CPE automation and a call for feedback

CPE gang,

To query the system for a list of installed packages (and patches)
authenticated scanners can use:

On Windows there is WMI(C)
On Fedora, RHEL and derivatives there is RPM
On OS/X there is pkgutil
On Suse there is zypper
On Debian and derivatives there is dpkg
On Solaris there is pkginfo

If we automate the above e.g. f(packagename, version, company, website,
etc) = CPE ID, we solve a large portion of the problem.  This will not
solve things installed from source, zips, or anything else that does not
register the application.  Those things need to be found and named, but
it is harder.

So now we have a bunch of IDs.  Yippee!  We can talk about the same
thing using the same name.  Next we want to describe the thing enough so
we can call out relationships like duplicates and sets like fuzzy
matches.

Why are we not using RDF and friends?  This will give us SPARQL for
queries and we are done!

Authenticated scanners only build IDs, thus *don't care* about the RDF.
TK will probably not oppose it, nor will NIST because RDF is already
part of NVD.

-----------------------------------------------------------------------
Who is left who needs wildcards and queries and opposes RDF-ifying CPE?

-----------------------------------------------------------------------

It solves most problems we have and then some.  It is not a panacea but
it is appropriate for this problem set.  For XCCDF and OVAL
(prerequisite is still not in the spec), just hard code lists of CPE IDs
and keep it simple.

After hearing all about it, I don't understand why we keep ignoring it?
I am just curious.  There is a learning curve, but I stress that we
would not all have to learn it.  I think a standard way to go beyond the
package manager to build our universe of CPE IDs would be most useful.

F(filename, fileversion, contents of README, etc) = CPE ID.  I don't
have the formula (and I believe there should be many), but this is the
sort of thing we should be discussing.  In fact, if f() is someone's
special sauce, that is OK by me.  Just call the ID SpecialSauceCook:ID
and we can let NVD relate them after the fact but the IDs would be
there.

Respectfully,

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Hi Vlad,

What would the proposed automated f() CPE generator do with the following WMIC
"products" that appear after installing Sql Server 2008 on a computer?

        -Gary-

Microsoft Application Error Reporting
Microsoft SQL Server 2008 BI Development Studio
Microsoft SQL Server 2008 Books Online (August 2008)
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Client Tools
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Integration Services
Microsoft SQL Server 2008 Management Studio
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 Policies
Microsoft SQL Server 2008 Reporting Services
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Compact 3.5 SP1 Query Tools English
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Database Publishing Wizard 1.2
Microsoft SQL Server VSS Writer
Microsoft Visual Studio Tools for Applications 2.0 - ENU
SQL Server System CLR Types
Sql Server Customer Experience Improvement Program

Gary,

I don't know the internals of Windows so I will answer in generalities.

For each product, get the version and other metadata for that product from WMIC and build the name.  It really does not matter what
algorithm we settle on as long as we all use the same one.  If you think it is important to have property FOO in the name, then so
be it.  This is sort of like a hashing function.  We want CPEId = f(a)  to result in unique CPEIds for different a values (no
collisions) and we want f(a') to never result in CPEid.  As far as I am concerned a hash would make a great ID, it is not backwards
compatible so I am trying to play nice with others.

We do not have the requirement that CPEId be of constant length so the URI format is as good as any.

Is WMIC not capable of collecting enough information to satisfy our pseudo hash function requirement?


Regards,

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Hi Vlad,

Sorry that I wasn't clearer, but all 25 of those "Products" are returned by
WMIC after installing a single instance of Sql Server 2008.

        -Gary-

Gary,

So you installed 25 products.  What is the problem with that?  Do you
want to say you installed one?  If there is an aggregate product that
composes the others then it should be among them and maybe it is the
26th product (as long as there is an entry).  KISS!

Have a good weekend!

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959


> -----Original Message-----
> From: Gary Newman [mailto:[hidden email]]
> Sent: Friday, May 28, 2010 1:32 PM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for
feedback
>
> Hi Vlad,
>
> Sorry that I wasn't clearer, but all 25 of those "Products" are
returned by
> WMIC after installing a single instance of Sql Server 2008.
>
>         -Gary-
>
>
> > Gary,
> >
> > I don't know the internals of Windows so I will answer in
generalities.
> >
> > For each product, get the version and other metadata for that
product from
> > WMIC and build the name.  It really does not matter what
> > algorithm we settle on as long as we all use the same one.  If you
think it is
> > important to have property FOO in the name, then so
> > be it.  This is sort of like a hashing function.  We want CPEId =
f(a)  to
> > result in unique CPEIds for different a values (no
> > collisions) and we want f(a') to never result in CPEid.  As far as I
am
> > concerned a hash would make a great ID, it is not backwards
> > compatible so I am trying to play nice with others.
> >
> > We do not have the requirement that CPEId be of constant length so
the URI
> > format is as good as any.
> >
> > Is WMIC not capable of collecting enough information to satisfy our
pseudo feedback
> > >
> > > Hi Vlad,
> > >
> > > What would the proposed automated f() CPE generator do with the
following
> > WMIC
> > > "products" that appear after installing Sql Server 2008 on a
computer? patches) website,
> > > > etc) = CPE ID, we solve a large portion of the problem.  This
will not
> > > > solve things installed from source, zips, or anything else that
does not
> > > > register the application.  Those things need to be found and
named, but

This is how we start down a very slippery slope.

Vlad's basic claim is this: for any operating system O, it's straightforward to write a general-purpose algorithm compute_cpe() which inspects O's package manager database (e.g., WMIC, RPM, pkginfo, etc.) and outputs a list of valid CPE ids.  This algorithm is general purpose in that it doesn't contain any special-case code to handle different ways in which different vendor products might appear. (Or at least the number of variations are finite and enumerable.)  This implies, inter alia, that for every product installed using the package manager, the algorithm always obtains the vendor name, product name, version, etc., in the same way, the vendor name always appears the same way (so you can find all products by the same vendor), every version of the same product appears the same way (so you can correlate all versions of a product), you can parse out version and update in a standard way, etc.  The more you have to tweak the algorithm to deal with platform, vendor and product-specific variations, the less useful it becomes.

I'm assuming that Vlad is making this claim because he has done it for RPM, yes?  I'll take him on his word that this works as claimed--but I'd sure like to see the code, and it would be instructive to have a few members of the CPE community take that code, try it out and see what we get.  (Presumably the only way to build a dictionary that covers at least 80% of what's installable is to have a large population of users run this code on their systems, then take the union of the result sets.)

While perhaps this works for RPM, I've heard from many quarters saying this simply doesn't work in the general case.  My understanding is that CPE was created for the very reason that there's no standard for doing what Vlad describes.  Even holding the OS fixed, there are simply too many vendor, product and even version-specific variations to write a stable algorithm.  I'd like to be proven wrong.

Gary's example suggests that WMIC contains lots of stuff, and you cannot easily distinguish the products you buy from all their obscure component elements.  Applied to this example, the KISS principle means that the Windows portion of the CPE dictionary becomes the set union of whatever a large population of Windows users can extract from WMIC and transform into CPE name format.  I have some difficulty seeing the usefulness of that, but I'll withhold judgment until I see some running code.  Maybe we should start with a pilot using RPM and go from there.

/Brant

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352


-----Original Message-----
From: Vladimir Giszpenc [mailto:[hidden email]]
Sent: Friday, May 28, 2010 1:26 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback

Gary,

So you installed 25 products.  What is the problem with that?  Do you
want to say you installed one?  If there is an aggregate product that
composes the others then it should be among them and maybe it is the
26th product (as long as there is an entry).  KISS!

Have a good weekend!

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959


> -----Original Message-----
> From: Gary Newman [mailto:[hidden email]]
> Sent: Friday, May 28, 2010 1:32 PM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for
feedback
>
> Hi Vlad,
>
> Sorry that I wasn't clearer, but all 25 of those "Products" are
returned by
> WMIC after installing a single instance of Sql Server 2008.
>
>         -Gary-
>
>
> > Gary,
> >
> > I don't know the internals of Windows so I will answer in
generalities.
> >
> > For each product, get the version and other metadata for that
product from
> > WMIC and build the name.  It really does not matter what
> > algorithm we settle on as long as we all use the same one.  If you
think it is
> > important to have property FOO in the name, then so
> > be it.  This is sort of like a hashing function.  We want CPEId =
f(a)  to
> > result in unique CPEIds for different a values (no
> > collisions) and we want f(a') to never result in CPEid.  As far as I
am
> > concerned a hash would make a great ID, it is not backwards
> > compatible so I am trying to play nice with others.
> >
> > We do not have the requirement that CPEId be of constant length so
the URI
> > format is as good as any.
> >
> > Is WMIC not capable of collecting enough information to satisfy our
pseudo feedback
> > >
> > > Hi Vlad,
> > >
> > > What would the proposed automated f() CPE generator do with the
following
> > WMIC
> > > "products" that appear after installing Sql Server 2008 on a
computer? patches) website,
> > > > etc) = CPE ID, we solve a large portion of the problem.  This
will not
> > > > solve things installed from source, zips, or anything else that
does not
> > > > register the application.  Those things need to be found and
named, but

I can confirm that programmatic derivation of CPE names is possible. I  
years ago coded a bash script that queried the package list from  
Novell for the entire product line. It iterated over each record and  
extracted the name and version information.

Now this isn't to say that there wasn't problems. There were some  
8,000+ packages total. Five packages versioning information eluded my  
regular expressions used during extraction. Drew brought these to my  
attention so he may recall. I submitted that cpe dictionary derived  
from my script to Mitre a long time ago. I'm not certain what came of  
it.

As expansive the package list may be for a windows platform, I can't  
really see it possible. But for a system using a common build  
structure, such as rpm or deb; it is very much feasible.

Cheers.
Thomas

Sent from my iPhone

On May 28, 2010, at 12:26 PM, Vladimir Giszpenc <[hidden email]>  
wrote:

Thomas,

> As expansive the package list may be for a windows platform, I can't
> really see it possible. But for a system using a common build
> structure, such as rpm or deb; it is very much feasible.

Why is it not possible on the Windows platform?  The worst that can
happen is that we miss a slew of CPE-IDs because those packages do not
use the same way of registering packages or use no way at all.  It
should work for a large set of products and that is good enough (I hate
repeating these words but "perfect is the enemy of good").  I know it
will not give us complete coverage on any platform.  I just don't
understand why we don't start with this method (on ALL platforms) and
build from there.

Basically, instead of sharing the results of your script we all run the
same script to get the same IDs.  Is the script proprietary?


Cheerio,

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Hi Vlad and others.  This thread seems to have stalled.

It seems completely possible to automate large portions of the windows installed software.

Check out this link showing an example of where the information is in the registry and powershell code to get at it. http://myitforum.com/cs2/blogs/yli628/archive/2008/01/16/powershell-script-to-list-installed-software-on-local-computer.aspx 

What is shown is for the local machine but for many a network query would provide the same data.

The fields in the example show at least Displayname DisplayVersion Publisher already separated in the registry so re-parsing of the (psinfo etc) data would not be required.

Similar info is available in MS SCCM (formerly SMS) reports for those who have deployed that.

Standardizing on identifiers that can be programmatically gathered and verified would be great.

Classification:  UNCLASSIFIED
Caveats: NONE

Just FYI, I'm still working on doing this within the DoD.  We want to use CPE, but can't afford to depend on a manual mapping process to occur before pulling asset inventories.

As a going-in position, I'm asking our vendors and government developers to basically treat anything that installs itself as an application as an application.  We'll pull everything registered, including patches, updates, libraries, and plain 'ol garbage and report it all in CPE format.  At some central level, we'll need to implement a process (with a manual component) that winnows out which ones are which.  I've been working through what that would look like on Windows, Linux, HPUX, MacOS, and some other operating systems and still think it's more feasible than the current manual process that we've been floundering with for the last several years.  I think we'll need the ability, at the central location to designate the "stuff" we find as either applications, updates (i.e. patches, "feature packs", non version-related software installs, etc), or "other."  We'll want to keep the applications and patch info, and may/may not want to keep everything else.

I think the NVD would be a great central point for the community to normalize discovered application names.  I plan to discuss this with NIST.

I developed a transform in Python that will take Windows registry entries for Displayname DisplayVersion Publisher and put them in CPE REGEX format, including the percent encoding.  Not sure if there's interest on the list of working through the conversion logic, but I'm happy to provide it to anyone that wants it.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]
-----Original Message-----
From: B [mailto:[hidden email]]
Sent: Friday, November 19, 2010 4:34 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback

Hi Vlad and others.  This thread seems to have stalled.

It seems completely possible to automate large portions of the windows
installed software.

Check out this link showing an example of where the information is in the
registry and powershell code to get at it.
http://myitforum.com/cs2/blogs/yli628/archive/2008/01/16/powershell-script-to-list-installed-software-on-local-computer.aspx 

What is shown is for the local machine but for many a network query would
provide the same data.

The fields in the example show at least Displayname DisplayVersion Publisher
already separated in the registry so re-parsing of the (psinfo etc) data
would not be required.

Similar info is available in MS SCCM (formerly SMS) reports for those who
have deployed that.

Standardizing on identifiers that can be programmatically gathered and
verified would be great.
--
View this message in context: http://making-security-measurable.1364806.n2.nabble.com/CPE-automation-and-a-call-for-feedback-tp5110199p5756685.html
Sent from the CPE - Common Platform Enumeration mailing list archive at Nabble.com.
Classification:  UNCLASSIFIED
Caveats: NONE

Hi Joseph,

I would be interested in the python script and check output format from it. Can you please pass it on to me.

Regards,
Shobha, CISSP
Principal Engineer, RSA The Security Division of EMC

-----Original Message-----
From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA [mailto:[hidden email]]
Sent: Saturday, November 20, 2010 3:25 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback (UNCLASSIFIED)

Classification:  UNCLASSIFIED
Caveats: NONE

Just FYI, I'm still working on doing this within the DoD.  We want to use CPE, but can't afford to depend on a manual mapping process to occur before pulling asset inventories.

As a going-in position, I'm asking our vendors and government developers to basically treat anything that installs itself as an application as an application.  We'll pull everything registered, including patches, updates, libraries, and plain 'ol garbage and report it all in CPE format.  At some central level, we'll need to implement a process (with a manual component) that winnows out which ones are which.  I've been working through what that would look like on Windows, Linux, HPUX, MacOS, and some other operating systems and still think it's more feasible than the current manual process that we've been floundering with for the last several years.  I think we'll need the ability, at the central location to designate the "stuff" we find as either applications, updates (i.e. patches, "feature packs", non version-related software installs, etc), or "other."  We'll want to keep the applications and patch info, and may/may not want to keep everything else.

I think the NVD would be a great central point for the community to normalize discovered application names.  I plan to discuss this with NIST.

I developed a transform in Python that will take Windows registry entries for Displayname DisplayVersion Publisher and put them in CPE REGEX format, including the percent encoding.  Not sure if there's interest on the list of working through the conversion logic, but I'm happy to provide it to anyone that wants it.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]
-----Original Message-----
From: B [mailto:[hidden email]]
Sent: Friday, November 19, 2010 4:34 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback

Hi Vlad and others.  This thread seems to have stalled.

It seems completely possible to automate large portions of the windows
installed software.

Check out this link showing an example of where the information is in the
registry and powershell code to get at it.
http://myitforum.com/cs2/blogs/yli628/archive/2008/01/16/powershell-script-to-list-installed-software-on-local-computer.aspx 

What is shown is for the local machine but for many a network query would
provide the same data.

The fields in the example show at least Displayname DisplayVersion Publisher
already separated in the registry so re-parsing of the (psinfo etc) data
would not be required.

Similar info is available in MS SCCM (formerly SMS) reports for those who
have deployed that.

Standardizing on identifiers that can be programmatically gathered and
verified would be great.
--
View this message in context: http://making-security-measurable.1364806.n2.nabble.com/CPE-automation-and-a-call-for-feedback-tp5110199p5756685.html
Sent from the CPE - Common Platform Enumeration mailing list archive at Nabble.com.
Classification:  UNCLASSIFIED
Caveats: NONE

I'd be interested in that script as well.

-----Original Message-----
From: Jagathpal Shobharani [mailto:[hidden email]]
Sent: Sunday, November 21, 2010 7:58 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback (UNCLASSIFIED)

Hi Joseph,

I would be interested in the python script and check output format from it. Can you please pass it on to me.

Regards,
Shobha, CISSP
Principal Engineer, RSA The Security Division of EMC

-----Original Message-----
From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA [mailto:[hidden email]]
Sent: Saturday, November 20, 2010 3:25 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback (UNCLASSIFIED)

Classification:  UNCLASSIFIED
Caveats: NONE

Just FYI, I'm still working on doing this within the DoD.  We want to use CPE, but can't afford to depend on a manual mapping process to occur before pulling asset inventories.

As a going-in position, I'm asking our vendors and government developers to basically treat anything that installs itself as an application as an application.  We'll pull everything registered, including patches, updates, libraries, and plain 'ol garbage and report it all in CPE format.  At some central level, we'll need to implement a process (with a manual component) that winnows out which ones are which.  I've been working through what that would look like on Windows, Linux, HPUX, MacOS, and some other operating systems and still think it's more feasible than the current manual process that we've been floundering with for the last several years.  I think we'll need the ability, at the central location to designate the "stuff" we find as either applications, updates (i.e. patches, "feature packs", non version-related software installs, etc), or "other."  We'll want to keep the applications and patch info, and may/may not want to keep everything else.

I think the NVD would be a great central point for the community to normalize discovered application names.  I plan to discuss this with NIST.

I developed a transform in Python that will take Windows registry entries for Displayname DisplayVersion Publisher and put them in CPE REGEX format, including the percent encoding.  Not sure if there's interest on the list of working through the conversion logic, but I'm happy to provide it to anyone that wants it.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]
-----Original Message-----
From: B [mailto:[hidden email]]
Sent: Friday, November 19, 2010 4:34 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback

Hi Vlad and others.  This thread seems to have stalled.

It seems completely possible to automate large portions of the windows
installed software.

Check out this link showing an example of where the information is in the
registry and powershell code to get at it.
http://myitforum.com/cs2/blogs/yli628/archive/2008/01/16/powershell-script-to-list-installed-software-on-local-computer.aspx 

What is shown is for the local machine but for many a network query would
provide the same data.

The fields in the example show at least Displayname DisplayVersion Publisher
already separated in the registry so re-parsing of the (psinfo etc) data
would not be required.

Similar info is available in MS SCCM (formerly SMS) reports for those who
have deployed that.

Standardizing on identifiers that can be programmatically gathered and
verified would be great.
--
View this message in context: http://making-security-measurable.1364806.n2.nabble.com/CPE-automation-and-a-call-for-feedback-tp5110199p5756685.html
Sent from the CPE - Common Platform Enumeration mailing list archive at Nabble.com.
Classification:  UNCLASSIFIED
Caveats: NONE

Classification:  UNCLASSIFIED
Caveats: NONE

I've attached the script along with a sample input and output file (from one of my home computers).  

In the .zip file, there is a file cpetext.txt that contains the discovered registered 'applications' on a box.  The applications are in pipe-delimited format with the name components in order product|vendor|version|installdate.  The script windows_cpe_converter.py reads in the pipe-delimited file and outputs the application names in CPE-REGEX compliant format.  A sample output is in the file cpenames.txt.

If you want try it, you'll need to update the input file path to wherever you save the cpetext.txt file and update the output file to wherever you want it saved.  The input file was built with a registry query that I can't give out, but the output is a simple pipe-delimited list in format product|vendor|version|install_date.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]

-----Original Message-----
From: Adam Montville [mailto:[hidden email]]
Sent: Tuesday, November 23, 2010 2:09 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback (UNCLASSIFIED)

I'd be interested in that script as well.

-----Original Message-----
From: Jagathpal Shobharani [mailto:[hidden email]]
Sent: Sunday, November 21, 2010 7:58 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback (UNCLASSIFIED)

Hi Joseph,

I would be interested in the python script and check output format from it. Can you please pass it on to me.

Regards,
Shobha, CISSP
Principal Engineer, RSA The Security Division of EMC

-----Original Message-----
From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA [mailto:[hidden email]]
Sent: Saturday, November 20, 2010 3:25 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback (UNCLASSIFIED)

Classification:  UNCLASSIFIED
Caveats: NONE

Just FYI, I'm still working on doing this within the DoD.  We want to use CPE, but can't afford to depend on a manual mapping process to occur before pulling asset inventories.

As a going-in position, I'm asking our vendors and government developers to basically treat anything that installs itself as an application as an application.  We'll pull everything registered, including patches, updates, libraries, and plain 'ol garbage and report it all in CPE format.  At some central level, we'll need to implement a process (with a manual component) that winnows out which ones are which.  I've been working through what that would look like on Windows, Linux, HPUX, MacOS, and some other operating systems and still think it's more feasible than the current manual process that we've been floundering with for the last several years.  I think we'll need the ability, at the central location to designate the "stuff" we find as either applications, updates (i.e. patches, "feature packs", non version-related software installs, etc), or "other."  We'll want to keep the applications and patch info, and may/may not want to keep everything else.

I think the NVD would be a great central point for the community to normalize discovered application names.  I plan to discuss this with NIST.

I developed a transform in Python that will take Windows registry entries for Displayname DisplayVersion Publisher and put them in CPE REGEX format, including the percent encoding.  Not sure if there's interest on the list of working through the conversion logic, but I'm happy to provide it to anyone that wants it.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]
-----Original Message-----
From: B [mailto:[hidden email]]
Sent: Friday, November 19, 2010 4:34 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback

Hi Vlad and others.  This thread seems to have stalled.

It seems completely possible to automate large portions of the windows
installed software.

Check out this link showing an example of where the information is in the
registry and powershell code to get at it.
http://myitforum.com/cs2/blogs/yli628/archive/2008/01/16/powershell-script-to-list-installed-software-on-local-computer.aspx 

What is shown is for the local machine but for many a network query would
provide the same data.

The fields in the example show at least Displayname DisplayVersion Publisher
already separated in the registry so re-parsing of the (psinfo etc) data
would not be required.

Similar info is available in MS SCCM (formerly SMS) reports for those who
have deployed that.

Standardizing on identifiers that can be programmatically gathered and
verified would be great.
--
View this message in context: http://making-security-measurable.1364806.n2.nabble.com/CPE-automation-and-a-call-for-feedback-tp5110199p5756685.html
Sent from the CPE - Common Platform Enumeration mailing list archive at Nabble.com.
Classification:  UNCLASSIFIED
Caveats: NONE
  Classification:  UNCLASSIFIED
Caveats: NONE

Classification:  UNCLASSIFIED
Caveats: NONE

As you may have heard, I've been working with several vendors and DoD government software products to attempt to collect and report installed software in CPE format (or at least CPE 2.x RegEx-compliant format).

One of the difficulties I encountered is that different operating systems (e.g. Microsoft, HPUX, Linux, MACOS, etc) provide different pieces of product names and call them different things.

I'm thinking it would be helpful for interoperability and automation to put together a style guide for each operating system, defining what product name elements we can expect to retrieve and how to combine them together to construct CPEs in a way that will/may result in different vendor tools producing the same names for the same products installed on the same operating systems.

Is there any interest in generating style guides like I've described above?

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]

Classification:  UNCLASSIFIED
Caveats: NONE

Joseph L. Wolfkiel,

> Is there any interest in generating style guides like I've described?

Yes.

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

On Dec 14, 2010, at 5:25 AM, "WOLFKIEL, JOSEPH L CIV DISA PEO-MA" <[hidden email]> wrote:

> I'm thinking it would be helpful for interoperability and automation to put together a style guide for each operating system, defining what product name elements we can expect to retrieve and how to combine them together to construct CPEs in a way that will/may result in different vendor tools producing the same names for the same products installed on the same operating systems.

My initital reaction to this is: Another thing to pay attention to?  It seems that security automation standards are running into this sort of thing a lot (vendors calling things by different names, representing a distinct subset of the information in which we are interested, or otherwise viewing the world differently than the next guy).  Does it make sense to continue documenting semantics in this manner?  Or, is there a better way of handling this?

Not saying this is a bad idea, just wondering about the larger problem.  Also, for what it's worth, any solution such as that mentioned above should be more strict than a guide if interoperability and automation are the goals.

Adam

Adam,

I always go back to an API.  I believe that package managers are the
real distinction more so than the OS but I am sure there are some OS
specific extensions that will prove me wrong somewhere.  Either way, I
agree with you.

> Not saying this is a bad idea, just wondering about the larger
problem.  Also, for what it's worth,
> any solution such as that mentioned above should be more strict than a
guide if interoperability and
> automation are the goals.

For WMI use ____ to get the name
For RPM use ____ to get the name
For APT use ____ to get the name
For ...

Vlad

Is this an interim suggestion?  It's not bad (I suggested an open source,
programmatic solution to this list not very long ago), but I don't prefer
to see the "how" being specified.  I'd rather see only the "what" in
specifications and standards, which leaves vendors some flexibility in
tool implementation.  I don't disagree that until we find the proper
"what" solution, we can do little to avoid the "how" in the specification,
but I'd like to stay focused on longer-term objectives also.

Adam

On 12/14/10 6:02 AM, "Vladimir Giszpenc" <[hidden email]> wrote:

Adam,

My suggestion is basically that we need an authoritative source of the
what.  The installed package should be it.  The package manager knows
how to retrieve it.  If there are five equivalent ways of getting the
same thing, I don't care about the how.  I am looking for

Do a particular how using suggested API or equivalent (must get the same
what).  I am even OK with the list of five ways in an ordered preference

If you can't get the name using API 1, use API 2.  If that is not
available move on to API 3 and so on until you get to API N.  After
that, make your best guess.  Note, that a guess is often a set and not
one particular package though.

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959


> -----Original Message-----
> From: Adam Montville [mailto:[hidden email]]
> Sent: Tuesday, December 14, 2010 9:24 AM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] Automated CPE Generation Style
Guide (UNCLASSIFIED)
>
> Is this an interim suggestion?  It's not bad (I suggested an open
source,
> programmatic solution to this list not very long ago), but I don't
prefer
> to see the "how" being specified.  I'd rather see only the "what" in
> specifications and standards, which leaves vendors some flexibility in
> tool implementation.  I don't disagree that until we find the proper
> "what" solution, we can do little to avoid the "how" in the
specification, I
> >agree with you.
> >
> >> Not saying this is a bad idea, just wondering about the larger
> >problem.  Also, for what it's worth,
> >> any solution such as that mentioned above should be more strict
than a

Thanks for the additional explanation, Vlad.

Would we have potential trust issues here?  It seems that a malicious
package could, if we give the package "authority," report whatever it
wants to the package manager yes?

On 12/14/10 6:36 AM, "Vladimir Giszpenc" <[hidden email]> wrote: