CPE reference in the vulnerability file


CPE reference in the vulnerability file

geraldd
Hi,

On the NIST website, the CVE vulnerability XML file with the version 2.0 contains references with CPEs: 'nvdcve-2.0-*.xml'

However, a lot of CPE references cannot be found in the CPE product dictionary (official-cpe-dictionary_v2.2.xml).

Different types of missing data are seen:

1) Many software products appear to not be in the CPE database at all.
For example, in the last modified version of the vulnerabilities 'nvdcve-2.0-modified.xml', the following entries are not in the CPE database (there are a lot more):
cpe:/o:bsdi:bsd_os:3.1
cpe:/a:intersystems:cache_database:5

2) Newer releases of software products seem to be missing from the CPE database. For example, the newest version of Adobe Acrobat in the CPE database is 8.1. But the CVE file has entries for the versions 8.1.1, 8.1.2, 9, and 9.0.

3) CPE references in CVEs sometimes specify more detail than corresponding entries in the CPE database. For example, there are CPEs for various releases of Solaris (cpe:/o:sun:solaris:8, cpe:/o:sun:solaris:9, and cpe:/o:sun:solaris:10), but the CVE database wants to specify that a vulnerability applies only to the Sparc architecture, so it references cpe:/o:sun:solaris:10::sparc, which is not in the CPE database.
   
I would like to know if there is a standard for the usage of the CPEs in the vulnerability database. Are all the existing CPE entries in the CVE database candidates that will be entered in the CPE database in a later phase? Or does the CVE database use its own CPE terminology?

Is there a plan to have an exact matching between the entries in the CVE database and the CPE dictionary?

Thanks a lot,

Gerald
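The three mismatch categories above can be checked mechanically once the CPE 2.2 URIs are split into their components. The following is an added example (not code from the post, from NIST/NVD or from MITRE) that classifies each CVE-feed CPE reference as an exact dictionary match, a refinement of an existing entry (case 3), a known product with an unknown version (case 2), or an unknown product (case 1). The dictionary and the reference list are constructed samples modelled on the examples in the post; reading the real nvdcve-2.0-*.xml feed and official-cpe-dictionary_v2.2.xml is assumed to happen elsewhere.

```python
"""Reconcile CVE-feed CPE 2.2 references against a CPE dictionary.

Added example; the two lists below are constructed samples, not the real
NVD feed or the official CPE dictionary.
"""
from typing import Dict, List, Optional, Tuple

# Component order of a CPE 2.2 URI: cpe:/part:vendor:product:version:update:edition:language
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri: str) -> Dict[str, str]:
    """Split a CPE 2.2 URI into named components.

    Trailing components that are absent or empty come back as '' (unspecified),
    so 'cpe:/o:sun:solaris:9' and 'cpe:/o:sun:solaris:9:' parse identically.
    """
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    comps = uri.lower()[len("cpe:/"):].split(":")
    if len(comps) > len(CPE_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    comps += [""] * (len(CPE_FIELDS) - len(comps))
    return dict(zip(CPE_FIELDS, comps))


def _key(uri: str) -> Tuple[str, ...]:
    """Normalised tuple used for exact comparison."""
    return tuple(parse_cpe22(uri).values())


def generalizes(entry: str, ref: str) -> bool:
    """True if a dictionary entry covers ref: every component the entry
    specifies equals ref's component; unspecified components match anything."""
    e, r = parse_cpe22(entry), parse_cpe22(ref)
    return all(e[f] == "" or e[f] == r[f] for f in CPE_FIELDS)


def classify(ref: str, dictionary: List[str]) -> Tuple[str, Optional[str]]:
    """Return (category, matching dictionary entry or None) for one reference."""
    index = {_key(d): d for d in dictionary}
    if _key(ref) in index:
        return ("exact", index[_key(ref)])

    # Case 3: the reference refines an existing entry, e.g. adds an edition
    # such as 'sparc'. Prefer the most specific entry that still covers it.
    covering = [d for d in dictionary if generalizes(d, ref)]
    if covering:
        best = max(covering, key=lambda d: sum(1 for v in parse_cpe22(d).values() if v))
        return ("more_specific", best)

    # Case 2: vendor/product is known, but this version is not listed.
    r = parse_cpe22(ref)
    for d in dictionary:
        e = parse_cpe22(d)
        if (e["part"], e["vendor"], e["product"]) == (r["part"], r["vendor"], r["product"]):
            return ("unknown_version", None)

    # Case 1: the product is not in the dictionary at all.
    return ("unknown_product", None)


def reconcile(refs: List[str], dictionary: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every reference; the result maps each URI to (category, entry)."""
    return {ref: classify(ref, dictionary) for ref in refs}


# Constructed sample dictionary (stands in for official-cpe-dictionary_v2.2.xml).
CPE_DICTIONARY = [
    "cpe:/o:sun:solaris:8",
    "cpe:/o:sun:solaris:9",
    "cpe:/o:sun:solaris:10",
    "cpe:/a:adobe:acrobat:8.1",
]

# Constructed sample references (stands in for the CPEs in nvdcve-2.0-modified.xml).
CVE_REFERENCES = [
    "cpe:/o:bsdi:bsd_os:3.1",
    "cpe:/a:intersystems:cache_database:5",
    "cpe:/a:adobe:acrobat:9.0",
    "cpe:/o:sun:solaris:10::sparc",
    "cpe:/o:sun:solaris:9",
]

if __name__ == "__main__":
    for ref, (category, entry) in reconcile(CVE_REFERENCES, CPE_DICTIONARY).items():
        print(f"{ref:40} {category:16} {entry or ''}")
```

The "more_specific" bucket is the one a vulnerability-matching tool can usually resolve safely by falling back to the covering dictionary entry (Solaris 10 in the example); "unknown_version" and "unknown_product" references have no dictionary anchor at all and need to be tracked until the dictionary catches up.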

Re: CPE reference in the vulnerability file

McCormick, Christopher [USA]
The thread at the following link within this discussion forum relates to these questions (July 2009). Please refer to the information in this thread including statements about roles and responsibilities for the NIST/NVD and MITRE. The idea of batch processing the CPE data via CVE analysis is an idea that has been discussed before and as resource cycles become free and permit, the NIST/NVD is looking towards producing this capability.

http://n2.nabble.com/CPE-Entries-for-Acrobat-8-1-4-9-0-9-1-td3291494.html#a3291494 


-----Original Message-----
From: geraldd [mailto:[hidden email]]
Sent: Monday, September 28, 2009 12:02 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] CPE reference in the vulnerability file
