https://bugzilla.suse.com/show_bug.cgi?id=1217921 https://bugzilla.suse.com/show_bug.cgi?id=1217921#c1 --- Comment #1 from roke beedell <rokejulianlockhart+1674683091@outlook.com> --- Created attachment 871230 --> https://bugzilla.suse.com/attachment.cgi?id=871230&action=edit Specification Documentation (In reply to roke beedell from comment #0)
Created attachment 871229 [details] os-release as of cpe:2.3:o:opensuse:tumbleweed:20231208.
The Common Platform Enumeration Operating System Identifier (as hostnamectl and /etc/os-release report) format adheres to the pre-2.3 version, as its lack of version demonstrates. https://nvd.nist.gov/products/cpe/detail/34AB288B-8A0F-4C9D-9C61- 6E11BC2CE0E8?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2. 3%3Ao%3Aopensuse%3Atumbleweed%3A- %3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED demonstrates how it should be formatted.
More specifically, per https://doi.org/10.6028/NIST.IR.7695#page=7&zoom=auto,-332,731 (from https://csrc.nist.gov/pubs/ir/7695/final) states:
This method of naming is known as a well-formed CPE name (WFN). It is an abstract logical construction. The CPE Naming specification defines procedures for binding WFNs to machine-readable encodings, as well as unbinding those encodings back to WFNs. One of the bindings, called a Uniform Resource Identifier (URI) binding, is included in CPE version 2.3 for backward compatibility with CPE version 2.2 [CPE22]. The URI binding representation of the WFN above is:
cpe:/a:microsoft:internet_explorer:8.0.6001:beta
The second binding defined in CPE 2.3 is called a formatted string binding. It has a somewhat different syntax than the URI binding, and it also supports additional product attributes. With the formatted string binding, the WFN above can be represented by the following.
cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*
We should be proactive in adhering to 2.3 rather than relying upon backward compatibility with 2.2. -- You are receiving this mail because: You are on the CC list for the bug.