Re: Updated CPE Dictionary Posted - 20080421 version

Harold Booth-2


Gary,

  Responses are embedded below:

Quoting Gary Gapinski <[hidden email]>:
> The product name was changed from "National Vulnerability Database" to
> NVD. Was this intentional, and is this the permanent value?
>
> The product version was changed from "3.0" to "DEBUG". Was this
> intentional, and should this document be considered a "debug" document?

  Neither value change was intentional and is an artifact of how the dictionary
is created at the moment.  The top meta-data section is intended to only
describe who created the dictionary, and should not have an impact on the
contents.  The posted dictionary has been modified to contain the previous
values in the meta-data section.

> Items such as "cpe:/a:microsoft:systems_management_server:2.0:sp1" with
> modification-date="2008-04-01T12:14:58.090-04:00" , which was not
> present in the 20080415 version, seem to have untrustworthy modification
> dates, as the timestamp antedates both the version in which it first
> appears as well as the prior version. Are these modification dates
> definitive, and, if so, do they represent the time at which the 30-day
> community review for draft items commence(s|d)?

The modification dates can be treated as definitive and trustworthy.  The date
mismatch is a result of the clean-up process used to create the CPE dictionary.
 It is a transient problem and should resolve itself going forward.  Regarding
the 30-day community review process, as part of our presentation during CPE
developer days Dave Waltermire and I are planning on suggesting an initial CPE
life-cycle process that can be discussed and modified according to community
input.  We hope to have a life-cycle process documented in the weeks following
the conference.

>
> What, if any, significance can be attached to situations where an item's
> modification-date is later than its deprecation_date?

Something about the cpe-item has changed.  It could be that the original CPE
which deprecated the cpe-item has been modified to a newer CPE (perhaps as a
result of the replacement CPE being deprecated itself).

>
> Are these definitions available as NVD queries, as opposed to only in
> this (static and thus dated) document?

At the current time the answer to your question is no.  Sometime this summer we
are planning on releasing a CPE Search Page and a Web Service interface both of
which will allow dynamic queries.  At the same time we also plan to begin
producing automated nightly snapshots of the dictionary (instead of monthly).

-Harold
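
An added example, not part of the original message or of any NVD tooling: a consumer who keeps successive dictionary snapshots can list the two cases raised in this thread, items that first appear in a snapshot with a modification-date earlier than the previous snapshot, and items whose modification-date is later than their deprecation_date. The flat XML layout, the `example` CPE names, all timestamps except the one quoted above, and the previous snapshot's publication time are constructed assumptions; only the attribute names and the Microsoft CPE name come from the thread.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample snapshots. The flat element layout is an assumption for
# this example, not the real dictionary schema.
SNAP_20080415 = """<cpe-list>
  <cpe-item name="cpe:/a:example:widget:1.0" modification-date="2008-03-20T09:00:00.000-04:00"/>
</cpe-list>"""

SNAP_20080421 = """<cpe-list>
  <cpe-item name="cpe:/a:example:widget:1.0" modification-date="2008-04-18T10:30:00.000-04:00"
            deprecation_date="2008-04-10T08:00:00.000-04:00"/>
  <cpe-item name="cpe:/a:microsoft:systems_management_server:2.0:sp1"
            modification-date="2008-04-01T12:14:58.090-04:00"/>
  <cpe-item name="cpe:/a:example:gadget:2.1" modification-date="2008-04-19T11:00:00.000-04:00"/>
</cpe-list>"""

# Assumed publication time of the earlier snapshot (constructed).
PREV_PUBLISHED = datetime.fromisoformat("2008-04-15T00:00:00-04:00")

def load(xml_text):
    """Map CPE name -> (modification date, deprecation date or None)."""
    items = {}
    for el in ET.fromstring(xml_text).iter("cpe-item"):
        mod = datetime.fromisoformat(el.get("modification-date"))
        dep = el.get("deprecation_date")
        items[el.get("name")] = (mod, datetime.fromisoformat(dep) if dep else None)
    return items

def audit(prev_xml, prev_published, curr_xml):
    """Return (antedated, modified_after_deprecation) as sorted lists of CPE names."""
    prev, curr = load(prev_xml), load(curr_xml)
    # New in the current snapshot, yet stamped before the previous one was published.
    antedated = sorted(n for n, (mod, _) in curr.items()
                       if n not in prev and mod < prev_published)
    # Deprecated items that were touched again after their deprecation date.
    late = sorted(n for n, (mod, dep) in curr.items() if dep is not None and mod > dep)
    return antedated, late

if __name__ == "__main__":
    antedated, late = audit(SNAP_20080415, PREV_PUBLISHED, SNAP_20080421)
    print("first seen with an earlier modification-date:", antedated)
    print("modified after deprecation:", late)
```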