fix(azurelinux-release): use CPE 2.3 binding with correct vendor for OS CPE#17685
Open
anphel31 wants to merge 1 commit into
Open
fix(azurelinux-release): use CPE 2.3 binding with correct vendor for OS CPE#17685anphel31 wants to merge 1 commit into
anphel31 wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the CPE identifier emitted by azurelinux-release so that both /usr/lib/os-release (CPE_NAME=) and /usr/lib/system-release-cpe use a consistent CPE 2.3 formatted-string with the microsoft vendor and azure_linux product.
Changes:
- Bump
azurelinux-releaseRelease:from17→18and add a changelog entry. - Change
system-release-cpecontent to a CPE 2.3 formatted-string. - Change
os-releaseCPE_NAMEto a CPE 2.3 formatted-string and re-render the spec + refresh the lock fingerprint.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| base/comps/azurelinux-release/azurelinux-release.spec | Updates the emitted OS CPE strings and bumps Release/changelog in the source spec. |
| specs/a/azurelinux-release/azurelinux-release.spec | Re-rendered spec reflecting the updated CPE strings and release bump. |
| locks/azurelinux-release.lock | Updated input-fingerprint after the spec change. |
Comments suppressed due to low confidence (1)
base/comps/azurelinux-release/azurelinux-release.spec:302
CPE_NAMEis being switched to CPE 2.3 formatted-string binding, but the string is truncated. For compliance/interoperability, include all 13 components and use*for unspecified fields.
ANSI_COLOR="0;38;2;60;110;180"
LOGO=azurelinux-logo-icon
CPE_NAME="cpe:2.3:o:microsoft:azure_linux:%{dist_version}"
DEFAULT_HOSTNAME="azurelinux"
HOME_URL="%{dist_home_url}"
DOCUMENTATION_URL="https://aka.ms/azurelinux"
SUPPORT_URL="https://aka.ms/azurelinux"
reubeno
requested changes
Jun 11, 2026
reubeno
left a comment
reubeno
left a comment
Member
There was a problem hiding this comment.
Changes look good (thanks for fixing the inconsistency!), but will you please squash the 2 commits and make sure they have a conventional commit prefix?
Both /etc/os-release CPE_NAME and /usr/lib/system-release-cpe now emit a consistent, well-formed CPE 2.3 formatted string with the correct Microsoft vendor and azure_linux product name: cpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:* Previously the two values had drifted (os-release used the legacy CPE 2.2 URI 'cpe:/o:azurelinuxproject:azurelinux:4.0' while system-release-cpe used 'cpe:/o:microsoft:azurelinux:4.0'). A CPE 2.3 formatted string must bind all 11 attributes, so the 7 unspecified trailing attributes are set to '*' wildcards to keep the string valid (13 components total).
anphel31
force-pushed
the
anphel/fix-oscpe
branch
from
5c615d2 to
1e12679
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Updates the CPE identifier shipped by
azurelinux-releaseto use the CPE 2.3formatted-string binding with the correct Microsoft vendor and
azure_linuxproduct name. This affects both places the CPE is emitted:
CPE_NAME=in/etc/os-release(via/usr/lib/os-release)/usr/lib/system-release-cpefile (and its/etc/system-release-cpesymlink)Before
os-releaseCPE_NAMEcpe:/o:azurelinuxproject:azurelinux:4.0system-release-cpecpe:/o:microsoft:azurelinux:4.0After
os-releaseCPE_NAMEcpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*system-release-cpecpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*Both files now carry an identical, consistent value.
Motivation
The two CPE strings were inconsistent with each other (
azurelinuxprojectvsmicrosoftvendor) and both used the legacy CPE 2.2 URI binding (cpe:/o:...).This change standardizes on:
cpe:2.3:o:...), the current specmicrosoftas the vendorazure_linuxas the product nameChanges
base/comps/azurelinux-release/azurelinux-release.specCPE_NAMEin the generated os-release block →cpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*system-release-cpecontent →cpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*Release:bump 17 → 18 + changelog entryspecs/a/azurelinux-release/azurelinux-release.speclocks/azurelinux-release.lockTesting
azldev comp build -p azurelinux-releasesucceeds; all subpackages produced.azurelinux-release-identity-basic→/usr/lib/os-releasecontainsCPE_NAME="cpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*"azurelinux-release-common→/usr/lib/system-release-cpecontainscpe:2.3:o:microsoft:azure_linux:4.0:*:*:*:*:*:*:*azldev comp renderreports no drift post-commit.