Updated CPE Specification 2.0 Draft

Andrew Buttner

Updated CPE Specification 2.0 Draft

I have tried to update the CPE Specification to account for the recent
discussions we have had over the email list and conference calls.
Please take a few minutes to read this over and supply comments where
necessary.  Below are some of the topics that have been addressed:

* removed the string representation of the CPE Language
* formalized the requirements section
* information about submitting new names to CPE Dictionary
* intro paragraph to Matching
* what to do when vendors share the same organization-specific label
but with a different DNS suffix
* updated schemas

In regards to the conversation about including the vendor name, as of
now I feel like there have been arguments in both directions and I have
not seen a solution without a hole in it.  So I am inclined to leave the
name structure as is.  The conversation is by no means closed so please
send along additional comments as desired.

There are two areas that still need work: Sections 7.1 and 7.2.  Both
of these deal with the matching algorithm.  Neal - do you have time to
take a crack at this?  If others want to make an attempt we would be
excited to see what you come up with.

The goal is to have this draft finalized by the end of this month and
to release the official 2.0 specification on Friday September 14th.

I'm now going to work on the website and update it to reflect this new
draft.

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515




Attachments: cpe-dictionary_2.0.xsd (7K), cpe-language_2.0.xsd (8K), cpe-specification_2.0_draft_20070815.doc (390K)
Karthik Raman

Re: Updated CPE Specification 2.0 Draft


Hi all,

There's a question from one of our developers, Steve.

On page 5 it says

•       Each facet of a CPE Name MUST exhibit the prefix property.

Then on page 19 it gives two examples,

K = {"cpe:/o:microsoft:windows:2000:pro", 
        "cpe:/a:microsoft:ie:5.5"}

X = "cpe://microsoft:windows:2000::sp1/microsoft:ie:5.5"

Should each facet have a prefix? Is the prefix not used when combined cpe names are used? The doc is not clear on this aspect.



Warm regards,

 

Karthik Raman
Research Scientist

McAfee Threat Intelligence Service
McAfee, Inc.

+44.(0)1296.318700 Main

+44.(0)1296.617705 Direct

+44.(0)7938.063297 Mobile

+44.(0)1296.318729 Fax
[hidden email]

www.avertlabs.com
www.mcafee.com

Andrew Buttner

Re: Updated CPE Specification 2.0 Draft

Note: I think you pulled those examples from page 17 that is part of
section 7.1 and 7.2.  Both of these sections need to be completely
re-written so please do not spend time reviewing them at this time.
All the other sections have been finished.


>Should each facet have a prefix? Is the prefix not used when
>combined cpe names are used? The doc is not clear on this aspect.

The word "facet" should be removed from the requirement.  It was left
over from when a CPE Name could contain multiple parts.  The
requirement should read "Each CPE Name MUST exhibit the prefix
property."


Thanks for the catch!!

Drew
Karthik Raman

Re: Updated CPE Specification 2.0 Draft

** It was left over from when a CPE Name could contain multiple parts.
**

Does this mean that in 2.0 a CPE reference cannot specify a
hardware/OS/software combination in a single reference?


Thanks,

Karthik


Lemire, David P.

Re: Updated CPE Specification 2.0 Draft

In reply to this post by Andrew Buttner
Drew,

Some comments, mixture of editorial and more conceptual.

Regards,

        Dave
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ David Lemire (Contractor - A&N Associates, Inc.)
~ VAO Engineering and Integration, NSA
~ [hidden email]
~ (410) 854-8727
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





Attachment: cpe-specification_2.0_draft_20070815.DPL.doc (403K)
Waltermire, Dave [USA]

Re: Updated CPE Specification 2.0 Draft

All,

David wrote the following in his comments in the document:

"I suspect I might be swimming against the tide here, but:  In my mind,
"windows" is not a product, it's a product line.  "windows_2000" is a
product; "windows_vista" is a product, each of which has different
editions and versions.  I believe all of the examples in here that refer
to Microsoft Windows <WhatHaveYou> are incorrect.  I realize my
perspective is inconsistent with what's in the current CPE dictionary on
the NVD website."

From what I recall the major justification for this approach, which is
largely different than any other vendor, is to allow the CPE name:
cpe:/o:microsoft:windows and other variations.  I am beginning to think
that this approach is not that useful.  I have yet to run into a use
case for referring to all Windows operating systems.  Referring to all
windows operating systems is also dangerous from a future perspective.
You could imply that you are referring to all CURRENT Windows OSs, but
in reality you are referring to all CURRENT and FUTURE OSs that bear
that name.  This can be very bad.

Do we really need this capability?  Can we move to something like:
cpe:/o:microsoft:windows_xp or cpe:/o:microsoft:windows_vista?

Dave

Banghart, John

Re: Updated CPE Specification 2.0 Draft

Isn't part of the usefulness of the current approach the ability to
conduct a search of all related products?  From a vulnerability
perspective, cpe:/o:microsoft/windows might not be useful, but from an
asset management perspective it probably would be.

This does raise another issue in my mind, and if it has been addressed
in the past, please accept my apologies.  What criteria are used to
determine whether a piece of software is a new product, or a new version
of an existing one?  For example, is Solaris 10 an updated version of
Solaris 9, or are there enough changes to qualify as a new product
entirely?  If so, what is the CPE?  Should it be cpe:/o:sun:solaris:10
or cpe:/o:sun:solaris_10?

Again, my apologies if this has already been hashed through.
 
--
John Banghart
Associate
Booz | Allen | Hamilton
Tel (703) 377-5040
[hidden email]
Andrew Buttner

Re: Updated CPE Specification 2.0 Draft

In reply to this post by Karthik Raman
 
>** It was left over from when a CPE Name could contain multiple parts.
>**
>
>Does this mean that in 2.0 a CPE reference cannot specify a
>hardware/OS/software combination in a single reference?

In the draft 2.0 CPE Specification, a CPE Name cannot specify a
hardware/OS/application combination.  A CPE Name identifies only a
single part.  The CPE Language, however, has been added to enable the
identification of complex platform types that might be of such a
combination.

Thanks
Drew
Andrew Buttner

Re: Updated CPE Specification 2.0 Draft

In reply to this post by Banghart, John
>This does raise another issue in my mind, and if it has been addressed
>in the past, please accept my apologies.  What criteria is used to
>determine whether a piece of software is a new product, or a
>new version
>of an existing one?  For example, is Solaris 10 an updated version of
>Solaris 9, or are there enough changes to qualify as a new product
>entirely?  If so, what is the CPE?  Should it be cpe:/o:sun:solaris:10
>or cpe:/o:sun:solaris_10?

This is a really good point and one that needs to be addressed in the
specification.  I will try to give it some thought.  If anyone has an
idea of how to approach this, please let us know.  This is again
another area where we will inevitably be guessing until the software
vendor steps in.

Thanks
Drew
Andrew Buttner

Re: Updated CPE Specification 2.0 Draft

In reply to this post by Waltermire, Dave [USA]
It is correct that the reason we break out "windows" as the product is
to allow the ability to refer to all windows with the CPE Name
cpe:/o:microsoft:windows.  Although I would argue that the real product
is in line with the kernel.  In the windows case, there are four base
kernels that I know of:  (am I missing some?)

windows
windows_9x
windows_nt
windows_ce

I can see it being possible to need to refer to all Windows NT systems
(NT, 2K, XP, Vista, 03)

Drew



Lemire, David P.

Re: Updated CPE Specification 2.0 Draft

In reply to this post by Andrew Buttner
It seems to me that from a vulnerability perspective the ability to refer to
all, or at least multiple, Windows products/versions is mostly useful in
conjunction with applications rather than with Windows itself; especially an
application that runs on multiple OSes.  Certainly I know of applications
that still run fine on my old Win98 box and also run fine on my WinXPsp2
box.  But I'd guess (possibly showing my ignorance) that vulnerabilities
that apply broadly across more-or-less all versions of Windows aren't that
common.

If, for example, GDR's Great Document Reader v1.0 is available on Windows,
Mac OS X, and linux, a vulnerability in the app may only apply to the
Windows version.  In this case, using the current way of expressing Windows
as a product, you'd need a CPE language statement somewhere along the lines
of (sorry, but I'm not even going to attempt the XML):

        cpe://a:gdr-inc:great_document_reader:1.0
        AND
        cpe://o:microsoft:windows

versus

        cpe://a:gdr-inc:great_document_reader:1.0
        AND
        ( cpe://o:microsoft:windows_98:se
                OR
          cpe://o:microsoft:windows_NT:4.0
                OR
          ... )

So, the current approach seems more useful WRT vulnerabilities of things
that run *on* Windows than to vulnerabilities *of* Windows, which seem more
likely to tie to specific windows products.

OTOH, if there are individual CPE names for the different OS versions of the
application itself, then we wouldn't care so much, since the vulnerability
would apply to:

        cpe://a:gdr-inc:great_document_reader_windows:1.0

Now I have more CPE definition entries, each corresponding to slight
"variations on a theme", but less need to dive into CPE Language to spec out
where a particular vulnerability appears.

        Dave
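Added example (not from the draft specification, the NVD dictionary, or anyone on this list): a small Python model of the matching behaviour the thread is arguing about. It treats a CPE 2.0 Name as a single part, as Drew describes in his reply to Karthik, evaluates the AND/OR combinations Dave sketches above for Great Document Reader, and shows why cpe:/o:microsoft:windows rolls up every windows:* entry, including ones that did not exist when the expression was written (Dave Waltermire's concern), while a product-per-version name such as windows_xp, or solaris_10 in John's Solaris question, does not roll up at all. The matching rule used here (a blank component in the name under test matches anything; every component it does specify must agree) is my reading of the draft's section 7, which Drew says is still being rewritten, so treat it as an assumption. The nested-tuple form stands in for the draft's XML CPE Language, and gdr-inc, great_document_reader, the host inventories and the windows:7 entry are made up for the example.

```python
# Added example, not code from the CPE 2.0 draft or the CPE dictionary.
# Assumed matching rule: the name under test (X) matches a known name (K)
# when every component X specifies equals K's component; a blank component
# in X matches anything.  The AND/OR tuples stand in for the draft's XML
# CPE Language.  gdr-inc / great_document_reader and the host inventories
# are made up for the example.
from __future__ import annotations

PREFIX = "cpe:/"
COMPONENTS = 7  # part, vendor, product, version, update, edition, language


def parse(name: str) -> list[str]:
    """Split a URI-style CPE 2.0 name into its seven components.

    Trailing components that are absent are padded with empty strings, so
    'cpe:/o:microsoft:windows' and 'cpe:/o:microsoft:windows::::' are equal.
    Comparison is case-insensitive.
    """
    if not name.startswith(PREFIX):
        raise ValueError(f"not a cpe:/ name: {name!r}")
    parts = name[len(PREFIX):].lower().split(":")
    if len(parts) > COMPONENTS:
        raise ValueError(f"too many components in {name!r}")
    return parts + [""] * (COMPONENTS - len(parts))


def name_matches(x: str, k: str) -> bool:
    """Does the name X match the known name K?

    Because components run from general to specific (the prefix property),
    a short name such as cpe:/o:microsoft:windows is a roll-up that matches
    every entry whose product is 'windows'.  A name that says more than K
    does (an edition K leaves blank, say) does not match.
    """
    return all(xc == "" or xc == kc for xc, kc in zip(parse(x), parse(k)))


def matches_any(x: str, known: set[str]) -> bool:
    """CPE_Name_Match: X matches the set K if it matches at least one member."""
    return any(name_matches(x, k) for k in known)


# CPE Language expression, modelled as nested tuples:
#   "cpe:/..."               a single CPE Name
#   ("AND", e1, e2, ...)     every sub-expression must hold
#   ("OR",  e1, e2, ...)     at least one sub-expression must hold
def evaluate(expr, known: set[str]) -> bool:
    """Evaluate a platform expression against the names inventoried on a host."""
    if isinstance(expr, str):
        return matches_any(expr, known)
    op, *operands = expr
    if op == "AND":
        return all(evaluate(e, known) for e in operands)
    if op == "OR":
        return any(evaluate(e, known) for e in operands)
    raise ValueError(f"unknown operator {op!r}")


# Constructed host inventory (not real scan data); one Name per part.
HOST = {
    "cpe:/o:microsoft:windows:2000:pro",
    "cpe:/a:microsoft:ie:5.5",
    "cpe:/a:gdr-inc:great_document_reader:1.0",
}

# Dave Lemire's two ways of saying "Great Document Reader 1.0 on Windows".
ROLLUP = ("AND", "cpe:/a:gdr-inc:great_document_reader:1.0",
                 "cpe:/o:microsoft:windows")
ENUMERATED = ("AND", "cpe:/a:gdr-inc:great_document_reader:1.0",
              ("OR", "cpe:/o:microsoft:windows:98:se",
                     "cpe:/o:microsoft:windows:nt:4.0",
                     "cpe:/o:microsoft:windows:2000"))

# A constructed host running a Windows that did not exist when the
# expressions were written (the CURRENT-and-FUTURE concern).
FUTURE_HOST = {
    "cpe:/a:gdr-inc:great_document_reader:1.0",
    "cpe:/o:microsoft:windows:7",
}

if __name__ == "__main__":
    print(evaluate(ROLLUP, HOST), evaluate(ENUMERATED, HOST))
    print(evaluate(ROLLUP, FUTURE_HOST), evaluate(ENUMERATED, FUTURE_HOST))
    # Product-per-version naming loses the roll-up entirely.
    print(name_matches("cpe:/o:microsoft:windows", "cpe:/o:microsoft:windows_xp"))
    print(name_matches("cpe:/o:sun:solaris", "cpe:/o:sun:solaris:10"),
          name_matches("cpe:/o:sun:solaris", "cpe:/o:sun:solaris_10"))
```

Both of Dave's expressions are true for the constructed host, but only the roll-up form is true for the host with the later Windows, which is exactly the trade-off the thread is weighing: the roll-up keeps the expression short and covers future releases, the enumerated form covers only what its author listed. The last two checks show that once the version is folded into the product name (windows_xp, solaris_10) there is no general name left to roll up under.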




Andrew Buttner

Re: Updated CPE Specification 2.0 Draft

I agree with your examples and the need for roll-up names.  I will add
that one thing we want to do with the spec is be consistent across the
entire naming convention.  So if roll-ups are needed in the application
space, we want to make sure this functionality is implemented in a
general sense.  I think we have done this.  We may not need/use it with
Windows, but at least the spec works the same way for everything and a
user only has to learn one way of doing things.

re: the second half of the email ....

I think this discussion turns into the one about where the line between
CPE and OVAL should be drawn.  CPE is only meant to give a
rudimentary ability to define the logic needed to determine when a
vulnerability exists (or applies).  If more precise logic is needed, a
more detailed language like OVAL should be used.  Of course there is
going to be some overlap between what can be done with CPE and what can
be done with OVAL.  I think having overlap is a good thing.

 

>-----Original Message-----
>From: Lemire, David P. [mailto:[hidden email]]
>Sent: Friday, August 17, 2007 9:58 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Updated CPE Specification 2.0 Draft
>
>It seems to me that from a vulnerability perspective the ability to refer
>to all, or at least multiple, Windows products/versions is more useful
>in conjunction with applications than with Windows itself; especially an
>application that runs on multiple OSes.  Certainly I know of applications
>that still run fine on my old Win98 box and also run fine on my WinXPsp2
>box.  But I'd guess (possibly showing my ignorance) that vulnerabilities
>that apply broadly across more-or-less all versions of Windows aren't that
>common.
>
>If, for example, GDR's Great Document Reader v1.0 is available on Windows,
>Mac OS X, and linux, a vulnerability in the app may only apply to the
>Windows version.  In this case, using the current way of expressing
>Windows as a product, you'd need a CPE language statement somewhere along
>the lines of (sorry, but I'm not even going to attempt the XML):
>
> cpe://a:gdr-inc:great_document_reader:1.0
> AND
> cpe://o:microsoft:windows
>
>versus
>
> cpe://a:gdr-inc:great_document_reader:1.0
> AND
> ( cpe://o:microsoft:windows_98:se
> OR
>  cpe://o:microsoft:windows_NT:4.0
> OR
>  ... )
>
>So, the current approach seems more useful WRT vulnerabilities of things
>that run *on* Windows than to vulnerabilities *of* Windows, which seem
>more likely to tie to specific windows products.
>
>OTOH, if there are individual CPE names for the different OS versions of
>the application itself, then we wouldn't care so much, since the
>vulnerability would apply to:
>
> cpe://a:gdr-inc:great_document_reader_windows:1.0
>
>Now I have more CPE definition entries, each corresponding to slight
>"variations on a theme", but less need to dive into CPE Language to spec
>out where a particular vulnerability appears.
>
> Dave
>
>
>
>
>-----Original Message-----
>From: Buttner, Drew [mailto:[hidden email]]
>Sent: Thursday, August 16, 2007 9:45 PM
>To: [hidden email]
>Subject: Re: [CPE-DISCUSSION-LIST] Updated CPE Specification 2.0 Draft
>
>
>It is correct that the reason we break out "windows" as the product is
>to allow the ability to refer to all windows with the CPE Name
>cpe:/o:microsoft:windows.  Although I would argue that the real product
>is in line with the kernel.  In the windows case, there are four base
>kernels that I know of:  (am I missing some?)
>
>windows
>windows_9x
>windows_nt
>windows_ce
>
>I can see it possible to need to refer to all Windows NT systems (NT,
>2K, XP, Vista, 03)
>
>Drew
>
>
>
>>-----Original Message-----
>>From: Waltermire, Dave [mailto:[hidden email]]
>>Sent: Thursday, August 16, 2007 1:09 PM
>>To: cpe-discussion-list CPE Community Forum
>>Subject: Re: [CPE-DISCUSSION-LIST] Updated CPE Specification 2.0 Draft
>>
>>All,
>>
>>David wrote the following in his comments in the document:
>>
>>"I suspect I might be swimming against the tide here, but:  In my mind,
>>"windows" is not a product, it's a product line.  "windows_2000" is a
>>product; "windows_vista" is a product, each of which has different
>>editions and versions.  I believe all of the examples in here
>>that refer
>>to Microsoft Windows <WhatHaveYou> are incorrect.  I realize my
>>perspective is inconsistent with what's in the current CPE
>>dictionary on
>>the NVD website."
>>
>>From what I recall the major justification for this approach, which is
>>largely different than any other vendor, is to allow the CPE name:
>>cpe:/o:microsoft:windows and other variations.  I am beginning to think
>>that this approach is not that useful.  I have yet to run into a use
>>case for referring to all Windows operating systems.  Referring to all
>>windows operating systems is also dangerous from a future perspective.
>>You could imply that you are referring to all CURRENT Windows OSs, but
>>in reality you are referring to all CURRENT and FUTURE OSs that bear
>>that name.  This can be very bad.
>>
>>Do we really need this capability?  Can we move to something like:
>>cpe:/o:microsoft:windows_xp or cpe:/o:microsoft:windows_vista?
>>
>>Dave
>>
>>> -----Original Message-----
>>> From: Lemire, David P. [mailto:[hidden email]]
>>> Sent: Thursday, August 16, 2007 10:12 AM
>>> To: [hidden email]
>>> Subject: Re: [CPE-DISCUSSION-LIST] Updated CPE Specification
>>2.0 Draft
>>>
>>> Drew,
>>>
>>> Some comments, mixture of editorial and more conceptual.
>>>
>>> Regards,
>>>
>>> Dave
>>> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> ~ David Lemire (Contractor - A&N Associates, Inc.) ~ VAO
>>> Engineering and Integration, NSA ~ [hidden email] ~
>>> (410) 854-8727
>>> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>>
>>> -----Original Message-----
>>> From: Buttner, Drew [mailto:[hidden email]]
>>> Sent: Wednesday, August 15, 2007 10:49 AM
>>> To: [hidden email]
>>> Subject: [CPE-DISCUSSION-LIST] Updated CPE Specification 2.0 Draft
>>>
>>>
>>> I have tried to update the CPE Specification to account for
>>> the recent discussions we have had over the email list and
>>> conference calls.
>>> Please take a few minutes to read this over and supply
>>> comments where necessary.  Below are some of the topics that
>>> have been addressed:
>>>
>>> * removed the string representation of the CPE Language
>>> * formalized the requirements section
>>> * information about submitting new names to CPE Dictionary
>>> * intro paragraph to Matching
>>> * what to do when vendors share the same
>>> organization-specific label but with a different DNS suffix
>>> * updated schemas
>>>
>>> In regards to the conversation about including the vendor
>>> name, as of now I feel like there has been arguments in both
>>> directions and I have not see a solution without a hole in
>>> it.  So I am inclined to leave the name structure as is.  The
>>> conversation is by no means closed so please send along
>>> additional comments as desired.
>>>
>>> There are two areas that still need work.  Sections 7.1 and
>>> 7.2.  Both of these deal with the matching algorithm.  Neal -
>>> do you have time to take a crack at this?  If others want to
>>> make an attempt we would be excited to see what you come up with.
>>>
>>> The goal is to have this draft finalized by the end of this
>>> month and to release the official 2.0 specification on Friday
>>> September 14th.
>>>
>>> I'm now going to work on the website and update it to reflect
>>> this new draft.
>>>
>>> Thanks
>>> Drew
>>>
>>>
>>> ---------
>>>
>>> Andrew Buttner
>>> The MITRE Corporation
>>> [hidden email]
>>> 781-271-3515
>>>
>>>
>>
>
Andrew Buttner

Re: Updated CPE Specification 2.0 Draft

In reply to this post by Andrew Buttner
>It is correct that the reason we break out "windows" as the
>product is to allow the ability to refer to all windows with
>the CPE Name cpe:/o:microsoft:windows.  Although I would argue
>that the real product is in line with the kernel.  In the
>windows case, there are four base kernels that I know of:  (am
>I missing some?)
>
>windows
>windows_9x
>windows_nt
>windows_ce
>
>I can see it possible to need to refer to all Windows NT systems
>(NT, 2K, XP, Vista, 03)


From some of the information and diagrams I have seen, the above list
should be reduced to three?  Also, use a hyphen instead of an
underscore, since the latter is used as a filler for white space.

 windows     (1.0, 2.0, 3.0, 3.1, 95, 98, ME)
 windows-nt  (NT, 2K, XP, 2003, Vista)
 windows-ce  (1.0, 2.0, 3.0 ...)

Unless there is objection, I would like to convert the Windows examples
in the 2.0 spec to follow the above.  Examples would look like:

 cpe:/o:microsoft:windows:3.1
 cpe:/o:microsoft:windows:95
 cpe:/o:microsoft:windows:98
 cpe:/o:microsoft:windows_nt:3.1
 cpe:/o:microsoft:windows_nt:4.0
 cpe:/o:microsoft:windows_nt:2000
 cpe:/o:microsoft:windows_nt:xp
 cpe:/o:microsoft:windows_nt:2003
 cpe:/o:microsoft:windows_nt:vista

Any reasons not to do this?

Thanks
Drew
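Added example, not code from the CPE spec, the schemas, or any list member: a small Python matcher that makes the two points in this thread concrete, Lemire's AND/OR CPE Language expression (one short prefix name versus an enumerated OR of versions) and Drew's proposed product-line names (windows / windows_nt / windows_ce). The matching rule is an assumption, since sections 7.1 and 7.2 are still open: a name matches a target when every component the name specifies equals the target's component, and components it leaves unspecified match anything. The names `parse_cpe`, `cpe_matches`, `evaluate` and `scenario` are mine; the host inventories are constructed; Lemire's names are rewritten with the `cpe:/` prefix and the spec's underscore form used in Drew's example list.

```python
from typing import List, Tuple, Union

# The seven CPE 2.0 components, in order, after the "cpe:/" prefix.
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")

# A CPE Language style expression: a leaf is a CPE name, a node is
# ("AND", left, right) or ("OR", left, right).
Expr = Union[str, Tuple[str, "Expr", "Expr"]]


def parse_cpe(name: str) -> List[str]:
    """Split a CPE name into its seven components, right-padding with ""
    for components the name leaves unspecified (a prefix name)."""
    prefix = "cpe:/"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE name: {name!r}")
    parts = name[len(prefix):].lower().split(":")
    if not 1 <= len(parts) <= len(COMPONENTS):
        raise ValueError(f"bad component count in {name!r}")
    return parts + [""] * (len(COMPONENTS) - len(parts))


def cpe_matches(pattern: str, target: str) -> bool:
    """ASSUMED matching rule (not the draft's 7.1/7.2 text): every component
    the pattern specifies must equal the target's component; components the
    pattern leaves empty match anything.  So a short name such as
    cpe:/o:microsoft:windows_nt matches every windows_nt version, present
    or future, which is the concern raised on the list."""
    return all(p == "" or p == t for p, t in zip(parse_cpe(pattern), parse_cpe(target)))


def evaluate(expr: Expr, inventory: List[str]) -> bool:
    """Evaluate an expression against the CPE names of what is installed on
    one host.  A leaf is true when any inventory name matches it."""
    if isinstance(expr, str):
        return any(cpe_matches(expr, installed) for installed in inventory)
    op, left, right = expr
    if op == "AND":
        return evaluate(left, inventory) and evaluate(right, inventory)
    if op == "OR":
        return evaluate(left, inventory) or evaluate(right, inventory)
    raise ValueError(f"unknown operator {op!r}")


# Lemire's example from the thread, with the cpe:/ prefix and Drew's
# proposed product-line names (gdr-inc / great_document_reader are the
# thread's own hypothetical vendor and product).
APP = "cpe:/a:gdr-inc:great_document_reader:1.0"
ALL_WINDOWS_NT = ("AND", APP, "cpe:/o:microsoft:windows_nt")
LISTED_VERSIONS = ("AND", APP, ("OR", "cpe:/o:microsoft:windows:98",
                                      "cpe:/o:microsoft:windows_nt:4.0"))

# Constructed host inventories (not real data): an XP SP2 host, a Windows 98
# host, and a host running a made-up future NT-line release.
XP_HOST = [APP, "cpe:/o:microsoft:windows_nt:xp:sp2"]
WIN98_HOST = [APP, "cpe:/o:microsoft:windows:98"]
FUTURE_HOST = [APP, "cpe:/o:microsoft:windows_nt:future_release"]  # constructed name


def scenario() -> dict:
    """Which hosts each expression flags as affected."""
    return {
        "xp_all_nt": evaluate(ALL_WINDOWS_NT, XP_HOST),           # True
        "xp_listed": evaluate(LISTED_VERSIONS, XP_HOST),          # False: XP not enumerated
        "win98_all_nt": evaluate(ALL_WINDOWS_NT, WIN98_HOST),     # False: other product line
        "win98_listed": evaluate(LISTED_VERSIONS, WIN98_HOST),    # True
        "future_all_nt": evaluate(ALL_WINDOWS_NT, FUTURE_HOST),   # True: prefix reaches forward
        "future_listed": evaluate(LISTED_VERSIONS, FUTURE_HOST),  # False
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:14} {value}")
```

The `future_all_nt` result is the point Waltermire raises: a prefix name like `cpe:/o:microsoft:windows_nt` is true for any later release that keeps the product string, whereas the enumerated form only matches what was listed when the content was written. Drew's product-line split changes which names a prefix reaches (`cpe:/o:microsoft:windows` no longer covers the NT line), but not that open-ended behaviour. Because the matcher compares component strings verbatim, the same code works unchanged if the list settles on the hyphen form (`windows-nt`) instead of the underscore.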