Making Security Measurable › CPE - Common Platform Enumeration

Updated CPE Dictionary Posted

7 messages

Updated CPE Dictionary Posted

Reply Threaded

CPE Community Members,

I am pleased to announce the availability of an updated Official CPE dictionary
for CPE version 2.1. I would like to express my gratitude to all the vendors,
contributors, analysts and developers that have contributed to this effort.
This dictionary contains data for over 15,000 CPEs from 250+ vendors. Starting
with this release we plan to produce regular monthly updates to the Official CPE
dictionary expanding on this content based on community feedback and vendor/3rd
party contributions.

You can download the dictionary using the following URL:

http://nvd.nist.gov/cpe.cfm

Please note that we are providing additional CPE repository metadata using the
NVD CPE Metadata schema. This metadata includes: status, identification and
modification information from the official CPE dictionary repository. CPEs
included in this dictionary have one of two status values:

FINAL - The CPE has been accepted into the official dictionary.
DRAFT - A CPE that is currently undergoing CPE moderation and review by the
community. Draft CPEs will be made FINAL after a 30 day community review period.

For more information on the CPE dictionary please refer to:

The CPE homepage - http://cpe.mitre.org
The Official CPE Dictionary - http://nvd.nist.gov/cpe.cfm

I look forward to your comments and questions.

David Waltermire
NVD/SCAP Team Lead
http://nvd.nist.gov
O: 301-975-8441

Sudhir Gandhe

Re: Updated CPE Dictionary Posted

Reply Threaded

Some javascript/style in this post has been disabled (why?)

Dave,

I still see some of the CPE technologies follow 2.0 style –

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::business">

<title xml:lang="en-US">Microsoft Windows Vista any business</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::enterprise">

<title xml:lang="en-US">Microsoft Windows Vista any enterprise</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::home_basic">

<title xml:lang="en-US">Microsoft Windows Vista any home_basic</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::home_premium">

<title xml:lang="en-US">Microsoft Windows Vista any home_premium</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::starter">

<title xml:lang="en-US">Microsoft Windows Vista any starter</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::ultimate">

<title xml:lang="en-US">Microsoft Windows Vista any ultimate</title>

</cpe-item>

The attribute deprecated is set to true in these cases. Does this mean the cpe-item is deprecated? If not, I do not see the deprecated_by attribute.

Respectfully.

Sudhir

-----Original Message-----
From: David Waltermire [mailto:[hidden email]]
Sent: Wednesday, April 16, 2008 9:07 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Updated CPE Dictionary Posted

CPE Community Members,

I am pleased to announce the availability of an updated Official CPE dictionary

for CPE version 2.1. I would like to express my gratitude to all the vendors,

contributors, analysts and developers that have contributed to this effort.

This dictionary contains data for over 15,000 CPEs from 250+ vendors. Starting

with this release we plan to produce regular monthly updates to the Official CPE

dictionary expanding on this content based on community feedback and vendor/3rd

party contributions.

You can download the dictionary using the following URL:

http://nvd.nist.gov/cpe.cfm

Please note that we are providing additional CPE repository metadata using the

NVD CPE Metadata schema. This metadata includes: status, identification and

modification information from the official CPE dictionary repository. CPEs

included in this dictionary have one of two status values:

FINAL - The CPE has been accepted into the official dictionary.

DRAFT - A CPE that is currently undergoing CPE moderation and review by the

community. Draft CPEs will be made FINAL after a 30 day community review period.

For more information on the CPE dictionary please refer to:

The CPE homepage - http://cpe.mitre.org

The Official CPE Dictionary - http://nvd.nist.gov/cpe.cfm

I look forward to your comments and questions.

David Waltermire

NVD/SCAP Team Lead

http://nvd.nist.gov

O: 301-975-8441

Harold Booth-2

Re: Updated CPE Dictionary Posted

Reply Threaded

In reply to this post by Waltermire, David

There are some missing references contained within the CPE dictionary (thanks go
to Gary Gapinski for letting us know). The references are on CPEs which have
been deprecated but the CPEs which replaced them were mistakenly left out of the
dictionary. The issue in our data has been resolved and a new version of the
CPE dictionary will be produced on Monday with the missing references. We are
waiting until Monday to allow for additional suggestions or corrections.

Regards,

-Harold

Sudhir Gandhe

FW: [CPE-DISCUSSION-LIST] Updated CPE Dictionary Posted

Reply Threaded

In reply to this post by Waltermire, David

Some javascript/style in this post has been disabled (why?)

Reposting my question. This is still valid with cpe-dictionary-v2.1-20080421.xml.

I see some of the CPE technologies follow 2.0 style –

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::business">

<title xml:lang="en-US">Microsoft Windows Vista any business</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::enterprise">

<title xml:lang="en-US">Microsoft Windows Vista any enterprise</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::home_basic">

<title xml:lang="en-US">Microsoft Windows Vista any home_basic</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::home_premium">

<title xml:lang="en-US">Microsoft Windows Vista any home_premium</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::starter">

<title xml:lang="en-US">Microsoft Windows Vista any starter</title>

</cpe-item>

<cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::ultimate">

<title xml:lang="en-US">Microsoft Windows Vista any ultimate</title>

</cpe-item>

The attribute deprecated is set to true in these cases. Does this mean the whole cpe-item is deprecated? Also, I do not see the deprecated_by attribute.

Respectfully.

Sudhir

Gary Gapinski-4

Re: FW: [CPE-DISCUSSION-LIST] Updated CPE Dictionary Posted

Reply Threaded

Some javascript/style in this post has been disabled (why?)

Sudhir Gandhe wrote:

Reposting my question. This is still valid with cpe-dictionary-v2.1-20080421.xml.

I see some of the CPE technologies follow 2.0 style –

    <cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::business">

        <title xml:lang="en-US">Microsoft Windows Vista any business</title>

        <meta:item-metadata modification-date="2008-04-15T19:57:00.663-04:00" status="FINAL" nvd-id="74545" />

    </cpe-item>

    <cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::enterprise">

        <title xml:lang="en-US">Microsoft Windows Vista any enterprise</title>

        <meta:item-metadata modification-date="2008-04-15T19:57:19.167-04:00" status="FINAL" nvd-id="74546" />

    </cpe-item>

    <cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::home_basic">

        <title xml:lang="en-US">Microsoft Windows Vista any home_basic</title>

        <meta:item-metadata modification-date="2008-04-15T19:57:19.290-04:00" status="FINAL" nvd-id="74542" />

    </cpe-item>

    <cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::home_premium">

        <title xml:lang="en-US">Microsoft Windows Vista any home_premium</title>

        <meta:item-metadata modification-date="2008-04-15T19:57:22.573-04:00" status="FINAL" nvd-id="74543" />

    </cpe-item>

    <cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::starter">

        <title xml:lang="en-US">Microsoft Windows Vista any starter</title>

        <meta:item-metadata modification-date="2008-04-15T19:57:06.417-04:00" status="FINAL" nvd-id="74541" />

    </cpe-item>

    <cpe-item deprecated="true" deprecation_date="2008-04-15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-nt:vista::ultimate">

        <title xml:lang="en-US">Microsoft Windows Vista any ultimate</title>

        <meta:item-metadata modification-date="2008-04-15T19:57:23.917-04:00" status="FINAL" nvd-id="74544" />

     </cpe-item>

The attribute deprecated is set to true in these cases. Does this mean the whole cpe-item is deprecated? Also, I do not see the deprecated_by attribute.

The v2.1 specification does not define the extent of deprecation, but it seems reasonable to assume the the item is deprecated but the deprecation itself is not. The v2.1 specification also leaves deprecation_date and deprecated_by attributes unexplained. The schema does not constrain these in any combination, thus an item can be deprecated_by without being deprecated, etc.

It seems reasonable to mandate the deprecation_date when deprecated is true, and mandate deprecated_by when deprecated is true, but the latter only if deprecation is always accompanied by replacement. It is also reasonable to mandate the absence of the deprecation_date and deprecated_by attributes when deprecated is false.

Regards,

Gary

Andrew Buttner

Re: FW: [CPE-DISCUSSION-LIST] Updated CPE Dictionary Posted

Reply Threaded

>It seems reasonable to mandate the deprecation_date when deprecated is
>true, and mandate deprecated_by when deprecated is true, but the
latter
>only if deprecation is always accompanied by replacement. It is also
>reasonable to mandate the absence of the deprecation_date and
>deprecated_by attributes when deprecated is false.

I couldn't agree more, but W3C schema does not allow us to validate
these types of co-constraints. To do so we would have to introduce a
language like Schematron (as we have done with OVAL) to cover this.
The thinking with CPE was that it was not needed that much and the
overhead of requiring it was not worth the gain. If there are thoughts
in the other direction, let us know and we can look into adding
Schematron in a future release.

I do agree that some documentation surrounding the deprecated
attributes is needed. I will add this to the tracker for future
versions.

Note that one should just ignore the 'deprecated_by' and
'deprecated_date' attributes unless 'deprecated' is set to TRUE.

Thanks
Drew

Andrew Buttner

Re: FW: [CPE-DISCUSSION-LIST] Updated CPE Dictionary Posted

Reply Threaded

In reply to this post by Sudhir Gandhe

The main purpose of the 'deprecated' element is to mark certain ids as
no longer in use. Remember that CPE is mainly an enumeration. Each
CPE Name is a globally unique id. There really is no such thing as
modifying a name, rather what we do is create a new CPE Name and
deprecate the old one.

The names that follow the 2.0 style are still globally unique ids and
must be deprecated so they aren't used again to identify something
else, resulting in conflict.

The <cpe-item>s that you refer to were Names that were issued and then
retracted. The lack of a 'deprecated_by' value means that they have no
corresponding CPE Name currently in existence. Maybe the original name
was issued in error?

Thanks
Drew

>-----Original Message-----
>From: Sudhir Gandhe [mailto:[hidden email]]
>Sent: Tuesday, April 22, 2008 1:38 PM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] FW: [CPE-DISCUSSION-LIST] Updated CPE
>Dictionary Posted
>
>Reposting my question. This is still valid with cpe-dictionary-v2.1-
>20080421.xml.
>
>
>
>
>
>I see some of the CPE technologies follow 2.0 style -
>
>
>
> <cpe-item deprecated="true" deprecation_date="2008-04-
>15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-
>nt:vista::business">
>
> <title xml:lang="en-US">Microsoft Windows Vista any
>business</title>
>
> <meta:item-metadata

modification-date="2008-04-15T19:57:00.663-

>04:00" status="FINAL" nvd-id="74545" />
>
> </cpe-item>
>
> <cpe-item deprecated="true" deprecation_date="2008-04-
>15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-
>nt:vista::enterprise">
>
> <title xml:lang="en-US">Microsoft Windows Vista any
>enterprise</title>
>
> <meta:item-metadata

modification-date="2008-04-15T19:57:19.167-

>04:00" status="FINAL" nvd-id="74546" />
>
> </cpe-item>
>
> <cpe-item deprecated="true" deprecation_date="2008-04-
>15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-
>nt:vista::home_basic">
>
> <title xml:lang="en-US">Microsoft Windows Vista any
>home_basic</title>
>
> <meta:item-metadata

modification-date="2008-04-15T19:57:19.290-

>04:00" status="FINAL" nvd-id="74542" />
>
> </cpe-item>
>
> <cpe-item deprecated="true" deprecation_date="2008-04-
>15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-
>nt:vista::home_premium">
>
> <title xml:lang="en-US">Microsoft Windows Vista any
>home_premium</title>
>
> <meta:item-metadata

modification-date="2008-04-15T19:57:22.573-

>04:00" status="FINAL" nvd-id="74543" />
>
> </cpe-item>
>
> <cpe-item deprecated="true" deprecation_date="2008-04-
>15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-
>nt:vista::starter">
>
> <title xml:lang="en-US">Microsoft Windows Vista any
>starter</title>
>
> <meta:item-metadata

modification-date="2008-04-15T19:57:06.417-

>04:00" status="FINAL" nvd-id="74541" />
>
> </cpe-item>
>
> <cpe-item deprecated="true" deprecation_date="2008-04-
>15T12:35:00.000-04:00" name="cpe:/o:microsoft:windows-
>nt:vista::ultimate">
>
> <title xml:lang="en-US">Microsoft Windows Vista any
>ultimate</title>
>
> <meta:item-metadata

modification-date="2008-04-15T19:57:23.917-

>04:00" status="FINAL" nvd-id="74544" />
>
> </cpe-item>
>
>
>
>The attribute deprecated is set to true in these cases. Does this mean
>the whole cpe-item is deprecated? Also, I do not see the deprecated_by
>attribute.
>
>
>
>
>
>
>
>Respectfully.
>
>Sudhir
>
>