Dealing with Missing Names

Dealing with Missing Names

Andrew Buttner
Administrator
One area of CPE that needs some immediate attention is the quantity and
quality of the Official CPE Dictionary.  We have recently had some feedback
that the limited amount of names and the number of errors is making it hard
for users to adopt and leverage CPE.  Over the next few weeks I will be
working to help improve this situation and by doing so will hopefully help
make CPE more usable for all.

MISSING CPE NAMES
-----------------
Maybe the most common question that we get is what to do if a CPE Name is
missing from the Official CPE Dictionary.  This could be because the name
that is needed represents a brand new platform type, or because the name
represents a class of platforms that hasn't been worked on yet, or it could
be because we just missed it when the original set of names was added.
Either way, the hole needs to be filled and a new CPE Name needs to be
added.

The CPE Specification was designed to give users the ability to make some
educated guesses about what the CPE Name should be.  This is useful in two
ways:

1) The missing CPE Name can be created by the user and submitted to
[hidden email] (following the CPE Dictionary schema) for inclusion into the
dictionary.  By following the CPE Specification and submitting using the
schema, the time to include the name into the dictionary should be greatly
reduced.  Once included, it is now available to be used.

2) If desired, the submitted name can be used by the individual as a
temporary name.  (make sure it is marked as such)  Note that the name might
change during our review process, but hopefully the CPE Specification enables
a name to be created that is close to what the final name will be.  Once the
official name has been included in the dictionary, the individual should
replace their temporary name with the official name.

*** Question ***

Should CPE specify a way for individual tools to annotate that an unofficial CPE Name (one that has been submitted for inclusion into the dictionary) is in fact a temporary name?  Or should we leave it up to the individual tools that choose to expose these names to their customers?  In other words, should CPE make a recommendation that a tool include a flag or state attribute with every CPE Name used so that a tool's users will understand if the name is official or not?  My opinion is that this is a problem for the individual tool to figure out if they choose to use unofficial CPE Names.  I feel that CPE should stay out of this process and let the tools decide on a method that fits them best.

REPORTING ERRORS
----------------

If an error is found in an existing CPE Name, or a title associated with an
existing name, then please forward a description of the error to
[hidden email].  All error reports will be reviewed and sent to NIST so the
Official CPE Dictionary can be corrected.  (and the name in error
deprecated)

DISCUSSION
----------

As always, the CPE Discussion List is available to ask questions and to get
advice from the community.  Please leverage this resource as it will help
everyone understand and improve CPE.

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515
Re: Dealing with Missing Names

Gary Newman-2
Hi Drew,

The "create one and submit it" model is fine for vendors, but doesn't help CPE
consumers understand the tentative nature of "candidate" names (not in the
dictionary).  Imagine dozens of deployed products at the time Windows 7 is
released (likely by fall).  Only at its release will Microsoft announce the
editions, and might even still change the name to something else.  Those dozens
of deployed products will need "candidate" names for that OS (and its editions)
during beta (today), and the product vendors (and end-users) will need to
generate names that are likely to conflict.  

Clearly marking "candidate" cpe names will help consumers.  How about prefixing
such name components with _c_ as a short-hand?

        -Gary-

Re: Dealing with Missing Names

Andrew Buttner
Administrator
I think your example of Windows 7 brings up two important issues.

1) How do we respond to new platform types in a timely manner?
2) How do we deal with names that could change?

As you point out, the two issues are related in a way.  If we try to issue new names too early, then there is more of a chance that they will need to change.  If we delay the release of new names, then they will not be available for the community to use when needed.

In response to the second issue, I feel like the deprecation process solves this.  Let me ask - How have people found the deprecation process?  Are there implementation issues associated with following multiple and frequent deprecation paths?  Would releasing a name early, and then deprecating as necessary when that name changes, solve the second issue?

If deprecation works, then I would answer the first issue by saying that submissions should come early as soon as we have a need for a particular name.  In fact, the first names may often be for beta versions that really should have their own CPE Name.

Thanks
Drew



>-----Original Message-----
>From: Gary Newman [mailto:[hidden email]]
>Sent: Wednesday, February 18, 2009 10:36 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Dealing with Missing Names
Re: Dealing with Missing Names

Gary Newman-2
Hi Drew,

Perhaps it was unintentional, but you didn't include (and thus maybe don't
consider) the CPE consumer's ability to recognize candidate names an important
issue.  If so, please recognize that the changing of names can easily undermine
the main purpose of CPE.

It's not clear whether the deprecation process will work as smoothly as you
allude to.  The "adoption" of new names (and deprecation of old) currently
requires considerable vendor manual labor.  Thus, there will be a time lag
between dictionary release and end-user availability.

The current deprecation process also doesn't consider how CPE consumers will
deal with deprecation.  Does the community really believe that end-users will
have the skills, and energy, to modify their own data to match the latest
dictionary?

As to beta versions having their own CPE name, isn't that precluded by the
prefix rule?  Could we really have all these

        cpe:/o:microsoft:windows_7::ctp:x64-ultimate
        cpe:/o:microsoft:windows_7::rc1:x64-ultimate
        cpe:/o:microsoft:windows_vista_plus_plus::gold:x64-ultracool

for the same operating system, once the consumer marketing wizards do their
magic?

        -Gary-

Re: Dealing with Missing Names

Andrew Buttner
Administrator
Gary,

I hope the answers below help with some of your questions.  I am very interested as to what others in the community might think about these issues.



>Perhaps it was unintentional, but you didn't include (and thus maybe
>don't consider) the CPE consumer's ability to recognize candidate
>names an important issue.

Right now there is no such thing as a candidate name.  The feeling was that we don't need candidate names as the deprecation process can deal with these.  Is this something we need to reconsider?  CVE used to have candidate names but they found the process of converting candidates to real identifiers to be an unnecessary delay as most candidates were never changed.  CPE has been taking the approach that if a submitted name needs to change, then we can just deprecate the old name and add the new name.




>If so, please recognize that the changing
>of names can easily undermine the main purpose of CPE.

I do agree with this and understand that we want to limit the amount of changing to a bare minimum.  Unfortunately, as long as we keep the URI format to support matching, I don't see how we will be able to eliminate changing names.




>It's not clear whether the deprecation process will work as smoothly as
>you allude to.  The "adoption" of new names (and deprecation of old)
>currently requires considerable vendor manual labor.  Thus, there will
>be a time lag between dictionary release and end-user availability.

The hope is that there would be no manual labor in following a deprecation path, or in updating an existing mapping.  I envision one possible solution would be a script that parses the CPE Dictionary and automatically updates any deprecated names in your vendor mapping.  This script could run nightly.  Would this be feasible?  Is there more to it that I am missing?




>The current deprecation process also doesn't consider how CPE consumers
>will deal with deprecation.  Does the community really believe that
>end-users will have the skills, and energy, to modify their own data to
>match the latest dictionary?

I think this is a valid concern.  I ask the rest of the CPE Community to chime in with how deprecation is currently working for them.  Are there issues that are unfeasible that the community is finding in trying to implement?




>As to beta versions having their own CPE name, isn't that precluded by
>the prefix rule?

I don't think so.  The prefix property just says that platform types identified by a long name should be a subset of those identified by a short name.  In other words, the types identified by

cpe:/o:Microsoft:windows_7:beta

would be a subset of types identified by

cpe:/o:Microsoft:windows_7



>Could we really have all these
>
>        cpe:/o:microsoft:windows_7::ctp:x64-ultimate
>        cpe:/o:microsoft:windows_7::rc1:x64-ultimate
>        cpe:/o:microsoft:windows_vista_plus_plus::gold:x64-ultracool
>
>for the same operating system, one the consumer marketing wizards do
>their magic?

These names would uniquely id individual platform types.  Of course they do expose current limitations in the matching algorithm.  With the name change from Windows 7 to Windows Vista ++ we no longer can match the names.  I agree that this deficiency needs to be addressed in a future version of CPE, maybe through aliases or through an ontology.



Thanks
Drew
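Drew's nightly-script idea and the prefix property he describes above, as an added example that is not from the thread or the CPE project: a small Python module that parses a constructed CPE 2.2 dictionary fragment, follows deprecated_by chains to rewrite a vendor mapping (refusing loops and unknown names instead of silently keeping stale ones), and checks the prefix (subset) relationship between two URI names. It assumes the dictionary schema's deprecated and deprecated_by attributes on cpe-item; the sample XML, the names in it and the mapping are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://cpe.mitre.org/dictionary/2.0}"

# Constructed sample dictionary (not the official one).  It assumes the
# CPE Dictionary 2.x attributes deprecated / deprecated_by on <cpe-item>.
# The beta name was deprecated twice as the product was renamed.
SAMPLE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:microsoft:windows_7:beta" deprecated="true"
            deprecated_by="cpe:/o:microsoft:windows_7:rc1"/>
  <cpe-item name="cpe:/o:microsoft:windows_7:rc1" deprecated="true"
            deprecated_by="cpe:/o:microsoft:windows_vista_plus_plus:gold"/>
  <cpe-item name="cpe:/o:microsoft:windows_vista_plus_plus:gold"/>
  <cpe-item name="cpe:/o:microsoft:windows_7"/>
</cpe-list>"""


def components(name):
    """Split a cpe:/ URI into its colon-separated components, lower-cased."""
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: " + name)
    return name[len("cpe:/"):].lower().split(":")


def identifies_subset(longer, shorter):
    """Prefix property: does `longer` name a subset of what `shorter` names?
    Every component given in `shorter` must equal the same component of
    `longer`; an empty component in `shorter` is unspecified and matches any."""
    lng, sht = components(longer), components(shorter)
    if len(sht) > len(lng):
        return False
    return all(s == "" or s == l for s, l in zip(sht, lng))


def load_deprecations(xml_text):
    """Map every dictionary name to its deprecated_by target (None if current)."""
    table = {}
    for item in ET.fromstring(xml_text).iter(NS + "cpe-item"):
        deprecated = item.get("deprecated", "false").lower() == "true"
        table[item.get("name")] = item.get("deprecated_by") if deprecated else None
    return table


def resolve(name, table, max_hops=10):
    """Follow deprecated_by links to the current name; reject loops and
    names the dictionary does not know, rather than silently keeping them."""
    seen = []
    while table.get(name) is not None:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("deprecation loop or over-long chain at " + name)
        seen.append(name)
        name = table[name]
    if name not in table:
        raise KeyError("name not in dictionary: " + name)
    return name


def refresh_mapping(mapping, table):
    """The nightly job: rewrite each vendor-mapping entry to its current name."""
    return {key: resolve(cpe, table) for key, cpe in mapping.items()}
```

Note that the rename from windows_7 to windows_vista_plus_plus is exactly the case prefix matching cannot bridge; only the deprecation chain connects the two names.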
Re: Dealing with Missing Names

Ronayne, James K.
We really need the component tree to include deprecation.  If one wants to build abstract CPEs that can match against fully specified CPEs from the dictionary then it is important to know which CPE components are valid to use.  You can figure it out by following the deprecation links and deconstructing the non-deprecated CPEs but it would be easier to have it noted in the dictionary tree.

Jim



-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Tuesday, March 03, 2009 4:23 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Dealing with Missing Names
