Abstract and Concrete CPE Names in the Dictionary

Drew,

From what I have been able to determine from Dave's emails, his use case is
based on the need to create database records that represent authoritative,
discrete product references in the CPE name format.  I would define a
discrete product reference as a CPE name that refers to a SKU or
electronically distributed content.  CPE names used in this fashion are not
generated by reference or by report, thus he is forced to look to the
official CPE dictionary.  Since this is a database application he is unable
to use the system inventory approach using OVAL definitions to qualify what
CPE names to use.  Instead he is looking for another authoritative hint.

Furthermore, it is not enough that all CPE names are unique; he is looking
for the set of CPE names that correspond directly on a one-to-one basis with
actual installed software.  Said a different way he needs the ability for a
tool to be able to associate a discrete product with a corresponding CPE
name.  This mapping must be able to occur at differing levels of abstraction
relative to the CPE components.  I believe for most products that we have
the granularity in the CPE name to accomplish this so why not do this?

These capabilities are key for asset, license and procurement management
applications.  These use cases are definitely within the intended scope of
CPE, as references to standard product names are needed.  If all he needs to
support these use-cases is a flag that indicates if a CPE name refers to a
discrete product or not, I think we need to find a way to support this in an
official CPE capacity.  If the CPE standard does not support these
use-cases, we risk alienating users/vendors.  The worst case scenario for
this situation is the creation of a competing standard.  This is not a win
for CPE.  We need to find a way forward to make this work.

Dave

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]

Sent: Tuesday, June 10, 2008 1:45 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Abstract and Concrete CPE Names in the
Dictionary

>They wish to express a definitive "has this" or "is this" relationship
>to the finest degree possible in CPE.  To the language level is
>preferred; however, I believe to the edition level is sufficient for
>most use cases.

This relationship is something that they need to define anyway (CPE doesn't
try to define it) so it is perfectly acceptable for them to say that the CPE
Name that has been assigned to the asset means "the asset is of this
platform type".



>To represent a "has this" or "is this" relationship to the desired level
>of specificity, a CPE assigned to an asset must be unique,

All CPE Names must be unique by definition.



>of the finest granularity possible

I would reword this to say "must be at the granularity they desire".  You
even stated that going down to language is not desired.



>and must not be susceptible to the scenario I laid
>out in question 2.a of my original email.

Agreed and I think this is covered.



>Currently, my stakeholders have a need to extract the entries from the
>dictionary that represent products or hardware that an asset can have or
>be.
>There is no need from my stakeholders to extract CPEs that represent
>"relates to" or "in the family of" information.

I think this might be the root of the confusion.  CPE does nothing to try
and support this.  All that CPE is trying to do is provide a list of all the
known identifiers.  The amount of metadata provided is very sparse.  Just
enough to know what it is that has been identified.  I think what you need
is additional metadata associated with a CPE that would enable you to search
through the list and find the CPE Names that are desired.

I think this is a very important use case but is one that is outside the
scope of CPE.  This problem is very similar to one that faces the CVE
community.  CVE is a list of vulnerability identifiers.  Users that need
more metadata rely on an external databases to get it.  These external
databases (NVD is an example) use the CVE identifier to tag each entry and
associate metadata to it.

I think what you need is for the "National Product Database" to be created.
Agree?  This is something that had come up at CPE Developer Days as well.



>Furthermore, my
>stakeholders have a need for a logical language that can be used to
>construct queries to identify assets that have certain configurations.
>These queries may be very general and leverage the wildcard features of
>the matching algorithm.  These queries may also be very specific and target
>a single language or edition of a product.  In the later case, the
>matching algorithm and library need to be able to return only assets that
have
>the exact product installed (which is where my concern for issue 2.a comes
>in).

This seems to align with the goals of OVAL.


Thanks
Drew

My response is in-line below.

> >These capabilities are key for asset, license and procurement management
> >applications.
>
> I completely agree, and hopefully CPE enables these types of
> capabilities, but is it best for CPE to try and provide full support?
> Or is it better for CPE work with other efforts to provide full
> support?
>
> >These use cases are definitely within the intended scope of
> >CPE, as references to standard product names are needed.  If all he
> >needs to support these use-cases is a flag that indicates if a CPE
> >name refers to a discrete product or not, I think we need to find
> >a way to support this in an official CPE capacity.
>
> I very much want to hear from others in the community about the above
> statement.  Is this within the scope of CPE?  Should CPE work to define
> additional metadata related to the identifier?  Or should CPE leave
> this metadata work to others and focus solely on building the list of
> identifiers?

Why shouldn't CPE try to provide support for these types of capabilities?  Why
add another standard to the mix when CPE can handle this use case with some
minor changes?  Admittedly, CPE cannot be all things to all people but it should
handle the basic problem of communicating product/platform information across
various domains.  The domains need to include not only vulnerability and
checklist data providers but other aspects of an enterprise such as asset and
licensing management.  My understanding is that the CPE community has decided
that part, vendor, product, version, update, edition, and language are
sufficient to uniquely identify a product.  Is this understanding correct?  If
not what could be added to allow for unique identification?

Another way to solve this without even requiring adding a bit is if the
"official" dictionary contains CPEs down to the language level, even if that
requires specifying default values for some of the components.  According to the
matching algorithm, CPEs using fewer component lengths are implied.  Data
providers could provide the meta-data for CPEs of fewer components as needed or
desired.

Taking the previous solution a bit farther I would argue that an official "CPE"
identifier is always all seven components.  Shorter CPEs are merely useful in
the context of matching or where less specificity is needed.  Since you are
concerned with meta-data creep why not have the "official" dictionary provide
just the identifiers with maybe a brief description and no other additional
meta-data?  Titles, references, checks, and any other meta-data would be
value-add to the CPE provided by data providers (like the NVD).

Addressing your points:

> * What is discrete to one user might not be discrete to another.  How
> would CPE make this determination?  Is WinXP Pro discrete (I think that
> is what you buy) or is WinXP Pro SP1 discrete (after you download the
> SP)?  Actually, in reality you buy WinXP Pro English so is that
> discrete?  This is similar to the issue of providing weights to
> vulnerabilities.  Everyone has a different answer for what the weight
> should be.  If the enumeration tries to set one as official, those that
> don't agree will be alienated.

I strongly disagree with the analogy to CVEs and CVSS scoring.  What is being
talked about here is what constitutes an official identifier not what is the
particular value for a piece of meta-data.

As mentioned earlier, an "official" CPE should be as fine-grained as the
standard currently defines.  Less granular CPEs are always implied by the more
specific ones.  In this way no one is "alienated"; users of the less granular
CPEs still have an agreed upon identifier.  Taking your examples above:
Initial release of the English Language version of WinXP Pro could be:
cpe:/o:microsoft:windows_xp::gold:pro:en

Once Service Pack 1 is released (either for download or eventually sold retail)
a new entry would be:
cpe:/o:microsoft:windows_xp::sp1:pro:en

If a reference to only Microsoft Windows XP is desired then the cpe:

cpe:/o:microsoft:windows_xp

would refer to both of these CPEs in this example.

>
> * Does expanding the scope of CPE beyond the task of providing
> identifiers reduce our ability to succeed?  This is a lesson that has
> been learned in the past.  CVE was one of the first to just focus on
> the identifier and leave the metadata problem to others.

I have two points to this.  First the problem that CPE is trying to solve is
more difficult than for CVEs.  Not only do we wish to communicate about specific
products but we wish to also talk about groups of them as well.  Second CPE
already extends beyond just the task of providing identifiers.  The CPE language
structure codifies how to combine various products together to create a
platform, and the CPE dictionary specification describes how to communicate
lists of CPEs along with the meta-data.  I agree that CPE should not attempt to
describe every possible association of meta-data to a particular identifier.
But CPE should specify a minimum set of "globally useful" meta-data as well as a
mechanism to allow for arbitrary meta-data associations, facilitating
communication of this meta-data between products which use CPEs.  In the current
version of the CPE specification the required encoded meta-data could be the
seven component pieces of a CPE identifier.

>
> * This type of metadata is perfect for an external data repository
> built on CPE.  This allows CPE to focus on the identifiers, and the
> repository to focus on supplying the use-case specific metadata.  These
> repositories would not be competing with CPE, but rather leveraging
> CPE.  CPE would allow these repositories to share information, and
> users to pull information from each of the repositories.

See above.

> Should CPE focus on just the identifier?
> Or should it also focus on providing a repository of metadata related
> to the identifier?

Ultimately, I would like to see CPE as a means to communicate about products.  I
think the CPE specification should not only provide a means to associate an
identifier with a product but also a way to communicate about that product or
groups of products.  The CPE specification should also provide a standardized
means to associate arbitrary meta-data with a CPE as well as a way to describe
this meta-data.

-Harold

Hi Ernest,

Do your tools use vendor provided data to name the vendor and application, e.g.
those strings from an RPM distribution?  Or, are the vendor and application
names hand added?

Cheers,

       -Gary-

On 11 Jun 2008 at 21:45, Ernest Park wrote:

> Neither. I use Palamida IP Amplifier product. I added custom signatures and
> additional vendor, app, release metadata.
>
> So, step 1. Use a tool that can scan unknown code and create an inventory.
> Ideally, choose a tool that outputs CPE constructs or a CPE URI. I push out
> the pieces, since I need to massage and correct misassociations later. By
> having the pieces, I can be certain of vendor, app, and just fix a release
> name.
>
>
>
> IP Amp scans and IDs the unknown files. Once I have the products IDed, I start
> layering metadata in - so all Apache prods get a "vendor" attriibute like
> apache_software_foundation, and so on.