Faceted Vocabulary

Tim Keanini Sr.

Faceted Vocabulary


Greetings,

I’d like to make an observation.  I didn’t have time to boil it down so I apologize for the length.

I am painfully aware of the problems and inefficiencies related to not having CPE.  My conversations regarding a common namespace for IT-related entities began back in 2001, and when I explained this notion and value proposition to customers, they were quick to draw a parallel to other common namespaces that transformed the marketplace, like the book industry’s ISBN or the retail industry’s Universal Product Code (UPC).  It solved an identity problem (meaninglessly) for a global industry (or domain), and in the case of UPC it transformed the balance of power between retailers (like supermarkets) and large manufacturers [Alvin Toffler, Powershift].

Most of the discussion so far has been around the structure of the name: whether to offer more or fewer logical features, and whether or not it is faithfully modeling the world it represents.  The current design of CPE is a faceted vocabulary system that can only work if the prescribed citation order (HW/OS/App) holds across the world we wish to represent.  There are many items that a CVE or CCE references that will not play nicely with a single fixed citation order.  Allow me to explain.

A faceted (analytico-synthetic) vocabulary system has the attractive property of being inductive.  I can see how that feature would be attractive to the folks at NVD and how it would fit with the goal of any vendor creating their own name that was lawful to the CPE rules and syntactically correct.  An analytical study of the IT world is used to distinguish features and properties of the elements; these are then synthesized into groups, and these groups into larger groups, and so on.  Essentially, it is a controlled vocabulary of concepts and their associated labels that can be used, in association with a notation and a prescribed citation order, to synthesize the classes that will populate the classification scheme [E. Jacob].  A simple example would be a faceted vocabulary used to classify the world of automobiles.  It would include mutually exclusive facets for “color” {red, blue, green}, “body style” {sedan, coupe, wagon}, and “transmission” {manual, automatic}.  Following the citation order “body style” – “transmission” – “color”, classes would be constructed by selecting a single value from each facet.  Example: (sedan, automatic, red).

It is because a faceted classification scheme adheres to a fixed citation order during the construction of individual classes that the resulting structure, like an enumerative scheme, is necessarily hierarchical.  This is also the reason why I believe we will continue to struggle to find a single fixed citation order for a dynamic world like information technology.  The minute we start talking about DLLs, loadable kernel modules, and shared libraries like OpenSSL or libxml, the prescribed structure of the world begins to break down.

I apologize for the length of this posting.  I'm simply trying to make sense of it all.

--tk


--
Timothy 'TK' Keanini, CTO

101 Second Street, Suite 400
San Francisco, CA  94105
Office: +1 415 625 5939
Mobile: +1 415 328 2722
Fax: +1 415 625 5984


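As an added illustration of the faceted scheme described in the post above (example code written for this page, not something from the original posting, from nCircle, or from the CPE specification), the following Python builds the classes of a vocabulary in a fixed citation order, nests them into the hierarchy that order implies, and then shows what the scheme does with a shared library. The automobile facets are the ones from the post; the HW/OS/App facet values and the library placements are constructed for illustration and are not CPE names.

```python
"""Added example, not code from the thread: a small faceted-classification
engine that makes two points concrete.  (1) Classes are synthesized by taking
exactly one value from each facet in a fixed citation order, so the result is
a strict hierarchy.  (2) A shared library such as OpenSSL has no single home
in such a scheme: it is repeated once per combination of the facets cited
before it, and if it is listed under two facets the facets stop being
mutually exclusive.  All IT facet values below are constructed for
illustration; they are not CPE names.
"""
from itertools import product


def synthesize(facets, citation_order):
    """Return every class of the vocabulary as a tuple ordered by
    `citation_order`: one value per facet, all combinations."""
    missing = [f for f in citation_order if f not in facets]
    if missing:
        raise KeyError(f"citation order names unknown facets: {missing}")
    return [tuple(c) for c in product(*(facets[f] for f in citation_order))]


def to_hierarchy(classes):
    """Nest the classes into a tree.  Every class cites facets in the same
    order, so each node has exactly one parent: a fixed citation order makes
    the scheme hierarchical, the same way an enumerative scheme is."""
    root = {}
    for cls in classes:
        node = root
        for value in cls:
            node = node.setdefault(value, {})
    return root


def parents_of(classes, value):
    """Every distinct path of earlier facets under which `value` is filed.
    A value cited late in the order is repeated once per combination of the
    facets before it, so one artifact gets many class names."""
    return sorted({cls[:i] for cls in classes for i, v in enumerate(cls) if v == value})


def overlaps(facets):
    """Values that appear in more than one facet.  Facets must be mutually
    exclusive; a non-empty result means one artifact would get two
    incomparable names depending on which facet the namer chose."""
    seen = {}
    for facet, values in facets.items():
        for v in values:
            seen.setdefault(v, []).append(facet)
    return {v: fs for v, fs in seen.items() if len(fs) > 1}


# The automobile vocabulary from the post, citation order body style / transmission / color.
CAR_FACETS = {
    "color": ["red", "blue", "green"],
    "body_style": ["sedan", "coupe", "wagon"],
    "transmission": ["manual", "automatic"],
}
CAR_ORDER = ("body_style", "transmission", "color")

# A constructed IT vocabulary with the HW/OS/App citation order.  OpenSSL is
# filed as an application here, the only slot the scheme allows it to occupy.
IT_FACETS = {
    "hw": ["x86", "sparc"],
    "os": ["windows_xp", "solaris_10"],
    "app": ["apache_httpd", "openssl"],
}
IT_ORDER = ("hw", "os", "app")

# The same vocabulary when one namer files OpenSSL as an OS component (it
# ships with the OS) and another files it as an application dependency.
AMBIGUOUS_FACETS = {
    "hw": ["x86"],
    "os": ["solaris_10", "openssl"],
    "app": ["apache_httpd", "openssl"],
}


if __name__ == "__main__":
    cars = synthesize(CAR_FACETS, CAR_ORDER)
    print(len(cars), "car classes; first:", cars[0])           # 18 classes
    it = synthesize(IT_FACETS, IT_ORDER)
    print("openssl is filed under", len(parents_of(it, "openssl")), "parents:")
    for parent in parents_of(it, "openssl"):
        print("  ", parent)
    print("facet overlap:", overlaps(AMBIGUOUS_FACETS))   # {'openssl': ['os', 'app']}
```

With the HW/OS/App order, one OpenSSL build that Apache links on every platform receives four distinct class names, and as soon as two namers disagree about whether the library is an OS component or an application the `overlaps` check fails, which is the mutual-exclusivity requirement of a faceted vocabulary being violated by the artifact rather than by the namers.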

Ken Lassesen-2

Re: Faceted Vocabulary

Welcome Tim,

I'm in agreement with you about the nature of the problem, and view one of the challenges as caused by one initiative trying to serve too many masters. Coming at it as a Solution Architect, I want to see it tied to concrete realization -- i.e. I want to be able to answer true or false whether a specific CPE is present on the system via a simple mechanical process. Others are approaching it from a management or even abstract academic analysis.

Personally I would like CPEs to be matched to OVAL tests with a new test called <cpe_test ref="...cpe value.."/> (which may be a reference to other tests). Then have a semi-open repository where new CPEs may be added (and to add, you must also include the OVAL test that matches). Once a CPE has been added, it is controlled, but the addition is open to anyone (so there is no time delay in addressing an issue).


Ken Lassesen,
HomeOffice: 360-297-4717   Cell: 360-509-2402  Fax: 928-832-6836
IM: [hidden email]  [hidden email]
[hidden email] 
CONFIDENTIALITY NOTICE
The information contained in this electronic message may contain confidential and privileged information and is intended only for use by the individual(s) or entity(ies) to whom it was addressed. Any unauthorized review, use, disclosure, or distribution of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and permanently delete and destroy the original message.

From: Tim Keanini Sr. [mailto:[hidden email]]
Sent: Wednesday, May 23, 2007 12:22 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Faceted Vocabulary


Waltermire, Dave [USA]

Re: Faceted Vocabulary

I share similar reservations regarding CPE.  As Tim stated, “the specification document does much more to describe the current design than it does the functional objectives and design principles.”  To me the #1 functional objective for CPE is to describe a common language/pattern for naming platforms or platform components.  This goal is paramount to getting tools and data repositories to interoperate.  The bottom line is we need to be speaking the same language when we describe platforms.  Mixing and matching platform components with logical operators is way beyond the scope of simply defining a common name for a platform component (HW/OS/APP) in my opinion.

By adding a modicum of logical operations in a CPE we no longer have a distinct globally unique identifier for a platform or platform component.  For example:

cpe://microsoft:windows:vista!xp

vs.

cpe://microsoft:windows:xp!vista

These CPEs are essentially the same, but I am unable to determine that by simply comparing the strings.  Instead I need to deconstruct the CPE representation and then analyze the logical operations.

As Ken pointed out, one strength of CPE is that we can associate a CPE with a system inventory OVAL definition that defines what a CPE represents.  It would be a worthwhile goal to provide an inventory definition for all commonly used CPEs.  Given the examples above, we would need to either provide a complex inventory definition that is mapped to both or decompose the logic to look up which OS-specific inventory definitions to use.  This essentially limits the usefulness, or at least complicates the use, of CPEs in XML-based processing such as XSLT and other tools.  This is not ideal.

By using CPE as part of a query schema we can represent the above as:

<or>
  <cpe id="cpe://microsoft:windows:vista"/>
  <cpe id="cpe://microsoft:windows:xp"/>
</or>

In this example both CPE references are globally unique and this construct is much easier to match against or process.

My recommendation: It might make sense to remove matching from the CPE notation altogether and instead develop a normalized matching scheme with specific bindings to support use in XML or other representations.  This should result in CPEs always being globally unique and useful as long-term identifiers, while still providing standardization around matching implementations.

Thoughts?

Dave


From: Ken Lassesen [mailto:[hidden email]]
Sent: Wednesday, May 23, 2007 4:16 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Faceted Vocabulary

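An added example (not code from the thread, nor from the CPE or OVAL projects) that carries the comparison in Dave's message through in Python and also implements the mechanical true/false presence check Ken asked for in his reply. It assumes the 2007 draft notation quoted above, `cpe://vendor:product:version` with `!` marking alternatives; that operator is not part of the later CPE 2.3 standard, the expansion of several `!` fields into a cross product is my reading of it, and the host inventories are constructed stand-ins for what an OVAL inventory definition would report.

```python
"""Added example, not code from the thread: why a CPE that embeds a logical
operator is not a usable identifier, and how the query-schema form (operators
in the XML, atomic CPEs as leaves) gives both string-comparable names and a
mechanical true/false presence check.

Assumptions (mine, hypothetical): the 2007 draft notation quoted in the thread,
cpe://<vendor>:<product>:<version>, where a component may carry '!'-separated
alternatives (vista!xp).  Current CPE 2.3 has no such operator.  The host
inventories below are constructed sets of atomic CPEs, standing in for what an
OVAL inventory definition would report.
"""
import xml.etree.ElementTree as ET
from itertools import product

PREFIX = "cpe://"


def parse_components(cpe):
    """'cpe://a:b:c!d' -> [['a'], ['b'], ['c', 'd']]."""
    if not cpe.startswith(PREFIX) or len(cpe) == len(PREFIX):
        raise ValueError(f"not a cpe URI: {cpe!r}")
    return [field.split("!") for field in cpe[len(PREFIX):].split(":")]


def expand(cpe):
    """Expand every '!' alternative into the set of atomic (operator-free) CPEs
    the name denotes.  This is the 'deconstruct and analyze' step the thread
    says is needed before two operator-bearing names can be compared.  When
    several components carry alternatives the sets multiply (my reading of '!')."""
    return frozenset(PREFIX + ":".join(combo) for combo in product(*parse_components(cpe)))


def is_atomic(cpe):
    """True when the name denotes exactly one platform, i.e. carries no operator."""
    return len(expand(cpe)) == 1


def same_platforms(a, b):
    """Semantic equality of two draft CPEs: equal after expansion, even though
    'vista!xp' and 'xp!vista' differ as strings."""
    return expand(a) == expand(b)


def evaluate(node, inventory):
    """Evaluate an <and>/<or>/<cpe id=.../> query tree against the atomic CPEs
    present on a host.  Operators live in the XML, so each <cpe id> stays a
    plain globally unique string matched by set membership, and a leaf that
    smuggles an operator back in is rejected rather than silently mismatched."""
    if node.tag == "cpe":
        cpe_id = node.get("id", "")
        if not is_atomic(cpe_id):
            raise ValueError(f"query leaf must be an atomic CPE: {cpe_id!r}")
        return cpe_id in inventory
    if node.tag == "or":
        return any(evaluate(child, inventory) for child in node)
    if node.tag == "and":
        return all(evaluate(child, inventory) for child in node)
    raise ValueError(f"unknown query element <{node.tag}>")


def query_matches(query_xml, inventory):
    """True/false: does the host inventory satisfy the query?"""
    return evaluate(ET.fromstring(query_xml), frozenset(inventory))


# The two names from the thread and their query-schema equivalent.
VISTA_XP = "cpe://microsoft:windows:vista!xp"
XP_VISTA = "cpe://microsoft:windows:xp!vista"
WINDOWS_QUERY = """<or>
  <cpe id="cpe://microsoft:windows:vista"/>
  <cpe id="cpe://microsoft:windows:xp"/>
</or>"""

# Constructed host inventories (what a platform inventory scan would return).
HOST_XP = {"cpe://microsoft:windows:xp", "cpe://apache:httpd:2.2"}
HOST_LINUX = {"cpe://redhat:enterprise_linux:5", "cpe://apache:httpd:2.2"}


if __name__ == "__main__":
    print("string equality:", VISTA_XP == XP_VISTA)                    # False
    print("after expansion:", same_platforms(VISTA_XP, XP_VISTA))      # True
    print("xp host matches:", query_matches(WINDOWS_QUERY, HOST_XP))   # True
    print("linux host matches:", query_matches(WINDOWS_QUERY, HOST_LINUX))  # False
```

The `expand` step is exactly the per-consumer work that an operator-bearing name forces on every XSLT stylesheet, database index, or scanner that wants to compare two CPEs; with the `<or>` form the leaves are compared by plain set membership and the operator handling sits in one small evaluator, which is the separation Dave recommends. The `ValueError` on a non-atomic leaf is the guard that keeps the two layers apart.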