Will CPE be expanded to contain optional information regarding component software?


shanford
Are there any plans to incorporate optional "contains" indications?  For
example, it would be very valuable to have CPE specify that:
cpe:/a:vendor:product:2.0 contains
- cpe:/a:gnu:zlib:1.2.1
- cpe:/a:openssl:openssl:0.9.8d

While:
cpe:/a:vendor:product:2.0:update1 contains
- cpe:/a:gnu:zlib:1.2.1
- cpe:/a:openssl:openssl:1.0.0

Because Update 1 was a security fix to correct for OpenSSL vulnerabilities.

With a "contains" option specified, flaws in OpenSSL 0.9.8d could be used to
flag cpe:/a:vendor:product:2.0 as potentially also vulnerable.

Thanks,
Seth Hanford
Cisco IntelliShield
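
The propagation the post asks for, sketched as an added example that is not part of the original message or of any CPE specification: a hypothetical "contains" map keyed by CPE 2.2 URI, with a flaw in one component flagging every product that includes it, directly or through a nested product. The `CONTAINS` structure, the function names and the simplified matching rule (an unspecified field matches anything) are assumptions.

```python
from urllib.parse import unquote

# Constructed data: the CPE names come from the post; the mapping format is
# hypothetical, since CPE itself defines no "contains" relationship.
CONTAINS = {
    "cpe:/a:vendor:product:2.0": ["cpe:/a:gnu:zlib:1.2.1",
                                  "cpe:/a:openssl:openssl:0.9.8d"],
    "cpe:/a:vendor:product:2.0:update1": ["cpe:/a:gnu:zlib:1.2.1",
                                          "cpe:/a:openssl:openssl:1.0.0"],
}
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into its seven components; missing ones become ''."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[5:].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components: {uri!r}")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, (unquote(p).lower() for p in parts)))


def matches(pattern, target):
    """Simplified name matching: an empty field in the pattern matches anything."""
    p, t = parse_cpe22(pattern), parse_cpe22(target)
    return all(p[f] in ("", t[f]) for f in FIELDS)


def potentially_affected(vulnerable, contains=CONTAINS):
    """Return the sorted product CPEs that contain a component matching
    `vulnerable`, either directly or via another flagged product."""
    flagged = set()
    changed = True
    while changed:  # repeat until no new product is flagged (handles nesting)
        changed = False
        for product, components in contains.items():
            if product in flagged:
                continue
            if any(matches(vulnerable, c) or c in flagged for c in components):
                flagged.add(product)
                changed = True
    return sorted(flagged)
```

A result from `potentially_affected` is a candidate list for review, matching the post's "potentially also vulnerable" wording: containing a flawed library does not by itself show the flawed code path is reachable in the product.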