Vendor to CPE mapping

Steve Meulmeester

Vendor to CPE mapping

At CSEC we created a plateaued mapping where we mapped the Vendors, Assets and then Asset Versions. As we mapped one layer we narrowed the scope of the next plateau to include only those Assets and then Asset Versions that would be applicable. The initial mapping was automated and then was supplemented/enhanced with a U/I (in the zip as cpe.jpg). The benefit to the end user community is an Asset data tree that permits them to navigate to a specific Asset Version to determine applicable vulnerabilities (also a screen shot in the zip named cpe_tree.jpg). The cpe.jpg screenshot illustrates the biggest problem with the data in that the CPE does not stay current as new software versions are released. We had to decide whether to not map new version vendor provided data or to map it to older versions in the CPE. If we didn't map it no vendor provided vulnerabilities for that Asset Version would be assigned. The task is daunting but not unobtainable.
 
Steve Meulmeester
TVAS Developer


Attachment: cpe_mapping.zip (309K)
Wolfkiel, Joseph

Re: Vendor to CPE mapping

I'm hoping this process will begin the work of figuring out how to deal with the problem of introducing new CPEs.  Ideally, if a tool has the functionality similar to what TVAS built, it would construct a CPE as a best-effort mapping against the spec and return it to the vendor who can then quickly submit to MITRE for inclusion into the dictionary.  MITRE would accept it, deprecate it if a different CPE is created, then it would appear in the next publication of the dictionary.  In a best case scenario, this would all happen within a day or so of a new CPE requirement being generated.
 

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

 


From: Steve Meulmeester [mailto:[hidden email]]
Sent: Thursday, April 16, 2009 10:37 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Vendor to CPE mapping

At CSEC we created a plateaued mapping where we mapped the Vendors, Assets and then Asset Versions. As we mapped one layer we narrowed the scope of the next plateau to include only those Assets and then Asset Versions that would be applicable. The initial mapping was automated and then was supplemented/enhanced with a U/I (in the zip as cpe.jpg). The benefit to the end user community is an Asset data tree that permits them to navigate to a specific Asset Version to determine applicable vulnerabilities (also a screen shot in the zip named cpe_tree.jpg). The cpe.jpg screenshot illustrates the biggest problem with the data in that the CPE does not stay current as new software versions are released. We had to decide whether to not map new version vendor provided data or to map it to older versions in the CPE. If we didn't map it no vendor provided vulnerabilities for that Asset Version would be assigned. The task is daunting but not unobtainable.
 
Steve Meulmeester
TVAS Developer


Andrew Buttner

Re: Vendor to CPE mapping

In reply to this post by Steve Meulmeester
Steve,

Thank you very much for sharing this work with the CPE Community.  I think one of the more telling pieces of it is continued justification about the need for CPE.  In the asset_versions.txt file you see Assurent names of:

Adobe Systems:Acrobat (Standard):8.1.1
Adobe Systems:Acrobat:8.1.2

This of course is within one tool.  Inconsistencies like this are even more prevalent when we look at many different tools in the market.  CPE tries to standardize this and move everyone toward a common name.

I am interested in what CPE as a project can / should do with this mapping of Assurent names to CPE Names.  I think it is probably outside the scope of CPE to hold a map to individual tool names.  CPE is pushing for tool vendors like Assurent to hold these maps, or better yet for tool vendors to use CPE Names directly.  I am open to ideas if someone would like to share.

Having said that, the discussion we had on the list was about CPE putting together a mapping between CPE Name and return strings from certain API calls.  For example, let's say that ACME OS has an API getVersion() that returns the installed version of the OS.  Maybe the return of the API is "ACME OS 3.4.5" when that version is installed.  For the CPE Name cpe:/o:acme:os:3.4.5 we could add a reference that says something like acme / getVersion = "ACME OS 3.4.5".  Is this really feasible on the CPE end though?  

Thanks
Drew


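The two problems Drew raises above, tool-specific names that differ for the same product ("Acrobat (Standard)" versus "Acrobat") and a reference table from raw API return strings such as "ACME OS 3.4.5" to a CPE Name, can be worked through in code. The following Python is an added example written for this page, not code from TVAS, Assurent or the CPE project. The vendor alias table, the stand-in dictionary, the ("acme", "getVersion") reference and the component-encoding rules (lowercase, whitespace to underscore, other characters percent-encoded) are assumptions made for the example; it also shows the "candidate" outcome for a version that is not yet in the dictionary, which is the situation Steve describes.

```python
import re

# Vendor aliases are an assumption constructed for this example: the string a
# tool reports on the left, the vendor component used in CPE names on the right.
VENDOR_ALIASES = {
    "adobe systems": "adobe",
    "acme": "acme",
}

# A stand-in for the CPE dictionary (constructed sample, not the real dictionary).
DICTIONARY = {
    "cpe:/a:adobe:acrobat:8.1.1",
    "cpe:/a:adobe:acrobat:8.1.2",
    "cpe:/o:acme:os:3.4.5",
}

# Hypothetical "API return string" references of the kind the post describes:
# (vendor, api) -> {returned string: CPE name}.
API_REFERENCES = {
    ("acme", "getVersion"): {"ACME OS 3.4.5": "cpe:/o:acme:os:3.4.5"},
}

_SAFE = re.compile(r"[a-z0-9._~-]")


def encode_component(text):
    """Encode one CPE 2.2 URI component (encoding rules assumed for this
    example): lowercase, whitespace to '_', anything else outside
    [a-z0-9._~-] percent-encoded."""
    out = []
    for ch in text.strip().lower():
        if ch.isspace():
            out.append("_")
        elif _SAFE.match(ch):
            out.append(ch)
        else:
            out.append("%%%02X" % ord(ch))
    return "".join(out)


def build_cpe22(part, vendor, product, version="", update="", edition="", language=""):
    """Bind the seven CPE 2.2 components to a URI, dropping trailing empty ones."""
    comps = [encode_component(c) for c in
             (part, vendor, product, version, update, edition, language)]
    while len(comps) > 1 and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)


def tool_name_to_cpe(tool_name, part="a"):
    """Best-effort conversion of a 'Vendor:Product:Version' tool string.
    Returns None rather than minting a name for an unknown vendor."""
    fields = tool_name.split(":")
    if len(fields) != 3:
        return None
    vendor, product, version = (f.strip() for f in fields)
    cpe_vendor = VENDOR_ALIASES.get(vendor.lower())
    if cpe_vendor is None:
        return None
    # "Acrobat (Standard)" and "Acrobat" name the same product; move the
    # parenthetical into the edition component instead of the product.
    edition = ""
    m = re.match(r"^(.*?)\s*\(([^)]*)\)$", product)
    if m:
        product, edition = m.group(1), m.group(2)
    return build_cpe22(part, cpe_vendor, product, version, "", edition)


def resolve(tool_name):
    """Classify a tool string: 'exact' (name is in the dictionary), 'candidate'
    (well-formed but not yet in the dictionary: submit it rather than mapping
    it onto an older version), or 'unmapped' (could not be converted)."""
    name = tool_name_to_cpe(tool_name)
    if name is None:
        return None, "unmapped"
    if name in DICTIONARY:
        return name, "exact"
    return name, "candidate"


def resolve_api_string(vendor, api, returned):
    """Look up a raw API return string against the reference table."""
    return API_REFERENCES.get((vendor, api), {}).get(returned)


if __name__ == "__main__":
    for raw in ("Adobe Systems:Acrobat (Standard):8.1.1",
                "Adobe Systems:Acrobat:8.1.2",
                "Adobe Systems:Acrobat:9.0",
                "Unknown Vendor:Thing:1.0"):
        print(raw, "->", resolve(raw))
    print(resolve_api_string("acme", "getVersion", "ACME OS 3.4.5"))
```

The point of the three-way result is that a new version the dictionary does not yet know is reported as a candidate name to be submitted, rather than either silently dropped or forced onto an older version's name.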
Steve Meulmeester

Re: Vendor to CPE mapping

Drew,
We found that one of the real benefits of the mapping to the CPE was that it gave us a tangible target to align to and without it we would be attempting to define our own version of a CPE. I agree that the ideal model would be where software/hardware vendors and those around the edges all communicated about components in a common language, although communicating depends on the target's needs.
 
The data structure to generically define a component and make it usable for any user/machine purpose is enormously complex and not unlike what a manufacturer needs to support. When you go into a Chevy dealer to buy a pickup they hand you a brochure and ask you the colour, weight capacity and maybe engine configuration. You drive out with a blue half ton Silverado which is in fact a highly complex structure of other components which may or may not be found in other models/brands. But depending on whether you are designing the truck, manufacturing it, selling or buying it, the information requirement changes. Most people don't care what alternator a car comes with but those designing, manufacturing, costing and installing it are heavily interested. Most importantly the underlying data must be unified and support all; otherwise what are you building and how much does it cost?
 
We were tasked with determining whether we could use the CPE data to automatically scan PCs for their configuration and then update the platform with required patches. At this point we did not think that the CPE could support this activity in a consistent way.  The important point derived from this requirement was the concept of what the CPE was supposed to do. For my Chevy analogy I described four types of user activities. I am not sure at this point whether I understand how the CPE is supposed to be used and without that it would appear difficult to assess its effectiveness. Has there been any work done on defining what activities the CPE should support and has anyone tried to define a usable generic model to support them?
Thanks,
Steve Meulmeester
On Wed, May 6, 2009 at 6:45 AM, Buttner, Drew <[hidden email]> wrote:
Andrew Buttner

Re: Vendor to CPE mapping

>We found that one of the real benefits of the mapping to the CPE was
>that it gave us a tangible target to align to and without it we would be
>attempting to define our own version of a CPE. I agree that the ideal
>model would be where software/hardware vendors and those around the
>edges all communicated about components in a common language although.

Absolutely.  This is probably the main target benefit of CPE Names.


>The data structure to generically define a component and make it usable
>for any user/machine purpose is enormously complex and not unlike what a
>manufacturer needs to support.

Note that CPE did not try to create such a data structure.  The components of a CPE Name are there to help dynamic creation of a unique name (instead of relying on a man in the middle) and to support matching.  It was never intended to be a structure to hold information about a platform or be used to transfer information about a platform.  A CPE Name is just an id associated with a given platform type.


>When you go into a chevy dealer to buy a
>pickup they hand you a brochure and ask you the colour, weight capacity
>and maybe engine configuration. You drive out with a blue half ton
>silverado which is in fact a highly complex structure of other
>components which may or may not be found in other models/brands. But
>depending if you are designing the truck, manufacturing it, selling or
>buying it the information requirement changes. Most people don't care
>what alternator a car comes with but those designing, manufacturing,
>costing and installing it are heavily interested. Most importantly the
>underlying data must be unified and support all otherwise what are you
>building and how much does it cost.
>
>We were tasked with determining whether we could use the CPE data to
>automatically scan PCs for their configuration and then update the
>platform with required patches.

If I read this correctly, you need to match the return of a software inventory tool, to the target platform tag associated with a patch ...



>At this point we did not think that the
>CPE could support this activity in a consistent way.  The important
>point derived from this requirement was the concept of what the CPE was
>supposed to do. For my Chevy analogy I described four types of user
>activities. I am not sure at this point whether I understand how the CPE
>is supposed to be used and without that it would appear difficult to
>assess its effectiveness. Has there been any work done on defining what
>actitivies the CPE should support and if anyone has tried to define a
>usable generic model to support them?

Yes.  There was a technical use case analysis done and that resulted in defining one target use case to base support.  That is the Software Inventory use case.  Basically, CPE needs to be able to provide a common identifier for things that a software inventory tool would typically collect.  This was further defined to be something:

* A user can download or buy it.
* There is a vendor/organization that produces it.
* An enterprise IT administrator can push it out over the enterprise network and install it into their environment.
* It is (or can be) recorded by an asset management tool.

Turns out that by focusing on this use case, we can support many of the tasks being performed by the community.  Patch and vuln management benefit from having common ids for the target software pieces that a software inventory tool has found on the network.

To see this report go to:

http://n2.nabble.com/CPE-Technical-Use-Case-Analysis-td2323628.html

Thanks
Drew
unifiedcompliance

Re: Vendor to CPE mapping

In reply to this post by Steve Meulmeester
Okay, the UCF team is going to chime in a bit about CPE mapping, vendor names, etc.

I've attached a Word doc and two Excel Examples that are mentioned in the Word Doc. The question put to us was

1) Can the CPE list be extended to include assets that are not hardware, applications, and operating systems, and

2) Can the CPE list be extended so that it is hierarchical in nature so that assets can be tied to their compliance controls.

The answer to both is a tentative yes, but with a lot of work. First, we've found huge issues with the current state of the list regarding vendor names. Since when is a person a vendor? There are a couple of people listed as vendors. Wild. We also found out that the current methodology doesn't allow for acquisition of vendors, selling of products, etc.

So our first proposal outlined in the Word document is to separate the vendor list from the product list and track vendors in a taxonomic hierarchy. And yes, ASSIGN NUMERIC IDs to them.

Our second proposal is a much more stringent approach to list management. Common mistakes such as version 7 as well as version 7.0 of the same product are listed. Misspellings. Etc.

The UCF team are committed to working with the CPE team to either A) extend CPE to include additional asset categories and subclasses, or B) working with the CPE team to fully research and vet all entries and suggest changes to the CPE list entry while maintaining a superset of information that allows us to track assets beyond applications, operating system, and hardware.

We are very much looking forward to the feedback our writeup proposes.

CPEIssues.zip
Thomas R. Jones

Re: Vendor to CPE mapping

Statements inline below.

Sent from my iPhone

On May 17, 2009, at 10:39 PM, unifiedcompliance <[hidden email]> wrote:

> Okay, the UCF team is going to chime in a bit about CPE mapping,  
> vendor
> names, etc.
>
> I've attached a Word doc and two Excel Examples that are mentioned  
> in the
> Word Doc. The question put to us was
>
> 1) Can the CPE list be extended to include assets that are not  
> hardware,
> applications, and operating systems, and
>
> 2) Can the CPE list be extended so that it is hierarchical in nature  
> so that
> assets can be tied to their compliance controls.
>
> The answer to both is a tentative yes, but with a lot of work.  
> First, we've
> found huge issues with the current state of the list regarding  
> vendor names.
> Since when is a person a vendor?

Easily. A "vendor" does not imply a commercial entity. Think open source developers. Think of the computer science students. Both contribute software but do not represent commercial organizations.

> There are a couple of people listed as
> vendors. Wild. We also found out that the current methodology  
> doesn't allow
> for acquisition of vendors, selling of products, etc.
>
The situation that a specific product or entity is sold or acquired does not negate the need for a preexisting CPE declaration. The product or vendor was released as such, and should be able to be referenced after that product or vendor ceases to exist.

I'd have to look at the newest CPE standard, but seemingly a new CPE would need to be defined. Anyone?

> So our first proposal outlined in the Word document is to separate the
> vendor list from the product list and track vendors in a taxonomic
> hierarchy. And yes, ASSIGN NUMERIC IDs to them.
>
Admittedly, I have been overwhelmed with too much work and too little time. But has this age old proposal not been determined yet?

> Our second proposal is a much more stringent approach to list  
> management.
> Common mistakes such as version 7 as well as version 7.0 of the same  
> product
> are listed. Misspellings. Etc.
>
> The UCF team are committed to working with the CPE team to either A)  
> extend
> CPE to include additional asset categories and subclasses, or B)  
> working
> with the CPE team to fully research and vet all entries and suggest  
> changes
> to the CPE list entry while maintaining a superset of information that
> allows us to track assets beyond applications, operating system, and
> hardware.
>
> We are very much looking forward to the feedback our writeup proposes.
>
Andrew Buttner

Re: Vendor to CPE mapping

Dorian,

I'm not sure if others are having the same problem, but the .zip file does not seem to be valid and I cannot open it.  You may want to try sending this directly to the list instead of through the Nabble interface.



>> The answer to both is a tentative yes, but with a lot of work.
>> First, we've
>> found huge issues with the current state of the list regarding
>> vendor names.
>> Since when is a person a vendor?
>
>Easily. A "vendor" does not imply a commercial entity. Think open
>source developers. Think of the computer science students. Both
>contribute software but do not represent commercial organizations.

Yes, CPE needed a convention for creating names for platforms that were not from a commercial organization.  (think open source)  We felt that the best solution was to use the initial developer's name.



>> There are a couple of people listed as
>> vendors. Wild. We also found out that the current methodology
>> doesn't allow
>> for acquisition of vendors, selling of products, etc.
>
>In the situation that a specific product or entity is sold or acquired
>does not negate the need for a preexisting cpe declaration. The
>product or vendor was released as such; and should be able to be
>referenced after that product or vendor ceases to exist.

This is a known issue with the current CPE specification.  There has been talk in the past about using aliases to represent these changed names.  I can say that this issue is something that is sure to be solved by a future major version, but right now we are living with this deficiency until we have a better idea about what the next major version should look like.



>I'd have to look at the newest cpe standard, but seemingly a new cpe
>would need to be defined. Anyone?

Currently, yes.  If vendors merge, or if one vendor is bought by another, then any CPE Name created from that point forward would be with the new vendor name.  Existing CPE Names would not be changed.  



>> So our first proposal outlined in the Word document is to separate the
>> vendor list from the product list and track vendors in a taxonomic
>> hierarchy. And yes, ASSIGN NUMERIC IDs to them.
>>
>Admittedly, I have been overwhelmed with too much work too little
>time. But has this age old proposal not been determined yet?

I think this idea has a lot of merit.  Numeric ids have been talked about a lot in the past.  As has the notion of splitting out the vendor component into a separate enumeration.  I think there is promise in this, especially if we change the way CPE Matching works and use a solution that does not rely on the URI structure.  This is again a version 3 discussion.

The CPE team here at MITRE has had some focused discussions on what some different version 3 proposals might look like.  We have been trying to determine the different needs of the community as well as determine where the current specification falls down.  Many of these ideas have been shared with the community.  Our next step is to formalize these ideas into official proposals that we can discuss as a community.  I will try to put more effort into this to get these moving again.

Thanks
Drew
Andrew Buttner

Re: Vendor to CPE mapping

In reply to this post by unifiedcompliance
>Our second proposal is a much more stringent approach to list
>management.  Common mistakes such as version 7 as well as
>version 7.0 of the same product are listed. Misspellings. Etc.

Note that these are intended to be DIFFERENT platform types.  '7' is the platform type that represents all version 7 platforms (i.e. 7.0, 7.1, 7.2, etc.).  '7.0' is used to identify the first version 7 platform.

Thanks
Drew
unifiedcompliance

Re: Vendor to CPE mapping

In reply to this post by Steve Meulmeester
So that means that 7 and 7.0 are different somehow? Wouldn't normalized database nomenclature state that 7.0 begins the subordination of all further 7.x versions?

Dorian J. Cougias
Founder and Lead Analyst, Unified Compliance Framework



-------

This e-mail legal notice is enforceable and binding on any recipient or addressee in terms of the international Electronic Communications and Transaction Act (ECT) 25 of 2002 and the Uniform Electronic Transactions Act (UETA) of the United States. This message contains information intended solely for the addressee, which may be legally privileged and is confidential. If you are not the intended recipient, you shall not peruse, use, disseminate, distribute or copy this message or any file attached to this message. If you have received this message in error, please e-mail the sender by replying to this message. Any agreements concluded with Network Frontiers LLC or the Unified Compliance Framework by using electronic correspondence shall only come into effect once Network Frontiers LLC or the Unified Compliance Framework confirm such contract formation in a follow up or return communication and always subject to the requirements of the ECT and UETA Acts and general principles of contract law. The law of California and the United States shall govern this legal notice and e-mail message.

-------- Original Message --------
Subject: Re: [CPE-DISCUSSION-LIST] Vendor to CPE mapping
From: "Buttner, Drew" <[hidden email]>
Date: Mon, May 18, 2009 9:05 am
To: [hidden email]

Sheldon Malm

Re: Vendor to CPE mapping

In reply to this post by Steve Meulmeester

It would not. Under normal hierarchical structure, 7 would be the "parent" of all 7.x "children"; 7.0 would be the first "child" of the 7 "parent".

These are different logical levels, where 7 represents a class and 7.0 represents a member of that class.

--------------------------
Sheldon Malm
Director
Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld


From: Dorian Cougias <[hidden email]>
To: [hidden email] <[hidden email]>
Sent: Mon May 18 09:20:12 2009
Subject: Re: [CPE-DISCUSSION-LIST] Vendor to CPE mapping

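Drew's and Sheldon's posts above describe two different readings of a version component: under literal component-by-component comparison '7' and '7.0' are just different strings, while under the dictionary convention they describe, '7' is the class of all 7.x releases and '7.0' is one member of it. The Python below is an added example written for this page, not code from the CPE project or any poster, that implements both rules side by side and builds the parent/child version tree Sheldon describes. The sample names, the literal matching rule (empty components treated as wildcards, as in CPE 2.2 matching) and the "dot-less version means class" rule are assumptions of the example, stated as the thread states them, not a reading of the specification text.

```python
from collections import defaultdict

# Constructed sample dictionary entries (not from the real CPE dictionary).
SAMPLE_NAMES = [
    "cpe:/a:example:widget:7",
    "cpe:/a:example:widget:7.0",
    "cpe:/a:example:widget:7.1",
    "cpe:/a:example:widget:8.0",
    "cpe:/a:example:widget:70",
    "cpe:/o:acme:os:3.4.5",
]

PREFIX = "cpe:/"


def split_cpe22(name):
    """Split a CPE 2.2 URI into its seven components, padding missing ones."""
    if not name.startswith(PREFIX):
        raise ValueError("not a CPE 2.2 URI: %r" % name)
    comps = name[len(PREFIX):].split(":")
    if len(comps) > 7:
        raise ValueError("too many components: %r" % name)
    return comps + [""] * (7 - len(comps))


def component_match(pattern, name):
    """Literal component-wise match (assumed CPE 2.2 style): every non-empty
    component of pattern must equal the same component of name. Under this
    rule '7' and '7.0' are simply different strings and do not match."""
    return all(p == "" or p == n
               for p, n in zip(split_cpe22(pattern), split_cpe22(name)))


def version_class_match(pattern, name):
    """The convention stated in the thread: a dot-less version such as '7'
    names the class of all 7.x releases, while '7.0' names one member."""
    p, n = split_cpe22(pattern), split_cpe22(name)
    for i, (pc, nc) in enumerate(zip(p, n)):
        if pc == "":
            continue                      # empty pattern component: wildcard
        if i == 3 and "." not in pc:      # version component in class form
            if nc == pc or nc.startswith(pc + "."):
                continue                  # '7' covers '7' and '7.x', not '70'
            return False
        if pc != nc:
            return False
    return True


def build_version_tree(names):
    """(part, vendor, product) -> major version -> sorted member versions,
    i.e. the parent/child layout described in the thread."""
    tree = defaultdict(lambda: defaultdict(set))
    for name in names:
        part, vendor, product, version = split_cpe22(name)[:4]
        if version == "":
            continue
        major = version.split(".")[0]
        tree[(part, vendor, product)][major].add(version)
    return {key: {major: sorted(members) for major, members in majors.items()}
            for key, majors in tree.items()}


def members_of_class(names, class_name):
    """All names that fall under a class-form name such as ...:widget:7."""
    return [n for n in names if version_class_match(class_name, n)]


if __name__ == "__main__":
    w7 = "cpe:/a:example:widget:7"
    print(component_match(w7, "cpe:/a:example:widget:7.0"))      # False
    print(version_class_match(w7, "cpe:/a:example:widget:7.0"))  # True
    print(members_of_class(SAMPLE_NAMES, w7))
    print(build_version_tree(SAMPLE_NAMES))
```

The `startswith(pc + ".")` check is what keeps the class rule honest: a version component of '70' shares a prefix with '7' but is not a member of the 7.x class, so a naive prefix match would over-assign vulnerabilities.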
unifiedcompliance

Re: Vendor to CPE mapping

In reply to this post by Steve Meulmeester
Thanks.

We'll go back through the list and ensure that we have a major version list (1, 2, 3, etc.) for all applications if they have multiple versions. We'll then subordinate the actual versions (version 1.0, 1.1, etc.) underneath the major version list.

We're pretty much doing that already for products we've found without a version number wherein we've added the product and then subordinated the first version we found below it.
Dorian J. Cougias
Founder and Lead Analyst, Unified Compliance Framework
 
 
 

 

-------- Original Message --------
Subject: Re: [CPE-DISCUSSION-LIST] Vendor to CPE mapping
From: Sheldon Malm <[hidden email]>
Date: Mon, May 18, 2009 1:57 pm
To: [hidden email]

It would not. Under normal hierarchical structure, 7 would be the "parent" of all 7.x "children"; 7.0 would be the first "child" of the 7 "parent".

These are different logical levels, where 7 represents a class and 7.0 represents a member of that class.

--------------------------
Sheldon Malm
Director
Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld

From: Dorian Cougias <[hidden email]>
To: [hidden email] <[hidden email]>
Sent: Mon May 18 09:20:12 2009
Subject: Re: [CPE-DISCUSSION-LIST] Vendor to CPE mapping
So that means that 7 and 7.0 are different somehow? Wouldln't normalized database nomenclature state that 7.0 begins the subordination of all further 7.x versions?

Dorian J. Cougias
Founder and Lead Analyst, Unified Compliance Framework



-------

This e-mail legal notice is enforceable and binding on any recipient or addressee in terms of the international Electronic Communications and Transaction Act (ECT) 25 of 2002 and the Uniform Electronic Transactions Act (UETA) of the United States. This message contains information intended solely for the addressee, which may be legally privileged and is confidential. If you are not the intended recipient, you shall not peruse, use, disseminate, distribute or copy this message or any file attached to this message. If you have received this message in error, please e-mail the sender by replying to this message. Any agreements concluded with Network Frontiers LLC or the Unified Compliance Framework by using electronic correspondence shall only come into effect once Network Frontiers LLC or the Unified Compliance Framework confirm such contract formation in a follow up or return communication and always subject to the requirements of the ECT and UETA Acts and general principles of contract law. The law of California and the United States shall govern this legal notice and e-mail message.

-------- Original Message --------
Subject: Re: [CPE-DISCUSSION-LIST] Vendor to CPE mapping
From: "Buttner, Drew" <[hidden email]>
Date: Mon, May 18, 2009 9:05 am
To: [hidden email]

>Our second proposal is a much more stringent approach to list
>management. Common mistakes such as version 7 as well as
>version 7.0 of the same product are listed. Misspellings. Etc.

Note that these are intended to be DIFFERENT platform types. '7' is the platform type that represents all version 7 platforms (i.e. 7.0, 7.1, 7.2, etc.). '7.0' is used to identify the first version 7 platform.

Thanks
Drew
unifiedcompliance

Re: Vendor to CPE mapping

In reply to this post by Steve Meulmeester
After again examining the Microsoft portion of the CPE list, we found that every Microsoft application except certain versions of Internet follow the case where a minor version is listed without its major version first.

It looks like the only products that actually follow the convention stated to us are Internet Explorer 5, 6, and 7. The rest of the software just has a version number listed.

Does this mean that we should correct every application within the system for consistency, or can we simply take out the less than handful of references to Internet Explorer versions without a dot release?

Also, if we are to follow the "version release" method, what is the convention for releases of software that don't have "dot level" version numbers, such as Microsoft Office 2007?

Dorian J. Cougias
Founder and Lead Analyst, Unified Compliance Framework




-------- Original Message --------
Subject: RE: [CPE-DISCUSSION-LIST] Vendor to CPE mapping
From: "Dorian Cougias" <[hidden email]>
Date: Mon, May 18, 2009 7:02 pm
To: "CPE Community Forum" <[hidden email]>
Cc: [hidden email], "Erwin Rydell" <[hidden email]>

Thanks.

We'll go back through the list and ensure that we have a major version list (1, 2, 3, etc.) for all applications if they have multiple versions. We'll then subordinate the actual versions (version 1.0, 1.1, etc.) underneath the major version list.

We're pretty much doing that already for products we've found without a version number wherein we've added the product and then subordinated the first version we found below it.
Dorian J. Cougias
Founder and Lead Analyst, Unified Compliance Framework
 
 
 
Andrew Buttner

Re: Vendor to CPE mapping

Dorian,

This is great research!

>After again examining the Microsoft portion of the CPE list, we
>found that every Microsoft application except certain versions of
>Internet follow the case where a minor version is listed without its
>major version first.

Could you provide an example of this?  I guess I am confused by what you are finding.  I feel like all the applications have a major version, just that some of them are encoded in terms like '2000' or '2003'.

Is the claim that there is cpe:/a:microsoft:exchange_server:5.5 but no cpe:/a:microsoft:exchange_server:5?  If so, that is probably because there hasn't been a need for the  major version 5 name so no one has submitted it.


>It looks like the only products that actually follow the convention
>stated to us are Internet Explorer 5, 6, and 7. The rest of the software
>just has a version number listed.
>
>Does this mean that we should correct every application within the
>system for consistency, or can we simply take out the less than handful
>of references to Internet Explorer versions without a dot release?
>
>Also, if we are to follow the "version release" method, what is the
>convention for releases of software that don't have "dot level" version
>numbers, such as Microsoft Office 2007?

This is the premise of the thread discussion started under Microsoft OS Naming.  Granted that thread focuses on operating systems, but the same argument holds for applications and my thinking would be that the decision would carry over.  Do you have any thoughts on this matter?  If so it would be great to post as a reply to that thread.

Thanks
Drew

unifiedcompliance

Re: Vendor to CPE mapping

In reply to this post by Steve Meulmeester
It doesn't matter to us which way the list membership wants to go -- as long as the list can be maintained in a consistent manner.

If the list membership does want to go with

Product Name
     Major Release
          Versioned Release

Then we'll adjust accordingly and we'll do all of the edits of the list so that if we find products that don't have a major release such as the following

Application A
     Version 7
          Version 7.1
     Version 8.0

Then we'll add the appropriate "major release" entry so that it properly reads

Application A
     Version 7
          Version 7.1
     Version 8
          Version 8.0

If that's what everyone wants, that's the standard we'll clean things up to.


Dorian J. Cougias
Founder and Lead Analyst, Unified Compliance Framework




Andrew Buttner

Re: Vendor to CPE mapping

Here is the dilemma we find ourselves in ...

Regarding:

Application A
     Version 7
          Version 7.0
          Version 7.1
     Version 8
          Version 8.0

All of these names are needed by different people for different purposes.  Some users need to link information related to the application name.  Others need to do so related to a major release.  Still others need to talk about a specific version.

The current CPE Specification supports the creation of all of these names.

But we have realized that maintaining / storing all of these names is not feasible.  So we have been looking at alternative ways to do this that might help solve the problem.  In the meantime we have been adding names that are needed to the dictionary.

NIST - is this a correct interpretation of the problem as you see it?

Thanks
Drew



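One way to carry out the cleanup Dorian describes above and to derive the major-release level that Drew says different users need, as an added example that is not code from the CPE project or from anyone in the thread: it parses CPE 2.2 URIs of the form quoted above (cpe:/part:vendor:product:version), builds the Product / Major release / Versioned release tree, and reports the major-release names a flat list implies but lacks. The sample names are constructed, and example_vendor / application_a are placeholders.

```python
from collections import defaultdict

CPE22_PREFIX = "cpe:/"

# Constructed sample list, not taken from the CPE dictionary; example_vendor and
# application_a are placeholders. Application A has a "7" major-release name but
# no "8"; Exchange has 5.5 without 5; Office 2007 has no dot level at all.
SAMPLE_NAMES = [
    "cpe:/a:example_vendor:application_a",
    "cpe:/a:example_vendor:application_a:7",
    "cpe:/a:example_vendor:application_a:7.1",
    "cpe:/a:example_vendor:application_a:8.0",
    "cpe:/a:microsoft:exchange_server:5.5",
    "cpe:/a:microsoft:office:2007",
]


def parse_cpe22(name):
    """Split a CPE 2.2 URI into (product_uri, version); version is None for a bare product."""
    if not name.startswith(CPE22_PREFIX):
        raise ValueError("not a CPE 2.2 URI: %r" % name)
    fields = name[len(CPE22_PREFIX):].split(":")
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError("part, vendor and product are required: %r" % name)
    product_uri = CPE22_PREFIX + ":".join(fields[:3])
    version = fields[3] if len(fields) > 3 and fields[3] else None
    return product_uri, version


def major_of(version):
    """Major-release label of a version: '7.1' -> '7', '7' -> '7', '2007' -> '2007'."""
    return version.split(".", 1)[0]


def _version_key(label):
    """Sort key so '7.2' precedes '7.10'; non-numeric segments sort after numeric ones."""
    return [(0, int(seg)) if seg.isdigit() else (1, seg) for seg in label.split(".")]


def build_tree(names):
    """Group names as Product -> Major release -> sorted dotted releases.

    A bare major name such as '7' opens its level; '7.0' is the first child of
    that level, not the level itself (the distinction Sheldon and Drew draw above).
    """
    tree = defaultdict(lambda: defaultdict(set))
    for name in names:
        product_uri, version = parse_cpe22(name)
        majors = tree[product_uri]               # register the product even without versions
        if version is None:
            continue
        children = majors[major_of(version)]     # create the major-release level
        if version != major_of(version):         # a dotted release sits under its major
            children.add(version)
    return {p: {m: sorted(v, key=_version_key) for m, v in majors.items()}
            for p, majors in tree.items()}


def missing_major_names(names):
    """Major-release names the flat list implies but lacks: '8.0' needs '8'.

    A name with no dot level, such as '2007', is its own major and needs no parent.
    """
    present = set(names)
    missing = set()
    for name in names:
        product_uri, version = parse_cpe22(name)
        if version is None:
            continue
        parent = product_uri + ":" + major_of(version)
        if parent != name and parent not in present:
            missing.add(parent)
    return missing
```

Running missing_major_names over SAMPLE_NAMES yields the two parent names to add (application_a:8 and exchange_server:5), while office:2007 needs nothing because it is its own major release.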

unifiedcompliance

Re: Vendor to CPE mapping

We can actually track as you stated below. It's pretty easy for us to
maintain this, and maintain it in a hierarchical structure.

Three things

A) We'd be happy to present our tracking methodology and XML schema to
everyone and make it freely available to them.

B) We'd be happy to maintain the information in this hierarchical order, as
we have to do that anyway for our own purposes.

C) We'd be happy to freely give away this version of the CPE list in XML to
the group.
