CPE automation and a call for feedback

Vladimir Giszpenc
CPE gang,

To query the system for a list of installed packages (and patches)
authenticated scanners can use:

On Windows there is WMI(C)
On Fedora, RHEL and derivatives there is RPM
On OS/X there is pkgutil
On Suse there is zypper
On Debian and derivatives there is dpkg
On Solaris there is pkginfo

If we automate the above e.g. f(packagename, version, company, website,
etc) = CPE ID, we solve a large portion of the problem.  This will not
solve things installed from source, zips, or anything else that does not
register the application.  Those things need to be found and named, but
it is harder.

So now we have a bunch of IDs.  Yippee!  We can talk about the same
thing using the same name.  Next we want to describe the thing enough so
we can call out relationships like duplicates and sets like fuzzy
matches.

Why are we not using RDF and friends?  This will give us SPARQL for
queries and we are done!

Authenticated scanners only build IDs, thus *don't care* about the RDF.
TK will probably not oppose it, nor will NIST because RDF is already
part of NVD.

-----------------------------------------------------------------------
Who is left who needs wildcards and queries and opposes RDF-ifying CPE?

-----------------------------------------------------------------------

It solves most problems we have and then some.  It is not a panacea but
it is appropriate for this problem set.  For XCCDF and OVAL
(prerequisite is still not in the spec), just hard code lists of CPE IDs
and keep it simple.

After hearing all about it, I don't understand why we keep ignoring it.
I am just curious.  There is a learning curve, but I stress that we
would not all have to learn it.  I think a standard way to go beyond the
package manager to build our universe of CPE IDs would be most useful.

F(filename, fileversion, contents of README, etc) = CPE ID.  I don't
have the formula (and I believe there should be many), but this is the
sort of thing we should be discussing.  In fact, if f() is someone's
special sauce, that is OK by me.  Just call the ID SpecialSauceCook:ID
and we can let NVD relate them after the fact but the IDs would be
there.

Respectfully,

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Re: CPE automation and a call for feedback

Gary Newman-2
Hi Vlad,

What would the proposed automated f() CPE generator do with the following WMIC
"products" that appear after installing Sql Server 2008 on a computer?

        -Gary-

Microsoft Application Error Reporting
Microsoft SQL Server 2008 BI Development Studio
Microsoft SQL Server 2008 Books Online (August 2008)
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Client Tools
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Integration Services
Microsoft SQL Server 2008 Management Studio
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 Policies
Microsoft SQL Server 2008 Reporting Services
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Compact 3.5 SP1 Query Tools English
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Database Publishing Wizard 1.2
Microsoft SQL Server VSS Writer
Microsoft Visual Studio Tools for Applications 2.0 - ENU
SQL Server System CLR Types
Sql Server Customer Experience Improvement Program



Re: CPE automation and a call for feedback

Vladimir Giszpenc
Gary,

I don't know the internals of Windows so I will answer in generalities.

For each product, get the version and other metadata for that product from
WMIC and build the name.  It really does not matter what algorithm we settle
on as long as we all use the same one.  If you think it is important to have
property FOO in the name, then so be it.  This is sort of like a hashing
function.  We want CPEId = f(a) to result in unique CPEIds for different a
values (no collisions) and we want f(a') to never result in CPEId.  As far as
I am concerned a hash would make a great ID, but it is not backwards
compatible, so I am trying to play nice with others.

We do not have the requirement that CPEId be of constant length so the URI
format is as good as any.

Is WMIC not capable of collecting enough information to satisfy our pseudo
hash function requirement?


Regards,

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959


> -----Original Message-----
> From: Gary Newman [mailto:[hidden email]]
> Sent: Friday, May 28, 2010 11:18 AM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback

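The mapping f(packagename, version, vendor, ...) = CPE ID proposed at the top of the thread, with the no-collision property Vlad asks for in the message above, as an added example that is not code from the thread or from any scanner. It binds the package-manager fields to the CPE 2.2 URI form (cpe:/a:vendor:product:version:update); the rpm and dpkg lines are constructed, and the "debian" vendor given to dpkg records is an assumption, since dpkg-query carries no vendor field.

```python
r"""
Derive CPE 2.2 URI names from package-manager inventory output.

Added example, not code from the thread or from any CPE tool.  The input
lines are constructed to look like the output of
  rpm -qa --queryformat '%{NAME}\t%{VERSION}\t%{RELEASE}\t%{VENDOR}\n'
and
  dpkg-query -W -f='${Package}\t${Version}\n'
The vendor assigned to dpkg records ("debian") is an assumption because
dpkg-query has no vendor field.
"""
import re
from urllib.parse import quote

# Debian version syntax: [epoch:]upstream_version[-debian_revision]
_DEB_VERSION = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<upstream>.+?)(?:-(?P<rev>[^-]+))?$")


def cpe_component(value: str) -> str:
    """Normalise one free-text field into a CPE 2.2 URI component:
    lower-case, runs of whitespace become '_', and anything outside
    [a-z0-9._~-] is percent-encoded so ':' or '(' cannot break the URI."""
    value = re.sub(r"\s+", "_", value.strip().lower())
    return quote(value, safe="")  # quote() never encodes letters, digits or '_.-~'


def cpe_uri(part: str, vendor: str, product: str, version: str = "",
            update: str = "", edition: str = "", language: str = "") -> str:
    """Bind the CPE 2.2 components:
    cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
    Trailing empty components are omitted, as the 2.2 binding allows."""
    comps = [cpe_component(c) for c in (vendor, product, version, update, edition, language)]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join([part] + comps)


def cpe_from_rpm_line(line: str) -> str:
    """NAME<TAB>VERSION<TAB>RELEASE<TAB>VENDOR -> cpe:/a:vendor:name:version:release
    The RPM release goes into the 'update' slot: it is what distinguishes a
    rebuilt or patched package from the plain upstream version."""
    name, version, release, vendor = line.rstrip("\n").split("\t")
    return cpe_uri("a", vendor, name, version, release)


def cpe_from_dpkg_line(line: str, vendor: str = "debian") -> str:
    """PACKAGE<TAB>VERSION -> cpe:/a:vendor:package:upstream:revision
    The split is on the *last* '-' because upstream versions may contain
    hyphens; the epoch is dropped since it is not part of the upstream string."""
    package, version = line.rstrip("\n").split("\t")
    m = _DEB_VERSION.match(version)
    return cpe_uri("a", vendor, package, m["upstream"], m["rev"] or "")


# Constructed sample inventories (not real scan output).
RPM_SAMPLE = [
    "openssl\t1.0.0a\t1.fc13\tFedora Project",
    "httpd\t2.2.15\t1.fc13\tFedora Project",
    "openssl\t1.0.0\t1.fc13\tFedora Project",   # a second build installed side by side
]
DPKG_SAMPLE = [
    "openssl\t0.9.8k-7ubuntu8",
    "libx11-6\t2:1.3.2-1ubuntu3",               # epoch present
    "sudo\t1.7.2p1-1ubuntu5",
]


def inventory_to_cpes(rpm_lines, dpkg_lines):
    """f(package metadata) -> one CPE name per registered package.
    The binding is deterministic and keeps every distinguishing field, so two
    scanners running it on the same box emit the same names, and two different
    packages (here the two openssl builds) never collide."""
    names = [cpe_from_rpm_line(l) for l in rpm_lines]
    names += [cpe_from_dpkg_line(l) for l in dpkg_lines]
    if len(set(names)) != len(names):
        raise ValueError("two distinct inventory records mapped to one CPE name")
    return names


if __name__ == "__main__":
    for name in inventory_to_cpes(RPM_SAMPLE, DPKG_SAMPLE):
        print(name)
```

What the package manager cannot tell you, the function cannot either: the vendor component for dpkg is guessed, and nothing here reconciles "Fedora Project" with the upstream vendor NVD uses, which is exactly the relating-after-the-fact step left to the dictionary maintainer.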

Re: CPE automation and a call for feedback

Gary Newman-2
Hi Vlad,

Sorry that I wasn't clearer, but all 25 of those "Products" are returned by
WMIC after installing a single instance of Sql Server 2008.

        -Gary-



Re: CPE automation and a call for feedback

Vladimir Giszpenc
Gary,

So you installed 25 products.  What is the problem with that?  Do you
want to say you installed one?  If there is an aggregate product that
composes the others then it should be among them and maybe it is the
26th product (as long as there is an entry).  KISS!

Have a good weekend!

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959


> -----Original Message-----
> From: Gary Newman [mailto:[hidden email]]
> Sent: Friday, May 28, 2010 1:32 PM
> To: [hidden email]
> Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for
feedback

Re: CPE automation and a call for feedback

Brant Cheikes
This is how we start down a very slippery slope.

Vlad's basic claim is this: for any operating system O, it's straightforward to write a general-purpose algorithm compute_cpe() which inspects O's package manager database (e.g., WMIC, RPM, pkginfo, etc.) and outputs a list of valid CPE ids.  This algorithm is general purpose in that it doesn't contain any special-case code to handle different ways in which different vendor products might appear.  (Or at least the number of variations is finite and enumerable.)  This implies, inter alia, that for every product installed using the package manager, the algorithm always obtains the vendor name, product name, version, etc., in the same way; the vendor name always appears the same way (so you can find all products by the same vendor); every version of the same product appears the same way (so you can correlate all versions of a product); you can parse out version and update in a standard way; etc.  The more you have to tweak the algorithm to deal with platform-, vendor- and product-specific variations, the less useful it becomes.

I'm assuming that Vlad is making this claim because he has done it for RPM, yes?  I'll take him at his word that this works as claimed, but I'd sure like to see the code, and it would be instructive to have a few members of the CPE community take that code, try it out and see what we get.  (Presumably the only way to build a dictionary that covers at least 80% of what's installable is to have a large population of users run this code on their systems, then take the union of the result sets.)

While perhaps this works for RPM, I've heard from many quarters that this simply doesn't work in the general case.  My understanding is that CPE was created for the very reason that there's no standard for doing what Vlad describes.  Even holding the OS fixed, there are simply too many vendor-, product- and even version-specific variations to write a stable algorithm.  I'd like to be proven wrong.

Gary's example suggests that WMIC contains lots of stuff, and you cannot easily distinguish the products you buy from all their obscure component elements.  Applied to this example, the KISS principle means that the Windows portion of the CPE dictionary becomes the set union of whatever a large population of Windows users can extract from WMIC and transform into CPE name format.  I have some difficulty seeing the usefulness of that, but I'll withhold judgment until I see some running code.  Maybe we should start with a pilot using RPM and go from there.

/Brant

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352


-----Original Message-----
From: Vladimir Giszpenc [mailto:[hidden email]]
Sent: Friday, May 28, 2010 1:26 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] CPE automation and a call for feedback


Re: CPE automation and a call for feedback

Thomas Jones
In reply to this post by Vladimir Giszpenc
I can confirm that programmatic derivation of CPE names is possible. Years
ago I coded a bash script that queried the package list from Novell for the
entire product line. It iterated over each record and extracted the name and
version information.

Now this isn't to say that there weren't problems. There were some 8,000+
packages total. Five packages' versioning information eluded the regular
expressions I used during extraction. Drew brought these to my attention so
he may recall. I submitted the CPE dictionary derived from my script to
MITRE a long time ago. I'm not certain what came of it.

As expansive as the package list may be for a Windows platform, I can't
really see it being possible. But for a system using a common build
structure, such as rpm or deb, it is very much feasible.

Cheers.
Thomas

Sent from my iPhone

On May 28, 2010, at 12:26 PM, Vladimir Giszpenc <[hidden email]>  
wrote:


Re: CPE automation and a call for feedback

Vladimir Giszpenc
Thomas,

> As expansive as the package list may be for a Windows platform, I can't
> really see it being possible. But for a system using a common build
> structure, such as rpm or deb, it is very much feasible.

Why is it not possible on the Windows platform?  The worst that can
happen is that we miss a slew of CPE-IDs because those packages do not
use the same way of registering packages or use no way at all.  It
should work for a large set of products and that is good enough (I hate
repeating these words but "perfect is the enemy of good").  I know it
will not give us complete coverage on any platform.  I just don't
understand why we don't start with this method (on ALL platforms) and
build from there.

Basically, instead of sharing the results of your script we all run the
same script to get the same IDs.  Is the script proprietary?


Cheerio,

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Re: CPE automation and a call for feedback

B
Hi Vlad and others.  This thread seems to have stalled.

It seems completely possible to automate large portions of the windows installed software.

Check out this link showing an example of where the information is in the registry and powershell code to get at it. http://myitforum.com/cs2/blogs/yli628/archive/2008/01/16/powershell-script-to-list-installed-software-on-local-computer.aspx 

What is shown is for the local machine but for many a network query would provide the same data.

The fields in the example show at least Displayname DisplayVersion Publisher already separated in the registry so re-parsing of the (psinfo etc) data would not be required.

Similar info is available in MS SCCM (formerly SMS) reports for those who have deployed that.

Standardizing on identifiers that can be programmatically gathered and verified would be great.
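The post above points at a PowerShell script that reads the Uninstall keys. As an added example (my own code, not from the post, the linked blog or the thread's attachments), here is the same walk in Python, kept in one language with the converter discussed later in the thread. The registry path and the DisplayName / DisplayVersion / Publisher / InstallDate values are the ones Programs and Features reads; SystemComponent (hide this entry) and ParentKeyName (this entry is a child update) are the usual flags found in those keys, and the "Update for ..." name test is my own heuristic, not part of any specification. The registry walk needs Windows; the filtering step is a pure function, so it is exercised on a constructed sample at the bottom.

```python
"""Enumerate installed software from the Windows 'Uninstall' registry keys."""
import re
from typing import Dict, Iterable, Iterator, List

try:
    import winreg  # Windows only; None elsewhere so the pure part still imports
except ImportError:
    winreg = None

UNINSTALL_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
VALUES = ("DisplayName", "DisplayVersion", "Publisher", "InstallDate",
          "SystemComponent", "ParentKeyName")
# Heuristic (assumption, not a spec rule): Windows Update entries are named like this.
UPDATE_NAME = re.compile(r"^(security update|update|hotfix) for ", re.I)


def _value(key, name):
    """One value from an open key, or None when the value is not set."""
    try:
        return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def read_uninstall_entries_windows() -> Iterator[Dict[str, object]]:
    """Yield raw entries from HKLM (native and WOW6432 views) and HKCU."""
    if winreg is None:
        raise RuntimeError("the registry walk needs Windows (winreg)")
    views = [
        (winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_64KEY, "HKLM64"),
        (winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_32KEY, "HKLM32"),
        (winreg.HKEY_CURRENT_USER, 0, "HKCU"),
    ]
    for hive, view, label in views:
        access = winreg.KEY_READ | view
        try:
            root = winreg.OpenKey(hive, UNINSTALL_PATH, 0, access)
        except OSError:
            continue  # view absent, e.g. no WOW6432 node on 32-bit Windows
        with root:
            index = 0
            while True:
                try:
                    subkey = winreg.EnumKey(root, index)
                except OSError:
                    break  # EnumKey raises once the subkeys are exhausted
                index += 1
                try:
                    key = winreg.OpenKey(root, subkey, 0, access)
                except OSError:
                    continue  # unreadable subkey: skip rather than abort the walk
                with key:
                    entry = {"key": subkey, "source": label}
                    entry.update({v: _value(key, v) for v in VALUES})
                    yield entry


def inventory(entries: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Reduce raw entries to de-duplicated product/vendor/version records.

    Entries without a DisplayName or with SystemComponent=1 are the ones the
    Programs and Features applet hides, so they are dropped here too.  A
    ParentKeyName or an "Update for ..." name classes the record as an update
    rather than an application (a first cut at the split the thread wants).
    The same product is often visible through both HKLM views; the
    (product, vendor, version) triple collapses those duplicates.
    """
    seen = set()
    records = []
    for entry in entries:
        name = entry.get("DisplayName")
        if not name or entry.get("SystemComponent") == 1:
            continue
        record = {
            "product": str(name).strip(),
            "vendor": str(entry.get("Publisher") or "").strip(),
            "version": str(entry.get("DisplayVersion") or "").strip(),
            "install_date": str(entry.get("InstallDate") or "").strip(),
            "kind": "update" if entry.get("ParentKeyName") or UPDATE_NAME.match(str(name))
                    else "application",
        }
        ident = (record["product"].lower(), record["vendor"].lower(), record["version"])
        if ident in seen:
            continue
        seen.add(ident)
        records.append(record)
    return sorted(records, key=lambda r: (r["kind"], r["product"].lower()))


def _entry(key, source, name, version, publisher, date=None, syscomp=None, parent=None):
    return {"key": key, "source": source, "DisplayName": name, "DisplayVersion": version,
            "Publisher": publisher, "InstallDate": date, "SystemComponent": syscomp,
            "ParentKeyName": parent}


# Constructed sample with the shape the registry walk yields; not real data.
SAMPLE_ENTRIES = [
    _entry("Mozilla Firefox 3.6.12 (x86 en-US)", "HKLM32",
           "Mozilla Firefox 3.6.12 (x86 en-US)", "3.6.12 (en-US)", "Mozilla"),
    _entry("Mozilla Firefox 3.6.12 (x86 en-US)", "HKLM64",      # same product, other view
           "Mozilla Firefox 3.6.12 (x86 en-US)", "3.6.12 (en-US)", "Mozilla"),
    _entry("{A1B2C3D4-0000-0000-0000-000000000001}", "HKLM64", "Update for Sample Suite",
           "1.1", "Example Corp", "20101119", parent="SampleSuite"),
    _entry("AddressBook", "HKLM64", None, None, None),       # no DisplayName: hidden
    _entry("{A1B2C3D4-0000-0000-0000-000000000002}", "HKLM64", "Example Runtime",
           "2.0", "Example Corp", syscomp=1),                 # SystemComponent: hidden
]

if __name__ == "__main__":
    raw = read_uninstall_entries_windows() if winreg else SAMPLE_ENTRIES
    for r in inventory(raw):
        print("|".join([r["product"], r["vendor"], r["version"], r["install_date"], r["kind"]]))
```

Run on a Windows host it prints the live inventory in the pipe-delimited product|vendor|version|install_date shape; elsewhere it prints the constructed sample. Everything it reports is self-reported by whatever wrote the key, so the records are input to be normalised downstream, not an authoritative statement of what is installed.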

Re: CPE automation and a call for feedback (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

Just FYI, I'm still working on doing this within the DoD.  We want to use CPE, but can't afford to depend on a manual mapping process to occur before pulling asset inventories.

As a going-in position, I'm asking our vendors and government developers to basically treat anything that installs itself as an application as an application.  We'll pull everything registered, including patches, updates, libraries, and plain ol' garbage and report it all in CPE format.  At some central level, we'll need to implement a process (with a manual component) that winnows out which ones are which.  I've been working through what that would look like on Windows, Linux, HPUX, MacOS, and some other operating systems and still think it's more feasible than the current manual process that we've been floundering with for the last several years.  I think we'll need the ability, at the central location to designate the "stuff" we find as either applications, updates (i.e. patches, "feature packs", non version-related software installs, etc), or "other."  We'll want to keep the applications and patch info, and may/may not want to keep everything else.

I think the NVD would be a great central point for the community to normalize discovered application names.  I plan to discuss this with NIST.

I developed a transform in Python that will take Windows registry entries for Displayname DisplayVersion Publisher and put them in CPE REGEX format, including the percent encoding.  Not sure if there's interest on the list of working through the conversion logic, but I'm happy to provide it to anyone that wants it.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]

Re: CPE automation and a call for feedback (UNCLASSIFIED)

Jagathpal Shobharani
Hi Joseph,

I would be interested in the python script and check output format from it. Can you please pass it on to me.

Regards,
Shobha, CISSP
Principal Engineer, RSA The Security Division of EMC


Re: CPE automation and a call for feedback (UNCLASSIFIED)

Adam Montville
I'd be interested in that script as well.


Re: CPE automation and a call for feedback (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

I've attached the script along with a sample input and output file (from one of my home computers).  

In the .zip file, there is a file cpetext.txt that contains the discovered registered 'applications' on a box.  The applications are in pipe-delimited format with the name components in order product|vendor|version|installdate.  The script windows_cpe_converter.py reads in the pipe-delimited file and outputs the application names in CPE-REGEX compliant format.  A sample output is in the file cpenames.txt.

If you want to try it, you'll need to update the input file path to wherever you save the cpetext.txt file and update the output file to wherever you want it saved.  The input file was built with a registry query that I can't give out, but the output is a simple pipe-delimited list in format product|vendor|version|install_date.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]



CPE Converter.zip (9K) Download Attachment
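The two posts above describe a transform from Displayname / DisplayVersion / Publisher (pipe-delimited as product|vendor|version|install_date) into CPE names with percent-encoding. The following is an added example of that step, my own code and not the windows_cpe_converter.py attached to the thread. The input shape is the one the post gives; the normalisation rules (lower-case, whitespace to `_`, percent-encode everything outside `[A-Za-z0-9._~-]`, drop a trailing parenthesised tag and a trailing copy of the version from the product, omit empty trailing components) and the conformance pattern are my reading of the CPE 2.2 URI binding, so check them against the published spec before depending on them.

```python
"""Convert product|vendor|version|install_date records to CPE 2.2 URI names."""
import re
from typing import Dict, Iterable, List
from urllib.parse import quote

# Shape of a CPE 2.2 name: part, then up to six ':'-separated components made
# of unreserved characters and %xx escapes (assumption: this mirrors the 2.2
# spec's conformance pattern; verify against the published text).
CPE22_RE = re.compile(r"^cpe:/[aho]?(:[A-Za-z0-9._~%-]*){0,6}$")
TRAILING_TAG = re.compile(r"\s*\([^)]*\)\s*$")  # e.g. "(x86 en-US)" at the end


def component(value: str) -> str:
    """Normalise one component: lower-case, '_' for whitespace, %xx otherwise.

    ':' is encoded along with everything else outside [A-Za-z0-9._~-], so a
    hostile DisplayName such as 'evil:1.0:x' cannot inject extra components;
    the name is self-reported by the installer and is treated as input.
    """
    text = re.sub(r"\s+", "_", value.strip())
    return quote(text, safe="").lower()


def cpe22_name(part: str, vendor: str, product: str, version: str = "",
               update: str = "", edition: str = "", language: str = "") -> str:
    """Assemble cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}."""
    comps = [component(c) for c in (vendor, product, version, update, edition, language)]
    while comps and comps[-1] == "":
        comps.pop()  # empty trailing components are omitted in 2.2 URIs
    return "cpe:/" + part + "".join(":" + c for c in comps)


def is_cpe22(name: str) -> bool:
    """Self-check that an emitted name has the 2.2 URI shape."""
    return CPE22_RE.match(name) is not None


def product_component_source(product: str, version: str) -> str:
    """Strip inventory noise from a DisplayName before it becomes the product.

    Registry names often embed the version and an arch/language tag
    ("Mozilla Firefox 3.6.12 (x86 en-US)"); removing both makes two flavours
    of one product map to one name.  Heuristic, not part of the spec.
    """
    name = TRAILING_TAG.sub("", product).strip()
    if version and name.lower().endswith(version.lower()):
        name = name[: -len(version)]
    return name.rstrip(" -_")


def record_to_cpe(product: str, vendor: str, version: str) -> str:
    """Application ('a') name for one inventory record."""
    return cpe22_name("a", vendor, product_component_source(product, version), version)


def convert(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse product|vendor|version|install_date lines; malformed lines are skipped."""
    out = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split("|")
        if len(fields) != 4:
            continue  # a '|' inside a field breaks the record; drop it rather than guess
        product, vendor, version, install_date = (f.strip() for f in fields)
        out.append({"cpe": record_to_cpe(product, vendor, version),
                    "install_date": install_date})
    return out


# Constructed sample in the post's cpetext.txt shape; not the attached file.
SAMPLE_LINES = [
    "Mozilla Firefox 3.6.12 (x86 en-US)|Mozilla|3.6.12|20101119",
    "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17|Microsoft Corporation|9.0.30729.17|20100102",
    "Evil:Thing|Nobody|1.0|",                    # ':' in a name must not add a component
    "Broken record with too few fields|Nobody",  # skipped
]

if __name__ == "__main__":
    for rec in convert(SAMPLE_LINES):
        print(rec["cpe"], rec["install_date"], "ok" if is_cpe22(rec["cpe"]) else "NONCONFORMANT")
```

The output is the raw, automatically generated name (for the second sample, vendor `microsoft_corporation` rather than the `microsoft` NVD uses), which is exactly why the post argues for a central point that normalises discovered names: the transform is deterministic and repeatable across tools, but it is not a lookup against the official dictionary.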

Automated CPE Generation Style Guide (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
In reply to this post by Adam Montville
Classification:  UNCLASSIFIED
Caveats: NONE

As you may have heard, I've been working with several vendors and DoD government software products to attempt to collect and report installed software in CPE format (or at least CPE 2.x RegEx-compliant format).

One of the difficulties I encountered is that different operating systems (e.g. Microsoft, HPUX, Linux, MACOS, etc) provide different pieces of product names and call them different things.

I'm thinking it would be helpful for interoperability and automation to put together a style guide for each operating system, defining what product name elements we can expect to retrieve and how to combine them together to construct CPEs in a way that will/may result in different vendor tools producing the same names for the same products installed on the same operating systems.

Is there any interest in generating style guides like I've described above?

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(703) 882-0772
[hidden email]

Classification:  UNCLASSIFIED
Caveats: NONE



Re: Automated CPE Generation Style Guide (UNCLASSIFIED)

Vladimir Giszpenc
Joseph L. Wolfkiel,

> Is there any interest in generating style guides like I've described?

Yes.

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Re: Automated CPE Generation Style Guide (UNCLASSIFIED)

Adam Montville
In reply to this post by WOLFKIEL, JOSEPH L CIV DISA PEO-MA
On Dec 14, 2010, at 5:25 AM, "WOLFKIEL, JOSEPH L CIV DISA PEO-MA" <[hidden email]> wrote:

> I'm thinking it would be helpful for interoperability and automation to put together a style guide for each operating system, defining what product name elements we can expect to retrieve and how to combine them together to construct CPEs in a way that will/may result in different vendor tools producing the same names for the same products installed on the same operating systems.

My initial reaction to this is: Another thing to pay attention to?  It seems that security automation standards are running into this sort of thing a lot (vendors calling things by different names, representing a distinct subset of the information in which we are interested, or otherwise viewing the world differently than the next guy).  Does it make sense to continue documenting semantics in this manner?  Or, is there a better way of handling this?

Not saying this is a bad idea, just wondering about the larger problem.  Also, for what it's worth, any solution such as that mentioned above should be more strict than a guide if interoperability and automation are the goals.

Adam

Re: Automated CPE Generation Style Guide (UNCLASSIFIED)

Vladimir Giszpenc
Adam,

I always go back to an API.  I believe that package managers are the
real distinction more so than the OS but I am sure there are some OS
specific extensions that will prove me wrong somewhere.  Either way, I
agree with you.

> Not saying this is a bad idea, just wondering about the larger
problem.  Also, for what it's worth,
> any solution such as that mentioned above should be more strict than a
guide if interoperability and
> automation are the goals.

For WMI use ____ to get the name
For RPM use ____ to get the name
For APT use ____ to get the name
For ...

Vlad

Re: Automated CPE Generation Style Guide (UNCLASSIFIED)

Adam Montville
Is this an interim suggestion?  It's not bad (I suggested an open source,
programmatic solution to this list not very long ago), but I don't prefer
to see the "how" being specified.  I'd rather see only the "what" in
specifications and standards, which leaves vendors some flexibility in
tool implementation.  I don't disagree that until we find the proper
"what" solution, we can do little to avoid the "how" in the specification,
but I'd like to stay focused on longer-term objectives also.

Adam


Re: Automated CPE Generation Style Guide (UNCLASSIFIED)

Vladimir Giszpenc
Adam,

My suggestion is basically that we need an authoritative source of the
what.  The installed package should be it.  The package manager knows
how to retrieve it.  If there are five equivalent ways of getting the
same thing, I don't care about the how.  I am looking for

Do a particular how using suggested API or equivalent (must get the same
what).  I am even OK with the list of five ways in an ordered preference.

If you can't get the name using API 1, use API 2.  If that is not
available move on to API 3 and so on until you get to API N.  After
that, make your best guess.  Note, that a guess is often a set and not
one particular package though.

Vladimir Giszpenc
Armadillo Technical Lead
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959


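The ordered-preference idea in the post above (API 1, then API 2, ... then guess), together with the earlier style-guide proposal of naming which product-name elements each package manager can supply, is shown here as an added example in my own code, not anything from the thread. The "what" is a fixed record (product, vendor, version, source); the "how" is a list of sources tried in order, each a real command plus a parser for its output. The rpm `--qf` and dpkg-query `-f` format strings and the `${Package}`, `${Version}`, `${Maintainer}` and `${Status}` tags are real; deriving a vendor from a Debian Maintainer field is my approximation; pkgutil and the final best-guess step are not implemented; the sample outputs are constructed so the parsers can be exercised without the tools installed.

```python
"""Ordered chain of package-manager queries yielding one record shape."""
import re
import shutil
import subprocess
from typing import Callable, List, NamedTuple, Tuple


class Package(NamedTuple):
    product: str
    vendor: str
    version: str
    source: str  # which API produced the record: keep it, the data is self-reported


def parse_rpm(text: str) -> List[Package]:
    """Lines from: rpm -qa --qf '%{NAME}|%{VERSION}-%{RELEASE}|%{VENDOR}\\n'"""
    packages = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, version, vendor = parts
        if vendor == "(none)":  # rpm prints this when the Vendor tag is unset
            vendor = ""
        packages.append(Package(name, vendor, version, "rpm"))
    return packages


def parse_dpkg(text: str) -> List[Package]:
    """Lines from: dpkg-query -W -f '${Package}|${Version}|${Maintainer}|${Status}\\n'

    dpkg's database also lists removed packages whose config files remain
    ("deinstall ok config-files"); only "... installed" entries are software.
    """
    packages = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        name, version, maintainer, status = parts
        if not status.strip().endswith(" installed"):
            continue
        vendor = re.sub(r"\s*<[^>]*>", "", maintainer).strip()  # drop the e-mail part
        packages.append(Package(name, vendor, version, "dpkg"))
    return packages


# Preference order: API 1, API 2, ...  Each entry: label, argv, parser.
SOURCES: List[Tuple[str, List[str], Callable[[str], List[Package]]]] = [
    ("rpm", ["rpm", "-qa", "--qf", "%{NAME}|%{VERSION}-%{RELEASE}|%{VENDOR}\n"], parse_rpm),
    ("dpkg", ["dpkg-query", "-W", "-f",
              "${Package}|${Version}|${Maintainer}|${Status}\n"], parse_dpkg),
]


def installed_packages() -> List[Package]:
    """Try each source in order; an absent tool or an empty answer moves on.

    Falling off the end is the thread's "after API N, guess" stage, which
    yields a candidate set rather than one name, so nothing is invented here.
    """
    for label, argv, parser in SOURCES:
        if shutil.which(argv[0]) is None:
            continue  # this API is not available on the host
        try:
            completed = subprocess.run(argv, capture_output=True, text=True, check=True)
        except (OSError, subprocess.CalledProcessError):
            continue  # tool present but the query failed: next API
        packages = parser(completed.stdout)
        if packages:
            return packages
    return []


# Constructed sample outputs (not captured from real hosts).
RPM_SAMPLE = "openssl|1.0.0-1.fc13|Fedora Project\nlocal-tool|0.1-1|(none)\n"
DPKG_SAMPLE = (
    "openssl|0.9.8o-4|Debian OpenSSL Team <maintainers@example.org>|install ok installed\n"
    "oldpkg|1.0-1|Someone <someone@example.org>|deinstall ok config-files\n"
)

if __name__ == "__main__":
    for pkg in installed_packages() or parse_rpm(RPM_SAMPLE) + parse_dpkg(DPKG_SAMPLE):
        print("|".join(pkg))
```

The chain keeps the "how" out of the record: a consumer sees only product, vendor, version and which source claimed it. That last field matters for the trust question raised next in the thread, because a package can register any name it likes with its package manager, so the record's provenance is the only handle a central normalisation step has for deciding how far to believe it.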

Re: Automated CPE Generation Style Guide (UNCLASSIFIED)

Adam Montville
Thanks for the additional explanation, Vlad.

Would we have potential trust issues here?  It seems that a malicious
package could, if we give the package "authority," report whatever it
wants to the package manager yes?
