Re: Vendor to CPE mapping and list update issues


Here's our findings file for those who couldn't open it.

Regarding applications that have gone through several owners, we plan to have a relationship showing deprecation for vendors (i.e., Citadel <productnamehere> has now been deprecated at the vendor level so that it now reads McAfee <productnamehere>, where the product name remains the same and only the vendor name changes).

Regarding another thread vis-à-vis product naming and detailed issues, the UCF team will happily apply our mapping staff to this issue and will vet, suggest changes, and maintain the information in the list at no cost to anyone.

Dorian J. Cougias
Founder and Lead Analyst, Unified Compliance Framework



-------- Original Message --------
Subject: Re: [CPE-DISCUSSION-LIST] Vendor to CPE mapping
From: "Buttner, Drew" <[hidden email]>
Date: Mon, May 18, 2009 6:51 am
To: [hidden email]


I'm not sure if others are having the same problem, but the .zip file does not seem to be valid and I cannot open it. You may want to try sending this directly to the list instead of through the Nabble interface.

>> The answer to both is a tentative yes, but with a lot of work.
>> First, we've
>> found huge issues with the current state of the list regarding
>> vendor names.
>> Since when is a person a vendor?
>Easily. A "vendor" does not imply a commercial entity. Think open
>source developers. Think of the computer science students. Both
>contribute software but do not represent commercial organizations.

Yes, CPE needed a convention for creating names for platforms that were not from a commercial organization (think open source). We felt that the best solution was to use the initial developer's name.

>> There are a couple of people listed as
>> vendors. Wild. We also found out that the current methodology
>> doesn't allow
>> for acquisition of vendors, selling of products, etc.
>In the situation that a specific product or entity is sold or acquired
>does not negate the need for a preexisting cpe declaration. The
>product or vendor was released as such; and should be able to be
>referenced after that product or vendor ceases to exist.

This is a known issue with the current CPE specification. There has been talk in the past about using aliases to represent these changed names. I can say that this issue is something that is sure to be solved by a future major version, but right now we are living with this deficiency until we have a better idea about what the next major version should look like.

>I'd have to look at the newest cpe standard, but seemingly a new cpe
>would need to be defined. Anyone?

Currently, yes. If vendors merge, or if one vendor is bought by another, then any CPE Name created from that point forward would be with the new vendor name. Existing CPE Names would not be changed.

>> So our first proposal outlined in the Word document is to separate the
>> vendor list from the product list and track vendors in a taxonomic
>> hierarchy. And yes, ASSIGN NUMERIC IDs to them.
>Admittedly, I have been overwhelmed with too much work too little
>time. But has this age old proposal not been determined yet?

I think this idea has a lot of merit. Numeric ids have been talked about a lot in the past. As has the notion of splitting out the vendor component into a separate enumeration. I think there is promise in this, especially if we change the way CPE Matching works and use a solution that does not rely on the URI structure. This is again a version 3 discussion.

The CPE team here at MITRE has had some focused discussions on what some different version 3 proposals might look like. We have been trying to determine the different needs of the community as well as determine where the current specification falls down. Many of these ideas have been shared with the community. Our next step is to formalize these ideas into official proposals that we can discuss as a community. I will try to put more effort into this to get these moving again.

Drew
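To make the alias idea from this thread concrete, here is an added example (not code from the thread, MITRE or the UCF team) that parses CPE 2.2 URI names and applies a vendor deprecation table during matching, so existing names written with the old vendor stay unchanged while still matching names written with the new one. The alias table, the product name "exampleproduct" and all function names are constructed for the illustration.

```python
"""Vendor alias resolution for CPE 2.2 URI names (added example, not from the thread)."""
from dataclasses import dataclass

# Constructed deprecation table: old vendor -> current vendor. This models the
# Citadel -> McAfee relationship described in the thread; it is not an official list.
VENDOR_ALIASES = {"citadel": "mcafee"}


@dataclass(frozen=True)
class CpeName:
    part: str      # "a" (application), "h" (hardware) or "o" (operating system)
    vendor: str
    product: str
    version: str = ""  # empty means "any version"


def parse_cpe22(uri: str) -> CpeName:
    """Parse a CPE 2.2 URI such as cpe:/a:mcafee:exampleproduct:1.0 into components."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or fields[0] not in ("a", "h", "o"):
        raise ValueError(f"CPE name needs part, vendor and product: {uri!r}")
    part, vendor, product = fields[:3]
    version = fields[3] if len(fields) > 3 else ""
    return CpeName(part, vendor.lower(), product.lower(), version.lower())


def canonical_vendor(vendor: str) -> str:
    """Follow deprecation links until a current vendor name is reached.

    A cycle in the alias table is a data error, so it is reported rather than looped on.
    """
    seen = set()
    while vendor in VENDOR_ALIASES:
        if vendor in seen:
            raise ValueError(f"alias cycle involving vendor {vendor!r}")
        seen.add(vendor)
        vendor = VENDOR_ALIASES[vendor]
    return vendor


def names_match(a: str, b: str) -> bool:
    """Match two CPE 2.2 names with vendor aliases applied to both sides.

    The vendor components are compared after alias resolution, so an old name keeps
    matching. A missing version acts as a wildcard, following CPE 2.2's prefix matching.
    """
    x, y = parse_cpe22(a), parse_cpe22(b)
    if x.part != y.part or x.product != y.product:
        return False
    if canonical_vendor(x.vendor) != canonical_vendor(y.vendor):
        return False
    return not x.version or not y.version or x.version == y.version
```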