# Ports: "- Add CPE info" - what does it mean?



## getopt (Apr 24, 2015)

Some ports are committed with this in the description: 

```
- Add CPE info
```

What does it mean?


----------



## SirDice (Apr 24, 2015)

https://wiki.freebsd.org/Ports/CPE


----------



## SirDice (Apr 24, 2015)

Not a binary but the port, and by extension a package, should have a proper CPE string. So tools like pkg-audit(8) could get better information from the vulnerability database.


----------



## kpa (Apr 25, 2015)

The CPE strings are added to the pkg package metadata as annotations, for example this is for lang/perl5.18:


```
% pkg info -A perl5-5.18.4_13
perl5-5.18.4_13:
        cpe            : cpe:2.3:a:perl:perl:5.18.4:::::freebsd10:x64:13
        repo_type      : binary
        repository     : local
```

This is explained in the wiki as well.


----------



## kpa (Apr 25, 2015)

getopt said:


> Much more interesting is this `> pkg info -aA | grep cpe`.
> Asking myself how useful CPE really is?



Better yet:

`% pkg query "%n-%v %Av" | grep cpe`

Output from pkg-info(8) might be more human readable but if you're doing scripting pkg-query(8) is superior because it outputs everything on one line with a format you can specify.

I can imagine that with CPE information available it is easier to decide if an installed port is vulnerable on the platform used, because you have a well defined data format with fields for (for example) machine architecture that would otherwise be coded in some custom format; now pkg-audit(8) can use the CPE fields directly without conversions.
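To make the annotation format from the perl5 example and the pkg-query(8) one-liner concrete, here is an added example (not code from pkg(8), pkg-audit(8) or any poster in this thread) that parses `pkg query "%n-%v %Av"` output, splits each CPE string into the 13 components of the CPE 2.3 formatted-string binding, and checks installed packages against a CPE pattern. The sample output is constructed; the reading of `freebsd10`, `x64` and `13` as target_sw, target_hw and port revision follows the field positions in the example string, and the pattern-matching is exact-string only.

```python
"""Parse CPE 2.3 annotations out of `pkg query "%n-%v %Av"` output and
match them against a CPE pattern.  Added example for this thread; it is
not code from pkg(8) or from the FreeBSD ports tree."""

# Constructed sample of what `pkg query "%n-%v %Av" | grep cpe` prints:
# one line per package, "<name>-<version> <annotation value>".
SAMPLE_OUTPUT = """\
perl5-5.18.4_13 cpe:2.3:a:perl:perl:5.18.4:::::freebsd10:x64:13
openssl-1.0.2_1 cpe:2.3:a:openssl:openssl:1.0.2:::::freebsd10:x64:1
"""

# Component names from the CPE 2.3 formatted-string binding, in order,
# after the fixed "cpe" and "2.3" prefix (11 names + 2 prefix = 13).
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)


def split_cpe23(cpe):
    """Split on unescaped colons; a backslash escapes the next character."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(cpe):
    """Return the 11 named components as a dict.  Empty components become
    the wildcard "*" (ANY), which is how the perl5 annotation above leaves
    update/edition/language/sw_edition unset."""
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return {name: (val or "*") for name, val in zip(CPE23_FIELDS, fields[2:])}


def parse_pkg_query_output(text):
    """Turn `pkg query "%n-%v %Av"` lines into (pkg, cpe-dict) pairs,
    skipping annotation values (repo_type, repository, ...) that are not
    CPE strings."""
    result = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, _, value = line.partition(" ")
        if value.startswith("cpe:2.3:"):
            result.append((pkg, parse_cpe23(value)))
    return result


def cpe_matches(installed, pattern):
    """True if every non-wildcard component of `pattern` equals the
    installed package's component.  Exact-string comparison only; a real
    audit tool also has to handle version ranges."""
    return all(pattern[k] in ("*", installed[k]) for k in CPE23_FIELDS)


def affected_packages(query_output, pattern_cpe):
    """Names of installed packages whose CPE matches a pattern CPE."""
    pattern = parse_cpe23(pattern_cpe)
    return [pkg for pkg, cpe in parse_pkg_query_output(query_output)
            if cpe_matches(cpe, pattern)]


if __name__ == "__main__":
    for pkg, cpe in parse_pkg_query_output(SAMPLE_OUTPUT):
        print(pkg, cpe["vendor"], cpe["product"], cpe["version"],
              cpe["target_sw"], cpe["target_hw"], "rev", cpe["other"])
    print(affected_packages(SAMPLE_OUTPUT,
                            "cpe:2.3:a:perl:perl:5.18.4:*:*:*:*:*:*:*"))
```

Feeding it real output is a matter of replacing `SAMPLE_OUTPUT` with the captured text of `pkg query "%n-%v %Av"`; the `grep cpe` step is unnecessary because non-CPE annotation values are skipped by `parse_pkg_query_output`.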


----------

