On Thu, Dec 15, 2016 at 8:17 PM, Petter Reinholdtsen wrote: > I was looking at the automatic CVE tracking a bit today, and hoped to > figure out which packages had the CPE field already in their > debian/upstream/metadata file. But according to UDD there are none:
I expect that is because UMEGAYA is not working right now: https://wiki.debian.org/UpstreamMetadata > Help! there is a bug that I do not manage to solve by myself. -- Charles > https://lists.debian.org/debian-qa/2014/06/msg00022.html Also, please note that UMEGAYA was only tracking metadata files in VCS repos, not the ones in the archive and there are definitely some in the archive that aren't in any VCS. > Is there any other way to find the packages using the CPE field in the > metadata file without unpacking every source package in the archive? Is > the import of d/upstream/metadata incomplete? Looks like only two packages in Debian have it: https://codesearch.debian.net/search?q=path:debian/upstream+CPE: https://codesearch.debian.net/search?q=path:debian/upstream/metadata+CPE: To confirm, on stretch do `apt-file -I dsc search debian/upstream` (for jessie I think `apt-file -a source search debian/upstream`) and then download and unpack the packages that contain that file and grep them for CPE. -- bye, pabs https://wiki.debian.org/PaulWise
