when is a version an update?

Recently we were reviewing some names within the dictionary for both Apache Tomcat and for Mozilla Firefox.  The review prompted an interesting question.  In both cases, the products have multi pointed version numbers. (e.g. 1.2.3)  So at first glance a CPE Name of vendor:product:1.2.3 seems appropriate.

But looking deeper we realize that the product is released in a way that some would consider the first 2 points the version and the last point an update (or bug fix, etc).  For Tomcat and Firefox, there is no mention of update in their release notes or product documentation, but the use of the version string seems to align with CPE's concept of an update.  The CPE Specification even calls this out:

"The fifth component of a CPE Name is used for update or service pack information.  Sometimes this is referred to as point releases or minor versions.  The technical difference between version and update will be different for certain vendors and products."

So the question is, when does a version become an update?

Using a specific example, Apache Tomcat is often referred to by the first two points of the version.  Looking at the Tomcat site (http://tomcat.apache.org/) we see links for 6.0 and 5.5 and 4.1.  So CPE Names like cpe:/a:apache:tomcat:6.0 makes sense.

Now looking at the changelog for Tomcat (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) we see a third point added to the version.  For example, the latest release is 6.0.20.  What would a CPE Name for this look like?

cpe:/a:apache:tomcat:6.0.20

or

cpe:/a:apache:tomcat:6.0:20

Notice the difference at the end of the name.  The first example uses the version string 6.0.20 in the version component to create the name.  The second example uses 6.0 for the version component and 20 for the update component.

Thoughts?

Both produce unique ids.  The second example will be better for CPE Matching ... but uses the update component when the vendor never mentions the term 'update'.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Drew,

To repeat, the specification says:

“The technical difference between version and update will be different for certain vendors and products.”

In the Tomcat case, this seems to be a version, so

cpe:/a:apache:tomcat:6.0.20

would be the most consistent with the vendor intent and therefore, in my opinion, the most correct.

More generically, I think your point is interesting, because it tends to suggest that the “update” field is only relevant if the vendor characterizes their software that way (therefore subjective), rather then having any objective value as an identifier.  That is consistent with the CPE Specification quote above.

From an operational perspective, “update”, if the vendor provides it as an identifier, is really just an extension or re-characterization of “version”, which begs the question of why it is needed at all.

-John


On 7/29/09 3:49 PM, "Buttner, Drew" <abuttner@...> wrote:

Recently we were reviewing some names within the dictionary for both Apache Tomcat and for Mozilla Firefox.  The review prompted an interesting question.  In both cases, the products have multi pointed version numbers. (e.g. 1.2.3)  So at first glance a CPE Name of vendor:product:1.2.3 seems appropriate.

But looking deeper we realize that the product is released in a way that some would consider the first 2 points the version and the last point an update (or bug fix, etc).  For Tomcat and Firefox, there is no mention of update in their release notes or product documentation, but the use of the version string seems to align with CPE's concept of an update.  The CPE Specification even calls this out:

"The fifth component of a CPE Name is used for update or service pack information.  Sometimes this is referred to as point releases or minor versions.  The technical difference between version and update will be different for certain vendors and products."

So the question is, when does a version become an update?

Using a specific example, Apache Tomcat is often referred to by the first two points of the version.  Looking at the Tomcat site (http://tomcat.apache.org/) we see links for 6.0 and 5.5 and 4.1.  So CPE Names like cpe:/a:apache:tomcat:6.0 makes sense.

Now looking at the changelog for Tomcat (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) we see a third point added to the version.  For example, the latest release is 6.0.20.  What would a CPE Name for this look like?

cpe:/a:apache:tomcat:6.0.20

or

cpe:/a:apache:tomcat:6.0:20

Notice the difference at the end of the name.  The first example uses the version string 6.0.20 in the version component to create the name.  The second example uses 6.0 for the version component and 20 for the update component.

Thoughts?

Both produce unique ids.  The second example will be better for CPE Matching ... but uses the update component when the vendor never mentions the term 'update'.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
abuttner@...
781-271-3515

We have to be careful with assigning too much meaning to this component
as in the term 'update', 'hotfix', 'alpha', 'beta', etc.  It is best
just to look at it as an identifier that within its own domain hold some
ordinal scale.  (sequence-based)  The 5th component is really an
identifier used by the software product to differentiate itself from the
others in its class.  

It would not be a post by TK without something on an ontology. :-)
In the Dublin Core Ontology, they had to deal with this problem (as well
as others).
If you look at the Dublin Core Terms or 'dcterms' for short, there is a
predicate (property) dcterms:hasVersion

Now I return you to your regularly scheduled programming. :-)

--tk


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, July 29, 2009 2:50 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] when is a version an update?

Recently we were reviewing some names within the dictionary for both
Apache Tomcat and for Mozilla Firefox.  The review prompted an
interesting question.  In both cases, the products have multi pointed
version numbers. (e.g. 1.2.3)  So at first glance a CPE Name of
vendor:product:1.2.3 seems appropriate.

But looking deeper we realize that the product is released in a way that
some would consider the first 2 points the version and the last point an
update (or bug fix, etc).  For Tomcat and Firefox, there is no mention
of update in their release notes or product documentation, but the use
of the version string seems to align with CPE's concept of an update.
The CPE Specification even calls this out:

"The fifth component of a CPE Name is used for update or service pack
information.  Sometimes this is referred to as point releases or minor
versions.  The technical difference between version and update will be
different for certain vendors and products."

So the question is, when does a version become an update?

Using a specific example, Apache Tomcat is often referred to by the
first two points of the version.  Looking at the Tomcat site
(http://tomcat.apache.org/) we see links for 6.0 and 5.5 and 4.1.  So
CPE Names like cpe:/a:apache:tomcat:6.0 makes sense.

Now looking at the changelog for Tomcat
(http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) we see a third
point added to the version.  For example, the latest release is 6.0.20.
What would a CPE Name for this look like?

cpe:/a:apache:tomcat:6.0.20

or

cpe:/a:apache:tomcat:6.0:20

Notice the difference at the end of the name.  The first example uses
the version string 6.0.20 in the version component to create the name.
The second example uses 6.0 for the version component and 20 for the
update component.

Thoughts?

Both produce unique ids.  The second example will be better for CPE
Matching ... but uses the update component when the vendor never
mentions the term 'update'.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Thanks for bringing this up Drew. As we have been building new CPE names for non-ms products, we have realized that there are products whose version numbers span multiple points (three/four) and not always vendors market them as update or service pack. Scenarios like these end up in having CPEs for each and every minor version, which I am not against. But, if we look from the implementation point of view the second style "cpe:a:abc:xyz:12.3:4.5" will fetch more usability because of the CPE matching. I doubt if anyone really cares about querying for versions like 1.2.3.4 and if they really care then  recommend using OVAL.

So, would it make sense to restrict the version component to carry two points (like major version) and the rest be adjusted in the update component (expanding it to include the minor versions)?


Thanks,
Sudhir

This same problem exists in many of the Adobe acrobat and reader CPEs.  It
looks like Adobe refers to the major version as the product version and every
point version beyond that as an update.  That's not how the CPEs are cast
though.

Any attempt at recasting version numbers, soas to call some updates, in the
current CPE dictionary entries is going to be hard to do.  I doubt that it can
be done with the resources currently allocated to maintain the dictionary.

Perhaps it's best to instead focus on consistency within every product on its
own?

        -Gary-

UNCLASSIFIED

Drew,

What is the technical definition difference between "update" and "patch"?
It appears that Tomcat uses the term "patch" in its changelog.  So wouldn't
one expect to see cpe:/a:apache:tomcat:6.0:20 if version, patch, and service
pack use the same space.


R/
Bob

(703) 601-4729 ext 124

-----Original Message-----
From: Banghart, John [mailto:[hidden email]]
Sent: Wednesday, July 29, 2009 4:08 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] when is a version an update?

Drew,

To repeat, the specification says:

"The technical difference between version and update will be different for
certain vendors and products."

In the Tomcat case, this seems to be a version, so

cpe:/a:apache:tomcat:6.0.20

would be the most consistent with the vendor intent and therefore, in my
opinion, the most correct.

More generically, I think your point is interesting, because it tends to
suggest that the "update" field is only relevant if the vendor characterizes
their software that way (therefore subjective), rather then having any
objective value as an identifier.  That is consistent with the CPE
Specification quote above.

From an operational perspective, "update", if the vendor provides it as an
identifier, is really just an extension or re-characterization of "version",
which begs the question of why it is needed at all.

-John


On 7/29/09 3:49 PM, "Buttner, Drew" <[hidden email]> wrote:



        Recently we were reviewing some names within the dictionary for both
Apache Tomcat and for Mozilla Firefox.  The review prompted an interesting
question.  In both cases, the products have multi pointed version numbers.
(e.g. 1.2.3)  So at first glance a CPE Name of vendor:product:1.2.3 seems
appropriate.
       
        But looking deeper we realize that the product is released in a way
that some would consider the first 2 points the version and the last point
an update (or bug fix, etc).  For Tomcat and Firefox, there is no mention of
update in their release notes or product documentation, but the use of the
version string seems to align with CPE's concept of an update.  The CPE
Specification even calls this out:
       
        "The fifth component of a CPE Name is used for update or service
pack information.  Sometimes this is referred to as point releases or minor
versions.  The technical difference between version and update will be
different for certain vendors and products."
       
        So the question is, when does a version become an update?
       
        Using a specific example, Apache Tomcat is often referred to by the
first two points of the version.  Looking at the Tomcat site
(http://tomcat.apache.org/) we see links for 6.0 and 5.5 and 4.1.  So CPE
Names like cpe:/a:apache:tomcat:6.0 makes sense.
       
        Now looking at the changelog for Tomcat
(http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) we see a third
point added to the version.  For example, the latest release is 6.0.20.
What would a CPE Name for this look like?
       
        cpe:/a:apache:tomcat:6.0.20
       
        or
       
        cpe:/a:apache:tomcat:6.0:20
       
        Notice the difference at the end of the name.  The first example
uses the version string 6.0.20 in the version component to create the name.
The second example uses 6.0 for the version component and 20 for the update
component.
       
        Thoughts?
       
        Both produce unique ids.  The second example will be better for CPE
Matching ... but uses the update component when the vendor never mentions
the term 'update'.
       
        Thanks
        Drew
       
        ---------
       
        Andrew Buttner
        The MITRE Corporation
        [hidden email]
        781-271-3515
       
       

Are there tool vendors out there who could potentially experience issues with the design and eventual implementation of their products if all current CPEs in the Official Dictionary were deprecated under this thinking?

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, July 29, 2009 3:50 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] when is a version an update?

Recently we were reviewing some names within the dictionary for both Apache Tomcat and for Mozilla Firefox.  The review prompted an interesting question.  In both cases, the products have multi pointed version numbers. (e.g. 1.2.3)  So at first glance a CPE Name of vendor:product:1.2.3 seems appropriate.

But looking deeper we realize that the product is released in a way that some would consider the first 2 points the version and the last point an update (or bug fix, etc).  For Tomcat and Firefox, there is no mention of update in their release notes or product documentation, but the use of the version string seems to align with CPE's concept of an update.  The CPE Specification even calls this out:

"The fifth component of a CPE Name is used for update or service pack information.  Sometimes this is referred to as point releases or minor versions.  The technical difference between version and update will be different for certain vendors and products."

So the question is, when does a version become an update?

Using a specific example, Apache Tomcat is often referred to by the first two points of the version.  Looking at the Tomcat site (http://tomcat.apache.org/) we see links for 6.0 and 5.5 and 4.1.  So CPE Names like cpe:/a:apache:tomcat:6.0 makes sense.

Now looking at the changelog for Tomcat (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html) we see a third point added to the version.  For example, the latest release is 6.0.20.  What would a CPE Name for this look like?

cpe:/a:apache:tomcat:6.0.20

or

cpe:/a:apache:tomcat:6.0:20

Notice the difference at the end of the name.  The first example uses the version string 6.0.20 in the version component to create the name.  The second example uses 6.0 for the version component and 20 for the update component.

Thoughts?

Both produce unique ids.  The second example will be better for CPE Matching ... but uses the update component when the vendor never mentions the term 'update'.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

>So, would it make sense to restrict the version component to carry two points (like
>major version) and the rest be adjusted in the update component (expanding it to
>include the minor versions)?

I think for certain situations, guidance like this is useful and will result in more useful CPE Names.  But I think we should be careful about making hard and fast statements like this.  We may find that some vendor uses a 3 point version and still does updates for their different editions.

I think the bigger issue we are dealing with right now is that we can't read too much into the terms "product", "version", "update", etc.  These terms mean different things for different people.  CPE has used them to help describe each component and help users understand some generalities, but the specific meaning of each needs to be derived from the specification and the dictionary.

My opinion is that we need to look at things on a case by case basis and determine what makes the most sense.  We need to use existing names as references.  We need to look at how the vendor expresses the platform and how new releases are structured.

I do think that in many situation, Sudhir has great point about making names more usable by leveraging the update component for some of the lower points in the version string.

Thanks
Drew

I agree with Gary that it will be hard to go through the current dictionary and just fix things.  I do think that we need to focus on consistency within each product.  Over time, we can work to bring names into alignment with each other and to fix where necessary certain legacy names.

Thanks
Drew

>We have to be careful with assigning too much meaning to this component
>as in the term 'update', 'hotfix', 'alpha', 'beta', etc.  It is best
>just to look at it as an identifier that within its own domain hold some
>ordinal scale.  (sequence-based)  The 5th component is really an
>identifier used by the software product to differentiate itself from the
>others in its class.

I think this is a really important point that TK brings up.  We need to be careful assigning too much meaning to the component names.  We need to look at them regarding what they are trying to accomplish.  What is a version to one vendor, might be a version/update to another, and might be build to a third.  I was looking at a Japanese product yesterday that used the term "grade" for their different releases.

Thanks
Drew

I want to inject just a cautionary note here that (I think) trying to
reverse engineer what each sub-component of each version in every product
from each manufacturer means is probably not sustainable across all known
products.

I think a default behavior that just copies the entire string of the
"version" information provided by a product into the "version" field of its
CPE identifier is probably the more sustainable solution.

Trying to figure out where to break a version string up and smear it across
version/update/edition fields will be very hard to do across all known
products.

Note:  Particularly for Microsoft OS products, copying the entire version
string into the version field will result in redundancies in the update and
(possibly) edition fields, but it's not clear to me if that's a problem or
not.


Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Thursday, August 06, 2009 8:24 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] when is a version an update?

>We have to be careful with assigning too much meaning to this component
>as in the term 'update', 'hotfix', 'alpha', 'beta', etc.  It is best
>just to look at it as an identifier that within its own domain hold
>some ordinal scale.  (sequence-based)  The 5th component is really an
>identifier used by the software product to differentiate itself from
>the others in its class.

I think this is a really important point that TK brings up.  We need to be
careful assigning too much meaning to the component names.  We need to look
at them regarding what they are trying to accomplish.  What is a version to
one vendor, might be a version/update to another, and might be build to a
third.  I was looking at a Japanese product yesterday that used the term
"grade" for their different releases.

Thanks
Drew

I concur with Joe on this issue.  Breaking up the version string introduces complexities that impact the cost of creating and maintaining CPE Names that we can avoid by using the full version string.  De-normalization, as may exist in Microsoft names, does not seem to be a problem to me.  In some cases it is an advantage as it supports more matching use-cases.

Sincerely,
 
David Waltermire
SCAP Architect
National Institute of Standards and Technology
(301) 975-3390
[hidden email]