next version of the CPE spec
|
|
I have been trying to update the spec with the changes we have
discussed on this list. I wanted to bring up one of the issues again to make sure I have it right. This regards the defined structure (hierarchy) of each element. We talked about standardizing the first three components of an element to vendor:product:version. This would hold for the hardware part, the os part, and the application part. Additional components would be allowed to describe things like editions and service packs, but a structure would not be defined due to the difference with each vendor's naming conventions. Instead, these additional components would act more like tags. The side effect of this is that the matching algorithm becomes much more complex. No longer do the additional fields line up. We could end up trying to match: cpe://microsoft:windows:xp:sp1 cpe://microsoft:windows:xp:pro:sp1 The current matching algorithm is based on the sp1 tag always appearing in the same component, so we currently allow blank components to make this work. But moving to a tagged approach (with no defined order and hence no blanks) means the matching algorithm will need to in essence search the additional components (those after vendor:product:version) for a match. Anyway, I have attached a commented up version of the spec. Please feel free to add your own comments. Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 |
||||||||
cpe-specification_1.1-20070518.doc (324K)
|
|
||||||||
|
|
|
||||||||
|
In reply to this post
by Andrew Buttner
Drew, Cool, I like what you've done so far. I've fixed a few empty component appearances that you missed, and added some more comments. My rev is attached. BTW, when we finish this, does it become 1.1 or 2.0? Your filename seems to imply 1.1, but the document now says version 2. I'm not sure we can completely eliminate the notion of blank components within the initial (structured) three. I'll have to think about that some more. Once this mailing list has reached consensus on the new name specs, I can re-write the matching algorithm section to reflect the new semantics. ...nz (Neal Ziring, [hidden email], [hidden email]) On Friday, May 18, 2007, at 10:41AM, "Buttner, Drew" <[hidden email]> wrote: >I have been trying to update the spec with the changes we have >discussed on this list. I wanted to bring up one of the issues again >to make sure I have it right. This regards the defined structure >(hierarchy) of each element. > >We talked about standardizing the first three components of an element >to vendor:product:version. This would hold for the hardware part, the >os part, and the application part. Additional components would be >allowed to describe things like editions and service packs, but a >structure would not be defined due to the difference with each vendor's >naming conventions. Instead, these additional components would act >more like tags. > >The side effect of this is that the matching algorithm becomes much >more complex. No longer do the additional fields line up. We could >end up trying to match: > >cpe://microsoft:windows:xp:sp1 >cpe://microsoft:windows:xp:pro:sp1 > >The current matching algorithm is based on the sp1 tag always appearing >in the same component, so we currently allow blank components to make >this work. But moving to a tagged approach (with no defined order and >hence no blanks) means the matching algorithm will need to in essence >search the additional components (those after vendor:product:version) >for a match. > >Anyway, I have attached a commented up version of the spec. Please >feel free to add your own comments. > >Thanks >Drew > > >--------- > >Andrew Buttner >The MITRE Corporation >[hidden email] >781-271-3515 > > > > |
||||||||
| Free Embeddable Forum Powered by Nabble | Help |
