
++ This variable is optional. By default it's set to *.
++
++* +LIBFOO_CPE_ID+ is optional, as the package infrastructure hangles the
++ default case of a single package's Common Product Enumeration (CPE)
++ identification string. +make cpe-info+ copies all of these into a
++ +cpe-manifest.csv+ file. To identify a package's possible CPE,
++ the National Vunerability Database can be searched at
++ https://nvd.nist.gov/products/cpe/search.
++
+ The recommended way to define these variables is to use the following
+ syntax:
+ 
+diff --git a/docs/manual/manual.txt b/docs/manual/manual.txt
+index 48de65ee10..fcc087f6f1 100644
+--- a/docs/manual/manual.txt
++++ b/docs/manual/manual.txt
+@@ -46,6 +46,8 @@ include::legal-notice.txt[]
+ 
+ include::beyond-buildroot.txt[]
+ 
++include::cpe-reporting.txt[]
++
+ = Developer guide
+ 
+ include::how-buildroot-works.txt[]
+diff --git a/linux/linux.mk b/linux/linux.mk
+index b9f2052ee7..bf0381f44a 100644
+--- a/linux/linux.mk
++++ b/linux/linux.mk
+@@ -12,6 +12,8 @@ LINUX_LICENSE_FILES = \
+ LICENSES/preferred/GPL-2.0 \
+ LICENSES/exceptions/Linux-syscall-note
+ endif
++LINUX_CPE_ID_VENDOR = $(LINUX_NAME)
++LINUX_CPE_ID_NAME = $(LINUX_NAME)_kernel
+ 
+ define LINUX_HELP_CMDS
+ @echo ' linux-menuconfig - Run Linux kernel menuconfig'
+diff --git a/package/Makefile.in b/package/Makefile.in
+index 51f5cbce4f..f66f7041ee 100644
+--- a/package/Makefile.in
++++ b/package/Makefile.in
+@@ -373,6 +373,10 @@ TARGET_CONFIGURE_ARGS = \
+ 
+ ################################################################################
+ 
++CPE_PREFIX_OS = cpe:2.3:o
++CPE_PREFIX_APP = cpe:2.3:a
++CPE_SUFFIX = *:*:*:*:*:*
++
+ ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
+ NLS_OPTS = --enable-nls
+ TARGET_NLS_DEPENDENCIES = host-gettext
+diff --git a/package/audit/audit.mk b/package/audit/audit.mk
+index 652e0fcd56..a20767d24b 100644
+--- a/package/audit/audit.mk
++++ b/package/audit/audit.mk
+@@ -10,6 +10,8 @@ AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
+ AUDIT_LICENSE_FILES = COPYING COPYING.LIB
+ # 0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
+ AUDIT_AUTORECONF = YES
++AUDIT_CPE_ID_VENDOR = linux_audit_project
++AUDIT_CPE_ID_NAME = linux_audit
+ 
+ AUDIT_INSTALL_STAGING = YES
+ 
+diff --git a/package/aufs/aufs.mk b/package/aufs/aufs.mk
+index 4e95a350a0..495e94e606 100644
+--- a/package/aufs/aufs.mk
++++ b/package/aufs/aufs.mk
+@@ -7,6 +7,7 @@
+ AUFS_VERSION = $(call qstrip,$(BR2_PACKAGE_AUFS_VERSION))
+ AUFS_LICENSE = GPL-2.0
+ AUFS_LICENSE_FILES = COPYING
++AUFS_CPE_ID_VERSION = 4.1
+ 
+ ifeq ($(BR2_PACKAGE_AUFS_SERIES),3)
+ AUFS_SITE = http://git.code.sf.net/p/aufs/aufs3-standalone
+diff --git a/package/bash/bash.mk b/package/bash/bash.mk
+index 1843862e49..b4681c1085 100644
+--- a/package/bash/bash.mk
++++ b/package/bash/bash.mk
+@@ -10,6 +10,7 @@ BASH_DEPENDENCIES = ncurses readline host-bison
+ BASH_CONF_OPTS = --with-installed-readline --without-bash-malloc
+ BASH_LICENSE = GPL-3.0+
+ BASH_LICENSE_FILES = COPYING
++BASH_CPE_ID_VENDOR = gnu
+ 
+ BASH_CONF_ENV += \
+ ac_cv_rl_prefix="$(STAGING_DIR)" \
+diff --git a/package/bc/bc.mk b/package/bc/bc.mk
+index fdfacb6c89..06b6feae4f 100644
+--- a/package/bc/bc.mk
++++ b/package/bc/bc.mk
+@@ -9,6 +9,7 @@ BC_SITE = http://ftp.gnu.org/gnu/bc
+ BC_DEPENDENCIES = host-flex
+ BC_LICENSE = GPL-2.0+, LGPL-2.1+
+ BC_LICENSE_FILES = COPYING COPYING.LIB
++BC_CPE_ID_VENDOR = gnu
+ BC_CONF_ENV = MAKEINFO=true
+ 
+ # 0001-bc-use-MAKEINFO-variable-for-docs.patch and 0004-no-gen-libmath.patch
+diff --git a/package/bind/bind.mk b/package/bind/bind.mk
+index 362a26dce6..806ece6ccd 100644
+--- a/package/bind/bind.mk
++++ b/package/bind/bind.mk
+@@ -12,6 +12,7 @@ BIND_INSTALL_STAGING = YES
+ BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
+ BIND_LICENSE = MPL-2.0
+ BIND_LICENSE_FILES = COPYRIGHT
++BIND_CPE_ID_VENDOR = isc
+ BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
+ BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
+ BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
+diff --git a/package/boost/boost.mk b/package/boost/boost.mk
+index 2daf7f5a96..73f8e71143 100644
+--- a/package/boost/boost.mk
++++ b/package/boost/boost.mk
+@@ -10,6 +10,7 @@ BOOST_SITE = https://dl.bintray.com/boostorg/release/$(BOOST_VERSION)/source
+ BOOST_INSTALL_STAGING = YES
+ BOOST_LICENSE = BSL-1.0
+ BOOST_LICENSE_FILES = LICENSE_1_0.txt
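Review bot: `CPE_PREFIX_OS`, `CPE_PREFIX_APP` and `CPE_SUFFIX` in the package/Makefile.in hunk are bare magic strings; a reader has to already know the CPE 2.3 formatted-string binding to see why the suffix is exactly six `*` fields and why the code assembling prefix, vendor, product, version and update in between (outside this chunk) ends up with the right count. A comment above them would make that checkable: `# CPE 2.3 formatted string: cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition>:<lang>:<sw_edition>:<target_sw>:<target_hw>:<other>` and `# CPE_PREFIX_* supplies cpe:2.3:<part>; vendor:product:version:update are filled per package; CPE_SUFFIX wildcards the remaining six fields (13 in total)`. Consumers matching the manifest against NVD depend on that field count, so it is worth stating next to the definitions.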
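Review bot: `AUFS_CPE_ID_VERSION = 4.1` in the aufs.mk hunk pins the reported CPE version, while the surrounding context shows `AUFS_VERSION` coming from `BR2_PACKAGE_AUFS_VERSION` and a separate aufs3 series selected by `BR2_PACKAGE_AUFS_SERIES`; for any configuration other than the 4.1 one, the manifest row will carry a version that does not match what was actually built, and vulnerability matching on that row is then wrong in either direction. If the pin is deliberate (for example because that is the only version entry NVD tracks for aufs), the reason belongs in a comment, e.g. `# NVD only tracks aufs under version 4.1; revisit if more CPE entries appear`; otherwise it should be derived from `AUFS_VERSION` rather than hard-coded. I cannot tell which from this chunk.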
++BOOST_CPE_ID_VENDOR = $(BOOST_NAME)
+ 
+ # CVE-2009-3654 is misclassified (by our CVE tracker) as affecting to boost,
+ # while in fact it affects Drupal (a module called boost in there).
+diff --git a/package/bridge-utils/bridge-utils.mk b/package/bridge-utils/bridge-utils.mk
+index 2519227471..288de8c373 100644
+--- a/package/bridge-utils/bridge-utils.mk
++++ b/package/bridge-utils/bridge-utils.mk
+@@ -10,6 +10,7 @@ BRIDGE_UTILS_SOURCE = bridge-utils-1.6.tar.xz
+ BRIDGE_UTILS_AUTORECONF = YES
+ BRIDGE_UTILS_LICENSE = GPL-2.0+
+ BRIDGE_UTILS_LICENSE_FILES = COPYING
++BRIDGE_UTILS_CPE_ID_VENDOR = kernel
+ 
+ # Avoid using the host's headers. Location is not important as
+ # required headers will anyway be found from within the sysroot.
+diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
+index 24f3ba3b19..eae8aa3276 100644
+--- a/package/busybox/busybox.mk
++++ b/package/busybox/busybox.mk
+@@ -9,6 +9,7 @@ BUSYBOX_SITE = http://www.busybox.net/downloads
+ BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
+ BUSYBOX_LICENSE = GPL-2.0
+ BUSYBOX_LICENSE_FILES = LICENSE
++BUSYBOX_CPE_ID_VENDOR = $(BUSYBOX_NAME)
+ 
+ define BUSYBOX_HELP_CMDS
+ @echo ' busybox-menuconfig - Run BusyBox menuconfig'
+diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
+index b4d8eea25e..c2e5f7610e 100644
+--- a/package/bzip2/bzip2.mk
++++ b/package/bzip2/bzip2.mk
+@@ -9,6 +9,7 @@ BZIP2_SITE = https://sourceware.org/pub/bzip2
+ BZIP2_INSTALL_STAGING = YES
+ BZIP2_LICENSE = bzip2 license
+ BZIP2_LICENSE_FILES = LICENSE
++BZIP2_CPE_ID_VENDOR = bzip
+ 
+ ifeq ($(BR2_STATIC_LIBS),)
+ define BZIP2_BUILD_SHARED_CMDS
+diff --git a/package/clang/clang.mk b/package/clang/clang.mk
+index d740af5322..672c9fb3fa 100644
+--- a/package/clang/clang.mk
++++ b/package/clang/clang.mk
+@@ -10,6 +10,7 @@ CLANG_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(CL
+ CLANG_SOURCE = clang-$(CLANG_VERSION).src.tar.xz
+ CLANG_LICENSE = Apache-2.0 with exceptions
+ CLANG_LICENSE_FILES = LICENSE.TXT
++CLANG_CVE_ID_VENDOR = llvm
+ CLANG_SUPPORTS_IN_SOURCE_BUILD = NO
+ CLANG_INSTALL_STAGING = YES
+ 
+diff --git a/package/collectd/collectd.mk b/package/collectd/collectd.mk
+index 24cdad7e1b..18c69369c6 100644
+--- a/package/collectd/collectd.mk
++++ b/package/collectd/collectd.mk
+@@ -12,6 +12,7 @@ COLLECTD_CONF_ENV = ac_cv_lib_yajl_yajl_alloc=yes
+ COLLECTD_INSTALL_STAGING = YES
+ COLLECTD_LICENSE = MIT (daemon, plugins), GPL-2.0 (plugins), LGPL-2.1 (plugins)
+ COLLECTD_LICENSE_FILES = COPYING
++COLLECTD_CPE_ID_VENDOR = $(COLLECTD_NAME)
+ 
+ # These require unmet dependencies, are fringe, pointless or deprecated
+ COLLECTD_PLUGINS_DISABLE = \
+diff --git a/package/conntrack-tools/conntrack-tools.mk b/package/conntrack-tools/conntrack-tools.mk
+index 145b6d785f..55ea407924 100644
+--- a/package/conntrack-tools/conntrack-tools.mk
++++ b/package/conntrack-tools/conntrack-tools.mk
+@@ -12,6 +12,7 @@ CONNTRACK_TOOLS_DEPENDENCIES = host-pkgconf \
+ libnetfilter_queue host-bison host-flex
+ CONNTRACK_TOOLS_LICENSE = GPL-2.0+
+ CONNTRACK_TOOLS_LICENSE_FILES = COPYING
++CONNTRACK_TOOLS_CPE_ID_VENDOR = netfilter
+ 
+ CONNTRACK_TOOL_CFLAGS_PLACEHOLDER_REMOVED_BELOW
+diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
+ ifeq ($(BR2_PACKAGE_GDB_DEBUGGER),) +diff --git a/package/gesftpserver/gesftpserver.mk b/package/gesftpserver/gesftpserver.mk +index ff7ce768ae..07718a4c42 100644 +--- a/package/gesftpserver/gesftpserver.mk ++++ b/package/gesftpserver/gesftpserver.mk +@@ -12,6 +12,8 @@ GESFTPSERVER_LICENSE_FILES = COPYING + + # "Missing prototype" warning treated as error + GESFTPSERVER_CONF_OPTS = --disable-warnings-as-errors ++GESFTPSERVER_CPE_ID_VENDOR = green_end ++GESFTPSERVER_CPE_ID_NAME = sftpserver + + # forgets to link against pthread when cross compiling + GESFTPSERVER_CONF_ENV = LIBS=-lpthread +diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk +index 4621c9c2f9..81be3435b5 100644 +--- a/package/glibc/glibc.mk ++++ b/package/glibc/glibc.mk +@@ -29,6 +29,7 @@ endif + + GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library) + GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES ++GLIBC_CPE_ID_VENDOR = gnu + + # glibc is part of the toolchain so disable the toolchain dependency + GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO +diff --git a/package/gmp/gmp.mk b/package/gmp/gmp.mk +index d124463a98..a79d5b7d9a 100644 +--- a/package/gmp/gmp.mk ++++ b/package/gmp/gmp.mk +@@ -10,6 +10,7 @@ GMP_SOURCE = gmp-$(GMP_VERSION).tar.xz + GMP_INSTALL_STAGING = YES + GMP_LICENSE = LGPL-3.0+ or GPL-2.0+ + GMP_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2 ++GMP_CPE_ID_VENDOR = gmplib + GMP_DEPENDENCIES = host-m4 + HOST_GMP_DEPENDENCIES = host-m4 + +diff --git a/package/gnupg/gnupg.mk b/package/gnupg/gnupg.mk +index 617def884e..ba424fed96 100644 +--- a/package/gnupg/gnupg.mk ++++ b/package/gnupg/gnupg.mk +@@ -10,6 +10,7 @@ GNUPG_SITE = https://gnupg.org/ftp/gcrypt/gnupg + GNUPG_LICENSE = GPL-3.0+ + GNUPG_LICENSE_FILES = COPYING + GNUPG_DEPENDENCIES = zlib $(if $(BR2_PACKAGE_LIBICONV),libiconv) ++GNUPG_CPE_ID_VENDOR = $(GNUPG_NAME) + GNUPG_CONF_ENV = ac_cv_sys_symbol_underscore=no + GNUPG_CONF_OPTS = \ + --disable-rpath \ +diff --git a/package/gnutls/gnutls.mk 
b/package/gnutls/gnutls.mk +index a1dfce62a2..1e98746441 100644 +--- a/package/gnutls/gnutls.mk ++++ b/package/gnutls/gnutls.mk +@@ -17,6 +17,7 @@ GNUTLS_LICENSE_FILES += doc/COPYING + endif + + GNUTLS_DEPENDENCIES = host-pkgconf libtasn1 nettle pcre ++GNUTLS_CPE_ID_VENDOR = gnu + GNUTLS_CONF_OPTS = \ + --disable-doc \ + --disable-guile \ +diff --git a/package/grep/grep.mk b/package/grep/grep.mk +index ef1bbb4487..204c74f3b8 100644 +--- a/package/grep/grep.mk ++++ b/package/grep/grep.mk +@@ -9,6 +9,7 @@ GREP_SITE = $(BR2_GNU_MIRROR)/grep + GREP_SOURCE = grep-$(GREP_VERSION).tar.xz + GREP_LICENSE = GPL-3.0+ + GREP_LICENSE_FILES = COPYING ++GREP_CPE_ID_VENDOR = gnu + GREP_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES) + # install into /bin like busybox grep + GREP_CONF_OPTS = --exec-prefix=/ +diff --git a/package/gtest/gtest.mk b/package/gtest/gtest.mk +index 7f967b8bfb..fc51d9f7a2 100644 +--- a/package/gtest/gtest.mk ++++ b/package/gtest/gtest.mk +@@ -10,6 +10,8 @@ GTEST_INSTALL_STAGING = YES + GTEST_INSTALL_TARGET = NO + GTEST_LICENSE = BSD-3-Clause + GTEST_LICENSE_FILES = googletest/LICENSE ++GTEST_CPE_ID_VENDOR = google ++GTEST_CPE_ID_NAME = google_test + + ifeq ($(BR2_PACKAGE_GTEST_GMOCK),y) + GTEST_DEPENDENCIES += host-gtest +diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk +index 17b27b497c..c8fd3ddb7a 100644 +--- a/package/gzip/gzip.mk ++++ b/package/gzip/gzip.mk +@@ -11,6 +11,7 @@ GZIP_SITE = $(BR2_GNU_MIRROR)/gzip + GZIP_CONF_OPTS = --exec-prefix=/ + GZIP_LICENSE = GPL-3.0+ + GZIP_LICENSE_FILES = COPYING ++GZIP_CPE_ID_VENDOR = gnu + GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes + HOST_GZIP_CONF_ENV += gl_cv_func_fflush_stdin=yes + # configure substitutes $(SHELL) for the shell shebang in scripts like +diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk +index b94a0e4578..61576c9323 100644 +--- a/package/hostapd/hostapd.mk ++++ b/package/hostapd/hostapd.mk +@@ -16,6 +16,7 @@ HOSTAPD_LICENSE_FILES = README + # 
0001-AP-Silently-ignore-management-frame-from-unexpected-.patch + HOSTAPD_IGNORE_CVES += CVE-2019-16275 + ++HOSTAPD_CPE_ID_VENDOR = w1.fi + HOSTAPD_CONFIG_SET = + + HOSTAPD_CONFIG_ENABLE = \ +diff --git a/package/ifupdown/ifupdown.mk b/package/ifupdown/ifupdown.mk +index 84d24aedab..e62c2a79c5 100644 +--- a/package/ifupdown/ifupdown.mk ++++ b/package/ifupdown/ifupdown.mk +@@ -9,6 +9,7 @@ IFUPDOWN_SOURCE = ifupdown_$(IFUPDOWN_VERSION).tar.xz + IFUPDOWN_SITE = http://snapshot.debian.org/archive/debian/20160922T165503Z/pool/main/i/ifupdown + IFUPDOWN_LICENSE = GPL-2.0+ + IFUPDOWN_LICENSE_FILES = COPYING ++IFUPDOWN_CPE_ID_VENDOR = debian + + define IFUPDOWN_BUILD_CMDS + $(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) \ +diff --git a/package/iperf/iperf.mk b/package/iperf/iperf.mk +index 7088b0f152..f1e65e7545 100644 +--- a/package/iperf/iperf.mk ++++ b/package/iperf/iperf.mk +@@ -8,6 +8,8 @@ IPERF_VERSION = 2.0.13 + IPERF_SITE = http://downloads.sourceforge.net/project/iperf2 + IPERF_LICENSE = MIT-like + IPERF_LICENSE_FILES = COPYING ++IPERF_CPE_ID_VENDOR = $(IPERF_NAME)2_project ++IPERF_CPE_ID_NAME = $(IPERF_NAME)2 + + IPERF_CONF_OPTS = \ + --disable-web100 +diff --git a/package/iperf3/iperf3.mk b/package/iperf3/iperf3.mk +index 3537b23824..d29eb8505e 100644 +--- a/package/iperf3/iperf3.mk ++++ b/package/iperf3/iperf3.mk +@@ -9,6 +9,7 @@ IPERF3_SITE = https://downloads.es.net/pub/iperf + IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz + IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT + IPERF3_LICENSE_FILES = LICENSE ++IPERF3_CPE_ID_VENDOR = es + + IPERF3_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -D_GNU_SOURCE" + +diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk +index 869763d322..cea3ee0e05 100644 +--- a/package/ipset/ipset.mk ++++ b/package/ipset/ipset.mk +@@ -11,6 +11,7 @@ IPSET_DEPENDENCIES = libmnl host-pkgconf + IPSET_CONF_OPTS = --with-kmod=no + IPSET_LICENSE = GPL-2.0 + IPSET_LICENSE_FILES = COPYING ++IPSET_CPE_ID_VENDOR = netfilter + 
IPSET_INSTALL_STAGING = YES + + $(eval $(autotools-package)) +diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk +index 7b964aaf41..f4ddbcefd8 100644 +--- a/package/iptables/iptables.mk ++++ b/package/iptables/iptables.mk +@@ -12,6 +12,7 @@ IPTABLES_DEPENDENCIES = host-pkgconf \ + $(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack) + IPTABLES_LICENSE = GPL-2.0 + IPTABLES_LICENSE_FILES = COPYING ++IPTABLES_CPE_ID_VENDOR = netfilter + # Building static causes ugly warnings on some plugins + IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \ + $(if $(BR2_STATIC_LIBS),,--disable-static) +diff --git a/package/iw/iw.mk b/package/iw/iw.mk +index 2250ea413b..a232cc8baa 100644 +--- a/package/iw/iw.mk ++++ b/package/iw/iw.mk +@@ -9,6 +9,7 @@ IW_SOURCE = iw-$(IW_VERSION).tar.xz + IW_SITE = $(BR2_KERNEL_MIRROR)/software/network/iw + IW_LICENSE = ISC + IW_LICENSE_FILES = COPYING ++IW_CPE_ID_VENDOR = kernel + IW_DEPENDENCIES = host-pkgconf libnl + IW_MAKE_ENV = \ + $(TARGET_MAKE_ENV) \ +diff --git a/package/kmod/kmod.mk b/package/kmod/kmod.mk +index 0a79b2cf4d..c44764ea18 100644 +--- a/package/kmod/kmod.mk ++++ b/package/kmod/kmod.mk +@@ -15,6 +15,8 @@ HOST_KMOD_DEPENDENCIES = host-pkgconf + KMOD_LICENSE = LGPL-2.1+ (library) + KMOD_LICENSE_FILES = libkmod/COPYING + ++KMOD_CPE_ID_VENDOR = kernel ++ + # --gc-sections triggers binutils ld segfault + # https://sourceware.org/bugzilla/show_bug.cgi?id=21180 + ifeq ($(BR2_microblaze),y) +diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk +index 4aabbea560..366af22487 100644 +--- a/package/libarchive/libarchive.mk ++++ b/package/libarchive/libarchive.mk +@@ -9,6 +9,7 @@ LIBARCHIVE_SITE = https://www.libarchive.de/downloads + LIBARCHIVE_INSTALL_STAGING = YES + LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0 + LIBARCHIVE_LICENSE_FILES = COPYING ++LIBARCHIVE_CPE_ID_VENDOR = $(LIBARCHIVE_NAME) + + ifeq 
($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y) + ifeq ($(BR2_STATIC_LIBS),y) +diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk +index 7a29634c68..36687bb57d 100644 +--- a/package/libcurl/libcurl.mk ++++ b/package/libcurl/libcurl.mk +@@ -12,6 +12,8 @@ LIBCURL_DEPENDENCIES = host-pkgconf \ + $(if $(BR2_PACKAGE_RTMPDUMP),rtmpdump) + LIBCURL_LICENSE = curl + LIBCURL_LICENSE_FILES = COPYING ++LIBCURL_CPE_ID_VENDOR = haxx ++LIBCURL_CPE_ID_NAME = libcurl + LIBCURL_INSTALL_STAGING = YES + + # We disable NTLM support because it uses fork(), which doesn't work +diff --git a/package/libestr/libestr.mk b/package/libestr/libestr.mk +index 30960f7257..6ce22efae2 100644 +--- a/package/libestr/libestr.mk ++++ b/package/libestr/libestr.mk +@@ -8,6 +8,7 @@ LIBESTR_VERSION = 0.1.11 + LIBESTR_SITE = http://libestr.adiscon.com/files/download + LIBESTR_LICENSE = LGPL-2.1+ + LIBESTR_LICENSE_FILES = COPYING ++LIBESTR_CPE_ID_VENDOR = adiscon + LIBESTR_INSTALL_STAGING = YES + + $(eval $(autotools-package)) +diff --git a/package/libfastjson/libfastjson.mk b/package/libfastjson/libfastjson.mk +index ecca72f56c..37dbd7e03e 100644 +--- a/package/libfastjson/libfastjson.mk ++++ b/package/libfastjson/libfastjson.mk +@@ -12,5 +12,6 @@ LIBFASTJSON_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99' + LIBFASTJSON_AUTORECONF = YES + LIBFASTJSON_LICENSE = MIT + LIBFASTJSON_LICENSE_FILES = COPYING ++LIBFASTJSON_CPE_ID_VENDOR = rsyslog + + $(eval $(autotools-package)) +diff --git a/package/libfcgi/libfcgi.mk b/package/libfcgi/libfcgi.mk +index c158df2395..c40d9c5970 100644 +--- a/package/libfcgi/libfcgi.mk ++++ b/package/libfcgi/libfcgi.mk +@@ -8,6 +8,8 @@ LIBFCGI_VERSION = 2.4.2 + LIBFCGI_SITE = $(call github,FastCGI-Archives,fcgi2,$(LIBFCGI_VERSION)) + LIBFCGI_LICENSE = OML + LIBFCGI_LICENSE_FILES = LICENSE.TERMS ++LIBFCGI_CPE_ID_VENDOR = fastcgi ++LIBFCGI_CPE_ID_NAME = fcgi + LIBFCGI_INSTALL_STAGING = YES + LIBFCGI_AUTORECONF = YES + +diff --git a/package/libffi/libffi.mk b/package/libffi/libffi.mk 
+index 722a03dca0..e87a024040 100644
+--- a/package/libffi/libffi.mk
++++ b/package/libffi/libffi.mk
+@@ -6,6 +6,8 @@
+ 
+ LIBFFI_VERSION = 3.3
+ LIBFFI_SITE = $(call github,libffi,libffi,v$(LIBFFI_VERSION))
++LIBFFI_CPE_ID_VERSION = 3.3
++LIBFFI_CPE_ID_VERSION_MINOR = rc0
+ LIBFFI_LICENSE = MIT
+ LIBFFI_LICENSE_FILES = LICENSE
+ LIBFFI_INSTALL_STAGING = YES
+diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
+index d21513bd39..12fdcab422 100644
+--- a/package/libgcrypt/libgcrypt.mk
++++ b/package/libgcrypt/libgcrypt.mk
+@@ -12,6 +12,7 @@ LIBGCRYPT_SITE = https://gnupg.org/ftp/gcrypt/libgcrypt
+ LIBGCRYPT_INSTALL_STAGING = YES
+ LIBGCRYPT_DEPENDENCIES = libgpg-error
+ LIBGCRYPT_CONFIG_SCRIPTS = libgcrypt-config
++LIBGCRYPT_CPE_ID_VENDOR = gnupg
+ 
+ # Patching acinclude.m4 in 0001
+ # Patching configure.ac and Makefile.am in 0002
+diff --git a/package/libglib2/libglib2.mk b/package/libglib2/libglib2.mk
+index 7106124d72..8eea7e96e4 100644
+--- a/package/libglib2/libglib2.mk
++++ b/package/libglib2/libglib2.mk
+@@ -10,6 +10,8 @@ LIBGLIB2_SOURCE = glib-$(LIBGLIB2_VERSION).tar.xz
+ LIBGLIB2_SITE = http://ftp.gnome.org/pub/gnome/sources/glib/$(LIBGLIB2_VERSION_MAJOR)
+ LIBGLIB2_LICENSE = LGPL-2.1+
+ LIBGLIB2_LICENSE_FILES = COPYING
++LIBGLIB2_CPE_ID_VENDOR = gnome
++LIBGLIB2_CPE_ID_NAME = glib
+ LIBGLIB2_INSTALL_STAGING = YES
+ 
+ LIBGLIB2_CFLAGS = $(TARGET_CFLAGS)
+diff --git a/package/libgpg-error/libgpg-error.mk b/package/libgpg-error/libgpg-error.mk
+index 6281faa662..05c7f710f2 100644
+--- a/package/libgpg-error/libgpg-error.mk
++++ b/package/libgpg-error/libgpg-error.mk
+@@ -9,6 +9,7 @@ LIBGPG_ERROR_SITE = https://www.gnupg.org/ftp/gcrypt/libgpg-error
+ LIBGPG_ERROR_SOURCE = libgpg-error-$(LIBGPG_ERROR_VERSION).tar.bz2
+ LIBGPG_ERROR_LICENSE = GPL-2.0+, LGPL-2.1+
+ LIBGPG_ERROR_LICENSE_FILES = COPYING COPYING.LIB
++LIBGPG_ERROR_CPE_ID_VENDOR = gnupg
+ LIBGPG_ERROR_INSTALL_STAGING = YES
+ LIBGPG_ERROR_CONFIG_SCRIPTS = gpg-error-config
+ 
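Review bot: `LIBFFI_CPE_ID_VERSION_MINOR = rc0` tags the package as the rc0 pre-release in the generated CPE ID, while `LIBFFI_VERSION = 3.3` two lines above fetches the final 3.3 tag; CVEs recorded against 3.3 proper would then not match this entry. If the intent is to track the final release, drop the override and leave `LIBFFI_CPE_ID_VERSION_MINOR` at the `*` default that pkg-generic.mk supplies; if the CPE dictionary really lists this tarball under rc0, a one-line comment saying so, e.g. `# NVD lists the 3.3 tarball as 3.3:rc0`, would stop the next reader from "fixing" it.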
LIBGPG_ERROR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
+diff --git a/package/liblogging/liblogging.mk b/package/liblogging/liblogging.mk
+index c756891a86..24375b56b4 100644
+--- a/package/liblogging/liblogging.mk
++++ b/package/liblogging/liblogging.mk
+@@ -8,6 +8,7 @@ LIBLOGGING_VERSION = 1.0.6
+ LIBLOGGING_SITE = http://download.rsyslog.com/liblogging
+ LIBLOGGING_LICENSE = BSD-2-Clause
+ LIBLOGGING_LICENSE_FILES = COPYING
++LIBLOGGING_CPE_ID_VENDOR = adiscon
+ LIBLOGGING_INSTALL_STAGING = YES
+ LIBLOGGING_CONF_OPTS = --enable-cached-man-pages
+ 
+diff --git a/package/libmbim/libmbim.mk b/package/libmbim/libmbim.mk
+index 67cfd2bc0b..c61315ea68 100644
+--- a/package/libmbim/libmbim.mk
++++ b/package/libmbim/libmbim.mk
+@@ -9,6 +9,7 @@ LIBMBIM_SITE = https://www.freedesktop.org/software/libmbim
+ LIBMBIM_SOURCE = libmbim-$(LIBMBIM_VERSION).tar.xz
+ LIBMBIM_LICENSE = LGPL-2.0+ (library), GPL-2.0+ (programs)
+ LIBMBIM_LICENSE_FILES = COPYING COPYING.LIB
++LIBMBIM_CPE_ID_VENDOR = freedesktop
+ LIBMBIM_INSTALL_STAGING = YES
+ 
+ LIBMBIM_DEPENDENCIES = libglib2
+diff --git a/package/libmnl/libmnl.mk b/package/libmnl/libmnl.mk
+index 7fcce4c21f..d3b33db2e0 100644
+--- a/package/libmnl/libmnl.mk
++++ b/package/libmnl/libmnl.mk
+@@ -10,5 +10,6 @@ LIBMNL_SITE = http://netfilter.org/projects/libmnl/files
+ LIBMNL_INSTALL_STAGING = YES
+ LIBMNL_LICENSE = LGPL-2.1+
+ LIBMNL_LICENSE_FILES = COPYING
++LIBMNL_CPE_ID_VENDOR = netfilter
+ 
+ $(eval $(autotools-package))
+diff --git a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
+index 8beefefb51..0a5a94be8f 100644
+--- a/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
++++ b/package/libnetfilter_conntrack/libnetfilter_conntrack.mk
+@@ -11,5 +11,6 @@ LIBNETFILTER_CONNTRACK_INSTALL_STAGING = YES
+ LIBNETFILTER_CONNTRACK_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
+ LIBNETFILTER_CONNTRACK_LICENSE = GPL-2.0+
+ LIBNETFILTER_CONNTRACK_LICENSE_FILES = 
COPYING
++LIBNETFILTER_CONNTRACK_CPE_ID_VENDOR = netfilter
+ 
+ $(eval $(autotools-package))
+diff --git a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
+index 61d6acd07c..d74ea4d0fd 100644
+--- a/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
++++ b/package/libnetfilter_cthelper/libnetfilter_cthelper.mk
+@@ -12,5 +12,6 @@ LIBNETFILTER_CTHELPER_DEPENDENCIES = host-pkgconf libmnl
+ LIBNETFILTER_CTHELPER_AUTORECONF = YES
+ LIBNETFILTER_CTHELPER_LICENSE = GPL-2.0+
+ LIBNETFILTER_CTHELPER_LICENSE_FILES = COPYING
++LIBNETFILTER_CTHELPER_CPE_ID_VENDOR = netfilter
+ 
+ $(eval $(autotools-package))
+diff --git a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
+index 9c4c951687..f5c5067b64 100644
+--- a/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
++++ b/package/libnetfilter_cttimeout/libnetfilter_cttimeout.mk
+@@ -12,5 +12,6 @@ LIBNETFILTER_CTTIMEOUT_DEPENDENCIES = host-pkgconf libmnl
+ LIBNETFILTER_CTTIMEOUT_AUTORECONF = YES
+ LIBNETFILTER_CTTIMEOUT_LICENSE = GPL-2.0+
+ LIBNETFILTER_CTTIMEOUT_LICENSE_FILES = COPYING
++LIBNETFILTER_CTTIMEOUT_CPE_ID_VENDOR = netfilter
+ 
+ $(eval $(autotools-package))
+diff --git a/package/libnetfilter_queue/libnetfilter_queue.mk b/package/libnetfilter_queue/libnetfilter_queue.mk
+index 302f9a2575..5556969fde 100644
+--- a/package/libnetfilter_queue/libnetfilter_queue.mk
++++ b/package/libnetfilter_queue/libnetfilter_queue.mk
+@@ -12,5 +12,6 @@ LIBNETFILTER_QUEUE_DEPENDENCIES = host-pkgconf libnfnetlink libmnl
+ LIBNETFILTER_QUEUE_AUTORECONF = YES
+ LIBNETFILTER_QUEUE_LICENSE = GPL-2.0+
+ LIBNETFILTER_QUEUE_LICENSE_FILES = COPYING
++LIBNETFILTER_QUEUE_CPE_ID_VENDOR = netfilter
+ 
+ $(eval $(autotools-package))
+diff --git a/package/libnfnetlink/libnfnetlink.mk b/package/libnfnetlink/libnfnetlink.mk
+index 13f5d72c87..a5ad47b85e 100644
+--- a/package/libnfnetlink/libnfnetlink.mk
++++ 
b/package/libnfnetlink/libnfnetlink.mk
+@@ -11,5 +11,6 @@ LIBNFNETLINK_AUTORECONF = YES
+ LIBNFNETLINK_INSTALL_STAGING = YES
+ LIBNFNETLINK_LICENSE = GPL-2.0
+ LIBNFNETLINK_LICENSE_FILES = COPYING
++LIBNFNETLINK_CPE_ID_VENDOR = netfilter
+ 
+ $(eval $(autotools-package))
+diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
+index 881518d1cb..3aa5b88017 100644
+--- a/package/libopenssl/Config.in
++++ b/package/libopenssl/Config.in
+@@ -45,3 +45,14 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
+ Install additional encryption engine libraries.
+ 
+ endif # BR2_PACKAGE_LIBOPENSSL
++# See package/openssl/Config.in for the actual kconfig
++# of this package. This file provides a URL for CPE use.
++
++# help
++# A collaborative effort to develop a robust, commercial-grade,
++# fully featured, and Open Source toolkit implementing the
++# Secure Sockets Layer (SSL v2/v3) and Transport Security
++# (TLS v1) as well as a full-strength general-purpose
++# cryptography library.
++#
++# http://www.openssl.org/
+diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
+index a300458f85..bb4747f4c0 100644
+--- a/package/libopenssl/libopenssl.mk
++++ b/package/libopenssl/libopenssl.mk
+@@ -15,6 +15,8 @@ HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
+ LIBOPENSSL_TARGET_ARCH = $(call qstrip,$(BR2_PACKAGE_LIBOPENSSL_TARGET_ARCH))
+ LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
+ LIBOPENSSL_PROVIDES = openssl
++LIBOPENSSL_CPE_ID_VENDOR = $(LIBOPENSSL_PROVIDES)
++LIBOPENSSL_CPE_ID_NAME = $(LIBOPENSSL_PROVIDES)
+ 
+ ifeq ($(BR2_m68k_cf),y)
+ # relocation truncated to fit: R_68K_GOT16O
+diff --git a/package/libpcap/libpcap.mk b/package/libpcap/libpcap.mk
+index 881a109a0a..e323461529 100644
+--- a/package/libpcap/libpcap.mk
++++ b/package/libpcap/libpcap.mk
+@@ -8,6 +8,7 @@ LIBPCAP_VERSION = 1.9.1
+ LIBPCAP_SITE = http://www.tcpdump.org/release
+ LIBPCAP_LICENSE = BSD-3-Clause
+ LIBPCAP_LICENSE_FILES = LICENSE
++LIBPCAP_CPE_ID_VENDOR = tcpdump
+ 
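Review bot: The block appended to package/libopenssl/Config.in is entirely commented out (`# help` through `# http://www.openssl.org/`), and nothing in this patch reads it: the cpe-info recipe in pkg-generic.mk fills its URL column from `$$($(2)_ACTUAL_SOURCE_SITE)`, not from Kconfig help text. Commented-out help text in a Config.in will mislead the next reader into thinking the URL is consumed somewhere. Either drop the block, or if a tool outside this patch parses it, name that tool in the leading comment, e.g. `# Parsed by <tool name> to obtain the upstream URL for CPE reports`.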
LIBPCAP_INSTALL_STAGING = YES
+ LIBPCAP_DEPENDENCIES = host-flex host-bison
+ 
+diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
+index d0e7b66241..bd728e6bc6 100644
+--- a/package/libselinux/libselinux.mk
++++ b/package/libselinux/libselinux.mk
+@@ -8,6 +8,7 @@ LIBSELINUX_VERSION = 3.0
+ LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/20191204
+ LIBSELINUX_LICENSE = Public Domain
+ LIBSELINUX_LICENSE_FILES = LICENSE
++LIBSELINUX_CPE_ID_VENDOR = selinuxproject
+ 
+ LIBSELINUX_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) libsepol pcre
+ 
+diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
+index deba5fafcd..34c9e604c5 100644
+--- a/package/libsemanage/libsemanage.mk
++++ b/package/libsemanage/libsemanage.mk
+@@ -9,6 +9,7 @@ LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/2
+ LIBSEMANAGE_LICENSE = LGPL-2.1+
+ LIBSEMANAGE_LICENSE_FILES = COPYING
+ LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
++LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
+ LIBSEMANAGE_INSTALL_STAGING = YES
+ 
+ LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
+diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
+index 2d64c53bc3..59ba710dfe 100644
+--- a/package/libsepol/libsepol.mk
++++ b/package/libsepol/libsepol.mk
+@@ -8,6 +8,7 @@ LIBSEPOL_VERSION = 3.0
+ LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/20191204
+ LIBSEPOL_LICENSE = LGPL-2.1+
+ LIBSEPOL_LICENSE_FILES = COPYING
++LIBSEPOL_CPE_ID_VENDOR = selinuxproject
+ 
+ LIBSEPOL_INSTALL_STAGING = YES
+ LIBSEPOL_DEPENDENCIES = host-flex
+diff --git a/package/libssh2/libssh2.mk b/package/libssh2/libssh2.mk
+index c03fe0db55..eb66ab5643 100644
+--- a/package/libssh2/libssh2.mk
++++ b/package/libssh2/libssh2.mk
+@@ -8,6 +8,7 @@ LIBSSH2_VERSION = 1.9.0
+ LIBSSH2_SITE = https://www.libssh2.org/download
+ LIBSSH2_LICENSE = BSD
+ LIBSSH2_LICENSE_FILES = 
COPYING
++LIBSSH2_CPE_ID_VENDOR = $(LIBSSH2_NAME)
+ LIBSSH2_INSTALL_STAGING = YES
+ LIBSSH2_CONF_OPTS = --disable-examples-build
+ 
+diff --git a/package/libsysfs/libsysfs.mk b/package/libsysfs/libsysfs.mk
+index 13edc9a4ea..fd8bfa6724 100644
+--- a/package/libsysfs/libsysfs.mk
++++ b/package/libsysfs/libsysfs.mk
+@@ -10,5 +10,7 @@ LIBSYSFS_SOURCE = sysfsutils-$(LIBSYSFS_VERSION).tar.gz
+ LIBSYSFS_INSTALL_STAGING = YES
+ LIBSYSFS_LICENSE = GPL-2.0 (utilities), LGPL-2.1+ (library)
+ LIBSYSFS_LICENSE_FILES = cmd/GPL lib/LGPL
++LIBSYSFS_CPE_ID_VENDOR = sysfsutils_project
++LIBSYSFS_CPE_ID_NAME = sysfsutils
+ 
+ $(eval $(autotools-package))
+diff --git a/package/libtasn1/libtasn1.mk b/package/libtasn1/libtasn1.mk
+index d5a6c69965..a354716824 100644
+--- a/package/libtasn1/libtasn1.mk
++++ b/package/libtasn1/libtasn1.mk
+@@ -9,6 +9,7 @@ LIBTASN1_SITE = $(BR2_GNU_MIRROR)/libtasn1
+ LIBTASN1_DEPENDENCIES = host-bison host-pkgconf
+ LIBTASN1_LICENSE = GPL-3.0+ (tests, tools), LGPL-2.1+ (library)
+ LIBTASN1_LICENSE_FILES = LICENSE doc/COPYING doc/COPYING.LESSER
++LIBTASN1_CPE_ID_VENDOR = gnu
+ LIBTASN1_INSTALL_STAGING = YES
+ 
+ # We're patching fuzz/Makefile.am
+diff --git a/package/libunistring/libunistring.mk b/package/libunistring/libunistring.mk
+index fa51447170..1ed7ecf906 100644
+--- a/package/libunistring/libunistring.mk
++++ b/package/libunistring/libunistring.mk
+@@ -10,6 +10,7 @@ LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
+ LIBUNISTRING_INSTALL_STAGING = YES
+ LIBUNISTRING_LICENSE = LGPL-3.0+ or GPL-2.0
+ LIBUNISTRING_LICENSE_FILES = COPYING COPYING.LIB
++LIBUNISTRING_CPE_ID_VENDOR = gnu
+ 
+ $(eval $(autotools-package))
+ $(eval $(host-autotools-package))
+diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
+index ea6a8c1f6d..76872a0d2d 100644
+--- a/package/libxml2/libxml2.mk
++++ b/package/libxml2/libxml2.mk
+@@ -13,6 +13,7 @@ LIBXML2_LICENSE_FILES = COPYING
+ LIBXML2_IGNORE_CVES += CVE-2020-7595
+ # 
0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch
+ LIBXML2_IGNORE_CVES += CVE-2019-20388
++LIBXML2_CPE_ID_VENDOR = xmlsoft
+ LIBXML2_CONFIG_SCRIPTS = xml2-config
+ 
+ # relocation truncated to fit: R_68K_GOT16O
+diff --git a/package/libxslt/libxslt.mk b/package/libxslt/libxslt.mk
+index 2f37f303ac..3c603ad9f6 100644
+--- a/package/libxslt/libxslt.mk
++++ b/package/libxslt/libxslt.mk
+@@ -9,6 +9,7 @@ LIBXSLT_SITE = http://xmlsoft.org/sources
+ LIBXSLT_INSTALL_STAGING = YES
+ LIBXSLT_LICENSE = MIT
+ LIBXSLT_LICENSE_FILES = COPYING
++LIBXSLT_CPE_ID_VENDOR = xmlsoft
+ 
+ LIBXSLT_CONF_OPTS = \
+ --with-gnu-ld \
+diff --git a/package/libzlib/libzlib.mk b/package/libzlib/libzlib.mk
+index eea0c12f22..a1e2640bac 100644
+--- a/package/libzlib/libzlib.mk
++++ b/package/libzlib/libzlib.mk
+@@ -11,6 +11,8 @@ LIBZLIB_LICENSE = Zlib
+ LIBZLIB_LICENSE_FILES = README
+ LIBZLIB_INSTALL_STAGING = YES
+ LIBZLIB_PROVIDES = zlib
++LIBZLIB_CPE_ID_VENDOR = gnu
++LIBZLIB_CPE_ID_NAME = $(LIBZLIB_PROVIDES)
+ 
+ # It is not possible to build only a shared version of zlib, so we build both
+ # shared and static, unless we only want the static libs, and we eventually
+diff --git a/package/lighttpd/lighttpd.mk b/package/lighttpd/lighttpd.mk
+index 7181465c66..39600ef94b 100644
+--- a/package/lighttpd/lighttpd.mk
++++ b/package/lighttpd/lighttpd.mk
+@@ -10,6 +10,7 @@ LIGHTTPD_SOURCE = lighttpd-$(LIGHTTPD_VERSION).tar.xz
+ LIGHTTPD_SITE = http://download.lighttpd.net/lighttpd/releases-$(LIGHTTPD_VERSION_MAJOR).x
+ LIGHTTPD_LICENSE = BSD-3-Clause
+ LIGHTTPD_LICENSE_FILES = COPYING
++LIGHTTPD_CPE_ID_VENDOR = $(LIGHTTPD_NAME)
+ LIGHTTPD_DEPENDENCIES = host-pkgconf
+ LIGHTTPD_CONF_OPTS = \
+ --without-wolfssl \
+diff --git a/package/linux-firmware/linux-firmware.mk b/package/linux-firmware/linux-firmware.mk
+index cbad8d592a..632afd70bb 100644
+--- a/package/linux-firmware/linux-firmware.mk
++++ b/package/linux-firmware/linux-firmware.mk
+@@ -8,6 +8,8 @@ LINUX_FIRMWARE_VERSION = 20200122
+ 
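Review bot: `LIBZLIB_CPE_ID_VENDOR = gnu` looks wrong: zlib is not a GNU project, and as far as I know the CPE dictionary records it under the vendor `zlib`, so the generated `gnu:zlib:<version>` ID would match no dictionary entry and zlib would silently drop out of CVE matching. Please verify against the dictionary and, if confirmed, change the line to `LIBZLIB_CPE_ID_VENDOR = zlib`. The same check is worth running on the other hand-picked vendors in this series (`yann_collet` for lz4 a few hunks further on, for instance), because a wrong vendor produces a false negative rather than an error.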
LINUX_FIRMWARE_SITE = http://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
+ LINUX_FIRMWARE_SITE_METHOD = git
+ 
++LINUX_FIRMWARE_CPE_ID_VENDOR = kernel
++
+ # Intel SST DSP
+ ifeq ($(BR2_PACKAGE_LINUX_FIRMWARE_INTEL_SST_DSP),y)
+ LINUX_FIRMWARE_FILES += intel/fw_sst_0f28.bin-48kHz_i2s_master
+diff --git a/package/linux-headers/linux-headers.mk b/package/linux-headers/linux-headers.mk
+index 4c3cb716b3..4496295f2a 100644
+--- a/package/linux-headers/linux-headers.mk
++++ b/package/linux-headers/linux-headers.mk
+@@ -102,6 +102,8 @@ LINUX_HEADERS_LICENSE_FILES = \
+ LICENSES/preferred/GPL-2.0 \
+ LICENSES/exceptions/Linux-syscall-note
+ endif
++LINUX_HEADERS_CPE_ID_VENDOR = linux
++LINUX_HEADERS_CPE_ID_NAME = linux_kernel
+ 
+ LINUX_HEADERS_INSTALL_STAGING = YES
+ 
+diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
+index 63610fcc57..28bb5b9de0 100644
+--- a/package/linux-pam/linux-pam.mk
++++ b/package/linux-pam/linux-pam.mk
+@@ -22,6 +22,8 @@ LINUX_PAM_AUTORECONF = YES
+ LINUX_PAM_LICENSE = BSD-3-Clause
+ LINUX_PAM_LICENSE_FILES = Copyright
+ LINUX_PAM_MAKE_OPTS += LIBS=$(TARGET_NLS_LIBS)
++LINUX_PAM_CPE_ID_VENDOR = $(LINUX_PAM_NAME)
++LINUX_PAM_CPE_ID_NAME = $(LINUX_PAM_NAME)
+ 
+ ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+ LINUX_PAM_CONF_OPTS += --enable-selinux
+diff --git a/package/llvm/llvm.mk b/package/llvm/llvm.mk
+index 24d033d124..177fff71bb 100644
+--- a/package/llvm/llvm.mk
++++ b/package/llvm/llvm.mk
+@@ -10,6 +10,7 @@ LLVM_SITE = https://github.com/llvm/llvm-project/releases/download/llvmorg-$(LLV
+ LLVM_SOURCE = llvm-$(LLVM_VERSION).src.tar.xz
+ LLVM_LICENSE = Apache-2.0 with exceptions
+ LLVM_LICENSE_FILES = LICENSE.TXT
++LLVM_CPE_ID_VENDOR = $(LLVM_NAME)
+ LLVM_SUPPORTS_IN_SOURCE_BUILD = NO
+ LLVM_INSTALL_STAGING = YES
+ 
+diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
+index 53e3c85c6d..9788f04230 100644
+--- a/package/lxc/lxc.mk
++++ b/package/lxc/lxc.mk
+@@ -8,6 +8,7 @@ LXC_VERSION = 3.2.1
+ LXC_SITE = 
https://linuxcontainers.org/downloads/lxc
+ LXC_LICENSE = LGPL-2.1+
+ LXC_LICENSE_FILES = COPYING
++LXC_CPE_ID_VENDOR = linuxcontainers
+ LXC_DEPENDENCIES = host-pkgconf
+ LXC_INSTALL_STAGING = YES
+ # We're patching configure.ac
+diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
+index 1d32666ccc..856d791d8a 100644
+--- a/package/lz4/lz4.mk
++++ b/package/lz4/lz4.mk
+@@ -9,6 +9,7 @@ LZ4_SITE = $(call github,lz4,lz4,v$(LZ4_VERSION))
+ LZ4_INSTALL_STAGING = YES
+ LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
+ LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
++LZ4_CPE_ID_VENDOR = yann_collet
+ 
+ # CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
+ # 1.9.2, while in fact this issue has been fixed since lz4-r130:
+diff --git a/package/memtester/memtester.mk b/package/memtester/memtester.mk
+index 0e64d8cde2..ec821adbe8 100644
+--- a/package/memtester/memtester.mk
++++ b/package/memtester/memtester.mk
+@@ -8,6 +8,7 @@ MEMTESTER_VERSION = 4.3.0
+ MEMTESTER_SITE = http://pyropus.ca/software/memtester/old-versions
+ MEMTESTER_LICENSE = GPL-2.0
+ MEMTESTER_LICENSE_FILES = COPYING
++MEMTESTER_CPE_ID_VENDOR = pryopus
+ 
+ MEMTESTER_TARGET_INSTALL_OPTS = INSTALLPATH=$(TARGET_DIR)/usr
+ 
+diff --git a/package/mii-diag/mii-diag.mk b/package/mii-diag/mii-diag.mk
+index 6efd5be80d..a7c6483221 100644
+--- a/package/mii-diag/mii-diag.mk
++++ b/package/mii-diag/mii-diag.mk
+@@ -10,6 +10,7 @@ MII_DIAG_PATCH = mii-diag_$(MII_DIAG_VERSION)-3.diff.gz
+ MII_DIAG_SITE = http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/m/mii-diag
+ MII_DIAG_LICENSE = GPL # No version specified
+ MII_DIAG_LICENSE_FILES = mii-diag.c
++MII_DIAG_CPE_ID_VENDOR = debian
+ 
+ MII_DIAG_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
+ 
+diff --git a/package/mpfr/mpfr.mk b/package/mpfr/mpfr.mk
+index ef2999eb16..837aff3aa5 100644
+--- a/package/mpfr/mpfr.mk
++++ b/package/mpfr/mpfr.mk
+@@ -9,6 +9,7 @@ MPFR_SITE = http://www.mpfr.org/mpfr-$(MPFR_VERSION)
+ MPFR_SOURCE = 
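Review bot: `MEMTESTER_CPE_ID_VENDOR = pryopus` transposes two letters of the upstream name: the site line just above reads `http://pyropus.ca/...`, so the vendor is presumably meant to be `pyropus` (confirm the exact spelling in the CPE dictionary). As written the generated ID matches nothing and memtester drops out of the CVE report without any error being raised. Suggested line: `MEMTESTER_CPE_ID_VENDOR = pyropus`.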
mpfr-$(MPFR_VERSION).tar.xz
+ MPFR_LICENSE = LGPL-3.0+
+ MPFR_LICENSE_FILES = COPYING.LESSER
++MPFR_CPE_ID_VENDOR = gnu
+ MPFR_INSTALL_STAGING = YES
+ MPFR_DEPENDENCIES = gmp
+ HOST_MPFR_DEPENDENCIES = host-gmp
+diff --git a/package/mrouted/mrouted.mk b/package/mrouted/mrouted.mk
+index b9a4eaba45..6ee7fd5dfd 100644
+--- a/package/mrouted/mrouted.mk
++++ b/package/mrouted/mrouted.mk
+@@ -9,6 +9,7 @@ MROUTED_SITE = $(call github,troglobit,mrouted,$(MROUTED_VERSION))
+ MROUTED_DEPENDENCIES = host-bison
+ MROUTED_LICENSE = BSD-3-Clause
+ MROUTED_LICENSE_FILES = LICENSE
++MROUTED_CPE_ID_VENDOR = troglobit
+ 
+ define MROUTED_CONFIGURE_CMDS
+ (cd $(@D); \
+diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
+index 3477460200..035b624ab2 100644
+--- a/package/mtd/mtd.mk
++++ b/package/mtd/mtd.mk
+@@ -9,6 +9,8 @@ MTD_SOURCE = mtd-utils-$(MTD_VERSION).tar.bz2
+ MTD_SITE = ftp://ftp.infradead.org/pub/mtd-utils
+ MTD_LICENSE = GPL-2.0
+ MTD_LICENSE_FILES = COPYING
++MTD_CPE_ID_VENDOR = mtd-utils_project
++MTD_CPE_ID_NAME = mtd-utils
+ MTD_INSTALL_STAGING = YES
+ 
+ ifeq ($(BR2_PACKAGE_MTD_JFFS_UTILS),y)
+diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
+index c11650c766..5c5e497488 100644
+--- a/package/ncurses/ncurses.mk
++++ b/package/ncurses/ncurses.mk
+@@ -10,6 +10,7 @@ NCURSES_INSTALL_STAGING = YES
+ NCURSES_DEPENDENCIES = host-ncurses
+ NCURSES_LICENSE = MIT with advertising clause
+ NCURSES_LICENSE_FILES = COPYING
++NCURSES_CPE_ID_VENDOR = gnu
+ NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
+ NCURSES_PATCH = \
+ $(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
+diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
+index 904279d1fb..09ca33f754 100644
+--- a/package/netsnmp/netsnmp.mk
++++ b/package/netsnmp/netsnmp.mk
+@@ -9,6 +9,8 @@ NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NET
+ NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
+ NETSNMP_LICENSE = 
Various BSD-like
+ NETSNMP_LICENSE_FILES = COPYING
++NETSNMP_CPE_ID_VENDOR = net-snmp
++NETSNMP_CPE_ID_NAME = $(NETSNMP_CPE_ID_VENDOR)
+ NETSNMP_INSTALL_STAGING = YES
+ NETSNMP_CONF_ENV = ac_cv_NETSNMP_CAN_USE_SYSCTL=no
+ NETSNMP_CONF_OPTS = \
+diff --git a/package/nfs-utils/nfs-utils.mk b/package/nfs-utils/nfs-utils.mk
+index 7af229a57e..57d05b5c6b 100644
+--- a/package/nfs-utils/nfs-utils.mk
++++ b/package/nfs-utils/nfs-utils.mk
+@@ -10,6 +10,8 @@ NFS_UTILS_SITE = https://www.kernel.org/pub/linux/utils/nfs-utils/$(NFS_UTILS_VE
+ NFS_UTILS_LICENSE = GPL-2.0+
+ NFS_UTILS_LICENSE_FILES = COPYING
+ NFS_UTILS_DEPENDENCIES = host-nfs-utils host-pkgconf libtirpc
++NFS_UTILS_CPE_ID_VENDOR = linux-nfs
++NFS_UTILS_AUTORECONF = YES
+ 
+ NFS_UTILS_CONF_ENV = knfsd_cv_bsd_signals=no
+ 
+diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
+index d50572128a..8b531a7a3e 100644
+--- a/package/openssh/openssh.mk
++++ b/package/openssh/openssh.mk
+@@ -5,6 +5,8 @@
+ ################################################################################
+ 
+ OPENSSH_VERSION = 8.2p1
++OPENSSH_CPE_ID_VERSION = 8.2
++OPENSSH_CPE_ID_VERSION_MINOR = p1
+ OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
+ OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
+ OPENSSH_LICENSE_FILES = LICENCE
+@@ -12,6 +14,7 @@ OPENSSH_CONF_ENV = \
+ LD="$(TARGET_CC)" \
+ LDFLAGS="$(TARGET_CFLAGS)" \
+ LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
++OPENSSH_CPE_ID_VENDOR = openbsd
+ OPENSSH_CONF_OPTS = \
+ --sysconfdir=/etc/ssh \
+ --with-default-path=$(BR2_SYSTEM_DEFAULT_PATH) \
+diff --git a/package/pax-utils/pax-utils.mk b/package/pax-utils/pax-utils.mk
+index b31468eca2..a6618851ba 100644
+--- a/package/pax-utils/pax-utils.mk
++++ b/package/pax-utils/pax-utils.mk
+@@ -9,6 +9,7 @@ PAX_UTILS_SITE = http://distfiles.gentoo.org/distfiles
+ PAX_UTILS_SOURCE = pax-utils-$(PAX_UTILS_VERSION).tar.xz
+ PAX_UTILS_LICENSE = GPL-2.0
+ PAX_UTILS_LICENSE_FILES = COPYING
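Review bot: `NFS_UTILS_AUTORECONF = YES` in the nfs-utils hunk is a build-behaviour change (it forces an autoreconf of the package before configure), not CPE metadata, and nothing in the hunk explains why it is needed. It should be moved to its own commit with a justification or dropped from this patch, since a reader auditing a metadata-only series will not expect a build change hidden here. As a point of style, the openssh hunk splits its three CPE settings across two places (`OPENSSH_CPE_ID_VERSION`/`_MINOR` next to the version, `OPENSSH_CPE_ID_VENDOR` after `OPENSSH_CONF_ENV`); keeping them together next to the license lines, as the other package hunks do, would make the overrides easier to audit.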
++PAX_UTILS_CPE_ID_VENDOR = gentoo
+ 
+ PAX_UTILS_DEPENDENCIES = host-pkgconf
+ PAX_UTILS_CONF_OPTS = --without-python
+diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
+index e632e222c3..1b8d6699b6 100644
+--- a/package/paxtest/paxtest.mk
++++ b/package/paxtest/paxtest.mk
+@@ -8,6 +8,7 @@ PAXTEST_VERSION = 0.9.15
+ PAXTEST_SITE = https://www.grsecurity.net/~spender
+ PAXTEST_LICENSE = GPL-2.0+
+ PAXTEST_LICENSE_FILES = README
++PAXTEST_CPE_ID_VENDOR = grsecurity
+ 
+ define PAXTEST_BUILD_CMDS
+ $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
+diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
+index 3c280e593f..b37a2ca9b7 100644
+--- a/package/pcre/pcre.mk
++++ b/package/pcre/pcre.mk
+@@ -9,6 +9,7 @@ PCRE_SITE = https://ftp.pcre.org/pub/pcre
+ PCRE_SOURCE = pcre-$(PCRE_VERSION).tar.bz2
+ PCRE_LICENSE = BSD-3-Clause
+ PCRE_LICENSE_FILES = LICENCE
++PCRE_CPE_ID_VENDOR = $(PCRE_NAME)
+ PCRE_INSTALL_STAGING = YES
+ PCRE_CONFIG_SCRIPTS = pcre-config
+ 
+diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
+index a446ebca46..52d4e36f2e 100644
+--- a/package/pixman/pixman.mk
++++ b/package/pixman/pixman.mk
+@@ -9,6 +9,7 @@ PIXMAN_SOURCE = pixman-$(PIXMAN_VERSION).tar.xz
+ PIXMAN_SITE = https://xorg.freedesktop.org/releases/individual/lib
+ PIXMAN_LICENSE = MIT
+ PIXMAN_LICENSE_FILES = COPYING
++PIXMAN_CPE_ID_VENDOR = $(PIXMAN_NAME)
+ 
+ PIXMAN_INSTALL_STAGING = YES
+ PIXMAN_DEPENDENCIES = host-pkgconf
+diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
+index f9385177ac..21e510365e 100644
+--- a/package/pkg-generic.mk
++++ b/package/pkg-generic.mk
+@@ -971,6 +971,41 @@ else
+ $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
+ endif
+ 
++$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project
++$(2)_CPE_ID_NAME ?= $$($(2)_NAME)
++$(2)_CPE_ID_VERSION ?= $$($(2)_VERSION)
++$(2)_CPE_ID_VERSION_MINOR ?= *
++$(2)_CPE_ID ?= $$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR)
++
++ifneq ($(filter 
linux linux-headers,$(1)),)
++$(2)_CPE_PREFIX = $(CPE_PREFIX_OS)
++else
++$(2)_CPE_PREFIX = $(CPE_PREFIX_APP)
++endif
++
++$(1)-cpe-info: PKG=$(2)
++ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
++$(1)-cpe-info: toolchain
++endif
++$(1)-cpe-info:
++ifeq ($$($(2)_TYPE),target)
++ifneq ($$($(2)_NAME),toolchain-external)
++ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
++ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)
++ $$(eval $(2)_VERSION = $$(shell $$(call TOOLCHAIN_CPE_INFO)))
++ $$(eval $(2)_CPE_ID_VENDOR = gnu)
++ $$(eval $(2)_CPE_ID_NAME = glibc)
++ $$(eval $(2)_ACTUAL_SOURCE_SITE = https://github.com/bminor/glibc/releases)
++ $$(eval $(2)_RAWNAME = glibc)
++endif # ifeq ($(BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC),y)
++endif # ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
++endif # ifneq ($$($(2)_NAME),toolchain-external)
++ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
++ @$$(call MESSAGE,"Collecting cpe info")
++ $(Q)$$(call cpe-manifest,$$($(2)_CPE_PREFIX):$$($(2)_CPE_ID):$(CPE_SUFFIX),$$($(2)_RAWNAME),$$($(2)_VERSION),$$($(2)_ACTUAL_SOURCE_SITE))
++endif # ifneq ($$(call qstrip,$$($(2)_SOURCE)),)
++endif # ifeq ($$($(2)_TYPE),target)
++
+ # legal-info: declare dependencies and set values used later for the manifest
+ ifneq ($$($(2)_LICENSE_FILES),)
+ $(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES)
+@@ -1116,6 +1151,7 @@ DL_TOOLS_DEPENDENCIES += $$(call extractor-system-dependency,$$($(2)_SOURCE))
+ $(1)-clean-for-reconfigure \
+ $(1)-clean-for-reinstall \
+ $(1)-configure \
++ $(1)-cpe-info \
+ $(1)-depends \
+ $(1)-dirclean \
+ $(1)-external-deps \
+diff --git a/package/pkg-utils.mk b/package/pkg-utils.mk
+index d88a14ab0f..9818eda12d 100644
+--- a/package/pkg-utils.mk
++++ b/package/pkg-utils.mk
+@@ -223,3 +223,11 @@ legal-deps = \
+ $(filter-out $(if $(1:host-%=),host-%),\
+ $(call non-virtual-deps,\
+ $($(call UPPERCASE,$(1))_FINAL_RECURSIVE_DEPENDENCIES))),$(p) [$($(call UPPERCASE,$(p))_LICENSE)])
++
++#
++# cpe-info helper functions
++#
++
++define cpe-manifest # cpe, 
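Review bot: In the `$(1)-cpe-info` recipe of the pkg-generic.mk hunk, the closing comment `endif # ifeq ($(BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC),y)` does not match the condition it closes, which is `ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)`; it should read `endif # ifeq ($(BR2_TOOLCHAIN_EXTERNAL_GLIBC),y)`. The recipe-time `$$(eval $(2)_VERSION = ...)` lines also rewrite the package's global `_VERSION`, `_CPE_ID_VENDOR` and `_CPE_ID_NAME` for the rest of the make invocation, and because `$(2)_CPE_ID` is defined with `?=` from those names a few lines earlier, that rewrite is what makes the glibc ID come out right — a short comment saying so, and noting that `TOOLCHAIN_CPE_INFO` (not defined in this hunk) must be safe to run at recipe time, would save the next maintainer from "tidying" it. Finally, `$(2)_CPE_ID_VENDOR ?= $$($(2)_NAME)_project` encodes a guess at the dictionary's naming convention; a one-line comment above the `?=` block stating that the default is a heuristic and that packages must override it when the dictionary uses a different vendor would make that explicit.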
pkg name, version, url
++ echo '"$(1)","$(2)","$(3)","$(4)"' >>$(CPE_MANIFEST_CSV)
++endef
+diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
+index a06c7847ab..183c9b4925 100644
+--- a/package/policycoreutils/policycoreutils.mk
++++ b/package/policycoreutils/policycoreutils.mk
+@@ -8,6 +8,7 @@ POLICYCOREUTILS_VERSION = 3.0
+ POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/20191204
+ POLICYCOREUTILS_LICENSE = GPL-2.0
+ POLICYCOREUTILS_LICENSE_FILES = COPYING
++POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
+ 
+ POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
+ POLICYCOREUTILS_MAKE_OPTS = LDLIBS=$(TARGET_NLS_LIBS)
+diff --git a/package/pppd/pppd.mk b/package/pppd/pppd.mk
+index 685666a200..118f9fc334 100644
+--- a/package/pppd/pppd.mk
++++ b/package/pppd/pppd.mk
+@@ -10,6 +10,8 @@ PPPD_LICENSE = LGPL-2.0+, LGPL, BSD-4-Clause, BSD-3-Clause, GPL-2.0+
+ PPPD_LICENSE_FILES = \
+ pppd/tdb.c pppd/plugins/pppoatm/COPYING \
+ pppdump/bsd-comp.c pppd/ccp.c pppd/plugins/passprompt.c
++PPPD_CPE_ID_VENDOR = samba
++PPPD_CPE_ID_NAME = ppp
+ 
+ # 0001-pppd-Fix-bounds-check.patch
+ PPPD_IGNORE_CVES += CVE-2020-8597
+diff --git a/package/proftpd/proftpd.mk b/package/proftpd/proftpd.mk
+index e126d0e0a4..94276233c8 100644
+--- a/package/proftpd/proftpd.mk
++++ b/package/proftpd/proftpd.mk
+@@ -8,6 +8,7 @@ PROFTPD_VERSION = 1.3.6c
+ PROFTPD_SITE = $(call github,proftpd,proftpd,v$(PROFTPD_VERSION))
+ PROFTPD_LICENSE = GPL-2.0+
+ PROFTPD_LICENSE_FILES = COPYING
++PROFTPD_CPE_ID_VENDOR = $(PROFTPD_NAME)
+ 
+ PROFTPD_CONF_ENV = \
+ ac_cv_func_setpgrp_void=yes \
+diff --git a/package/protobuf/protobuf.mk b/package/protobuf/protobuf.mk
+index 381649a4e7..27792ca082 100644
+--- a/package/protobuf/protobuf.mk
++++ b/package/protobuf/protobuf.mk
+@@ -12,6 +12,7 @@ PROTOBUF_SOURCE = protobuf-cpp-$(PROTOBUF_VERSION).tar.gz
+ PROTOBUF_SITE = 
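Review bot: `cpe-manifest` emits `'"$(1)","$(2)","$(3)","$(4)"'` with a plain `echo` and no escaping, so any value containing a double quote or a newline yields a malformed CSV row; the version and source-site columns come straight from package variables and are the likeliest to carry such characters. The per-package `*-cpe-info` targets all append to the same `$(CPE_MANIFEST_CSV)` with `>>`, so a `make -j` run of `cpe-info` also depends on each `echo` being a single short write to keep rows from interleaving, which holds in practice but is nowhere stated. At minimum add a comment above the define, e.g. `# Appends one CSV row; callers must not pass values containing '"' or newlines, and rows rely on small appends being atomic under -j`, or write one file per package and concatenate them in the top-level target so neither assumption is needed.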
https://github.com/google/protobuf/releases/download/v$(PROTOBUF_VERSION)
+ PROTOBUF_LICENSE = BSD-3-Clause
+ PROTOBUF_LICENSE_FILES = LICENSE
++PROTOBUF_CPE_ID_VENDOR = google
+ 
+ # N.B. Need to use host protoc during cross compilation.
+ PROTOBUF_DEPENDENCIES = host-protobuf
+diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
+index 7b7c7d9637..7e3d18b433 100644
+--- a/package/pure-ftpd/pure-ftpd.mk
++++ b/package/pure-ftpd/pure-ftpd.mk
+@@ -9,6 +9,7 @@ PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
+ PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
+ PURE_FTPD_LICENSE = ISC
+ PURE_FTPD_LICENSE_FILES = COPYING
++PURE_FTPD_CPE_ID_VENDOR = pureftpd
+ PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
+ 
+ # 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
+diff --git a/package/python-lxml/python-lxml.mk b/package/python-lxml/python-lxml.mk
+index cfb87bb6fd..2659a0b982 100644
+--- a/package/python-lxml/python-lxml.mk
++++ b/package/python-lxml/python-lxml.mk
+@@ -15,6 +15,8 @@ PYTHON_LXML_LICENSE_FILES = \
+ doc/licenses/BSD.txt \
+ doc/licenses/elementtree.txt \
+ src/lxml/isoschematron/resources/rng/iso-schematron.rng
++PYTHON_LXML_CPE_ID_VENDOR = lxml
++PYTHON_LXML_CPE_ID_NAME = lxml
+ 
+ # python-lxml can use either setuptools, or distutils as a fallback.
+ # So, we use setuptools.
+diff --git a/package/python-setuptools/python-setuptools.mk b/package/python-setuptools/python-setuptools.mk
+index 2cb575ae22..ade5ca5521 100644
+--- a/package/python-setuptools/python-setuptools.mk
++++ b/package/python-setuptools/python-setuptools.mk
+@@ -11,6 +11,8 @@ PYTHON_SETUPTOOLS_SOURCE = setuptools-$(PYTHON_SETUPTOOLS_VERSION).zip
+ PYTHON_SETUPTOOLS_SITE = https://files.pythonhosted.org/packages/b0/f3/44da7482ac6da3f36f68e253cb04de37365b3dba9036a3c70773b778b485
+ PYTHON_SETUPTOOLS_LICENSE = MIT
+ PYTHON_SETUPTOOLS_LICENSE_FILES = LICENSE
++PYTHON_SETUPTOOLS_CPE_ID_VENDOR = python
++PYTHON_SETUPTOOLS_CPE_ID_NAME = setuptools
+ PYTHON_SETUPTOOLS_SETUP_TYPE = setuptools
+ HOST_PYTHON_SETUPTOOLS_NEEDS_HOST_PYTHON = python2
+ 
+diff --git a/package/python/python.mk b/package/python/python.mk
+index ccaaadd012..2d4c5a3721 100644
+--- a/package/python/python.mk
++++ b/package/python/python.mk
+@@ -10,6 +10,7 @@ PYTHON_SOURCE = Python-$(PYTHON_VERSION).tar.xz
+ PYTHON_SITE = https://python.org/ftp/python/$(PYTHON_VERSION)
+ PYTHON_LICENSE = Python-2.0, others
+ PYTHON_LICENSE_FILES = LICENSE
++PYTHON_CPE_ID_VENDOR = $(PYTHON_NAME)
+ PYTHON_LIBTOOL_PATCH = NO
+ 
+ # Python needs itself to be built, so in order to cross-compile
+diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
+index 7fe64e3605..2efc09670e 100644
+--- a/package/qemu/qemu.mk
++++ b/package/qemu/qemu.mk
+@@ -12,6 +12,7 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
+ # NOTE: there is no top-level license file for non-(L)GPL licenses;
+ # the non-(L)GPL license texts are specified in the affected
+ # individual source files.
++QEMU_CPE_ID_VENDOR = $(QEMU_NAME)
+ 
+ #-------------------------------------------------------------
+ # Target-qemu
+diff --git a/package/rapidjson/rapidjson.mk b/package/rapidjson/rapidjson.mk
+index 9f1c82ce40..d3bcef7df1 100644
+--- a/package/rapidjson/rapidjson.mk
++++ b/package/rapidjson/rapidjson.mk
+@@ -8,6 +8,7 @@ RAPIDJSON_VERSION = 1.1.0
+ RAPIDJSON_SITE = $(call github,miloyip,rapidjson,v$(RAPIDJSON_VERSION))
+ RAPIDJSON_LICENSE = MIT
+ RAPIDJSON_LICENSE_FILES = license.txt
++RAPIDJSON_CPE_ID_VENDOR = tencent
+ 
+ # rapidjson is a header-only C++ library
+ RAPIDJSON_INSTALL_TARGET = NO
+diff --git a/package/readline/readline.mk b/package/readline/readline.mk
+index f5d7d5bf9e..04872ac868 100644
+--- a/package/readline/readline.mk
++++ b/package/readline/readline.mk
+@@ -14,6 +14,7 @@ READLINE_CONF_ENV = bash_cv_func_sigsetjmp=yes \
+ READLINE_CONF_OPTS = --disable-install-examples
+ READLINE_LICENSE = GPL-3.0+
+ READLINE_LICENSE_FILES = COPYING
++READLINE_CPE_ID_VENDOR = gnu
+ 
+ define READLINE_INSTALL_INPUTRC
+ $(INSTALL) -D -m 644 package/readline/inputrc $(TARGET_DIR)/etc/inputrc
+diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
+index 1a5fefff06..891a0d29e6 100644
+--- a/package/refpolicy/refpolicy.mk
++++ b/package/refpolicy/refpolicy.mk
+@@ -9,6 +9,7 @@ REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
+ REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190609
+ REFPOLICY_LICENSE = GPL-2.0
+ REFPOLICY_LICENSE_FILES = COPYING
++REFPOLICY_CPE_ID_VENDOR = tresys
+ REFPOLICY_INSTALL_STAGING = YES
+ REFPOLICY_DEPENDENCIES = \
+ host-m4 \
+diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
+index 27d482fdec..bd129f1724 100644
+--- a/package/rsyslog/rsyslog.mk
++++ b/package/rsyslog/rsyslog.mk
+@@ -8,6 +8,7 @@ RSYSLOG_VERSION = 8.2002.0
+ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
+ RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
+ 
RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20 ++RSYSLOG_CPE_ID_VENDOR = $(RSYSLOG_NAME) + RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf + RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99' + RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \ +diff --git a/package/rt-tests/rt-tests.mk b/package/rt-tests/rt-tests.mk +index abc32f4fb2..acf219a6a5 100644 +--- a/package/rt-tests/rt-tests.mk ++++ b/package/rt-tests/rt-tests.mk +@@ -9,6 +9,7 @@ RT_TESTS_SOURCE = rt-tests-$(RT_TESTS_VERSION).tar.xz + RT_TESTS_VERSION = 1.6 + RT_TESTS_LICENSE = GPL-2.0+ + RT_TESTS_LICENSE_FILES = COPYING ++RT_TESTS_CPE_ID_VENDOR = kernel + + ifeq ($(BR2_PACKAGE_PYTHON3),y) + RT_TESTS_DEPENDENCIES = python3 +diff --git a/package/sed/sed.mk b/package/sed/sed.mk +index 6bb3220553..64fb2035b0 100644 +--- a/package/sed/sed.mk ++++ b/package/sed/sed.mk +@@ -9,6 +9,7 @@ SED_SOURCE = sed-$(SED_VERSION).tar.xz + SED_SITE = $(BR2_GNU_MIRROR)/sed + SED_LICENSE = GPL-3.0 + SED_LICENSE_FILES = COPYING ++SED_CPE_ID_VENDOR = gnu + + SED_CONF_OPTS = \ + --bindir=/bin \ +diff --git a/package/setools/setools.mk b/package/setools/setools.mk +index 63ca3651e8..7b1c1a4b64 100644 +--- a/package/setools/setools.mk ++++ b/package/setools/setools.mk +@@ -10,6 +10,7 @@ SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-fle + SETOOLS_INSTALL_STAGING = YES + SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+ + SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL ++SETOOLS_CPE_ID_VENDOR = selinuxproject + SETOOLS_SETUP_TYPE = setuptools + HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-python-networkx + +diff --git a/package/setserial/setserial.mk b/package/setserial/setserial.mk +index 66ca59d79d..2e29e4c803 100644 +--- a/package/setserial/setserial.mk ++++ b/package/setserial/setserial.mk +@@ -10,6 +10,7 @@ SETSERIAL_SOURCE = setserial_$(SETSERIAL_VERSION).orig.tar.gz + SETSERIAL_SITE = 
http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/s/setserial + SETSERIAL_LICENSE = GPL-2.0 + SETSERIAL_LICENSE_FILES = debian/copyright ++ + # make all also builds setserial.cat which needs nroff + SETSERIAL_MAKE_OPTS = setserial + +diff --git a/package/smcroute/smcroute.mk b/package/smcroute/smcroute.mk +index 1a36c75d47..0db0e084f6 100644 +--- a/package/smcroute/smcroute.mk ++++ b/package/smcroute/smcroute.mk +@@ -9,6 +9,7 @@ SMCROUTE_SOURCE = smcroute-$(SMCROUTE_VERSION).tar.xz + SMCROUTE_SITE = https://github.com/troglobit/smcroute/releases/download/$(SMCROUTE_VERSION) + SMCROUTE_LICENSE = GPL-2.0+ + SMCROUTE_LICENSE_FILES = COPYING ++SMCROUTE_CPE_ID_VENDOR = troglobit + + SMCROUTE_CONF_OPTS = ac_cv_func_setpgrp_void=yes + #BUG:The package Makefile uses CC?= even though the package is autotools based +diff --git a/package/spawn-fcgi/spawn-fcgi.mk b/package/spawn-fcgi/spawn-fcgi.mk +index ed97d0a7b4..8caa1e2b3c 100644 +--- a/package/spawn-fcgi/spawn-fcgi.mk ++++ b/package/spawn-fcgi/spawn-fcgi.mk +@@ -9,5 +9,6 @@ SPAWN_FCGI_SITE = http://www.lighttpd.net/download + SPAWN_FCGI_SOURCE = spawn-fcgi-$(SPAWN_FCGI_VERSION).tar.bz2 + SPAWN_FCGI_LICENSE = BSD-3-Clause + SPAWN_FCGI_LICENSE_FILES = COPYING ++SPAWN_FCGI_CPE_ID_VENDOR = lighttpd + + $(eval $(autotools-package)) +diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk +index 3283d40cb1..a3061591b1 100644 +--- a/package/sqlite/sqlite.mk ++++ b/package/sqlite/sqlite.mk +@@ -5,11 +5,13 @@ + ################################################################################ + + SQLITE_VERSION = 3310100 ++SQLITE_CPE_ID_VERSION = 3.31.1 + SQLITE_SOURCE = sqlite-autoconf-$(SQLITE_VERSION).tar.gz + SQLITE_SITE = https://www.sqlite.org/2020 + SQLITE_LICENSE = Public domain + SQLITE_LICENSE_FILES = tea/license.terms + SQLITE_INSTALL_STAGING = YES ++SQLITE_CPE_ID_VENDOR = $(SQLITE_NAME) + + ifeq ($(BR2_PACKAGE_SQLITE_STAT4),y) + SQLITE_CFLAGS += -DSQLITE_ENABLE_STAT4 +diff --git 
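Review bot: An empty added line (`++` with nothing after it) is the whole setserial.mk change, at the exact spot where every sibling hunk in this patch adds a `<PKG>_CPE_ID_VENDOR` assignment after `<PKG>_LICENSE_FILES`; this reads as a dropped line rather than an intentional blank. Either restore the intended `SETSERIAL_CPE_ID_VENDOR = <vendor>` assignment or drop the hunk entirely, so the package does not silently enter the CPE manifest under whatever default the generic infrastructure derives (that side of the change is not in this chunk). The hunk's context lines are otherwise unchanged.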
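Review bot: `SQLITE_CPE_ID_VERSION = 3.31.1` hand-encodes the same release as `SQLITE_VERSION = 3310100` with nothing tying the two spellings together, and it sits between the VERSION and SOURCE lines while `SQLITE_CPE_ID_VENDOR` is added nine lines lower. A future bump of `SQLITE_VERSION` that forgets the CPE line would make the manifest report a stale version and hide newly published CVEs, which is the failure the manifest exists to catch. Group the two CPE lines and add `# Keep in sync with SQLITE_VERSION: 3310100 is 3.31.1 in the dotted form CPE uses` above `SQLITE_CPE_ID_VERSION`.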
a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk +index 7f1752ce57..1f7437fa31 100644 +--- a/package/strongswan/strongswan.mk ++++ b/package/strongswan/strongswan.mk +@@ -12,6 +12,7 @@ STRONGSWAN_PATCH = \ + $(STRONGSWAN_SITE)/patches/28_gmp_pkcs1_overflow_patch/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch + STRONGSWAN_LICENSE = GPL-2.0+ + STRONGSWAN_LICENSE_FILES = COPYING LICENSE ++STRONGSWAN_CPE_ID_VENDOR = $(STRONGSWAN_NAME) + STRONGSWAN_DEPENDENCIES = host-pkgconf + STRONGSWAN_INSTALL_STAGING = YES + STRONGSWAN_CONF_OPTS += \ +diff --git a/package/tar/tar.mk b/package/tar/tar.mk +index 9e0a40e561..643eff1cbc 100644 +--- a/package/tar/tar.mk ++++ b/package/tar/tar.mk +@@ -12,6 +12,7 @@ TAR_SITE = $(BR2_GNU_MIRROR)/tar + TAR_CONF_OPTS = --exec-prefix=/ + TAR_LICENSE = GPL-3.0+ + TAR_LICENSE_FILES = COPYING ++TAR_CPE_ID_VENDOR = gnu + + ifeq ($(BR2_PACKAGE_ACL),y) + TAR_DEPENDENCIES += acl +diff --git a/package/tcl/tcl.mk b/package/tcl/tcl.mk +index 6d750b3cd2..913891e897 100644 +--- a/package/tcl/tcl.mk ++++ b/package/tcl/tcl.mk +@@ -10,6 +10,7 @@ TCL_SOURCE = tcl$(TCL_VERSION)-src.tar.gz + TCL_SITE = http://downloads.sourceforge.net/project/tcl/Tcl/$(TCL_VERSION) + TCL_LICENSE = TCL + TCL_LICENSE_FILES = license.terms ++TCL_CPE_ID_VENDOR = $(TCL_NAME) + TCL_SUBDIR = unix + TCL_INSTALL_STAGING = YES + TCL_AUTORECONF = YES +diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk +index 01a46b9b5f..9687e3c497 100644 +--- a/package/tcpdump/tcpdump.mk ++++ b/package/tcpdump/tcpdump.mk +@@ -8,6 +8,7 @@ TCPDUMP_VERSION = 4.9.3 + TCPDUMP_SITE = http://www.tcpdump.org/release + TCPDUMP_LICENSE = BSD-3-Clause + TCPDUMP_LICENSE_FILES = LICENSE ++TCPDUMP_CPE_ID_VENDOR = $(TCPDUMP_NAME) + TCPDUMP_CONF_ENV = \ + ac_cv_linux_vers=2 \ + td_cv_buggygetaddrinfo=no \ +diff --git a/package/tftpd/tftpd.mk b/package/tftpd/tftpd.mk +index 57905fda05..301a222e39 100644 +--- a/package/tftpd/tftpd.mk ++++ b/package/tftpd/tftpd.mk +@@ -10,6 +10,8 @@ 
TFTPD_SITE = $(BR2_KERNEL_MIRROR)/software/network/tftp/tftp-hpa + TFTPD_CONF_OPTS = --without-tcpwrappers + TFTPD_LICENSE = BSD-4-Clause + TFTPD_LICENSE_FILES = tftpd/tftpd.c ++TFTPD_CPE_ID_VENDOR = $(TFTPD_NAME)-hpa_project ++TFTPD_CPE_ID_NAME = $(TFTPD_NAME)-hpa + + define TFTPD_INSTALL_TARGET_CMDS + $(INSTALL) -D $(@D)/tftp/tftp $(TARGET_DIR)/usr/bin/tftp +diff --git a/package/uboot-tools/uboot-tools.mk b/package/uboot-tools/uboot-tools.mk +index a06c25998f..61e22f6ae8 100644 +--- a/package/uboot-tools/uboot-tools.mk ++++ b/package/uboot-tools/uboot-tools.mk +@@ -9,6 +9,8 @@ UBOOT_TOOLS_SOURCE = u-boot-$(UBOOT_TOOLS_VERSION).tar.bz2 + UBOOT_TOOLS_SITE = ftp://ftp.denx.de/pub/u-boot + UBOOT_TOOLS_LICENSE = GPL-2.0+ + UBOOT_TOOLS_LICENSE_FILES = Licenses/gpl-2.0.txt ++UBOOT_TOOLS_CPE_ID_VENDOR = denx ++UBOOT_TOOLS_CPE_ID_NAME = u-boot + UBOOT_TOOLS_INSTALL_STAGING = YES + + # u-boot 2020.01+ needs make 4.0+ +diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk +index b6ccaaa78d..42343eaf45 100644 +--- a/package/util-linux/util-linux.mk ++++ b/package/util-linux/util-linux.mk +@@ -21,6 +21,7 @@ UTIL_LINUX_LICENSE_FILES = README.licensing \ + Documentation/licenses/COPYING.ISC \ + Documentation/licenses/COPYING.LGPL-2.1-or-later + ++UTIL_LINUX_CPE_ID_VENDOR = kernel + UTIL_LINUX_INSTALL_STAGING = YES + UTIL_LINUX_DEPENDENCIES = host-pkgconf $(TARGET_NLS_DEPENDENCIES) + UTIL_LINUX_CONF_OPTS += \ +diff --git a/package/valgrind/valgrind.mk b/package/valgrind/valgrind.mk +index 41b2625191..94230fd4b8 100644 +--- a/package/valgrind/valgrind.mk ++++ b/package/valgrind/valgrind.mk +@@ -9,6 +9,7 @@ VALGRIND_SITE = ftp://sourceware.org/pub/valgrind + VALGRIND_SOURCE = valgrind-$(VALGRIND_VERSION).tar.bz2 + VALGRIND_LICENSE = GPL-2.0, GFDL-1.2 + VALGRIND_LICENSE_FILES = COPYING COPYING.DOCS ++VALGRIND_CPE_ID_VENDOR = $(VALGRIND_NAME) + VALGRIND_CONF_OPTS = \ + --disable-ubsan \ + --without-mpicc +diff --git a/package/vim/vim.mk 
b/package/vim/vim.mk +index 1fbb6a6b86..2bd3d437e4 100644 +--- a/package/vim/vim.mk ++++ b/package/vim/vim.mk +@@ -23,6 +23,7 @@ VIM_CONF_ENV = \ + VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x + VIM_LICENSE = Charityware + VIM_LICENSE_FILES = README.txt ++VIM_CPE_ID_VENDOR = $(VIM_NAME) + + ifeq ($(BR2_PACKAGE_ACL),y) + VIM_CONF_OPTS += --enable-acl +diff --git a/package/wget/wget.mk b/package/wget/wget.mk +index ed3f1fdff9..65c132e453 100644 +--- a/package/wget/wget.mk ++++ b/package/wget/wget.mk +@@ -10,6 +10,7 @@ WGET_SITE = $(BR2_GNU_MIRROR)/wget + WGET_DEPENDENCIES = host-pkgconf + WGET_LICENSE = GPL-3.0+ + WGET_LICENSE_FILES = COPYING ++WGET_CPE_ID_VENDOR = gnu + + ifeq ($(BR2_PACKAGE_GNUTLS),y) + WGET_CONF_OPTS += --with-ssl=gnutls +diff --git a/package/wireless-regdb/wireless-regdb.mk b/package/wireless-regdb/wireless-regdb.mk +index 31b62e36e1..f51aba75df 100644 +--- a/package/wireless-regdb/wireless-regdb.mk ++++ b/package/wireless-regdb/wireless-regdb.mk +@@ -9,6 +9,7 @@ WIRELESS_REGDB_SOURCE = wireless-regdb-$(WIRELESS_REGDB_VERSION).tar.xz + WIRELESS_REGDB_SITE = $(BR2_KERNEL_MIRROR)/software/network/wireless-regdb + WIRELESS_REGDB_LICENSE = ISC + WIRELESS_REGDB_LICENSE_FILES = LICENSE ++WIRELESS_REGDB_CPE_ID_VENDOR = kernel + + ifeq ($(BR2_PACKAGE_CRDA),y) + define WIRELESS_REGDB_INSTALL_CRDA_TARGET_CMDS +diff --git a/package/wireless_tools/wireless_tools.mk b/package/wireless_tools/wireless_tools.mk +index b87ab20fb2..01d03218d6 100644 +--- a/package/wireless_tools/wireless_tools.mk ++++ b/package/wireless_tools/wireless_tools.mk +@@ -10,6 +10,8 @@ WIRELESS_TOOLS_SITE = https://hewlettpackard.github.io/wireless-tools + WIRELESS_TOOLS_SOURCE = wireless_tools.$(WIRELESS_TOOLS_VERSION).tar.gz + WIRELESS_TOOLS_LICENSE = GPL-2.0 + WIRELESS_TOOLS_LICENSE_FILES = COPYING ++WIRELESS_TOOLS_CPE_ID_VERSION = $(WIRELESS_TOOLS_VERSION_MAJOR) ++WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9 + WIRELESS_TOOLS_INSTALL_STAGING = YES + + 
WIRELESS_TOOLS_BUILD_TARGETS = iwmulticall +diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk +index 8e7b9c3a65..93763c3973 100644 +--- a/package/wpa_supplicant/wpa_supplicant.mk ++++ b/package/wpa_supplicant/wpa_supplicant.mk +@@ -8,6 +8,7 @@ WPA_SUPPLICANT_VERSION = 2.9 + WPA_SUPPLICANT_SITE = http://w1.fi/releases + WPA_SUPPLICANT_LICENSE = BSD-3-Clause + WPA_SUPPLICANT_LICENSE_FILES = README ++WPA_SUPPLICANT_CPE_ID_VENDOR = w1.fi + WPA_SUPPLICANT_CONFIG = $(WPA_SUPPLICANT_DIR)/wpa_supplicant/.config + WPA_SUPPLICANT_SUBDIR = wpa_supplicant + WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant +diff --git a/package/xerces/xerces.mk b/package/xerces/xerces.mk +index c75a8b0d35..d9dc3992ed 100644 +--- a/package/xerces/xerces.mk ++++ b/package/xerces/xerces.mk +@@ -9,6 +9,8 @@ XERCES_SOURCE = xerces-c-$(XERCES_VERSION).tar.xz + XERCES_SITE = http://archive.apache.org/dist/xerces/c/3/sources + XERCES_LICENSE = Apache-2.0 + XERCES_LICENSE_FILES = LICENSE ++XERCES_CPE_ID_VENDOR = apache ++XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+ + XERCES_INSTALL_STAGING = YES + + define XERCES_DISABLE_SAMPLES +diff --git a/package/xz/xz.mk b/package/xz/xz.mk +index dbf874e9b9..5c464d91dd 100644 +--- a/package/xz/xz.mk ++++ b/package/xz/xz.mk +@@ -11,6 +11,7 @@ XZ_INSTALL_STAGING = YES + XZ_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99' + XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+ + XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1 ++XZ_CPE_ID_VENDOR = tukaani + + ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y) + XZ_CONF_OPTS = --enable-threads +diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk +index 6d91cb5d1e..14065345d7 100644 +--- a/toolchain/toolchain-external/pkg-toolchain-external.mk ++++ b/toolchain/toolchain-external/pkg-toolchain-external.mk +@@ -453,6 +453,13 @@ define TOOLCHAIN_EXTERNAL_INSTALL_SYSROOT_LIBS + $(call 
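Review bot: `WIRELESS_TOOLS_CPE_ID_VERSION_MINOR = pre9` introduces a variable name no other hunk in this patch uses, and it does not say which CPE field it feeds; in a `cpe:2.3:a:<vendor>:<product>:<version>:<update>:...` string a `pre9` tag would be the *update* field, so the `_MINOR` name reads as a second version component. If the generic infrastructure consumes `_CPE_ID_VERSION_MINOR` (its side of the change is not in this chunk), a one-line comment such as `# 'pre9' is the CPE update field, not part of the version` would spare the next maintainer a search; if it does not, the line is dead and the manifest will carry only `$(WIRELESS_TOOLS_VERSION_MAJOR)`.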
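Review bot: `XERCES_CPE_ID_NAME = $(XERCES_NAME)-c\+\+` keeps the backslashes verbatim in the variable's value (make does not treat `\` as an escape in an assignment), so this is correct only if the manifest writer expects an already-escaped CPE 2.3 formatted-string component, and it will look like a typo to anyone comparing it with the plain `TFTPD_CPE_ID_NAME` and `UBOOT_TOOLS_CPE_ID_NAME` overrides. A comment on the line prevents a well-meaning "fix": `# '+' is a CPE 2.3 special character; NVD writes the product as xerces-c\+\+`.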
copy_toolchain_sysroot,$${SYSROOT_DIR},$${ARCH_SYSROOT_DIR},$${ARCH_SUBDIR},$${ARCH_LIB_DIR},$${SUPPORT_LIB_DIR}) + endef + ++define TOOLCHAIN_CPE_INFO ++ ARCH_SYSROOT_DIR="$(call toolchain_find_sysroot,$(TOOLCHAIN_EXTERNAL_CC) $(TOOLCHAIN_EXTERNAL_CFLAGS))" ; \ ++ MAJ=`awk '{ if ($$1 = /#define/ && ($$2= /__GLIBC__/)){printf $$3};}' $${ARCH_SYSROOT_DIR}/usr/include/features.h` ; \ ++ MIN=`awk '{ if ($$1 = /#define/ && ($$2 = /_GLIBC_MINOR/)){printf $$3};}' $${ARCH_SYSROOT_DIR}/usr/include/features.h` ; \ ++ echo $${MAJ}.$${MIN} ++endef ++ + # Create a symlink from (usr/)$(ARCH_LIB_DIR) to lib. + # Note: the skeleton package additionally creates lib32->lib or lib64->lib + # (as appropriate)
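Review bot: Both `awk` conditions in the new `TOOLCHAIN_CPE_INFO` use `=` (assignment) where `==` (comparison) is meant: `$$1 = /#define/` assigns the result of matching the whole line against the regex to `$1` and tests that, so the filter is really "line contains both words" and `printf $$3` fires for every such line, concatenating whatever third fields it finds. It appears to yield the right glibc version today only because features.h happens to contain exactly one `#define __GLIBC__` and one `#define __GLIBC_MINOR__` line. Compare the fields instead, and use `print` so the header text is never interpreted as a format string: the program for `MAJ` should be `'$$1 == "#define" && $$2 == "__GLIBC__" { print $$3 }'`, with `"__GLIBC_MINOR__"` in place of `"__GLIBC__"` for `MIN`. A sysroot whose features.h lacks those defines (a non-glibc C library) would produce a bare `.` from the final `echo`, which is worth rejecting before it reaches the manifest, since a wrong toolchain version silently changes which CVEs match.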