Commit 8e0d3fd1 authored by Adrian Taylor, committed by Commit Bot

Noting corner-case in CPEPrefix instructions.

Also, removing conflicting wording about what to do if there's
no CPE available.

R=dcheng@chromium.org

Bug: 895969
Change-Id: I17916054d78882b9a57a0067de5507a592292727
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2144611
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
Auto-Submit: Adrian Taylor <adetaylor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#760184}
parent e49133f9
......@@ -138,8 +138,10 @@ are typically allocated only when a vulnerability is found. You should follow
the version number convention such that, when that does occur in future, we'll
be notified. If no CPE is available, please specify "unknown".
You may sometimes find that your package lacks a CPE, in which case this line
can be omitted. If it does have a CPE, though, you should specify it.
If you're using a patched or modified version which is halfway between two
public versions, please "round downwards" to the lower of the public versions
(it's better for us to be notified of false-positive vulnerabilities than
false-negatives).
### Add a LICENSE file and run related checks
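Review bot: as rendered, this hunk has lost its +/- markers, so both instructions for the no-CPE case appear to survive side by side: "If no CPE is available, please specify "unknown"." and "You may sometimes find that your package lacks a CPE, in which case this line can be omitted." The commit message says the conflicting wording is being removed, and the template hunk below keeps "unknown", so the "can be omitted" sentences should be the ones going away; worth confirming that is what the patch does, because a surviving "omit" instruction leaves no way to tell a package whose upstream has no CPE from one nobody looked up. The new "round downwards" guidance is right to prefer the lower public version (false positives over false negatives), but it could add that a rounded-down CPE will also flag vulnerabilities the local patch has already backported, so those reports should be triaged against the patch rather than treated as tooling noise.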
......
......@@ -8,7 +8,7 @@ License: The license under which the package is distributed. Standard forms are
License File: (OPTIONAL) File that contains a copy of the package's license. Use the special value NOT_SHIPPED to indicate that the package is not included in the shipped product, so its license does not need to be included in about:credits and no license file is required.
Security Critical: Either yes or no depending on whether this package is shipped in releases. For example openssl is critical where cygwin is not.
License Android Compatible: (OPTIONAL) Whether the package uses a license compatible with Android. Required only if the package is compatible and the 'License' field uses a non-standard value.
CPEPrefix: (OPTIONAL) A 'common platform enumeration' version 2.2, as per https://nvd.nist.gov/products/cpe/search, which represents the upstream package. This will be used to report known vulnerabilities in the upstream software package, such that we can be sure to merge fixes for those vulnerabilities. Please ensure you're using the closest applicable upstream version, according to the standard format for the CPE for that package. For example, cpe:/a:xmlsoft:libxslt:1.0.10. If no CPE is available for the package, please specify "unknown".
CPEPrefix: (OPTIONAL) A 'common platform enumeration' version 2.2, as per https://nvd.nist.gov/products/cpe/search, which represents the upstream package. This will be used to report known vulnerabilities in the upstream software package, such that we can be sure to merge fixes for those vulnerabilities. Please ensure you're using the closest applicable upstream version, according to the standard format for the CPE for that package. For example, cpe:/a:xmlsoft:libxslt:1.0.10. If no CPE is available for the package, please specify "unknown". If you're using a patched or modified version which is halfway between two public versions, please "round downwards" to the lower of the public versions (it's better for us to be notified of false-positive vulnerabilities than false-negatives).
Description:
A short description of what the package is and is used for.
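Review bot: the added sentence only covers a version "halfway between two public versions"; a package pinned to an upstream snapshot newer than the latest public release has no upper neighbour to round between, and the same rule (use the latest public release the snapshot is at or above) should be spelled out for that case so contributors don't fall back to "unknown". Also, the rounding text is now duplicated verbatim between this template line and the documentation hunk above; having one copy point at the other would keep the two from drifting apart when the guidance changes again.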
......