CPE Dictionary Update

Andrew Buttner

CPE Dictionary Update

All,

I have taken the different submissions that we have received over the
past few months and merged them together into a single dictionary file.
(warning - this file is BIG)  I'd like to get this out into the
community for everyone to start looking at.  Many thanks to Red Hat,
Apple, Lt. Col. Wolfkiel, and Thomas Jones.

** Please note that these dictionary entries are not official until
they are published in the Official CPE Dictionary hosted by NIST. **

I've tried to do a little validation on these names to make sure they
follow the spec, but I know that I did not get everything.  My feeling
is that it is better right now to get stuff out there so we can all
start working with it, and we can use the deprecation feature if
necessary to change certain names.  We need to get a working dictionary
released.

Anyway, if anyone else wants to look over the enclosed CPE Names and
provide feedback that would be great.  Also, if you have additional
names that could be merged in, please forward them to me and I will do
my best to add them in.  Thanks!

A few things I am looking for:

- names that don't follow the spec
- names that you don't agree with (and a reason why)
- vendors willing to validate/expand their names
- additional names

Please post any questions or concerns to the list so we can work
through them.  I would really like to get a working dictionary online
as I think it is the most important obstacle standing in the way of CPE
adoption at this moment.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515


Attachment: cpe-dictionary_2.1_draft.zip (152K)
Mark J Cox-2

Re: CPE Dictionary Update

> A few things I am looking for:
> - vendors willing to validate/expand their names
> - additional names

Some fixes based on our current product portfolio; this covers everything
released up until today in the RHEL product family.  I'm still behind
working on the JBoss names.

*** Corrections:

        <cpe-item name="cpe:/a:redhat:rhel_global_file_system:3">
              <title xml:lang="en-us">Red Hat Global File System 3</title>
        <cpe-item name="cpe:/a:redhat:rhel_global_file_system:4">
              <title xml:lang="en-us">Red Hat Global File System 4</title>

     I've since discovered that the version numbers are incorrect, we
     actually named the GFS for EL3 as 6.0 and the GFS for EL4 as 6.1
     therefore these entries should be:

        <cpe-item name="cpe:/a:redhat:rhel_global_file_system:6.0">
              <title xml:lang="en-us">Red Hat Global File System 6.0 for Enterprise Linux 3</title>
        <cpe-item name="cpe:/a:redhat:rhel_global_file_system:6.1">
              <title xml:lang="en-us">Red Hat Global File System 6.1 for Enterprise Linux 4</title>

*** To add rhel-4.6:

        <cpe-item name="cpe:/o:redhat:enterprise_linux:4:update6:as">
              <title xml:lang="en-us">Red Hat Enterprise Linux 4 Update6 Advanced Server</title>

        <cpe-item name="cpe:/o:redhat:enterprise_linux:4:update6:desktop">
              <title xml:lang="en-us">Red Hat Enterprise Linux 4 Update6 Desktop</title>

        <cpe-item name="cpe:/o:redhat:enterprise_linux:4:update6:es">
              <title xml:lang="en-us">Red Hat Enterprise Linux 4 Update6 Enterprise Server</title>

        <cpe-item name="cpe:/o:redhat:enterprise_linux:4:update6:ws">
              <title xml:lang="en-us">Red Hat Enterprise Linux 4 Update6 Workstation Server</title>

*** To add rhel-5.1 (we started calling it 5.1):

        <cpe-item name="cpe:/o:redhat:enterprise_linux:5:update1:client">
              <title xml:lang="en-us">Red Hat Enterprise Linux Desktop (v.5.1 client) </title>

        <cpe-item name="cpe:/o:redhat:enterprise_linux:5:update1:client_workstation">
              <title xml:lang="en-us">Red Hat Enterprise Linux Desktop Workstation (v.5.1 client)</title>

        <cpe-item name="cpe:/o:redhat:enterprise_linux:5:update1:server">
              <title xml:lang="en-us">Red Hat Enterprise Linux (v.5.1 server)</title>

*** Corrections:

        <cpe-item name="cpe:/a:redhat:rhel_developer_suite:2">
              <title xml:lang="en-us">Red Hat Developer Suite 2</title>

  We have two versions of RHDS2, 2.0 for EL3 and 2.1 for EL4 so the
  entry above should actually be:

        <cpe-item name="cpe:/a:redhat:rhel_developer_suite:2.0">
              <title xml:lang="en-us">Red Hat Developer Suite 2.0 for Enterprise Linux 3</title>

        <cpe-item name="cpe:/a:redhat:rhel_developer_suite:2.1">
              <title xml:lang="en-us">Red Hat Developer Suite 2.1 for Enterprise Linux 4</title>

*** Add satellite server versions

        <cpe-item name="cpe:/a:redhat:network_satellite_server:3.7">
         <title xml:lang="en-us">Red Hat Network Satellite Server 3.7 for Enterprise Linux 2.1, 3, 4</title>

        <cpe-item name="cpe:/a:redhat:network_satellite_server:4.0">
         <title xml:lang="en-us">Red Hat Network Satellite Server 4.0 for Enterprise Linux 3, 4</title>

        <cpe-item name="cpe:/a:redhat:network_satellite_server:4.1">
         <title xml:lang="en-us">Red Hat Network Satellite Server 4.1 for Enterprise Linux 3, 4</title>

        <cpe-item name="cpe:/a:redhat:network_satellite_server:4.2">
         <title xml:lang="en-us">Red Hat Network Satellite Server 4.2 for Enterprise Linux 3, 4</title>

        <cpe-item name="cpe:/a:redhat:network_satellite_server:5.0">
         <title xml:lang="en-us">Red Hat Network Satellite Server 5.0 for Enterprise Linux 4</title>

*** Add Proxy product

        <cpe-item name="cpe:/a:redhat:network_proxy">
              <title xml:lang="en-us">Red Hat Network Proxy</title>

        <cpe-item name="cpe:/a:redhat:network_proxy:3.7">
         <title xml:lang="en-us">Red Hat Network Proxy 3.7 for Enterprise Linux 2.1, 3, 4</title>

        <cpe-item name="cpe:/a:redhat:network_proxy:4.0">
         <title xml:lang="en-us">Red Hat Network Proxy 4.0 for Enterprise Linux 3, 4</title>

        <cpe-item name="cpe:/a:redhat:network_proxy:4.1">
         <title xml:lang="en-us">Red Hat Network Proxy 4.1 for Enterprise Linux 3, 4</title>

        <cpe-item name="cpe:/a:redhat:network_proxy:4.2">
         <title xml:lang="en-us">Red Hat Network Proxy 4.2 for Enterprise Linux 3, 4</title>

        <cpe-item name="cpe:/a:redhat:network_proxy:5.0">
         <title xml:lang="en-us">Red Hat Network Proxy 5.0 for Enterprise Linux 4</title>

** Add Certificate System Product

        <cpe-item name="cpe:/a:redhat:certificate_system">
              <title xml:lang="en-us">Red Hat Certificate System</title>

        <cpe-item name="cpe:/a:redhat:certificate_system:7.1">
              <title xml:lang="en-us">Red Hat Certificate System 7.1</title>

        <cpe-item name="cpe:/a:redhat:certificate_system:7.2">
              <title xml:lang="en-us">Red Hat Certificate System 7.2</title>

        <cpe-item name="cpe:/a:redhat:certificate_system:7.3">
              <title xml:lang="en-us">Red Hat Certificate System 7.3</title>

** Add Directory Server Product

        <cpe-item name="cpe:/a:redhat:directory_server">
              <title xml:lang="en-us">Red Hat Directory Server</title>

        <cpe-item name="cpe:/a:redhat:directory_server:7.1">
              <title xml:lang="en-us">Red Hat Directory Server 7.1</title>

        <cpe-item name="cpe:/a:redhat:directory_server:8">
              <title xml:lang="en-us">Red Hat Directory Server 8</title>

Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team
Andrew Buttner

Re: CPE Dictionary Update

>*** To add rhel-5.1 (we started calling it 5.1):
>
>        <cpe-item
>name="cpe:/o:redhat:enterprise_linux:5:update1:client">
>              <title xml:lang="en-us">Red Hat Enterprise Linux
>Desktop (v.5.1 client) </title>

regarding the general availability release, would we consider this
v.5.0?  Remember that there should be a CPE Name that represents any
version 5 platform:

cpe:/o:redhat:enterprise_linux:5 -- Red Hat Enterprise Linux 5

and then a name for each individual release.

cpe:/o:redhat:enterprise_linux:5:ga -- ??
cpe:/o:redhat:enterprise_linux:5:update1 -- Red Hat Enterprise Linux
(v.5.1)





>*** Add satellite server versions
>
>        <cpe-item name="cpe:/a:redhat:network_satellite_server:3.7">
>          <title xml:lang="en-us">Red Hat Network Satellite
>Server 3.7 for Enterprise Linux 2.1, 3, 4</title>


I noticed that the new apps don't have rhel as part of their name.
For example:

cpe:/a:redhat:rhel_application_server
cpe:/a:redhat:rhel_developer_suite
etc.

I think we had "rhel" included since these apps were specific to rhel
and were completely different than non-rhel versions.  We wanted to
differentiate this in the product name.  Should we add rhel to the new
names?  Should we reconsider the use of rhel in the existing names?

Thanks
Drew
Mark J Cox-2

Re: CPE Dictionary Update

> regarding the general availability release, would we consider this
> v.5.0?  Remember that there should be a CPE Name that represents any
> version 5 platform:

I don't think we've ever officially called it 5.0, and the installed Red
Hat release package identifies it as "release 5".  So perhaps "ga" to
match the other entries.

> I think we had "rhel" included since these apps were specific to rhel
> and were completely different than non-rhel versions.  We wanted to
> differentiate this in the product name.  Should we add rhel to the new
> names?  Should we reconsider the use of rhel in the existing names?

Right, I've used the rhel_ prefix to identify what we class as 'layered
products', a collection of application packages that are not stand-alone
and are designed to run on top of Red Hat Enterprise Linux (only).

We have other products that are not layered products; some of which
already run on many platforms.  Directory Server and Certificate System
for example are true stand-alone applications, are cross-platform, and
already are run on Solaris, HPUX, etc.

FYI also http://www.redhatmagazine.com/2008/02/04/tips-and-tricks-rhel-ref/

Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team
Andrew Buttner

Re: CPE Dictionary Update

>> regarding the general availability release, would we consider this
>> v.5.0?  Remember that there should be a CPE Name that represents any
>> version 5 platform:
>
>I don't think we've ever officially called it 5.0, and the
>installed Red
>Hat release package identifies it as "release 5".  So perhaps "ga" to
>match the other entries.


so:

cpe:/o:redhat:enterprise_linux:5 -- Red Hat Enterprise Linux 5
cpe:/o:redhat:enterprise_linux:5::client -- Red Hat Enterprise Linux
Desktop (v.5 client)

cpe:/o:redhat:enterprise_linux:5:ga -- Red Hat Enterprise Linux 5
(general availability)
cpe:/o:redhat:enterprise_linux:5:ga:client -- Red Hat Enterprise Linux
Desktop (general availability client)

cpe:/o:redhat:enterprise_linux:5:update1 -- Red Hat Enterprise Linux
(v.5.1)
cpe:/o:redhat:enterprise_linux:5:update1:client -- Red Hat Enterprise
Linux Desktop (v.5.1 client)


or should the (v.5) tag be associated with the ga release?

Thanks
Drew
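
An added example, not part of the thread or of the CPE project's own code: a small Python sketch of why a short name such as cpe:/o:redhat:enterprise_linux:5 can stand for every release listed above, including the empty update component in 5::client. It assumes the CPE 2.x URI component order (part, vendor, product, version, update, edition, language), treats an empty or omitted component as "any", and uses a conservative character check; the function names are hypothetical.

```python
import re

# Component order of a CPE 2.x URI: cpe:/part:vendor:product:version:update:edition:language
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
# Assumption: a conservative character set (lowercase letters, digits, . _ - ~ %)
_COMPONENT = re.compile(r"[a-z0-9._\-~%]*")

# Names proposed in the thread above
THREAD_NAMES = [
    "cpe:/o:redhat:enterprise_linux:5",
    "cpe:/o:redhat:enterprise_linux:5::client",
    "cpe:/o:redhat:enterprise_linux:5:ga",
    "cpe:/o:redhat:enterprise_linux:5:ga:client",
    "cpe:/o:redhat:enterprise_linux:5:update1",
    "cpe:/o:redhat:enterprise_linux:5:update1:client",
]


def parse_cpe(name):
    """Split a CPE URI into its seven components; '' means unspecified."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"missing cpe:/ prefix: {name!r}")
    parts = name[len("cpe:/"):].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components: {name!r}")
    if parts[0] not in ("a", "o", "h", ""):
        raise ValueError(f"part must be a, o or h: {name!r}")
    for value in parts:
        if not _COMPONENT.fullmatch(value):
            raise ValueError(f"illegal characters in component {value!r}")
    # Omitted trailing components are unspecified, same as explicit empties.
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def covers(general, specific):
    """True if every component set in `general` is identical in `specific`."""
    g, s = parse_cpe(general), parse_cpe(specific)
    return all(g[f] == "" or g[f] == s[f] for f in FIELDS)


def covered_by(general, names=THREAD_NAMES):
    """Return the names from `names` that `general` stands for."""
    return [n for n in names if covers(general, n)]
```
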
Andrew Buttner

Re: CPE Dictionary Update

In reply to this post by Andrew Buttner
I've added some additional names to the draft CPE Dictionary file that
was previously sent out.  This update contains a handful of new names
for HP-UX and IBM AIX.  It also contains a couple of names submitted by
Shavlik Technologies for their products.  Many thanks to Shavlik and we
hope other vendors will also submit names for their products.

** Please note that these dictionary entries are not official until
they are published in the Official CPE Dictionary hosted by NIST. **

If there are any corrections to the current names, or if there are
submissions that you would like to make, please don't hesitate to
contact the CPE team at [hidden email] or through this community
discussion list.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515




Attachment: cpe-dictionary_2.1_draft.zip_rename (153K)
Peter M. Mell

Re: CPE Dictionary Update

CPE community,

On April 15 NIST plans to release a new version of the Official CPE
dictionary that will be greatly expanded and improved (available at
http://nvd.nist.gov/cpe.cfm). This event will kick off a cycle of consistent
updates to the official CPE dictionary (probably on a monthly basis) and
will mark the time at which we will accept CPE product
validations in the SCAP validation program.

Thanks,
Peter Mell
NIST NVD Program Manager
http://nvd.nist.gov