1 | 1 | # Identifying Red Hat components using CPEs |
| 2 | +Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, |
| 3 | +operating systems, and hardware devices present among an enterprise's computing assets. |
2 | 4 |
| 5 | +Red Hat uses CPEs to uniquely identify each product and version, following the CPE 2.2 schema. |
3 | 6 |
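Review bot: new line 7 says CPEs "uniquely identify each product and version", but the EUS example added later in this same change gives Base OS and AppStream the identical string `cpe:/o:redhat:enterprise_linux_eus:10.2`, so a CPE identifies a product and version, not a variant or repository; reword line 7 along the lines of "identify each product and version (variants of one release share a CPE)" so the introduction does not contradict the example. The `cpe:/o:` URI form used throughout the page does match the "CPE 2.2 schema" claim on the same line, so that part is fine.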
4 | 7 | ## RHEL 10 CPEs |
5 | 8 | Starting with RHEL 10, we will change the way CPEs are assigned to RHEL: |
6 | 9 |
7 | | -* Minor versions will be used in CPEs for mainstream RHEL versionss |
8 | | -* The cpe:/o prefix will be used instead of mixed usage of cpe:/o and cpe:/a for all RHEL variants |
| 10 | +* Minor versions will be used in CPEs for mainstream RHEL versions |
| 11 | +* The `cpe:/o` prefix will be used instead of mixed usage of `cpe:/o` and `cpe:/a` for all RHEL variants |
9 | 12 | * The channel specifiers are being dropped |
10 | 13 |
11 | 14 |
12 | 15 | ### Minor Version CPEs |
13 | | -Previously, for RHEL 9 and earlier we assigned generic CPEs like cpe:/o:redhat:enterprise_linux:9 for the entire |
14 | | -lifetime of a major release. Minor versions were only reflected in xUS CPEs (e.g., cpe:/a:redhat:rhel_eus:9.2::appstream). |
| 16 | +Previously, for RHEL 9 and earlier we assigned generic CPEs like `cpe:/o:redhat:enterprise_linux:9` for the entire |
| 17 | +lifetime of a major release. Minor versions were only reflected in xUS CPEs (e.g., `cpe:/a:redhat:rhel_eus:9.2::appstream`). |
15 | 18 |
16 | 19 | Starting with RHEL 10 and all following versions of RHEL, we will use minor versions in mainstream CPEs, |
17 | | -e.g., cpe:/o:redhat:enterprise_linux:10.0, incrementing with each subsequent minor release. This will apply to the |
| 20 | +e.g., `cpe:/o:redhat:enterprise_linux:10.0`, incrementing with each subsequent minor release. This will apply to the |
18 | 21 | MAIN, GA, and MAIN.EUS variants. This makes it easier to determine which version of RHEL an advisory was released for |
19 | 22 | without consulting ET product configuration. This also improves our way of tracking releases and which sets of |
20 | 23 | advisories they shipped. More granular minor versions also allow for the use of version ranges later on, which can be |
21 | 24 | used to sets of versions (without having to enumerate them all) where the security status such as "fixed" is applicable. |
22 | 25 |
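Review bot: new line 24 is missing a verb ("which can be used to sets of versions"), presumably "used to describe sets of versions"; it is unchanged context, but since this commit already fixes wording in this section it is worth folding in. Two abbreviations in the same region are used before they are defined: "xUS CPEs" at line 17 is never expanded (the rest of the page only ever names EUS), and "ET product configuration" at line 22 relies on "Errata Tool" being spelled out later at line 33; expand both on first use.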
23 | 26 | ### CPE Type Standardization |
24 | | -Previously, we used a mix of cpe:/o (operating system) and cpe:/a (application) for different variants of RHEL |
| 27 | +Previously, we used a mix of `cpe:/o` (operating system) and `cpe:/a` (application) for different variants of RHEL |
25 | 28 | (for example, base OS used o and Appstream used a). It is unclear why we decided on this different usage and we've |
26 | 29 | encountered various issues in our security data files where consumers have to account for both prefixes even though |
27 | 30 | they identify the same products. |
28 | 31 |
29 | | -Starting with RHEL 10 and all following versions of RHEL, we will standardize on cpe:/o for all RHEL-related components |
30 | | -(those shipped under the RHEL product in Errata Tool). EUS CPEs will also transition from cpe:/a to cpe:/o, for example: |
31 | | -Base OS: cpe:/o:redhat:enterprise_linux_eus:10.2 |
32 | | -AppStream: cpe:/o:redhat:enterprise_linux_eus:10.2 |
| 32 | +Starting with RHEL 10 and all following versions of RHEL, we will standardize on `cpe:/o` for all RHEL-related components |
| 33 | +(those shipped under the RHEL product in Errata Tool). EUS CPEs will also transition from `cpe:/a` to `cpe:/o`, for example: |
| 34 | +Base OS: `cpe:/o:redhat:enterprise_linux_eus:10.2` |
| 35 | +AppStream: `cpe:/o:redhat:enterprise_linux_eus:10.2` |
33 | 36 |
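Review bot: the example at lines 34-35 assigns Base OS and AppStream the identical string `cpe:/o:redhat:enterprise_linux_eus:10.2`, which reads like a copy-paste error unless the point is that the two variants now share one CPE; say that explicitly, since it is also what dropping the `::baseos` and `::appstream` channel specifiers in the next section implies. Line 33 describes the EUS change only as a move from `cpe:/a` to `cpe:/o`, but compared with the RHEL 9 example at line 17 (`cpe:/a:redhat:rhel_eus:9.2::appstream`) the product field changes from `rhel_eus` to `enterprise_linux_eus` as well; call out that rename so consumers updating matching rules do not just swap the prefix. Minor style point: the two example lines are bare paragraph lines, so a bullet list or fenced block, as used elsewhere on the page, would render them more clearly.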
34 | 37 | ### Removal of channel specifiers and consistent naming of EUS CPEs |
35 | | -CPEs for RHEL 9 and earlier used channel specifiers such as ::appstream and ::baseos to differentiate between different |
| 38 | +CPEs for RHEL 9 and earlier used channel specifiers such as `::appstream` and `::baseos` to differentiate between different |
36 | 39 | Errata Tool Variants and pin a specific CPE to a set of RPM repositories. These specifiers were never used externally |
37 | 40 | by any vendor or any of our external documents for any reason other than arbitrary differentiation between groups of |
38 | 41 | content. Starting with RHEL 10, we will drop the use of channel specifiers for RHEL. We will continue using them for |