CPE - Master List location.

Kent_Landfield

CPE - Master List location.


All,

I am cross-posting this to the scap-dev and the cpe mailing lists at the request of a few, since it affects both communities…

In a conversation at BlackHat (yes, useful work does occur at BlackHat) Monty Ijzerman asked a simple question that I did not have an answer for… Where is the master CPE Dictionary?

A simple question with a complicated answer… Here is what I see from looking at the various places. There is a version of the CPE dictionary at NIST and at MITRE.

NIST:  http://nvd.nist.gov/download/cpe-dictionary.xml

MITRE: http://cpe.mitre.org/files/cpe-dictionary_draft1.xml

Products are claiming CPE support, but the question is: whose content are they supporting?

In talking with people, it appears the CPE dictionary at NIST is one developed by operational necessity. The one at MITRE is a 1.0 draft. The one at NIST has 11795 CPE entries. The one at MITRE has 616 entries as of yesterday. Additionally, it does not appear that the names for the same items are identical. Sort of defeats the whole purpose of the dictionary, doesn’t it?

We need to get a master dictionary established and the process around updating it documented and published on the web. We are now starting to see products and databases that are going to start using this information on a daily basis, and there is currently confusion as to which to use.

So how do we get this stable?

What I see needs to be done is:

1) Figure out who is responsible for maintaining the actual master dictionary daily.

2) Make any needed corrections required to assure that the dictionary matches the published specification.

3) Publish management and submissions guidance in the appropriate places so vendors and the community know what the proper process is for submitting new names or contesting existing naming.

I really don’t care who the responsible party is, only that we have one. CPE is one of the most critical pieces in getting the plumbing between products working and quality SCAP content created and published. We saw it in the OVAL certification testing, where two products were calling the same OS different things. That was corrected by simply agreeing on the names transmitted in the OVAL Results that the secondary product was consuming. There has been lots of discussion on the CPE Language surrounding the expressiveness of it, but we are missing the boat here, folks. Let’s start with the simple names and simple things first, get them right, and then move on.

Let’s spend some cycles and focus on the dictionary.

--

Kent Landfield
Director, Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 817.637.8026 Mobile
[hidden email]
www.mcafee.com
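The naming mismatch Kent describes (two dictionaries carrying different names for the same product) is the kind of thing a consumer of CPE content would want to detect mechanically before trusting either file. The script below is an added illustration for this thread, not code from the mailing list, NIST, MITRE or the CPE project. It assumes a dictionary layout of a `<cpe-list>` root holding `<cpe-item name="...">` elements with a `<title>` child (modelled on the later CPE 2.x dictionary format, not the 1.0 draft schema), and the two sample documents embedded in it are constructed stand-ins, not excerpts of the real NIST or MITRE files. It reports names present on only one side, names both sides agree on, products whose titles match but whose names differ, and names that fail a basic syntactic check of the `cpe:/{part}:{vendor}:{product}` form.

```python
"""Compare two CPE dictionary documents and report where they disagree.

Added illustration for the thread above; not code from the list or the CPE
project. Element layout (<cpe-list> containing <cpe-item name="..."> with a
<title>) is assumed, modelled on the CPE 2.x dictionary format. Both sample
documents are constructed, not excerpts of the NIST or MITRE files.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed stand-in for the NIST dictionary (cpe-dictionary.xml).
NIST_SAMPLE = """<?xml version="1.0"?>
<cpe-list>
  <cpe-item name="cpe:/o:microsoft:windows_xp:::sp2"><title>Microsoft Windows XP SP2</title></cpe-item>
  <cpe-item name="cpe:/o:redhat:enterprise_linux:4"><title>Red Hat Enterprise Linux 4</title></cpe-item>
  <cpe-item name="cpe:/a:apache:httpd:2.2.4"><title>Apache HTTP Server 2.2.4</title></cpe-item>
  <cpe-item name="cpe:/x:bogus:entry:1"><title>Malformed Part</title></cpe-item>
</cpe-list>"""

# Constructed stand-in for the MITRE draft (cpe-dictionary_draft1.xml).
MITRE_SAMPLE = """<?xml version="1.0"?>
<cpe-list>
  <cpe-item name="cpe:/o:microsoft:windows_xp:sp2"><title>Microsoft Windows XP SP2</title></cpe-item>
  <cpe-item name="cpe:/o:redhat:enterprise_linux:4"><title>Red Hat Enterprise Linux 4</title></cpe-item>
  <cpe-item name="cpe:/a:apache:http_server:2.2.4"><title>Apache HTTP Server 2.2.4</title></cpe-item>
</cpe-list>"""

VALID_PARTS = {"a", "h", "o"}  # application, hardware, operating system


def is_well_formed_name(name):
    """Basic syntactic check of a CPE 2.x style URI: cpe:/{part}:{vendor}:{product}[:...].

    At most seven components (part, vendor, product, version, update, edition,
    language); the part must be a, h or o and vendor/product must be non-empty.
    This is a sanity check against the assumed format, not a full validator.
    """
    if not name.startswith("cpe:/"):
        return False
    components = name[len("cpe:/"):].split(":")
    if not 3 <= len(components) <= 7:
        return False
    return components[0] in VALID_PARTS and all(components[1:3])


def load_dictionary(xml_text):
    """Parse a dictionary document into {name: title}; names are lower-cased so
    that case differences alone are not reported as disagreements."""
    root = ET.fromstring(xml_text)
    entries = {}
    for item in root.iter("cpe-item"):
        name = (item.get("name") or "").strip().lower()
        title_el = item.find("title")
        title = " ".join((title_el.text or "").split()) if title_el is not None else ""
        if name:
            entries[name] = title
    return entries


def compare_dictionaries(left, right):
    """Report names unique to each side, names both sides share, products that
    carry different names on each side (matched by title), and malformed names."""
    only_left = sorted(set(left) - set(right))
    only_right = sorted(set(right) - set(left))
    agreed = sorted(set(left) & set(right))

    # Index each side's names by normalised title to catch "one product, two names".
    by_title_left, by_title_right = defaultdict(set), defaultdict(set)
    for name, title in left.items():
        by_title_left[title.lower()].add(name)
    for name, title in right.items():
        by_title_right[title.lower()].add(name)
    conflicts = []
    for title in sorted(set(by_title_left) & set(by_title_right)):
        if by_title_left[title] != by_title_right[title]:
            conflicts.append((title, sorted(by_title_left[title]), sorted(by_title_right[title])))

    malformed = sorted(n for n in set(left) | set(right) if not is_well_formed_name(n))
    return {"only_left": only_left, "only_right": only_right, "agreed": agreed,
            "conflicts": conflicts, "malformed": malformed}


def main():
    report = compare_dictionaries(load_dictionary(NIST_SAMPLE), load_dictionary(MITRE_SAMPLE))
    for key, value in report.items():
        print(f"{key}:")
        for entry in value:
            print(f"  {entry}")


if __name__ == "__main__":
    main()
```

Matching on title is deliberately loose: it is the only cross-dictionary handle available when the names themselves disagree, which is exactly the situation the thread complains about. On real files the `conflicts` list is the one to review first, since every entry in it is a product that two CPE-supporting tools could legitimately name differently.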

 

Andrew Buttner

Re: CPE - Master List location.

Very good points that need to be addressed quickly!!  I will try to
answer things as best as I can.

The official CPE Dictionary lives on the CPE web site.  NVD is in the
process of converting their product dictionary to CPE and then plans to
submit it to the CPE community to take the place of the current draft
on the CPE site.  NVD will then mirror the official CPE Dictionary on
their site.  We are hoping to have the first draft of all of this
available shortly.  This will continue to be draft until Version 2.0 of
the specification is released, at which time the CPE Dictionary will be
converted and released as official.

I apologize for the confusion and delay in all of this.  Unfortunately
focus has currently been applied to the specification and that has let
the dictionary get a bit out of date.


>What I see needs to be done is:
>
>1) Figure out who is responsible for maintaining
>the actual master dictionary daily

The CPE project is ultimately responsible for this work.



>2) Make any needed corrections required to assure
>that dictionary matches the published specification

This work is currently being done and the plan is to have it finished
by the time 2.0 is released.



>3) Publish management and submissions guidance in
>the appropriate places so vendors and the community know what
>the proper process is for submitting new names or contesting
>existing naming.

Definitely needed, although I am not sure when this will get done.  My
guess is that this will have to wait until after the SCAP conference.
In the meantime, all new submissions should be made by sending names to
[hidden email].


>Let's spend some cycles and focus on the dictionary.

This is being done and I hope that we can release the next draft
shortly.

Thanks
Drew