module: add security info to module.yml

[mrodgers-witekio]

Add CPE and PURL references to module.yml file for use by Zephyr's SPDX generation tool.

See github issue in Zephyr repo: zephyrproject-rtos/zephyr#53479

The CPE added is the most recent one I could find for openthread in the NIST database: https://nvd.nist.gov/products/cpe/detail/5F57440F-9CB1-4BA2-BD81-FA00F15C8441

[kartben]

should it be like this instead? feels wrong to put an old version of the CPE, but I also understand that the "new" one probably doesn't "exist" until a CVE is reported against it? not sure if it's ok to basically guess? or maybe just put a wildcard even if that means people might get false positives?)

re pkg, I think the latest released version that our fork is based off of should be there too but again, not sure

Suggested change

	- cpe:2.3:o:google:openthread:2019-12-13:*:*:*:*:*:*:*
	- pkg:github/openthread/openthread
	- cpe:2.3:o:google:openthread:2023-07-06:*:*:*:*:*:*:*
	- pkg:github/openthread/openthread@thread-reference-20230706

[mrodgers-witekio]

Good question, I will ask around and see if I can find a good answer...

Like you say it doesn't seem right to either use the wrong version number, or to use a CPE that doesn't "exist" yet

[mrodgers-witekio]

Updated with your suggestion: the consensus internally is that it's better to specify the correct version number, and downstream users of the info can decide how to handle this if a CPE with this specific version does not exist yet.

[kartben]

Suggested change

	- cpe:2.3:o:google:openthread:2023-07-06*:*:*:*:*:*:*
	- cpe:2.3:o:google:openthread:2023-07-06:*:*:*:*:*:*

[mrodgers-witekio]

Updated again as I was missing a :* from the cpe, causing west spdx to skip it

[pdgendt]

This should be upstreamed as we follow the upstream branch directly.

[pdgendt]

-1 to prevent fly-by merge

EDIT: no permission though

[mrodgers-witekio]

Will move to upstream repo in a sec

[mrodgers-witekio]

See openthread/openthread#11206