CPE editor in OpenSCAP library


CPE editor in OpenSCAP library

Maros Barabas
Hi,

     my name is Maros Barabas and I work on the OpenSCAP project [1], which
implements many SCAP standards including CPE. Our library can parse/export XML
files (such as CPE dictionary and CPE language) and work with an internal model
that represents these files in C-lang structures.

Currently I have some questions on CPE that I hope you can answer.
(1) How can we tell the user what version of CPE we support in the library? Or
should it be hard-coded and changed only when patching the schema?
(2) Is there any current model/schema that can verify that an XML file is valid
(semantically) with the actual version?
(3) What mechanism should we use for parsing/exporting CPE XML files?
Currently we are using libxml2 xmlwriter/xmlreader. Is there any better
solution you can advise?
(4) Can the CPE XML schema be used for parsing/exporting CPE files?

Thanks for your answers.

Regards
Maros Barabas

[1] www.open-scap.org

Re: CPE editor in OpenSCAP library

Booth, Harold
-----Original Message-----
From: Maros Barabas [mailto:[hidden email]]
Sent: Tuesday, December 01, 2009 6:28 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] CPE editor in OpenSCAP library

Hi,

     my name is Maros Barabas and I work on the OpenSCAP project [1], which
implements many SCAP standards including CPE. Our library can parse/export XML
files (such as CPE dictionary and CPE language) and work with an internal model
that represents these files in C-lang structures.

Currently I have some questions on CPE that I hope you can answer.
(1) How can we tell the user what version of CPE we support in the library? Or
should it be hard-coded and changed only when patching the schema?

(2) Is there any current model/schema that can verify that an XML file is valid
(semantically) with the actual version?

I believe you are asking if there is a schema or DTD which will validate the XML CPE Dictionary format. If that is the case, the one for 2.2 can be found here:
http://cpe.mitre.org/files/cpe-dictionary_2.2.zip

or here:


(3) What mechanism should we use for parsing/exporting CPE XML files?
Currently we are using libxml2 xmlwriter/xmlreader. Is there any better
solution you can advise?


(4) Can the CPE XML schema be used for parsing/exporting CPE files?

Thanks for your answers.

Regards
Maros Barabas

[1] www.open-scap.org

Re: CPE editor in OpenSCAP library

Booth, Harold
In reply to this post by Maros Barabas
I apologize, my previous message was incorrectly sent prematurely.
Please ignore it.

Answers are inline below.

-----Original Message-----
From: Maros Barabas [mailto:[hidden email]]
Sent: Tuesday, December 01, 2009 6:28 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] CPE editor in OpenSCAP library

Hi,

     my name is Maros Barabas and I work on the OpenSCAP project [1], which
implements many SCAP standards including CPE. Our library can parse/export XML
files (such as CPE dictionary and CPE language) and work with an internal model
that represents these files in C-lang structures.

Currently I have some questions on CPE that I hope you can answer.
(1) How can we tell the user what version of CPE we support in the library? Or
should it be hard-coded and changed only when patching the schema?


---
For the 2.x line of CPE, the maintainers have chosen to have the namespace be fixed for all versions to: http://cpe.mitre.org/dictionary/2.0
The actual schema file used to validate determines what version of CPE you support. I imagine whether you hard-code or not could be dependent on implementation.
---


(2) Is there any current model/schema that can verify that an XML file is valid
(semantically) with the actual version?

---

I believe you are asking if there is a schema or DTD which will validate the XML CPE Dictionary format. If that is the case, the one for 2.2 can be found here:

http://cpe.mitre.org/files/cpe-dictionary_2.2.zip

or here:

http://cpe.mitre.org/files/cpe-dictionary_2.2.xsd
---


(3) What mechanism should we use for parsing/exporting CPE XML files?
Currently we are using libxml2 xmlwriter/xmlreader. Is there any better
solution you can advise?

---
I am afraid I can't offer any advice from experience on this, assuming you are looking for a parser with C bindings. I just did a quick Google search for "C xml parser" and libxml2 is one of the first, and another library called expat was also listed, but does not appear to be actively maintained. For C++ the Apache Xerces parser has worked for me in the past.
---

(4) Can the CPE XML schema be used for parsing/exporting CPE files?

---
The CPE dictionary available at http://nvd.nist.gov/cpe.cfm uses this format.  CPE lists in the SCAP data stream also use this format.
---
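
Added example, not part of the thread and not OpenSCAP code: because the 2.x namespace is fixed, a consumer cannot tell the dictionary version from the namespace alone, so this pre-validation gate checks the root element and picks the schema file to validate against, refusing any DOCTYPE before a validator sees the input. It assumes the `generator/schema_version` element of the CPE 2.2 dictionary schema (not mentioned in the thread); `select_schema`, `SCHEMA_BY_VERSION` and `UnsupportedCpeDictionary` are hypothetical names, and the XSD validation itself is left to a schema-aware library such as libxml2.

```python
import xml.parsers.expat

CPE_DICT_NS = "http://cpe.mitre.org/dictionary/2.0"  # fixed for all 2.x versions
# Assumption: only the 2.2 schema file named in the thread is available locally.
SCHEMA_BY_VERSION = {"2.2": "cpe-dictionary_2.2.xsd"}


class UnsupportedCpeDictionary(ValueError):
    """Raised when the document should not be handed to the validator."""


def select_schema(xml_bytes):
    """Return the XSD file name to validate this CPE dictionary against."""
    root, path, version = [], [], []
    wanted = [f"{CPE_DICT_NS} cpe-list", f"{CPE_DICT_NS} generator",
              f"{CPE_DICT_NS} schema_version"]

    def on_start(name, attrs):
        if not path:
            root.append(name)       # remember the namespace-qualified root
        path.append(name)

    def on_text(data):
        if path == wanted:          # /cpe-list/generator/schema_version only
            version.append(data)

    def on_doctype(*_args):
        # The format needs no DTD; refusing it keeps entity definitions out.
        raise UnsupportedCpeDictionary("DOCTYPE declarations are not accepted")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: path.pop()
    parser.CharacterDataHandler = on_text
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)   # malformed XML raises expat.ExpatError

    if root[0] != wanted[0]:
        raise UnsupportedCpeDictionary(f"unexpected root element: {root[0]}")
    declared = "".join(version).strip()
    if declared not in SCHEMA_BY_VERSION:
        raise UnsupportedCpeDictionary(f"no schema for version {declared!r}")
    return SCHEMA_BY_VERSION[declared]


# Constructed sample document, not taken from a real dictionary.
SAMPLE = b"""<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <generator><schema_version>2.2</schema_version></generator>
  <cpe-item name="cpe:/a:example:product:1.0"/>
</cpe-list>"""
```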