Making Security Measurable › CPE - Common Platform Enumeration

names with no vendor

5 messages Options
Embed this post
Permalink
Andrew Buttner

names with no vendor

Reply Threaded More More options
Print post
Permalink
What about applications that do not have a vendor associated with them?
For example, there are a number of shareware tools that have been
developed by an individual and posted to the web.  They don't have a
vendor, just a tool name.

My suggestion would be that the vendor component be left blank, so the
name would look like:

cpe:///:tool_name:1.2.3

Any reason against this?


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Ken Lassesen-2

Re: names with no vendor

Reply Threaded More More options
Print post
Permalink
Two additional solutions:
1) have the vendor being the licensing term that it is under...
2) use the individual's name


Ken Lassesen,
HomeOffice: 360-297-4717   Cell: 360-509-2402  Fax: 928-832-6836
IM: [hidden email]  [hidden email]
mailto:[hidden email]
CONFIDENTIALITY NOTICE
The information contained in this electronic message may contain
confidential and privileged information and is intended only for use by
the individual(s) or entity(ies) to whom it was addressed. Any
unauthorized review, use, disclosure, or distribution of this
communication is strictly prohibited. If you are not the intended
recipient, please contact the sender by reply email and permanently
delete and destroy the original message.


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Monday, May 07, 2007 12:22 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] names with no vendor

What about applications that do not have a vendor associated with them?
For example, there are a number of shareware tools that have been
developed by an individual and posted to the web.  They don't have a
vendor, just a tool name.

My suggestion would be that the vendor component be left blank, so the
name would look like:

cpe:///:tool_name:1.2.3

Any reason against this?


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Thomas R. Jones

Re: names with no vendor

Reply Threaded More More options
Print post
Permalink
I tend to definitely lean towards option #2.

On Mon, 2007-05-07 at 12:25 -0700, Ken Lassesen wrote:

> Two additional solutions:
> 1) have the vendor being the licensing term that it is under...
> 2) use the individual's name
>
>
> Ken Lassesen,
> HomeOffice: 360-297-4717   Cell: 360-509-2402  Fax: 928-832-6836
> IM: [hidden email]  [hidden email]
> mailto:[hidden email]
> CONFIDENTIALITY NOTICE
> The information contained in this electronic message may contain
> confidential and privileged information and is intended only for use by
> the individual(s) or entity(ies) to whom it was addressed. Any
> unauthorized review, use, disclosure, or distribution of this
> communication is strictly prohibited. If you are not the intended
> recipient, please contact the sender by reply email and permanently
> delete and destroy the original message.
>
>
> -----Original Message-----
> From: Buttner, Drew [mailto:[hidden email]]
> Sent: Monday, May 07, 2007 12:22 PM
> To: [hidden email]
> Subject: [CPE-DISCUSSION-LIST] names with no vendor
>
> What about applications that do not have a vendor associated with them?
> For example, there are a number of shareware tools that have been
> developed by an individual and posted to the web.  They don't have a
> vendor, just a tool name.
>
> My suggestion would be that the vendor component be left blank, so the
> name would look like:
>
> cpe:///:tool_name:1.2.3
>
> Any reason against this?
>
>
> ---------
>
> Andrew Buttner
> The MITRE Corporation
> [hidden email]
> 781-271-3515
>
>

Noakes, Douglas [USA]

Re: names with no vendor

Reply Threaded More More options
Print post
Permalink
In reply to this post by Andrew Buttner
In the past the analysts have not had one way of notating this.
Typically you will see either
1) the name of the product is also used as the vendor name [happens with
PHP products a lot]
-or-
2) the name of the vendor is the primary developer [happens with
SourceForge products often]

Not sure it makes a huge difference to the analysts...any way you slice
it there will be some cleaning-up to do.  My recommendation would be
either use the product name as the vendor or to go with Drew's idea and
just leave that field blank.



-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Monday, May 07, 2007 3:22 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] names with no vendor

What about applications that do not have a vendor associated with them?
For example, there are a number of shareware tools that have been
developed by an individual and posted to the web.  They don't have a
vendor, just a tool name.

My suggestion would be that the vendor component be left blank, so the
name would look like:

cpe:///:tool_name:1.2.3

Any reason against this?


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Neal Ziring-2

Re: names with no vendor

Reply Threaded More More options
Print post
Permalink
In reply to this post by Andrew Buttner
Drew and everybody,

 >My suggestion would be that the vendor component be left blank, so the
 >name would look like:
 >
 >cpe:///:tool_name:1.2.3  

That had always been my intent for the CPE Name structure.
In cases where a field is not applicable, leave it blank.

However, in some cases, you could have the same tool name
but multiple different suppliers, and the difference might be
relevant.  For example, you might want to distinguish
bind supplied by Sun Microsystems from bind supplied by
ISC.   When that distinction isn't relevant, you can leave
the supplier off.

            cpe:///sun:bind:9.3.4
            cpe:///isc:bind:9.4.1
            cpe:///bind:9.3


...nz (Neal Ziring, [hidden email], http://users.erols.com/ziring/)


 
On Monday, May 07, 2007, at 03:22PM, "Buttner, Drew" <[hidden email]> wrote:

>What about applications that do not have a vendor associated with them?
>For example, there are a number of shareware tools that have been
>developed by an individual and posted to the web.  They don't have a
>vendor, just a tool name.
>
>My suggestion would be that the vendor component be left blank, so the
>name would look like:
>
>cpe:///:tool_name:1.2.3
>
>Any reason against this?
>
>
>---------
>
>Andrew Buttner
>The MITRE Corporation
>[hidden email]
>781-271-3515
>
>

Free Embeddable Forum Powered by Nabble Help