CPE values for generic systems

:-) I guess I was one of them…

 

I really look at the component standards in different ways that might be useful to consider… I don't want component standards to serve one master…

 

CPE is a standalone standard for exchanging structured naming information. This information can be used between products as in passing system information to another application. This assures the applications can "speak the same language" and know what the type of system the target was to the level of specificity passed.  CPE can be used in databases to relate "Affected Platforms" and system information in a consistent way.  CPEs can also be used to stitch the other five component standards that make up SCAP together.  This allows XCCDF and maybe one day OVAL to target checking to the indicated platforms.

 

CPE came about because of a problem that occurred during the initial OVAL certification testing when two seemingly OVAL compatible products could not exchange system information. One called it Win2k and the other called it Windows 2000 Professional. When the system ID tables were updated to reflect the same system representation, everything worked as expected…  The need to properly exchange a standard representation of a system name (as we know it for this thread) was born, grew into XCCDF-P and morphed into CPE. This was not SCAP centered; this is structured system naming centered. How it is applied is dependent on the usage. CPE should not be developed solely for a single use case.  We could have done that with CVE nine years ago but we did not. We wanted it to be generic, simple and not targeted at a specific usage.  I'd call CVE a success today considering its wide ranging usage.  A usage I might make clear is far beyond what it was initially considered and targeted for.  If we had not taken the simple approach, it would not have found its way into as many security products, databases, and alert communications and inter-applications uses as it has.  We need CPE to be robust but at the same time not target it towards a single use case.  

 

What started this conversation was a request to add a few entries to the CPE dictionary that would allow applications to exchange a state of "unknown" to another application or consumer in CPE format.  CPE needs that ability in the dictionary as a natural extension for inter-application / product communications of structured naming information. This is not inconsistent with CPE and its usage.

 

Keeping it simple has succeeded in the past. Let's not complicate it.

 

--

Kent Landfield
Director, Risk and Compliance Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 214.385.1138 Mobile
[hidden email]
www.mcafee.com

 

---

From: Tim Keanini [mailto:[hidden email]]

Sent: Friday, August 15, 2008 2:26 PM

To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Conflicting Technical Use Cases WAS: CPE values for generic systems

 

Kent, as you point out, the original subject matter was branched as indicated by the subject line but not everyone made the jump.

 

My post was directed at Dave Mann's comments and I hope nothing in my post suggested that I was calling CPE a discovery tool – I was simply pointing out a relationship that supported Dave's hunch that  based on CPE's origin and SCAP market drivers, the CREDENTIALED END POINT MANAGEMENT mindset is dominant. 

 

To sum it up:  CPE's primary objective is to meet the needs of SCAP and the Federal market it serves.   You can only have one primary objective so if any decision being made on this list compromises the primary objective, it is not valid.  If CPE's primary objective is to serve many different markets, then we have a much different set of requirements.

 

 

--tk

 

From: Kent Landfield [mailto:[hidden email]]
Sent: Friday, August 15, 2008 1:44 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Conflicting Technical Use Cases WAS: CPE values for generic systems

 

I think the initial request was a way to report unknown information in CPE format for exchanging information between products.  I don't think the original requestor said they wanted to use CPE as discovery tool.  I agree with Joe that we need to have a means to do this if CPE is going to be used as a means to convey information about systems between differing security and network products.  This really was a simple request so that proprietary info did not need to be used and agreed on between products.

 

--

Kent Landfield
Director, Risk and Compliance Security Research
McAfee, Inc.
+1 972.963.7096 Direct
+1 214.385.1138 Mobile
[hidden email]
www.mcafee.com

 

---

From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Friday, August 15, 2008 1:13 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Conflicting Technical Use Cases WAS: CPE values for generic systems

 

For what it's worth, I'm working in the DoD requirements community and, if I'm successful, you will have at least one potential customer who will say "Provide your platform discovery data in CPE or we'll buy something else."

 

Certainly the OMB memos guiding Federal acquisitions that mandate SCAP compliance will move all the Federal Government toward CPE compliance.

 

I've already started the process of rebuilding at least one of our internally-built tools to speak CPE.

 

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Ernest Park [mailto:[hidden email]]
Sent: Friday, August 15, 2008 1:45 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Conflicting Technical Use Cases WAS: CPE values for generic systems

CPE is NOT a discovery mechanism. There are commercial and open source solutions that are readily available to do this. CPE allows us to insist on compliance to a standard for the output format for that automated discovery. How can CPE now try to automatically resolve unknown elements from the software world.  A number of companies for which members of this thread work are in the business of electronic scanning and discovery, inclusive of my employer.

 

What we need to ask for as a community is not to reinvent the wheel, but to make sure that the wheels fit tires of standard specification. If we insist that "discovery" tools output CPE compliant names as part of an inventory report, then we have acheived a milestone. That CPE output from commerically available data can then be used in other commercially available software without an API. I believe that it is the goal of interoperability with standardized names that allows us as a community to use best of breed solutions to manage all parts of our electronic infrastructure without pushing vendors to build customized integrations.

 

How nice would it be if I could take the discovery report from vendor A, input it into the policy management tool of vendor B, and use the same list for the inventory tracker of vendor C?

 

 

Regarding the rant, there is a linear relationship and a very limited hierarchy represented by a CPE name, just like phone number segments denote some hierarchy and relationship <XXX-YYY-ZZZZ>. XXX might denote a high level geographic location, YYY fine tunes it more, and ZZZZ is specific to a location within the hierarchy.

 

In CPE, there should be no more implied relationship than that. We do have the concept of parts, where the URI itself allows some additional sorting, but the name itself is not a database, and further data sorting and categorizing should be done at a level beyond the name, within specialized applications that do that.

 

Remember, if we ask a list to be a database, it constrains the list. The commercial market can add attributes and distinct data elements to the list, thereby evolving a database. The commercial market can build functionality integrating support for the list, such list that can then be used to collect database information from elsewhere.

 

The commercial vendor for whom I work lacks confidence in the need to support CPE. No customer has said - we have a CPE inventory manager. We need your scanner and policy tools to "talk CPE". When we as a community agree that this is a key and fundamental success of CPE, and when the consumer market realizes that interoperability of these distinct tools and datasources may be as close as common naming elements, then the rest of these discussions will become less relevant.

 

Lets insist that CPE compliance means the ability to respond to a formatted CPE query into XML, a database, or a structured datasource, such that the datasource needs minimally to contain certain key CPE elements, under which any number of additional public and proprietary attributes can be added. 

 

 

 

On Fri, Aug 15, 2008 at 1:22 PM, Tim Keanini <[hidden email]> wrote:

Dave,
This is valuable research and hope that there is some report of your
interviews published to other SCAP related working groups.  I know there
maybe some sensitivity to disclosure but a nice summary like the one
below would be helpful to other working groups.  All working groups
under the SCAP umbrella are dealing with similar issues.

I have always felt that CPE design proposals were biased toward
CREDENTIALED END POINT MANAGEMENT because of OVAL's credentialed view of
the world.  If we believe that automated discovery is a necessary part
of the SCAP program then OVAL will influence CPE and vice-versa.  If
this meets the requirements for SCAP, great.  If not, we will either
have to modify the design of the standard or modify the requirements but
let's just pray that somewhere there is a set of requirements that are
true to the needs of SCAP.  In other words, let's hope that this
CREDENTIALED END POINT MANAGEMENT bias satisfies the requirements of
SCAP.  Personally I have been disappointed at this requirements
gathering process and I think I speak for most commercial vendors in
expressing this frustration.

<TK rant>
The fundamental technical issue is that we are being asked to model a
space that is without question a graph.  It is a graph with many types
of nodes but more importantly, many types of relationships (certainly
more than is-member-of) and this lack of relationship types will stand
in the way of any real progress IMHO.  An example of the current state:
Each party brings their own centricity (their own root class) to the
discussion rendering a manifestation of the graph and then presents that
rendition as what we all should use. Other parties do the same and we
spin our wheels arguing about rendered hierarchies that have a
disproportionate amount of utility for one community at the expense of
another; when really we are talking about the same darn graph.  Who is
working on this graph-based model?  No one because in order for it to
succeed, we all have to be able to contribute without compromise to one
another.  The current model and political structures stand in the way of
this progress.
</TK rant>

--tk

-----Original Message-----
From: Mann, Dave [mailto:[hidden email]]
Sent: Friday, August 15, 2008 8:17 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Conflicting Technical Use Cases WAS: CPE
values for generic systems

Eric Fredericksen wrote:
>       During discovery our network scan engine will identify systems
to
> varying levels of accuracy. If we have credentials then everything is
> good. However, without credentials the fingerprinting algorithm will
> gather data and categorize the target.

Wolfkiel, Joseph wrote:
> I agree that returning scan results in some
> sort of CPE format is important to the DoD, and we do want to be able
> to communicate that we weren't able to determine the value, so I
> agree the ability to support unknowns seems like a necessary
function.



Eric, Joe et al,

I think we must open ourselves up to the very real possibility
that there are sets of technical use cases in which "platform"
information needs to be managed but that the ways of expressing
platform information in these cases will be fundementally different
from each other.  That is, we may need to consider more than one
way to express platform information.   Or, putting it yet another
way, we may need to accept that there are going to be sets of
use cases that CPE will not apply to.

I think that the situation may be analagous to how we think
about colors.   We all agree that there are colors.   I'm
wearing a maroon fleece sweater right now, for example.  But
what are colors?   How would we stuff "color" into our data
models so that we could effectively share color information?

For example, imagine that you taken by the color of my old
fleece sweater and decided that you wish to use it as the
main color in your branding.  You would need to be able to
specify this exact color to both your printer and
your web gurus so that your literature and web site would
both have the same "colors".  And if you wanted to paint your
barn or car the same color, you would need to specify the
color to the painter.

What's interesting here is that print, light display and paint
all use different encodings (called color spaces) to represent
colors.  See: http://en.wikipedia.org/wiki/Color_space  for a
starting point.   So here we have the same fleece jacket.
Agreement by all parties that it has the same color but different
ways of representing that color.   More deeply, the different
technical use cases (print, web, paint) demand these different
representations and worse, sometimes color spaces are non-comparable.



What I'm suggesting may be farily radical.  As I understood it,
the original goal of Neil Ziring's (NSA) XCCDF-P was to create
a scheme that would allows platforms to be identified in a
universal way and I believe that CPE has been trying to stay
true to that vision.   However, if I am correct and if the
concept of "platform" is similar to the concept of "color"
we may need to admit that CPE will be tremendously useful for
some technical uses but not for others and, in fact, that
other use cases might only be satisfied by a different,
perhaps incomparable "platform spaces".

Several weeks ago we posted an appeal for people to volunteer
to be interviewed regarding their own technical use cases.
We have interviewed many of you (huge thanks) and are still
actively seeking to interview others (please send me e-mail
if you are interested).   It is still too early for me to
give definitive results as we are still processing the information
as a team but given this thread, it might be useful for
me to share my current working hypothesis.

I think I'm hearing 4 different and largely incomparable
frames of reference for thinking about "platform":

+ NETWORK CENTRIC - Seen among network scanners.  Evidence
 for identifications starts with IP and climbs the network
 stack model to try to discover "platforms".

+ CREDENTIALED END POINT MANAGEMENT - Seen among configuration
 audit, end point management and asset inventory tools.
 Sees "platforms" as "units of management".   Typically
 needs OSes and applications to be seen as peer concepts.

+ FORENSICS/OS ARCHITECTURE VIEW - Seen among OS vendors
 and vulnerability analysis.  Typically views platforms
 and applications as a part of shipping OS.  Needs to identify
 system sub-components (files, librarys, shared dlls)

+ OS DEVELOPMENT/MARKETING VIEW - Seen among OS vendors
 and their customrs.  Sees "platforms" in terms of development
 efforts with requirements, schedules, gold dates, licenses
 and inventory numbers.  Must deal with suite and components
 issues (e.g. Office vs Word, what is "Tivioli"?).  This view
 may overlap with the end point management view.

My sense is that CPE will be the most closely aligned with
the "Credentialed End Point Management" view, as I think that
is the view that was largely driving the XCCDF issues that
ultimately gave birth to CPE.

I recognize that the implication of I'm suggesting means
that there will be winners and losers with respect to
CPE utility.  But if I'm correct, it will be impossible for
us to construct a "platform space" that will satisfy all
technical use cases.  If this is true, the best we will
be able to do is to a) identify those technical use cases
that CPE is good for and b) consider the possible need for
other platform encodings for other technical use cases if
the demand is big enough.

I'll close with one last observation.   Many, many, many
objects in our day to day lives have (by necessity) multiple
identification schemes associated with them.  Our cars have
both VINs and License Plates.  Books cary ISBNs, Library of
Congress IDs and UPCs.  My laptop has 4 different serial
numbers on it and a MITRE inventory number.   We may need
to accept that "platforms" are going to require multiple
"platform spaces" in the same way.

Feedback very much wanted on this...

-Dave
=================================================================
    [hidden email]    |      cell:781.424.6003
=================================================================

 

Drew,

For case #1, the desire was to show that a tool was unable to determine
which operating system was installed.  Based on the spec, "cpe:/o"
basically states that it is a match for all operating systems.  If you
used this cpeID as a cross ref to look up vulnerabilities from the NVD,
you'd get all vulnerabilities for every operating system.  It's not
clear to me that everyone agrees that being unable to determine OS
should require you to match all OSs.

For case #2, It's not clear in my mind how, exactly we'd manage the
[family] concept.  The case that comes to mind for me is if we have a
passive scanner (e.g. NetMap) that watches traffic pass, and determines
that a box is some flavor of UNIX (possibly by seeing a BIND, FTP, or
SMTP service running is a UNIX daemon), but that's all.  You would infer
a cpe of cpe:/o::[family=UNIX] and publish that as scan results.  This
is probably the case where I have the least strong feelings.  It would
also be reasonable to take the "Family" stuff and put it into a tag that
would be appended to the CPE as metadata and would fall outside the
spec.  We could also use "group," which is more generic. Example:

<platform_description>
    <cpeItem>cpe:/o</cpeItem>
    <family>product:UNIX</family>
</platform_description>

For case #3, I think we need to do something to prevent a blank
component from requiring a match against all possible values of that
component.  I think this is an inherent part of the cpeID string and
can't be gracefully resolved outside of the specification.  Even coming
to a convention such as populating empty components with "no_component",
"blank", or some other value would resolve this issue.

 

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T)
Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700



-----Original Message-----

From: Buttner, Drew [mailto:[hidden email]]
Sent: Monday, August 18, 2008 10:09 PM
To: [hidden email]

Subject: Re: [CPE-DISCUSSION-LIST] CPE values for generic systems


I think I am hearing a request for 3 different technical needs in this
thread.

#1 - ability to name unknown platforms
#2 - ability to enumerate family / type information
#3 - ability to specify 'component does not apply'

For #1, you bring up the example of an unknown operating system.
Doesn't
the name "cpe:/o" satisfy this need?  What this name is supposed to
represent is the platform type of an operating system (any operating
system).  In other words, for your discovery use case, if you want to
report
that the system has an operating system installed but that you don't
have
any additional information, you could tag that part of the result set
with
"cpe:/o"

For #2, I agree that this type of enumeration is needed somewhere.  OVAL
needs the same thing and currently defines a <family> element to relay
this
information.  I'm intrigued by Lt. Col Wolfkiel's proposal, but I think
some
questions still remain.  I would think that if family information was
added
to the current CPE Name structure that it would want to be part of the
matching functionality.  Put another way, if we have a name for Sun
Solaris,
that we know that this platform type is part of the UNIX platform type.
Since the UNIX platform type would not have the same vendor component, I
don't see how matching would occur given the [family=xxxxx] proposal.
Are
we trying to push too much information into a name that is suppose to
enumerate a 'thing'?  Is the solution to this have a separate
enumeration
for family and then relate CPE Names to a certain family (or multiple
families).  This information could be available in a language format and
carried by those use cases that need such information?

For #3, I can see how this is different than the empty component, which
targets all things.  A blank version component would be used to identify
all
versions of a given vendor:product.  But what if the platform doesn't
have a
version?  (or more likely doesn't have an edition)  I'm not exactly sure
the
best way forward here.  Is creating a special character(s) going to
cause
problems down the road?

Maybe an even better question is if there really is a difference between
a
name that leaves a component blank and a name that uses a 'null' code.
In
both cases, would the platform type being identified be the same thing?

Definitely looking for more discussion on these points.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

OK. Now you've done it. You made me read through all 30+ pages of the CPE specification. :)

I am not going to try responding to the collection of philosophical positions expressed in this email thread. What I will do is

1) clarify what I was asking for
2) explain why I think the request is reasonable
3) make a proposal that follows the spec and achieves the desired goal
4) make a proposal for a modification of the spec that provides more capability of this type

PLEASE NOTE: I will be using the terms CATEGORY or CATEGORIZATION to mean GROUPING of items into a SET. This is not to be confused with creating a "unique categorization of a platform" by populating the CPE name components with unique values.

IMPORTANT – I would like to get a consensus on (3) before this thread expands the way it did last time. :) I ask this because anything taking the path of (4) (or any other expansion of the spec) will take too long for my current needs. Thanks in advance for your aid in this.

              ======================
1) We (my employer and this community) need to define and communicate CPE item categories (reminder: I mean groupings) that do not require enumeration (and hence constant updating) of all CPE names in the category. The reasons we need this capability were well enunciated in the thread(s) so I will refrain from reiterating them.

The category-type needs stated in my original posting were:

        CPE items with an unknown OS
        CPE items that are routers
        CPE items that are printers
        CPE items with an os in the unix family
       
I am studiously avoiding the terms "system" and "platform" because of the ambiguity involved.

              ======================
2) It looks to me like the CPE specification already supports categorization. I'll explain.

2.1) The CPE specification does not attempt to follow or enforce a philosophy that CPE names map to a unique product.

CPE section 4. - "Security guidance information and vulnerability information apply to a wide range of product and system categories. For example, some vulnerabilities affect an entire product line, while others affect only a particular product release or version. Some guidance applies to entire product family or system type, but other guidance can apply only to a particular version of an application running on a particular OS release.

• CPE MUST be able to express platform information across a wide range of specificity."

NOTE: There is a specific reference to "system type". I equate the category names unknown, unix, router, and printer to "system type" and categorization falls into "wide range of specificity".

       
2.2) The CPE specification acknowledges that it would be unrealistic to expect that we can design a system that works like IUPAC nomenclature does for chemistry (http://en.wikipedia.org/wiki/International_Union_of_Pure_and_Applied_Chemistry_nomenclature).

       

CPE section 4. - "One of the goals of the CPE Specification is to outline a way for unique names to be created in a defined way. For example, if two people were to try to create a new CPE Name for the same application, the hope is that by following the specification, that they will come up with the same name. It is realized though that this is unrealistic for a requirement."

2.3) The CPE naming structure already explicitly allows definition of categories in the matching algorithm and name structure.

CPE section 5.2 - "Empty components are legal; they designate a part of the platform name for which any aspect of the platform is valid."

CPE section 7.2 - "CPE Name Matching" -
                if comp(X,i) = comp(N,i) or comp(X,i) = ""
                then
                        r := true.
                else
                        r := false.

An empty component entry means "match everything". For example, cpe:/o:microsoft is the category of all Microsoft operating systems. The "prefix property" allows for grouping of across vendors and within products of a vendor. Why should CPE not allow categorization across products as apparently called out in (2.1) above?

              ======================
3) This is a proposal using the current CPE specification.

Here is some text from the specification:

CPE section 5.1 - "Note that the distinction between OS and Application is currently a bit of a grey area. The argument could be made that the OS is just another application."

CPE section 5.5 - "This example name below refers to a Cisco model 3825 integrated services router.
                        cpe:/h:cisco:router:3825"

The example above is already 95% of what I asked for a router class. :)
                       
So, reading the CPE specification without invoking any specific philosophy regarding the proper employment of the CPE specification leads me to propose the following possible solutions. Many use the term "unknown". Why? The OVAL specification has the concept of OS categorization (the family test) – and OVAL 5.5 is adding three new categories to that list. One of those is the category "unknown".

NOTE: There was some discussion of the semantics of "unknown" in this thread. In summary, the question was: "Is the intent of unknown to match every OS or to not match any OS?" I assert that the answer is not only product dependent but use-case dependent. I will therefore avoid taking sides on the "match everything" or "express uncertainty" debate.

                PROPOSED CATEGORY NAMES using CPE 2.1

== CPE items with an unknown OS ==
One or more of the following:

        cpe:/o
        cpe:/o:unknown

== CPE items that are routers ==
One or more of the following:

        cpe:/h::router
        cpe:/a::router
        cpe:/h:unknown:router
        cpe:/a:unknown:router

== CPE items that are printers ==
One or more of the following:

        cpe:/h::printer
        cpe:/a::printer
        cpe:/h:unknown:printer
        cpe:/a:unknown:printer

== CPE items with a UNIX OS ==
One or more of the following:

        cpe:/o:unix
        cpe:/o::unix
        cpe:/o:unknown:unix

This last one feels like it has a worse fit. However, note that OVAL already includes a category of UNIX (in addition to unknown, windows, etc)

STOP HERE! DO NOT READ FURTHER :) (until you respond to (3), please)

              ======================
4) Ok. I know the proposal made in (3) above is not aesthetically pleasing. :) I think that, at least in part, this is because the tokens "router", "printer", and "unix" do not properly fit their slots. They are, arguably, "roles" as indicated in at least one email in this thread. Other folks might want to think of these tokens as tags or attributes applied to the thing of interest. In either case they feel a bit "wrong".  They "inject impurity" into the CPE names because they are not specific products.

How can we do better? I observed that the XSD for CPE defines an acceptable CPE name component with a regular expression.

                       
        <xsd:pattern value="[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"/>

Perhaps we can alleviate our communal feeling of "wrongness" if we just expand the CPE naming convention to include regular expressions.  We already use regular expressions throughout the SCAP standards, so why not here? Moreover, use of regular expressions would simply require an extension of the matching algorithm as defined in the spec.

According to the specification these CPE names are an equivalence class:

        cpe:/o          cpe:/o:         cpe:/o::                cpe:/o:::
        cpe:/o::::      cpe:/o:::::     cpe:/o::::::

Using simplified regular expression syntax, the category could be expressed abstractly as

        cpe:/o:*        ….      cpe:/o:*:*:*:*:*:*

So printer and router categories might be defined as

        cpe:h:*:*router*

        cpe:h:*:*printer*

Two problems arise here:

a) Using regular expressions requires correctness by convention: CPE component strings must include the required token (e.g., printer or router).

I think that (a) is not a problem because even if we build a categorization extension to CPE where we "tag" or "decorate" individual items with properties we would still be compelled use the same approach: define a set of known tokens for attributes and require that tags be properly applied. Using regular expressions avoids building a whole new tagging or attribute system.

b) The current definition of CPE naming does not allow for insertion of regular expressions.

One method to deal with (b) is to introduce characters that indicate the regex, e.g., curly braces (example using more familiar syntax).

        cpe:{h|o}:cisco:{router|IOS}

A second method to deal with (b) is to introduce an entirely new URN. Call it "cpc" for common platform category (not that I am a fan of creating more TLAs).  This new thing allows regular expressions for defining categories (collections) of CPE names. Defined as: 

        "[c][pP][cC]:{REGEX}?(:{ REGEX }?){0,6}"

where REGEX represents the regular expression. The first { REGEX } instance is to match the "part" component of cpe names. Note that we can retain or omit the "empty entry" syntax to mean ".*" if we wish.

Our example then becomes

        cpc:{h|o}:cisco:{router|IOS}

This approach will provide for a great deal of flexibility in categorization without invoking a heavyweight implementation for categorization.

Regards,
Eric

Eric Fredericksen, PhD
Solutions Architect
Risk and Compliance Business Unit
McAfee, Inc.

949.297.5600 Main
949.297.5574 Direct
949.466.5196 Mobile
949.297.5575 Fax

[hidden email]
www.mcafee.com

This email may contain confidential and privileged information for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies of this message. Thank you.

 

-----Original Message-----

From: Buttner, Drew [[hidden email]]

Sent: Monday, August 18, 2008 7:09 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE values for generic systems

I think I am hearing a request for 3 different technical needs in this
thread.

#1 - ability to name unknown platforms
#2 - ability to enumerate family / type information
#3 - ability to specify 'component does not apply'

For #1, you bring up the example of an unknown operating system.  Doesn't
the name "cpe:/o" satisfy this need?  What this name is supposed to
represent is the platform type of an operating system (any operating
system).  In other words, for your discovery use case, if you want to report
that the system has an operating system installed but that you don't have
any additional information, you could tag that part of the result set with
"cpe:/o"

For #2, I agree that this type of enumeration is needed somewhere.  OVAL
needs the same thing and currently defines a <family> element to relay this
information.  I'm intrigued by Lt. Col Wolfkiel's proposal, but I think some
questions still remain.  I would think that if family information was added
to the current CPE Name structure that it would want to be part of the
matching functionality.  Put another way, if we have a name for Sun Solaris,
that we know that this platform type is part of the UNIX platform type.
Since the UNIX platform type would not have the same vendor component, I
don't see how matching would occur given the [family=xxxxx] proposal.  Are
we trying to push too much information into a name that is suppose to
enumerate a 'thing'?  Is the solution to this have a separate enumeration
for family and then relate CPE Names to a certain family (or multiple
families).  This information could be available in a language format and
carried by those use cases that need such information?

For #3, I can see how this is different than the empty component, which
targets all things.  A blank version component would be used to identify all
versions of a given vendor:product.  But what if the platform doesn't have a
version?  (or more likely doesn't have an edition)  I'm not exactly sure the
best way forward here.  Is creating a special character(s) going to cause
problems down the road?

Maybe an even better question is if there really is a difference between a
name that leaves a component blank and a name that uses a 'null' code.  In
both cases, would the platform type being identified be the same thing?

Definitely looking for more discussion on these points.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515