CPE, who's telling right ?


CPE, who's telling right ?

Security Database Team
Dear all,

Since we've started our process to make security-database compliant with
open standards (CVE, OVAL, CCE, CWE...) we try as much as possible to
cross-link data originating from different sources. It happens that
we identified some discrepancies in the use of CPE ids. We have
already raised such a problem in the past.

In fact, OVAL and NVD don't use the same CPE(s) for the same products,
especially for Microsoft.

Here is an example:

http://www.security-database.com/detail.php?alert=MS09-002
(sorry, you'll have to log on), but I paste the result.

OVAL:

 * cpe:/a:microsoft:ie:7 (oval:org.mitre.oval:def:627)
 * cpe:/o:microsoft:windows_2008:::x86
 * cpe:/o:microsoft:windows_2008::sp1:x64 (oval:org.mitre.oval:def:5356)

NVD:

   * cpe:/a:microsoft:internet_explorer:7
   * cpe:/o:microsoft:windows_server_2008:::itanium
   * cpe:/o:microsoft:windows_server_2008:::x32
   * cpe:/o:microsoft:windows_server_2008:::x64


As expected, the difference resides in the use of the 'windows_server_2008'
and 'windows_2008' terms, and of 'ie' and 'internet_explorer'.

Also, you can see x86 and x32, x64.

Is it just a typo? Or is the CPE schema not validated upon generating the
signatures?

Who's telling right? OVAL or NVD!?!

Thanks a lot.
Ben.

--
Benjamin Picuira
Security Database Core Team Leader
Mail : mailto:[hidden email]
Web : http://www.security-database.com
--
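The kind of cross-link check the post describes, as an added example that is not part of the original thread: a small CPE 2.2 URI parser that splits each name into its seven components and reports, field by field, where the OVAL and NVD names for MS09-002 disagree. The CpeName class and the helper function names are this example's own; the CPE strings are the ones listed in the post.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# CPE 2.2 URI component order: cpe:/part:vendor:product:version:update:edition:language
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

@dataclass(frozen=True)
class CpeName:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

def parse_cpe22(uri: str) -> CpeName:
    """Split a CPE 2.2 URI into its seven components (trailing empties allowed)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components: {uri!r}")
    parts += [""] * (len(FIELDS) - len(parts))
    # Percent-decode and lowercase: CPE names compare case-insensitively.
    return CpeName(*(unquote(p).lower() for p in parts))

def diff_cpe(a: str, b: str) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every component that disagrees."""
    da, db = parse_cpe22(a), parse_cpe22(b)
    return {f: (getattr(da, f), getattr(db, f))
            for f in FIELDS if getattr(da, f) != getattr(db, f)}

def cross_link(source_a: list, source_b: list) -> dict:
    """Pair each name in source_a with the source_b names sharing part and vendor,
    recording the differing fields; an empty diff means an exact match."""
    report = {}
    for a in source_a:
        pa = parse_cpe22(a)
        same_vendor = [b for b in source_b
                       if parse_cpe22(b).part == pa.part and parse_cpe22(b).vendor == pa.vendor]
        report[a] = {b: diff_cpe(a, b) for b in same_vendor}
    return report

# The MS09-002 names from the post above (OVAL definition ids dropped).
OVAL = ["cpe:/a:microsoft:ie:7", "cpe:/o:microsoft:windows_2008:::x86",
        "cpe:/o:microsoft:windows_2008::sp1:x64"]
NVD = ["cpe:/a:microsoft:internet_explorer:7", "cpe:/o:microsoft:windows_server_2008:::itanium",
       "cpe:/o:microsoft:windows_server_2008:::x32", "cpe:/o:microsoft:windows_server_2008:::x64"]
```

Running cross_link(OVAL, NVD) yields no empty diff for any OVAL name, which is exactly why a string-equality join between the two feeds finds nothing for this bulletin.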

Re: CPE, who's telling right ?

Andrew Buttner
Administrator
The Official CPE Dictionary (hosted by NVD) should be used as the official source of CPE Names.  The names used in OVAL should be changed to align with what is found in the Official CPE Dictionary.  I will work with the OVAL team to get this correction made.

In addition, we are aware that a massive cleanup of the Official CPE Dictionary is needed and we are working toward that right now.  Sorry for the trouble that this has caused.

Thanks
Drew


>-----Original Message-----
>From: Security Database Team [mailto:[hidden email]]
>Sent: Tuesday, February 24, 2009 9:18 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: [CPE-DISCUSSION-LIST] CPE, who's telling right ?