Add CPEs for libpng and freetype.

CPEs are the way that MITRE tracks different projects and versions, and that's the input required by Vomit, Google's automated vulnerability notification system. At present Vomit is unable to identify the versions for these components and is therefore reporting the wrong CVEs in crbugs. Adding these CPEPrefix lines will enable Vomit to notify for any vulnerabilities affecting these versions. This is copied from https://crrev.com/746237 and other related CLs.

Change-Id: I0f04446763510ca4cc85746adb410ae9f3f4e135
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/73191
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

diff --git a/third_party/freetype/README.pdfium b/third_party/freetype/README.pdfium index 461c194..1a26701 100644 --- a/third_party/freetype/README.pdfium +++ b/third_party/freetype/README.pdfium
@@ -1,6 +1,7 @@ Name: FreeType URL: http://www.freetype.org/ Version: VER-2-10-2-48 +cpe:/a:freetype:freetype:2.10.1 Revision: 986a340dd52825ceaa142ae19473de0ee52d57f2 Security Critical: yes License: FreeType License (FTL)
diff --git a/third_party/libpng16/README.pdfium b/third_party/libpng16/README.pdfium index 0d9c30c..a4bcb63 100644 --- a/third_party/libpng16/README.pdfium +++ b/third_party/libpng16/README.pdfium
@@ -1,6 +1,7 @@ Name: libpng URL: http://libpng.org/ Version: 1.6.37 +CPEPrefix: cpe:/a:libpng:libpng:1.6.37 Security Critical: yes License: libpng license License Android Compatible: yes
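
Review bot: In the third_party/freetype/README.pdfium hunk, the added line is a bare `cpe:/a:freetype:freetype:2.10.1` with no `CPEPrefix:` key, unlike the libpng hunk and unlike what the commit message describes ("Adding these CPEPrefix lines"), so a tool reading the README as key/value fields may not pick it up. The CPE also names version 2.10.1 while the `Version:` field directly above it reads VER-2-10-2-48; if that tag corresponds to 2.10.2, notifications would be matched against the wrong release, which is the problem this change sets out to fix. Suggest adding the `CPEPrefix: ` key and confirming which version the CPE should carry.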
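
Review bot: In the third_party/libpng16/README.pdfium hunk, the version in `CPEPrefix: cpe:/a:libpng:libpng:1.6.37` duplicates the `Version: 1.6.37` field above it, and nothing visible in this change keeps the two in step when libpng is rolled. Consider noting in the README or in the roll instructions that both lines must be updated together, since a stale CPE would leave CVEs reported against the wrong version again.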