Updated Draft CPE Specification 2.0

Attached is the most recent draft of the CPE Specification 2.0.  This
draft includes the new name structure that added the update and
language components.  I think all the outstanding issues for version
2.0 have now been addressed.  Please take a minute to re-read the draft
as this will be the last chance to provide feedback.  Hopefully there
will be very little as issues have already been addressed.

My plan is to merge in any comments on Tuesday Sept 4th and send out a
Release Candidate to the community.  The release candidate will not be
changed with the exception of spelling mistakes and clarifications, so
vendors can feel confident about implementing at that time.  The
official specification will be released on Friday Sept 14th.

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Drew,

A few minor comments:

1) On page 6, where the prefix property is discussed, the example
provided is "For example, microsoft:windows:xp would be a subset of
microsoft:windows."  This should be updated or replaced, give previous
discussions on this list about naming Windows products; at least
"windows" should be "windows-nt".

2) On page 8, where it says "Empty components are legal." -- I'm
struggling to think of a meaningful CPE name with an empty "Part" component.

3) Also on page 8, just before the "Part Component" description,
"Updated" should be "Update".

4) On page 13, shouldn't the example for RHEL be "adv_srv" instead of
"advanced_srv", given the abbreviations listed in 5.3?

5) On page 14, in the example XML, in the line:

   <cpe:fact-ref name="cpe:/o:micorsoft:windows:xp" />

"micorsoft" is misspelled, and "windows" should be "windows-nt".

        Dave


David Lemire
Principal Consultant
& Technical Director
A&N Associates, Inc.
999 Corporate Blvd, Suite 100
Linthicum, Maryland 21090
TEL: 410-859-5449 x111
FAX: 410-859-5292
[hidden email]
www.anassoc.com



Buttner, Drew wrote:

>1) On page 6, where the prefix property is discussed, the example
>provided is "For example, microsoft:windows:xp would be a subset of
>microsoft:windows."  This should be updated or replaced, give previous

>discussions on this list about naming Windows products; at least
>"windows" should be "windows-nt".

Thanks!



>2) On page 8, where it says "Empty components are legal." -- I'm
>struggling to think of a meaningful CPE name with an empty
>"Part" component.

I agree that there might not be a meaningful case, but allowing it
makes it consistent with every other component.  Is the consistency a
better trade-off than the downside of someone actually leaving that
component empty?



>3) Also on page 8, just before the "Part Component" description,
>"Updated" should be "Update".

Thanks


>4) On page 13, shouldn't the example for RHEL be "adv_srv" instead of
>"advanced_srv", given the abbreviations listed in 5.3?

Yes


>5) On page 14, in the example XML, in the line:
>
>   <cpe:fact-ref name="cpe:/o:micorsoft:windows:xp" />
>
>"micorsoft" is misspelled, and "windows" should be "windows-nt".

Thank you very much for these comments.  I will make sure that they get
merged in before the release candidate.

Drew