FW: Mapping Debian packages to CPE IDs

Brant Cheikes
The note below was sent by a non-subscriber to the CPE Discussion List.  I'm
forwarding it to the list, and will try to ensure that comments and feedback
get back to Petter.

Thanks,
/Brant

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

-----Original Message-----
From: Petter Reinholdtsen [mailto:[hidden email]] On Behalf
Of Petter Reinholdtsen
Sent: Sunday, January 30, 2011 2:03 PM
To: CPE
Subject: Mapping Debian packages to CPE IDs

This is my first email to this list.  I hope I am not intruding.  I am not
subscribed, so please keep me CC.

The last few days, I have looked into using CPE for tracking open
security issues with the locally maintained software here at the
University of Oslo.  The idea was to use the information provided by
NVD about CVEs.

To test the quality of the CPE tagging in NVD, I had a look at the
Debian CVE registry, available from
<URL: svn://svn.debian.org/secure-testing >, and compared the affected
application list in data/CVE/list with the XML files provided by NVD.
To get this working, I had to create a mapping from Debian source
package names to CPE IDs.  This mapping is available in the same svn,
data/CPE/list.

While doing this mapping, I came across several CPEs used in the NVD
XML file that seem to be duplicates.  This reduces the value of the
NVD data set, as one might miss some CVEs if one searches for the
"wrong" CPE.  The complete list of suspected duplicates I have found
so far is in data/CPE/aliases in the subversion repository, and looks
like this:

  cpe:/a:asterisk:asterisk
  cpe:/a:asterisk:open_source
  cpe:/a:asterisk:p_b_x
  cpe:/a:digium:asterisk

  cpe:/a:clamav:clamav
  cpe:/a:cclamav:clamav
  cpe:/a:clam_anti-virus:clamav
  cpe:/a:clamavs:clamav

  cpe:/a:linux:kernel
  cpe:/a:kernel:linux_kernel
  cpe:/o:kernel:linux
  cpe:/o:linux:kernel
  cpe:/o:linux:linux_kernel

  cpe:/a:fetchmail:fetchmail
  cpe:/a:eric_raymond:fetchmail

  cpe:/a:x:x.org
  cpe:/a:x:x11

  cpe:/a:anibal_monsalve_salaz:ssmtp
  cpe:/a:ssmtp:ssmtp

  cpe:/a:silc:silc_toolkit
  cpe:/a:silcnet:silc_toolkit

  cpe:/a:interchange_development_group:interchange
  cpe:/a:icdevgroup:interchange

  cpe:/a:w3:amaya
  cpe:/a:w3c:amaya_web_browser

  cpe:/a:python:python
  cpe:/a:python_software_foundation:python

  cpe:/a:sixapart:movable_type
  cpe:/a:sixapart:movabletype

  cpe:/a:cups:cups
  cpe:/a:apple:cups

  cpe:/a:xpdf:xpdf
  cpe:/a:foolabs:xpdf

  cpe:/a:xensource:xen
  cpe:/a:citrix:xen
  cpe:/a:xen:xen
  cpe:/a:xensource_inc:xen

  cpe:/a:videolan:vlc
  cpe:/a:videolan:vlc_media_player

  cpe:/a:pedro_lineu_orso:sarg
  cpe:/a:sarg:squid_analysis_report_generator

  cpe:/a:arb_project:arb-common
  cpe:/a:lehrstuhl_fur_mikrobiologie:arb

  cpe:/a:ghostscript:ghostscript
  cpe:/a:artifex:gpl_ghostscript

  cpe:/a:gimp:gimp
  cpe:/a:gnu:gimp

I suspect these duplicate entries should be merged in the NVD
database.  What is needed to make this happen?

While comparing the set of packages affected as claimed by Debian and
NVD, I came across several mismatches.  I got a list with 1737
mismatches looking like these:

  warning: CVE-2008-7220 in Debian refer to cpe:/a:zabbix:zabbix,
    while NVD do not (found
    cpe:/a:prototypejs:prototype_javascript_framework).

  warning: CVE-2008-7244 in Debian refer to cpe:/a:mozilla:libxul,
    while NVD do not (found cpe:/a:mozilla:firefox).

  warning: CVE-2008-6699 in NVD is not refering to cpe:/a:typo3:typo3
    found in Debian.

I also failed to find CPE IDs for several packages claimed by the
Debian database to be affected by CVEs.  This is the list of packages
affected by 3 or more CVEs.  The complete list has 213 packages.

  error: missing CPE ID for vmware-package (27)
  error: missing CPE ID for kompozer (15)
  error: missing CPE ID for acidbase (15)
  error: missing CPE ID for eglibc (13)
  error: missing CPE ID for glpi (9)
  error: missing CPE ID for kino (8)
  error: missing CPE ID for knowledgeroot (8)
  error: missing CPE ID for gstreamer0.10-ffmpeg (7)
  error: missing CPE ID for xmlrpc-c (6)
  error: missing CPE ID for php-mail (6)
  error: missing CPE ID for ayttm (6)
  error: missing CPE ID for python-xml (6)
  error: missing CPE ID for python-4suite (6)
  error: missing CPE ID for gst-plugins-bad0.10 (6)
  error: missing CPE ID for smart (6)
  error: missing CPE ID for netpbm-free (5)
  error: missing CPE ID for w3c-libwww (4)
  error: missing CPE ID for sip-tester (4)
  error: missing CPE ID for mcabber (4)
  error: missing CPE ID for karrigell (4)
  error: missing CPE ID for sabre (4)
  error: missing CPE ID for tla (4)
  error: missing CPE ID for tdom (4)
  error: missing CPE ID for qutecom (4)
  error: missing CPE ID for kdenetwork (4)
  error: missing CPE ID for xmovie (4)
  error: missing CPE ID for nspr (4)
  error: missing CPE ID for xar (4)
  error: missing CPE ID for openmpi (3)
  error: missing CPE ID for siproxd (3)
  error: missing CPE ID for naim (3)
  error: missing CPE ID for lam (3)
  error: missing CPE ID for argyll (3)
  error: missing CPE ID for hamlib (3)
  error: missing CPE ID for pinball (3)
  error: missing CPE ID for hercules (3)
  error: missing CPE ID for ggobi (3)
  error: missing CPE ID for redland (3)
  error: missing CPE ID for memcachedb (3)
  error: missing CPE ID for sdcc (3)
  error: missing CPE ID for camserv (3)
  error: missing CPE ID for xerces-c2 (3)
  error: missing CPE ID for xerces-c (3)
  error: missing CPE ID for libannodex (3)
  error: missing CPE ID for libextractor (3)
  error: missing CPE ID for advi (3)
  error: missing CPE ID for xotcl (3)
  error: missing CPE ID for plt-scheme (3)
  error: missing CPE ID for xscreensaver (3)
  error: missing CPE ID for mt-daapd (3)
  error: missing CPE ID for gnu-smalltalk (3)
  error: missing CPE ID for hypre (3)
  error: missing CPE ID for mp4h (3)
  error: missing CPE ID for libaws (3)
  error: missing CPE ID for polarssl (3)
  error: missing CPE ID for open-iscsi (3)
  error: missing CPE ID for libtunepimp (3)
  error: missing CPE ID for system-tools-backends (3)
  error: missing CPE ID for vnc4 (3)
  error: missing CPE ID for guile-1.6 (3)
  error: missing CPE ID for xmlsec1 (3)
  error: missing CPE ID for libhtml-prototype-perl (3)
  error: missing CPE ID for qwik (3)
  error: missing CPE ID for qemu-kvm (3)

What is the correct way to find/generate new CPEs for these packages?

Happy hacking,
--
Petter Reinholdtsen

----- End forwarded message -----
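The comparison the forwarded message describes (Debian tracker entries against NVD CPE tags, through a package-to-CPE mapping, with an alias table folding duplicate CPE spellings into one canonical name) is sketched below as an added example. It is not code from the post, from the Debian secure-testing repository, or from NVD; the file layouts, the alias groups, the `CVE-0000-*` identifiers and the CVE-to-CPE assignments are all constructed for the example and only loosely follow the data/CVE/list, data/CPE/list and data/CPE/aliases files the post names. Running it with and without alias folding shows how many of the reported mismatches are really just spelling variants of the same product.

```python
"""Cross-check a distro CVE tracker against NVD CPE tags, folding CPE aliases.

Added example; not code from the original post or the Debian repository.
All input data below is constructed (hypothetical CVE ids and assignments).
"""
from collections import defaultdict

# Constructed alias groups, blank-line separated as in the post's listing.
# The first name in each group is treated as the canonical CPE name.
ALIAS_GROUPS = """
cpe:/a:digium:asterisk
cpe:/a:asterisk:asterisk
cpe:/a:asterisk:open_source

cpe:/a:clamav:clamav
cpe:/a:cclamav:clamav
cpe:/a:clam_anti-virus:clamav
"""

# Constructed Debian source package -> CPE mapping (stand-in for data/CPE/list).
PACKAGE_TO_CPE = """
asterisk cpe:/a:asterisk:asterisk
clamav cpe:/a:clamav:clamav
zabbix cpe:/a:zabbix:zabbix
"""

# Constructed tracker entries: CVE -> affected source packages.
DEBIAN_CVES = {
    "CVE-0000-0001": ["asterisk"],
    "CVE-0000-0002": ["clamav", "zabbix"],
    "CVE-0000-0003": ["vmware-package"],   # deliberately absent from the mapping
}

# Constructed NVD entries: CVE -> CPE names, using alias spellings on purpose.
NVD_CVES = {
    "CVE-0000-0001": ["cpe:/a:digium:asterisk"],
    "CVE-0000-0002": ["cpe:/a:cclamav:clamav"],
    "CVE-0000-0003": [],
}


def parse_alias_groups(text):
    """Map every alias in every group to that group's canonical (first) CPE name."""
    canonical = {}
    for block in text.strip().split("\n\n"):
        names = [line.strip() for line in block.splitlines() if line.strip()]
        for name in names:
            canonical[name] = names[0]
    return canonical


def parse_package_map(text):
    """Map Debian source package names to CPE names ("<package> <cpe>" per line)."""
    mapping = {}
    for line in text.strip().splitlines():
        pkg, cpe = line.split()
        mapping[pkg] = cpe
    return mapping


def fold(cpe, canonical):
    """Replace an alias by its canonical name; unknown names pass through."""
    return canonical.get(cpe, cpe)


def compare(debian, nvd, pkg_map, canonical):
    """Return (warnings, missing): mismatch messages per CVE, and a count of
    CVEs per package for which no CPE mapping exists."""
    warnings = []
    missing = defaultdict(int)
    for cve, pkgs in sorted(debian.items()):
        nvd_cpes = {fold(c, canonical) for c in nvd.get(cve, [])}
        for pkg in pkgs:
            if pkg not in pkg_map:
                missing[pkg] += 1
                continue
            cpe = fold(pkg_map[pkg], canonical)
            if cpe in nvd_cpes:
                continue
            if nvd_cpes:
                warnings.append(f"warning: {cve} in Debian refers to {cpe}, while NVD "
                                f"does not (found {', '.join(sorted(nvd_cpes))})")
            else:
                warnings.append(f"warning: {cve} in NVD is not referring to {cpe} "
                                f"found in Debian")
    return warnings, dict(missing)


def run(with_aliases=True):
    """Run the comparison on the constructed data, with or without alias folding."""
    canonical = parse_alias_groups(ALIAS_GROUPS) if with_aliases else {}
    return compare(DEBIAN_CVES, NVD_CVES, parse_package_map(PACKAGE_TO_CPE), canonical)


if __name__ == "__main__":
    for label, flag in (("without aliases", False), ("with aliases", True)):
        warnings, missing = run(flag)
        print(f"--- {label}: {len(warnings)} mismatch(es)")
        for w in warnings:
            print(w)
        for pkg, n in sorted(missing.items()):
            print(f"error: missing CPE ID for {pkg} ({n})")
```

On the constructed data, folding aliases removes two of the three mismatches (the asterisk and clamav entries differ only in CPE spelling) and leaves the genuine one, where the tracker names zabbix and NVD does not; the unmapped package is reported separately so that missing-CPE counts are not mistaken for NVD disagreements.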
