Seems like it's been awfully quiet on this list lately. Just wanted to let everyone know that the gears are still churning here. We had some interesting conversations offline over the last month and I wanted to keep everyone in the loop on how (my? our?) thinking has evolved.
In conversations internal to NSA, with DISA, NIST, and with some vendors, we've been talking through use cases, schemas, and rationales for how we would be using CPE in some of the products we're developing and planning to acquire. Several general use cases fell out of the discussion that I think summarize the major issues.

Here's my summary of the latest:
1. The CPE name itself -- what can/should go into the CPE string. Component names, default values, reserved values (e.g. "NULL", "UNKNOWN").

2. The CPE language -- how to combine CPE strings to define platforms with dependencies or to group platforms.

3. The CPE submission process -- what I think the original "CPE Dictionary" schema was to be used for -- basically a format to formally submit CPE names to NIST/MITRE for community review and addition to vetted community CPE content. The format should be tightly coupled with the process.

4. The CPE distribution process -- how NIST, and (potentially) vendors, can transmit CPE names and metadata between their content repositories and tools. Pretty much the information you can get from NVD today when you do a dictionary download, plus (in the future) a potentially much larger set of metadata to include information about the common functions of CPE-described platforms, individual component names, check references, license keys, MD5 hashes, etc.

5. CPE-indexed assessment result reporting and aggregation -- reporting of findings about devices on a per-CPE basis, such as vulnerabilities, patch status, settings, inventory, etc.
I've been spending most of my time lately working on the 5th issue. It's a key issue for the DoD since we want all of our SCAP-enabled assessment tools and capabilities to output their SCAP-related content in a common way so we can build out an infrastructure to manage (aggregate, correlate, deconflict, enhance, summarize) our assessment data across the DoD enterprise. I'll be sharing more of that information on the list in the coming weeks. NIST has the charter to work issues 3 and 4, so you should hear from them in the very near future.
Please provide feedback, since we plan to use the formats, languages, interface definitions, and other SCAP and CPE-based languages and interface descriptions we show you on the list in DoD and other federal procurements in the next 1-3 years.
Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700