draft version 2.1 specification

I have tried to roll up many of the suggestions made via the discussion
list over the past 2 months.  Attached is a draft of version 2.1.  Note
that this would be a minor change and would not affect the structure
used to create CPE Names.  Below is a list of things included in 2.1

- added Part identifiers for:
   * Runtime Environments
   * Libraries
   * Drivers
   * Virtual Environments
- added Reporting use case
- clarified how to handle the Vendor Component when multiple DNS names
are registered
- clarified how to determine the Product Component (used most common
recognizable name)
- fixed Microsoft Windows examples
- fixed bug in "namePattern" in schemas
- allowed multiple "title" elements in dictionary schema

If you have additional comments or suggestions, please forward them
onto the list.

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Drew,

Thank you for making these updates.  Did you update the 2.0 schemas to
reflect the proper CPE name pattern based on the CPE 2.0 spec?  If not,
this should be done ASAP to correct the defect for organizations that
are currently using CPE 2.0.

Dave

Yes, here are draft copies of the schema files that have the small
changes outlined in the draft 2.1 spec.

One question, I noticed that the namespaces used are:

http://cpe.mitre.org/language/2.0
http://cpe.mitre.org/dictionary/2.0

I'm drawing a blank as to if the intention was to change the namespace
with each minor release, or if this was an oversight on my part and the
namespace should have just ended with '2'.  What does everyone think?
I know there is some split opinions on this topic in OVAL.

Thanks
Drew

I would like to suggest that for both of the xsd files that the schemaLocation
attribute value for the xsd:import tag point to the full absolute path to the
schema file (i.e. http://www.w3.org/2001/xml.xsd instead of xml.xsd).  This will
let anyone know who wishes to use these schema files (and validate them) where
to obtain the supporting files.

Regards,

-Harold

Quoting "Buttner, Drew" <[hidden email]>:

 I am in favor of changing the namespace on each release. My SCAP
database model (available at http://oval.lassesen.com/Nist2007) showed
that it results in simpler processing and I am a hopeless romantic (i.e.
KISS).


Ken Lassesen,
Office 206-734-4718 Home: 360-297-4717   Cell: 360-509-2402  Skype:
Ken.Lassesen
IM: [hidden email]  

CONFIDENTIALITY NOTICE
The information contained in this electronic message may contain
confidential and privileged information and is intended only for use by
the individual(s) or entity(ies) to whom it was addressed. Any
unauthorized review, use, disclosure, or distribution of this
communication is strictly prohibited. If you are not the intended
recipient, please contact the sender by reply email and permanently
delete and destroy the original message.


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, November 07, 2007 4:51 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] draft version 2.1 specification

Yes, here are draft copies of the schema files that have the small
changes outlined in the draft 2.1 spec.

One question, I noticed that the namespaces used are:

http://cpe.mitre.org/language/2.0
http://cpe.mitre.org/dictionary/2.0

I'm drawing a blank as to if the intention was to change the namespace
with each minor release, or if this was an oversight on my part and the
namespace should have just ended with '2'.  What does everyone think?
I know there is some split opinions on this topic in OVAL.

Thanks
Drew

Drew,

Some minor comments on v2.1.

        Dave

David Lemire
Director of Technology
     and Corporate Capabilties
A&N Associates, Inc.
999 Corporate Blvd, Suite 100
Linthicum, Maryland 21090
TEL: 410-859-5449 x111
FAX: 410-859-5292
[hidden email]
www.anassoc.com






 

I disagree this fits as a 2.x release.  The addition of the new part
identifiers makes the CPE's I'm using obsolete.  Seems like that would
justify classifying this as a major, versus minor release.  I would advocate
removing the new part identifiers from this release.  I also disagree that
adding new part identifiers is necessarily the way to go without having a
discussion first.  My personal opinion is that it's probably better to talk
about the target HW and SW environments for a given application or OS, (or
potentially, virtualized hardware) which should accomodate virtualization,
macros, drivers, and runtime environments.  It does make sense to add a new
part for data files which, if used, would result in vulnerabilities.  But I
think that should be a function of a 3.0 release to come out much later.

My suggestions for this minor release:

1.  Insert all colons for all CPE parts.  This eases the construction of CPE
names using a concatenate function when it is automated.
2.  Change naming scheme for products that use the nn.nn.nn.nn numbering
scheme so that the version field holds the highest order version and the
edition or update field holds the complete nn.nn.nn.nn version information.
This would allow us to map vulnerabilities at the product-version level and
lower level becomes an OVAL problem.
3.  Provide implementation guidance for what to do with target SW and HW
specifications (e.g. MS Word for MacOSX, or Windows XP 64 bit)
4.  Require spelling out of all names versus mandatory abbreviations from an
arbitrary list.  I'm attaching a list of update names for Microsoft
products.  I think it's clear from just this list that the abbreviation
problem will become unmanageable in the near future if we attempt to keep up
with vendor abbreviations.  I also can't explain what some of the
abbreviations mean, which means humans would have to continually have a copy
of the abbreviation guide handy.  There's also the problem with abbreviation
overlap -- e.g. FR=French and FR=Feature Release.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

NSA/I71
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Tuesday, November 06, 2007 8:15 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] draft version 2.1 specification


I have tried to roll up many of the suggestions made via the discussion
list over the past 2 months.  Attached is a draft of version 2.1.  Note
that this would be a minor change and would not affect the structure
used to create CPE Names.  Below is a list of things included in 2.1

- added Part identifiers for:
   * Runtime Environments
   * Libraries
   * Drivers
   * Virtual Environments
- added Reporting use case
- clarified how to handle the Vendor Component when multiple DNS names
are registered
- clarified how to determine the Product Component (used most common
recognizable name)
- fixed Microsoft Windows examples
- fixed bug in "namePattern" in schemas
- allowed multiple "title" elements in dictionary schema

If you have additional comments or suggestions, please forward them
onto the list.

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

David,

Thank you very much for your comments.  I have merged them into the
draft and will release a new version of the draft shortly after looking
at other responses.

Thanks
Drew
 

>I would like to suggest that for both of the xsd files that
>the schemaLocation
>attribute value for the xsd:import tag point to the full
>absolute path to the
>schema file (i.e. http://www.w3.org/2001/xml.xsd instead of
>xml.xsd).  This will
>let anyone know who wishes to use these schema files (and
>validate them) where to obtain the supporting files.

Note: this is in reference to the following statement

<xsd:import namespace="http://www.w3.org/XML/1998/namespace"
            schemaLocation="xml.xsd"/>

If implemented the way you suggest, would validators only be able to
retrieve this imported schema by going out over the internet?  What
would happen when the internet is not available?  Is there a way to
fall back to a local copy?

Thanks
Drew

> I am in favor of changing the namespace on each release. My SCAP
>database model (available at http://oval.lassesen.com/Nist2007) showed
>that it results in simpler processing and I am a hopeless
>romantic (i.e. KISS).

Any other thoughts out there on this?  Here is a good article outlining
the challenge.

http://www.ibm.com/developerworks/xml/library/x-tipnamsp.html

Thanks
Drew

I found the following excerpt from the "XML Schema Part 0: Primer Second
Edition" by W3C which can be found at http://www.w3.org/TR/xmlschema-0/#ref40.

"In an instance document, the attribute xsi:schemaLocation provides hints from
the author to a processor regarding the location of schema documents. The author
warrants that these schema documents are relevant to checking the validity of
the document content, on a namespace by namespace basis.
..<example snipped>...
The schemaLocation attribute value consists of one or more pairs of URI
references, separated by white space. The first member of each pair is a
namespace name, and the second member of the pair is a hint describing where to
find an appropriate schema document for that namespace. The presence of these
hints does not require the processor to obtain or use the cited schema
documents, and the processor is free to use other schemas obtained by any
suitable means, or to use no schema at all."

This seems to suggest that authors can (and should) provide hints to users of
their schema as to where to find supporting schema documents.

From my practical experience using the Java API, as the developer, I have
control over what schemas are used and where they are located, regardless of
the schemaLocation value contained in any import or include statements.

-Harold

Quoting "Buttner, Drew" <[hidden email]>:

Joe,

I have some similar concerns about adding new types to dictionary in a
minor version especially where there is overlap with an existing type.
I have not formed a complete opinion on this yet and I am interested in
understanding more about your concerns regarding the new parts.  Can you
give some examples as to how this is causing problems for you?

More regarding your suggestions below.

Is the CPE more expressive if all colons are included?  Are
implementations easier with having them versus not having them?  The
behavior should be the same regardless of trailing colon use.

> 2.  Change naming scheme for products that use the
> nn.nn.nn.nn numbering scheme so that the version field holds
> the highest order version and the edition or update field
> holds the complete nn.nn.nn.nn version information.
> This would allow us to map vulnerabilities at the
> product-version level and lower level becomes an OVAL problem.

What if the product also has an update or edition?  Can you provide some
examples?

> 3.  Provide implementation guidance for what to do with
> target SW and HW specifications (e.g. MS Word for MacOSX, or
> Windows XP 64 bit)

This would be good.

If the maintainers of the official CPE dictionary apply the
abbreviations consistently I don't think it matters as long as the name
is static once entered into the dictionary.  If implementations use
static mappings from this name to another equivalent non-CPE name or the
CPE prescribed check mechanisms to determine applicability of a CPE this
is also a non issue.  So what we are left with is a personal choice as
to what direction to go.  I don't have a strong opinion either way
considering all of this.

My responses follow.

- Joe

Q: I have some similar concerns about adding new types to dictionary in a
minor version especially where there is overlap with an existing type.  I
have not formed a complete opinion on this yet and I am interested in
understanding more about your concerns regarding the new parts.  Can you
give some examples as to how this is causing problems for you?  

Response: Specifically, some of the existing CPEs that are in the NVD now
would have to be re-classified if the new parts are introduced.  As an
example off the top of my head, JRE is already in the NVD classified as an
application.  We have mapped our apps against it's CPE ID and would have to
go back and re-map if the CPE changes as a result of the new type
definitions.  I'm also not comfortable that we need the additional part
types to do what we want to do AND we're adding significant complexity by
doing it.

> 1.  Insert all colons for all CPE parts.  This eases the construction of
CPE names using a concatenate function when it is automated.

Q: Is the CPE more expressive if all colons are included?  Are
implementations easier with having them versus not having them?  The
behavior should be the same regardless of trailing colon use.

Response: Not more expressive, just easier to build business logic if you're
using a database to dynamically create CPE names.  E.G.  I created CPE names
for our application database by concatenating "cpe://",[part
type],":",[vendor
name],":",[product],":",[version],":",[update],":",[edition],":",[language].
When a field was blank, the concatenate statement still put in the colons
and there isn't a graceful way to delete them back off.  I'm not sure about
how the rest of the community is constructing CPE names, but I'm thinking
they may come across similar problems.

> 2.  Change naming scheme for products that use the nn.nn.nn.nn numbering
scheme so that the version field holds the highest order version and the
edition or update field holds the complete nn.nn.nn.nn version information.
This would allow us to map vulnerabilities at the product-version level and
lower level becomes an OVAL problem.

Q: What if the product also has an update or edition?  Can you provide some
examples?

Response:  It seems that many of the vendors that use the nn.nn.nn.nn naming
convention release patches as software updates that change the later parts
of the nn.nn.nn.nn name, so maybe it would be more appropriate to put the
minor version stuff in the Update column versus the edition column..  My
specific examples include Cisco IOS, Oracle Database, the Linux Kernel
Versions, and Sun OSs.

Oracle and Cisco, in particular have extensive minor version identifiers
(like "12.4(6)T1" for Cisco IOS and "8.1.5.0.0 Enterprise" for Oracle
Database).  In many cases, our databases don't specify all the full minor
version information, so we may have to search for potential vulnerabilities
based solely on the product and major version.  It would be helpful if that
were broken out already so we don't have to build specialized queries to try
to break it out of the nn.nn.nn.nn version names.

> 4.  Require spelling out of all names versus mandatory abbreviations from
an arbitrary list.  I'm attaching a list of update names for Microsoft
products.  I think it's clear from just this list that the abbreviation
problem will become unmanageable in the near future if we attempt to keep up
with vendor abbreviations.  I also can't explain what some of the
abbreviations mean, which means humans would have to continually have a copy
of the abbreviation guide handy.  There's also the problem with abbreviation
overlap -- e.g. FR=French and FR=Feature Release.

Q: If the maintainers of the official CPE dictionary apply the abbreviations
consistently I don't think it matters as long as the name is static once
entered into the dictionary.  If implementations use static mappings from
this name to another equivalent non-CPE name or the CPE prescribed check
mechanisms to determine applicability of a CPE this is also a non issue.  So
what we are left with is a personal choice as to what direction to go.  I
don't have a strong opinion either way
considering all of this.

Response:  My push to spell out names rather than attempt to manage
abbreviations is just the two issues:  1.  XML is meant to be human
readable, so you shouldn't have to consult the CPE spec abbreviation lookup
table to interpret what a CPE says; and 2.  There's workload involved in
constantly evaluating, assigning, and maintaining an abbreviation list.  I
don't really want to pay for that, and I'm not sure anyone else wants to
either.  Other than those two issues, I don't have any real strong feelings
about abbreviations.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

NSA/I71
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Waltermire, Dave [USA] [mailto:[hidden email]]
Sent: Thursday, November 15, 2007 12:36 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] draft version 2.1 specification


Joe,

I have some similar concerns about adding new types to dictionary in a
minor version especially where there is overlap with an existing type.
I have not formed a complete opinion on this yet and I am interested in
understanding more about your concerns regarding the new parts.  Can you
give some examples as to how this is causing problems for you?

More regarding your suggestions below.

Is the CPE more expressive if all colons are included?  Are
implementations easier with having them versus not having them?  The
behavior should be the same regardless of trailing colon use.

> 2.  Change naming scheme for products that use the
> nn.nn.nn.nn numbering scheme so that the version field holds
> the highest order version and the edition or update field
> holds the complete nn.nn.nn.nn version information.
> This would allow us to map vulnerabilities at the
> product-version level and lower level becomes an OVAL problem.

What if the product also has an update or edition?  Can you provide some
examples?

> 3.  Provide implementation guidance for what to do with
> target SW and HW specifications (e.g. MS Word for MacOSX, or
> Windows XP 64 bit)

This would be good.

If the maintainers of the official CPE dictionary apply the
abbreviations consistently I don't think it matters as long as the name
is static once entered into the dictionary.  If implementations use
static mappings from this name to another equivalent non-CPE name or the
CPE prescribed check mechanisms to determine applicability of a CPE this
is also a non issue.  So what we are left with is a personal choice as
to what direction to go.  I don't have a strong opinion either way
considering all of this.

Joe/Drew,

Drew, could you provide some explanation as to the immediate need for
the addition of these new part types.  Is there a member of the CPE
community that needs to use the new types of CPE in a production
environment or for a prototype?  I would rather wait on any part
additions if possible until we are able to flesh out a larger, more
complete official CPE database.  Lets pick our battles for now.

I wrote a custom SQL function that does this without adding the extra
colons.  I don't see a need for them.  Any other experiences with this?

Drew, do you have any thoughts here?  I know you have looked into Cisco.
For both I suggest that we engage the vendor to tell us how they want to
do it.

There isn't much workload here, but you have a good point.  The question
I have is if we abandon abbreviations, how do we handle the existing
abbreviated names that have been published?  I'd like to find a way that
would avoid having NIST pay for changing everything to an unabbreviated
form.

Dave

When you start dealing with applications, you don't see as many updates,
editions and languages.  

Making colons optional also has the advantage of being forward compatible
with any number of parts that seem to be coming down the pipeline.

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

That's an easy win.  Is making colons optional a good compromise?

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T)
Program Management Office

NSA/I71
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Vladimir Giszpenc [mailto:[hidden email]]
Sent: Friday, November 16, 2007 12:14 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] draft version 2.1 specification


When you start dealing with applications, you don't see as many updates,
editions and languages.  

Making colons optional also has the advantage of being forward
compatible
with any number of parts that seem to be coming down the pipeline.

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

 

The reason for the proposed additions of platform part was because of
requests from the community.  In addition to supporting the possible
creation of CPE for java libraries, there was also the suggestion that
we add in support for future needs.  See the following thread:

http://www.nabble.com/Maven2-POM-to-CPEs-tf4562572.html

My feeling was that additional platform parts do not invalidate
existing CPE Names and therefore should not affect current users of
CPE.  As far as I am aware, no current CPE Name in the CPE Dictionary
would have to be re-classified under these new platform parts.

Wolfkiel - I think the CPE list you were looking at was an old list
from NVD that was not officially part of CPE and was done as an
exercise to see how things would work.  I do agree that some of those
names that were set up as applications would fit into the proposed
platform parts.

Thanks
Drew

Note that the trailing colons are already optional in the spec and should
not be present if a CPE Name only uses some of the first few components.
Please refer to the BNF grammar in Appendix A of the spec.

Thanks
Drew

It is known that the Version Component is going to be troublesome.
There doesn't seem to be anyway to nicely break things apart that give
us the flexibility we need.  Cisco IOS is prime example of this.  For
the short term we settled on just having one component.  If a CPE Name
is needed at different version levels (for example 5.3 and 5.3.4) then
both CPE Names should exist.  The downside to this is that matching
will not work across these different CPE Names.

If there is a suggestion out there, we are all ears!

Thanks
Drew

>4.  Require spelling out of all names versus mandatory
>abbreviations from an
>arbitrary list.  I'm attaching a list of update names for Microsoft
>products.  I think it's clear from just this list that the
abbreviation
>problem will become unmanageable in the near future if we
>attempt to keep up with vendor abbreviations.

The reason for abbreviations was to help keep the size of CPE Names
manageable.  If the community does not see this as a useful goal and
don't mind slightly bigger names then we can remove the idea of
abbreviations.  What do others in the community think?



>I also can't explain what some of the
>abbreviations mean, which means humans would have to
>continually have a copy of the abbreviation guide handy.

Note that the CPE Name is not meant to be human readable.  The <title>
field of the CPE Dictionary entry is meant to be the human readable
string.

I do agree that when creating new CPE Names, one will have to have the
list of abbreviations handy.  Because of this, we have tried to limit
the abbreviations to only very common terms.



>There's also the problem with abbreviation
>overlap -- e.g. FR=French and FR=Feature Release.

The defined table of abbreviation in the CPE Spec (updated via the CPE
Web site) solves this problem by defining the official abbreviations.

Thanks
Drew