Some thoughts from the NVD Analyst standpoint...
>(Thomas) How does one
>specify an inclusive operator for sp/sptp? For instance how would I
>specify all versions of Novell Netware 5.1 with support pack greater
>than 4? e.g. cpe://novell:netware:5.1::sptp4+
RESPONSE: As Drew stated, there is no way to express this in CPE, and
we have not defined a way in the NVD Analyst Documentation. This is a
very rare occurrence from my experience, and could easily be handled by
the analysts in a few different ways (high-level: adding a note to the
appropriate comment field, or perhaps even adding an "and later"
designation much like we have an "and previous" designation). This
would have to be discussed internally to decide the best way...those are
just for demonstration. Obviously a goal would be for whatever
designation we decide to be machine-readable...I think we could make
that happen but it would take some thought.
>(Drew) - We could remove all logic and have a flat name that has no
>meaning (cpe-123) but also remove the ability to match.
RESPONSE: I think the matching functionality is a requirement, so my
impression is that this is not an option (please correct me if I'm
wrong)
>(Drew) - We could add more logic and produce a full language for
>describing a desired platform.
RESPONSE: Theoretically I think this is an amazing idea, but I wonder
about the feasibility of implementing this given the make-up of the way
we currently do things. If we were to switch to this format, a number
of concerns arise: 1) How long would it take to define the language (and
what do we do in the meantime)? 2) What are the consequences to the CPE
Dictionary (how many changes would have to be made)? 3) If we determine
there are a huge amount of changes that have to be made to the CPE
Dictionary, how long is that going to take and what resources do we use?
4) Will the language be flexible enough to provide for future caveats
(such as the one described by Thomas above)? 5) Will the new language
affect the average turnaround time of new vulnerability analysis?
(That's just an example...I am certain I could come up with more
questions and concerns if I had time to think about it some more.)
>(Drew) - We could continue to balance on the fence and try to find the
>best of both worlds and realize that a line has to be drawn somewhere
>leaving out certain types of logic.
RESPONSE: I can see why this may seem like an undesirable choice, but I
think it is the one that makes the most sense (again, from an NVD
Analyst point-of-view). I feel like we have been able to respond
favorably to caveats that have arisen, and should be able to continue to
respond favorably as new caveats emerge.
Let me know what you think...
Thanks!
Doug
-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Thursday, April 26, 2007 10:18 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Inclusive operation
There is currently no way to do this in CPE.
This touches on a bigger question for CPE that we have struggled with
since the beginning. How much logic should be embedded in a name? We
did not want to create a language for defining platforms, but rather we
wanted to create a naming scheme where structure of the name was known
so new names could be created by anyone with knowledge of the
specification. In addition, this structure could support matching
operations where we could determine the truth value associated with a
given name based on the known truth values associated with related
names.
I will admit that CPE is currently straddling the fence here. There are
some structures within the specification that make it look like a
language, and there is the goal to have a straight enumeration. Which
path should we continue down?
- We could add more logic and produce a full language for describing a
desired platform.
- We could remove all logic and have a flat name that has no meaning
(cpe-123) but also remove the ability to match.
- We could continue to balance on the fence and try to find the best of
both worlds and realize that a line has to be drawn somewhere leaving
out certain types of logic.
Drew
>-----Original Message-----
>From: Thomas R. Jones [mailto:[hidden email]]
>Sent: Wednesday, April 25, 2007 6:33 PM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] Inclusive operation
>
>Hello all,
>
>I am working on development of the CPE declarations for Novell
>products. So far so good. But I was wondering one thing. How does one
>specify an inclusive operator for sp/sptp? For instance how would I
>specify all versions of Novell Netware 5.1 with support pack greater
>than 4? e.g. cpe://novell:netware:5.1::sptp4+
>
>Also in the dictionary as of 17:30 CST the declaration for "Red Hat
>Linux" includes a stray colon at the end. This is not needed. <Line
>158 Char 39>
>
>Thanks.
>Thomas
>
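The thread above turns on two things: the positional, prefix-style matching that Drew describes (a name with unspecified trailing components matches any more specific name), and the "and later" / "and previous" designation Doug floats for cases like Thomas's `sptp4+`. The following script is an added illustration, not part of the original e-mails and not code from NVD, MITRE or the CPE specification. It parses the `cpe://vendor:product:version:update:...` shape used in the thread, implements the plain component-by-component match, and adds a hypothetical trailing `+` ("this update and later") and `-` ("this update and previous") marker on a component; those markers, the `sptp`/`sp` label comparison, and the inventory names are assumptions made for the example. It also shows why the stray trailing colon Thomas reports is harmless to matching but worth normalizing away before names are compared as strings.

```python
import re
from typing import List, Optional, Tuple

PREFIX = "cpe://"
# Hypothetical range markers on a component (NOT part of any CPE spec).
LATER, PREVIOUS = "+", "-"

# 'sp4' -> ('sp', 4); 'sptp4' -> ('sptp', 4). Used for ordering updates.
_UPDATE_RE = re.compile(r"^([a-z]*)(\d+)$")


def parse_cpe(name: str) -> List[str]:
    """Split a cpe://vendor:product:version:update:... name into components.
    An empty component, or one that is absent at the tail, means 'any'."""
    if not name.startswith(PREFIX):
        raise ValueError(f"not a CPE name: {name!r}")
    body = name[len(PREFIX):]
    return [c.strip().lower() for c in body.split(":")] if body else []


def normalize_cpe(name: str) -> str:
    """Drop trailing empty components (e.g. a stray ':' at the end) so that
    two names that match identically also compare equal as strings."""
    parts = parse_cpe(name)
    while parts and parts[-1] == "":
        parts.pop()
    return PREFIX + ":".join(parts)


def split_update(component: str) -> Optional[Tuple[str, int]]:
    m = _UPDATE_RE.match(component)
    return (m.group(1), int(m.group(2))) if m else None


def component_matches(pattern: str, value: str) -> bool:
    """One pattern component against the same position of a concrete name."""
    if pattern == "":
        return True  # unspecified in the pattern: accept anything
    if len(pattern) > 1 and pattern[-1] in (LATER, PREVIOUS):
        base, op = pattern[:-1], pattern[-1]
        p, v = split_update(base), split_update(value)
        # A range only makes sense when both sides carry the same label
        # (sp vs sptp are different update lines and are not compared).
        if p is None or v is None or p[0] != v[0]:
            return False
        return v[1] >= p[1] if op == LATER else v[1] <= p[1]
    return pattern == value


def cpe_matches(pattern: str, name: str) -> bool:
    """True if every component given in `pattern` accepts the corresponding
    component of `name`; components the pattern omits match anything."""
    pat, tgt = parse_cpe(pattern), parse_cpe(name)
    tgt = tgt + [""] * max(0, len(pat) - len(tgt))  # pad a shorter target
    return all(component_matches(p, t) for p, t in zip(pat, tgt))


def find_affected(patterns: List[str], inventory: List[str]) -> List[str]:
    """Return the inventory names matched by at least one advisory pattern."""
    return [n for n in inventory if any(cpe_matches(p, n) for p in patterns)]


# Constructed sample inventory for the demonstration (not real NVD data).
INVENTORY = [
    "cpe://novell:netware:5.1::sptp3",
    "cpe://novell:netware:5.1::sptp4",
    "cpe://novell:netware:5.1::sptp6",
    "cpe://novell:netware:5.1::sp6",
    "cpe://novell:netware:6.5::sp3",
    "cpe://redhat:linux:9:",
]

if __name__ == "__main__":
    # Thomas's example: every NetWare 5.1 with support pack >= 4.
    for n in find_affected(["cpe://novell:netware:5.1::sptp4+"], INVENTORY):
        print("affected:", n)
    print("normalized:", normalize_cpe("cpe://redhat:linux:9:"))
```

The `+`/`-` handling is deliberately confined to one component and one label, because that is the line Drew's third option draws: enough structure that an analyst's "and later" note becomes machine-checkable, without turning the name into a general platform language.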