Date: 2022-01-16
accepted
One of vulner's usecases is
as a Funtoo Linux user I want to have awareness about CVEs on my system
Using CPE as a representation of given software allows to track vulnerabilities (CVEs) for that software in a reliable way.
The usecase is related to this Funtoo Linux Optimization Proposal. There is already metarepo-cpe-tag repository that was developed with a purpose of implementing mentioned FLOP so that later it can be included as a plugin for ego (Funtoo's configuration and management meta-tool)
cpe-tag lib should reuse logic that allows finding CPEs for given software.
This logic shall be taken from metarepo-cpe-tag python codebase.
- Consistency between
vulnerandego(or any other Funtoo Linux tooling). - No need to maintain logic that converts packages into CPEs.
vulnerbinary needs CPython3 and subset of pypi packages used by metarepo-cpe-tag to be present at runtime.