[cpe-discussion] some questions about CPE


[cpe-discussion] some questions about CPE

Feng Cao
Hi all,

We are evaluating CPE inside Oracle. Can someone help to shed some light
on the questions below (please bear with me as I'm new to this list)?

- Who created the CPE names for Oracle and Sun?
- Why are some names (like oracle linux) missing from CPE 2.2 (and were
listed in previous versions)?
- Can Oracle get notification of any request to cpe-dictionary for
new or modified CPE names for Oracle (and Sun) products and review such a
request?
- What is the projected timeline for cpe dictionary based on CPE 2.3?
- Inside CPE 2.3, it would be useful to include a CPE string in
"target_sw" as a standard way to name the software (similarly for
"target_hw"). Has this been discussed?

Thanks,

--Feng

Feng Cao
Oracle Global Product Security
--
cpe-discussion mailing list
To unsubscribe send an email to:
[hidden email] with the following in the body of the message:
unsubscribe cpe-discussion

Re: [cpe-discussion] some questions about CPE

Kent Landfield
Not sure you received an answer to this, but the reality is it may not have been someone from either Sun or Oracle.  I think there needs to be a discussion about the CPE dictionary assignment process.  Today I am not sure it is well understood by the community.

From my perspective:
  • We need a process for registering CPE names that is well understood.
  • Vendors should be the final arbitrators for CPEs for their products if they want to be (some don't and the community has done the best they could but…)
  • We need a secure and verifiable means to add, update, deprecate, etc. that can be done without major resource demands on NIST.
Thanks.

Kent Landfield

McAfee | An Intel Company
Direct: +1.972.963.7096 
Mobile: +1.817.637.8026
Web: www.mcafee.com


Re: [cpe-discussion] some questions about CPE

Eric Jenko

> I think there needs to be a discussion about the CPE dictionary assignment process.

> We need a process for registering CPE names that is well understood.

I couldn’t agree more.  I think the process should be such that one can derive/predict (with relative accuracy) what a CPE string should be if it doesn’t yet exist in the official dictionary.

One of the challenges in adopting the use of CPE is deciding how to handle when vendors/products/etc. don’t exist in the official dictionary.  There are basically two choices: 1) ignore them or 2) derive the strings (“guess”).  Neither is good and the second option can be frustrating, especially if it’s found that an official entry already exists that is radically different from what was expected, as in cases of company/product acquisitions/rebranding.

It might be a good idea to establish a hierarchy or relationship schema in CPE similar to what was done in CWE.  This could help ensure that all products under a company’s umbrella (via acquisition or rebranding) or all names and versions of a given product (via rebranding) are accounted for and easily found.  This could help a company in vetting their CPEs.  It could also help to alleviate the frustration of a vulnerability analyst trying to include the proper CPEs in a report.

> Vendors should be the final arbitrators for CPEs for their products if they want to be.

I agree, as long as a company doesn’t rebrand a product and then decide to change all existing CPEs for that product to match the new name.  Obviously, rules would need to be established to prevent things like this and ensure stability so that if I search for (and find) a product’s CPE today, I can find it again with the same search criteria next month.

Lastly, I’d like to see a change in how the vendor part (name) is chosen – e.g., perhaps using the company’s copyright, if one exists.  It could help to avoid confusion when trying to derive the CPE for a product owned by one of many companies named “Acme”.  Currently, one of them will get “acme” and the others will get domain-based names like “acme.net”, “acme.org”, etc.  Personally, I think domain-based names are a bad idea.  Suppose the “acme.org” company goes under, and the “acme.net” company buys the domain.  It might result in a vulnerability analyst using the wrong CPE.

Thanks.

Eric Jenko
Counter Threat Unit (CTU)
One Concourse Parkway Suite 500
Atlanta, GA 30328
[hidden email]
www.secureworks.com

 


Re: [cpe-discussion] some questions about CPE

Blake Frantz
In reply to this post by Kent Landfield

I agree on all points.

 


Re: [cpe-discussion] some questions about CPE

steveklos
In reply to this post by Eric Jenko

A few comments – sorry for the length, but there are quite a number of really good comments from Eric and Kent that I’d like to address to the wider audience.

Before you read on, please be aware that I’m the person who’s currently managing a non-profit under the auspices of IEEE-ISTO to evangelize the use of SWID tags in the market.  I don’t have a financial interest in this effort, but I do have a strong interest in seeing the market make steps towards fixing what’s been a pervasive issue for IT departments everywhere since software started being deployed to personal computers.

From: [hidden email] [mailto:[hidden email]] On Behalf Of Eric Jenko
Sent: Thursday, June 27, 2013 6:40 AM
To: [hidden email]; [hidden email]; [hidden email]
Subject: Re: [cpe-discussion] some questions about CPE

> > I think there needs to be a discussion about the CPE dictionary assignment process.
>
> > We need a process for registering CPE names that is well understood.
>
> I couldn’t agree more.  I think the process should be such that one can derive/predict (with relative accuracy) what a CPE string should be if it doesn’t yet exist in the official dictionary.

 

One should not rely on predictions or statistical models when it comes to identification of software for security or compliance purposes – if that’s all you have, you don’t have a choice, but there are other approaches.  Frankly, the software vendor should specify what their software product is, and the information should be provided in a way that the receiver can validate that the data is authoritative.  This can be done with SWID tags and it may be possible with other technologies as well, but I’ve not seen other effective options that have been embraced by the ISV community as yet.  Additionally, the SWID tag can directly support the development of an existing CPE dictionary if that’s desired (see http://tagvault.org/2012/04/23/cpe-integration/ for more information on this topic).

For software that does not include a SWID tag, IT operations should be responsible for creating a SWID tag that is included with the software.  This can be done for new software as it’s being distributed and can also be done for older software titles that already exist in the network infrastructure.

> One of the challenges in adopting the use of CPE is deciding how to handle when vendors/products/etc. don’t exist in the official dictionary.  There are basically two choices: 1) ignore them or 2) derive the strings (“guess”).  Neither is good and the second option can be frustrating, especially if it’s found that an official entry already exists that is radically different from what was expected, as in cases of company/product acquisitions/rebranding.

One thing to consider as you work through this – you need to look at each release at a point in time.  When a software product is shipped, that particular release/version will not be changed through company or product acquisition or rebranding.  These types of changes do occur, and occur regularly, but they happen when a new release/version is shipped.

For example, FrontPage was developed by a company named Vermeer.  Releases of the products that were branded Vermeer may still exist in some systems.  Microsoft then bought Vermeer, but kept the branding of FrontPage – the next release was a different code base and had the Microsoft brand on it.  FrontPage was then retired, but – at least for upgrade purposes, was replaced by Microsoft Expression Web – completely different product, but from a license compliance perspective, there is a relationship between FrontPage and Expression Web.  Each of these products has a unique code base.  The Vermeer and Microsoft FrontPage products have a related code base, and if an issue is found in the Vermeer version, depending on the issue, it may need to be checked against the Microsoft version, but each release carries its own specific issues and the CPE name for a specific release that’s been distributed to the market should never change.

In terms of dealing with the issue of products/vendors/releases not existing in the catalog – this is a problem that needs a normalization registry.  It would be relatively easy to create a set of names of publishers, products, and such that would serve the open source and legacy environment, but it would need to be something that supports relationships (i.e. if a 3rd party enters the name “Microsoft” and Microsoft indicates the name is “Microsoft Corporation”, there needs to be a method to indicate that these two are synonyms, although only one would be authoritative – that’s the one provided by the publisher).

 

> It might be a good idea to establish a hierarchy or relationship schema in CPE similar to what was done in CWE.  This could help ensure that all products under a company’s umbrella (via acquisition or rebranding) or all names and versions of a given product (via rebranding) are accounted for and easily found.  This could help a company in vetting their CPEs.  It could also help to alleviate the frustration of a vulnerability analyst trying to include the proper CPEs in a report.

Agree.

> > Vendors should be the final arbitrators for CPEs for their products if they want to be.
>
> I agree, as long as a company doesn’t rebrand a product and then decide to change all existing CPEs for that product to match the new name.  Obviously, rules would need to be established to prevent things like this and ensure stability so that if I search for (and find) a product’s CPE today, I can find it again with the same search criteria next month.

I agree that the Vendors should be the final arbitrators of their software identification (focusing on a more generic term than CPE – especially if CPE can be derived from the software identification details).  In fact, if this is not supported by the vendor community, I can pretty much guarantee that the costs for managing the system will skyrocket while the accuracy will plummet.  There are too many publishers, too many platforms and too many releases of products, suites, bundles, patches, etc. for any third party to manage completely.  Further, this data needs to be used for multiple purposes – not just for CPE/SCAP needs, but for other security, license compliance and logistics efforts, and different tools will come up with different answers.

The data must be provided by the vendor, it must be normalized and it must be used consistently by all tools.  Doing this will cut down IT costs, increase accuracy and enable an SCAP structure that’s based on authoritative data.

When it comes to a specific CPE reference changing – it should never change.  This goes back to the point in time discussion.  A CPE references a specific product release from a specific publisher at a specific point in time.  If a product is rebranded, you may get a different CPE for subsequent releases, but there should be ways you can identify a relationship between the two (useful to indicate that a later release of a product that may have a different CPE product should be tested to see if it has a similar vulnerability).

You cannot put limits on the publisher from a rebranding or restructuring perspective.  If you do, you’ll end up alienating the very publisher community you need to make this work.  You need to have a system that allows for these changes and manages to them.

> Lastly, I’d like to see a change in how the vendor part (name) is chosen – e.g., perhaps using the company’s copyright, if one exists.  It could help to avoid confusion when trying to derive the CPE for a product owned by one of many companies named “Acme”.  Currently, one of them will get “acme” and the others will get domain-based names like “acme.net”, “acme.org”, etc.  Personally, I think domain-based names are a bad idea.  Suppose the “acme.org” company goes under, and the “acme.net” company buys the domain.  It might result in a vulnerability analyst using the wrong CPE.

 

I agree with these comments, but there are a number of issues here…  Ultimately, the concept of ID of a vendor, customer, etc. is something that needs to be addressed more comprehensively, but that’s not yet been done.  We worked through a number of different options for this when working on the 19770-2 standard.  What we determined was:

- You need to have a unique reference for an entity
- You cannot rely on the name because companies in different countries can legally have the same name
- You need to base the unique reference on a system that ensures uniqueness
- You do not want the unique reference to change – it must be normalized
- One of the few, but not only, ways to ensure uniqueness and normalization is to base that information on an existing registration authority

The outcome of this thinking was based on what the IETF did in RFC 3720 for IQNs – namely:

- Domains may only have one owner at a time
- Including a date with the domain name ensures uniqueness to the owner
- Including a Company name that goes with the Domain Name will help make the data more human readable
- The ISO/IEC 19770-2 standard created a regid which includes the domain, a date of ownership and the name of the company
- TagVault.org has taken this one step further and is working towards providing an openly accessible repository that includes the details from the regid – thus, if you look up microsoft.com (or, com.microsoft), you will get “Microsoft Corporation”.  The work on the repository is just starting now, but the fundamental requirements to support that repository are already in place

There are multiple ways this data can be used in CPE.  If you want the shortest name (which has at times been indicated as a desirable approach), the domain name is likely the shortest reference.  If you want a reference that indicates if ownership has changed (such as when a company is purchased and the domain changes hands), you would need to include the ownership date.  If you want to have a unique name, you would need to use the name associated with the regid (for purposes of CPE, you would also need some additional transformation rules to change the name to a string – such as changing spaces to underscore).

The general approach I believe has the best opportunity for success has the following characteristics:

- The effort is not limited to CPE/SCAP, but looks at the market holistically (giving some idea of the scope, this includes some of the following issues) – what’s needed for license compliance, security and logistics?  What’s needed by IT shops?  How can the data collected from multiple devices on a network be reconciled and used by multiple different IT tools?  How can this data help with supply side security?  Can the solution support bundles, suites, individual products, patches, multiple platforms, and an increasing range of publishers?  Can the solution provide additional benefits – such as the ability to validate that files were created by a known (and approved) publisher?
- The effort needs to start at the vendor – anywhere after that point and you start getting into proprietary solutions with varying accuracy and limited ability for normalization and consistency across the breadth of IT requirements.
- The approach must support the identification of suites, bundles, individual products and must also include support for patches.  The approach must also be able to provide data down to individual product installations to the IT teams (i.e. if I installed Office Pro 2013 on a device(s), I should be able to see that and I should also be able to see that I only installed Excel, Word and PowerPoint on the device(s) from that suite).
- The data needs to be provided in a consistent and normalized fashion that the receiver can validate.
- There must be a method or methods available to support legacy products.
- There must be a hard and fast link between what a vendor indicates is their product(s) and how a vulnerability analyst directs references for various issues.
- For the system to achieve a high level of automation, authoritative identification data must be provided either by the vendor, or by IT operations for the organization managing vulnerabilities.  Basing efforts on predictions and statistically close references will always require much more administrative effort.  Please note – when I say automation, I’m not necessarily saying that patch management systems should automatically and blindly apply a patch as soon as it’s available.  There is a role for administration of systems, I just don’t think that role should be to have to manually check through a reporting system to know if a patch is required for a system, or not.

There’s quite a lot more behind the support for SWID tags (including a huge number of very large ISVs and tool providers who support the effort), but I wanted to ensure I at least start to provide some additional details that can be considered in the CPE/SCAP discussion.

Cheers,

Steve Klos
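
The identifier scheme Steve outlines (domain plus ownership date as the unique publisher reference, a synonym registry with exactly one authoritative name, names transformed into CPE components by lower-casing and turning spaces into underscores, and a CPE name that never changes once bound to a release) can be sketched in a few dozen lines. What follows is an added example written for this page, not code from this thread, from TagVault.org or from ISO/IEC 19770-2. The regid layout "regid.<YYYY-MM>.<reversed domain>", the escaping rule inside cpe_component, and the Acme publisher record are all assumptions made for the example. It also addresses Eric's acme.net/acme.org point: because the ownership date is part of the identifier, a domain that changes hands produces a new regid for the new owner, and the CPE names already bound under the old regid stay where they are.

```python
"""Regid-style publisher identifiers, a normalization registry and immutable
CPE assignments. Constructed example: not code from the cpe-discussion
thread, TagVault.org or ISO/IEC 19770-2. The regid layout
'regid.<YYYY-MM>.<reversed domain>' and the publisher data are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Publisher:
    domain: str        # registered domain, e.g. "acme.net" (constructed)
    owned_since: str   # "YYYY-MM": month the current owner took over the domain
    name: str          # authoritative name as supplied by the publisher


def regid(p: Publisher) -> str:
    """Domain plus ownership date: a domain has one owner at a time, so the
    pair stays unique even if the domain later changes hands (the RFC 3720
    IQN idea referred to in the thread). Assumed layout, see module docstring."""
    if not re.fullmatch(r"\d{4}-(0[1-9]|1[0-2])", p.owned_since):
        raise ValueError("owned_since must be YYYY-MM")
    reversed_domain = ".".join(reversed(p.domain.lower().split(".")))
    return f"regid.{p.owned_since}.{reversed_domain}"


def cpe_component(text: str) -> str:
    """Turn a human-readable name into a CPE 2.3 formatted-string component:
    lower-case, spaces to underscores, and (my reading of the CPE 2.3
    formatted-string rules) backslash-escape every other character that is
    not alphanumeric, '_', '-' or '.'."""
    out = []
    for ch in text.strip().lower():
        if ch.isspace():
            out.append("_")
        elif ch.isalnum() or ch in "_-.":
            out.append(ch)
        else:
            out.append("\\" + ch)
    return "".join(out)


class NameRegistry:
    """Normalization registry: many spellings may point at one regid, but only
    the publisher-supplied name is authoritative."""

    def __init__(self) -> None:
        self._authoritative: dict[str, str] = {}  # regid -> publisher name
        self._synonyms: dict[str, str] = {}       # lower-cased spelling -> regid

    def register_publisher(self, p: Publisher) -> str:
        rid = regid(p)
        self._authoritative[rid] = p.name
        self._synonyms[p.name.lower()] = rid
        return rid

    def add_synonym(self, spelling: str, rid: str) -> None:
        """Record a third-party spelling (e.g. "Acme") for a known regid."""
        if rid not in self._authoritative:
            raise KeyError(f"unknown regid {rid}")
        self._synonyms[spelling.lower()] = rid

    def resolve(self, spelling: str) -> tuple[str, str]:
        """Any recorded spelling -> (regid, authoritative name)."""
        rid = self._synonyms[spelling.lower()]
        return rid, self._authoritative[rid]

    def vendor_component(self, spelling: str) -> str:
        """CPE vendor part derived from the authoritative name, never the alias."""
        return cpe_component(self.resolve(spelling)[1])


class ReleaseCatalog:
    """A CPE name refers to one release at one point in time; once bound it is
    never rewritten, even if the product is later rebranded."""

    def __init__(self) -> None:
        self._bound: dict[tuple[str, str, str], str] = {}

    def assign(self, rid: str, product: str, version: str, cpe: str) -> str:
        key = (rid, product, version)
        existing = self._bound.get(key)
        if existing is not None and existing != cpe:
            raise ValueError(f"{key} is already bound to {existing}")
        self._bound[key] = cpe
        return cpe


if __name__ == "__main__":
    reg = NameRegistry()
    rid = reg.register_publisher(Publisher("acme.net", "2009-05", "Acme Software, Inc."))
    reg.add_synonym("Acme", rid)
    print(rid, reg.resolve("acme"), reg.vendor_component("Acme"))
```

Resolving "Acme" goes through the registry to the authoritative "Acme Software, Inc." before any CPE transformation happens, so the vendor component is derived from the publisher's own record; a second call to ReleaseCatalog.assign with a different CPE for the same (regid, product, version) raises instead of silently rewriting the name.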

 


Re: [cpe-discussion] some questions about CPE

Feng Cao
In reply to this post by Kent Landfield

I have contacted a number of internal groups, and no one had ever been involved in the CPE dictionary. So it is interesting to know who put those names into the CPE dictionary (as we have concerns about the inconsistency or correctness of many CPE names for Oracle and Sun).

I fully agree with your points on registering and maintaining CPE names. Vendors should be involved in all the processes, or at least be notified of additions or changes to CPE names for their products during the processes.

Regards,

--Feng


Re: [cpe-discussion] some questions about CPE

mark menkhus

Hi,

 

As I understand it, the main source of vendor information in CPE is from your own security notices and then from the best effort of folks who curated this information from security defect reports or bulletins.  These notices or bulletins are submitted by the vendor product security team and are part of the public record as text and hypertext documents.

Given our limited resources in the response team, we don’t have plans to be involved in the lifecycle of those CPE names for one reason - CPE is only used for the SCAP scope.  We don’t think that managing all of our product names in CPE is appropriate for our role as SCAP content authors, so we currently aren’t planning on submitting CPE URIs as part of our bulletin process.  As automation requirements develop, though, it makes sense.

Software registries are a very good thing, and CPE seems to be a great pattern to follow, though it is not definitive. HP has also participated in the Software Package Data Exchange, or SPDX, so this bears comparison.

 

Regards,

Mark Menkhus CISSP, CSSLP, ITIL v3 Expert

Hewlett Packard GSSE Software Security Response Team

 


Re: [cpe-discussion] some questions about CPE

Ronayne, James K.-2
In reply to this post by Feng Cao

Oracle releases security advisories as CVRF (e.g., http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841214.xml).  Those advisories contain product names under the ProductTree element (view the raw XML to see the tree broken out by parts).  Do you have a complete distinct list of those names available?  Are the names used consistently across all advisories?  Are they used elsewhere (regardless of form)?  Should we consider those names Oracle’s official list of product names (minus the “and before” part of some names)?  Those names at least provide “Vendor”, “Product Family”, “Product Name”, and “Product Version”.

Thanks.

Jim

Re: [cpe-discussion] some questions about CPE

Ernest Park-2
When we regenerate the CPE names, we do two things.

We allow ALL names.
We allow each user to either define an alias, or select any existing alias, including the most common.

Users can then download the CPE and CVE information with the corrected names, and also automatically generate the corrected OVAL files.

Our thinking is that due to the way that names are created, it will never be to everyone's liking. In our way, any reasonable name that fits the structure can work.

With Regards,

Ernest M. Park
Principal and Managing Director | Cyber Risk, Security & Crisis Mgnt
Mobile: 203-816-0001
[hidden email]



On Fri, Jun 28, 2013 at 9:26 AM, Ronayne, James K. <[hidden email]> wrote:


Re: [cpe-discussion] some questions about CPE

Booth, Harold
In reply to this post by Feng Cao

I apologize for joining the conversation late.

Responding to Feng's inquiry:

The data contained within the Official CPE Dictionary is largely from two sources. The first and largest source is the result of vulnerability analysis performed at the NVD, where CPEs are created in order to associate product names to vulnerabilities. Prior to using CPE (before 2008) the NVD used a vendor, product, version triad to identify products; the data was not particularly consistent and was largely based on a quick review of the vulnerability description and how the security advisories referred to the product for that particular vulnerability. The NVD data served as the starting point for the initial creation of the Official CPE Dictionary, after an involved effort to try to normalize a (small) subset of the then existing NVD data in 2008. Since 2008 the NVD has attempted to remain consistent with existing data and the CPE specification when creating new CPEs as much as possible. However, there are still inconsistencies with the data, largely mirroring inconsistencies with how humans reference product names. Whenever an inconsistency is discovered or pointed out we try to correct it. The second source of CPEs is users of the dictionary who require a CPE (or corrected CPE) for their use. A third, underrepresented source is the software publishers. There are a handful of publishers who do supply CPE data to the dictionary and we are happy to have their help.

If publishers are willing to become involved in the CPE creation process, please send a note to [hidden email]. Publisher submissions (conforming to the CPE specification) are considered authoritative, and we can work with the publisher to make sure any names that are inconsistent with the publisher submission are deprecated to the proper name. If performed in a timely manner, review of CPE submissions for their associated products by third parties prior to publication in the Official CPE Dictionary would be welcomed.

While not ideal, the current process for adding or modifying entries in the CPE Dictionary is to submit an XML-formatted list (according to the CPE dictionary schema) of CPE entries to the [hidden email] alias. Each CPE name entry should have some sort of reference data, which can include simple HREF links to authoritative (preferably vendor) information, etc., that justifies the instantiation of the name in the Dictionary (typically embedded within the file as an XML comment). The submission is reviewed to ensure the submitted entries are consistent with existing entries contained within the Official CPE Dictionary. If any CPE name entries in a submission are modified, a response is first sent to the submitter to verify that the changes are acceptable. Once an agreement is made, the entries are added to the dictionary and will appear in the next nightly generation of the CPE feed. The process is currently conducted largely via email, but to help automate the process as much as possible, a new web/REST submission interface is under development.

Finally, Steve Klos mentioned a number of important issues in his email, and one of the areas we are looking at is how to use the ISO 19770-2 (SWID Tags) standard to assist with the use cases that CPE is trying to address. I would encourage everyone to look at the ISO standard to gain an understanding of how it can be useful to the CPE (SCAP) use cases.

Regards,

-Harold

Re: [cpe-discussion] some questions about CPE

steveklos

With Harold saying check the standard out, I'll provide a bit of info that may make this cheaper, faster, easier for all.

The ISO standard is, obviously, the authoritative source for SWID tag structure. However, TagVault.org has developed what might be called a compendium to the ISO standard. This document contains both information about details of the SWID standard as well as additional certification requirements. This document is currently available from the TagVault.org website for free and is also currently in review (if you spot a problem, please provide feedback on the provided spreadsheet); see http://tagvault.org/2013/06/19/certification-document-version-3-4-available/. In general, for most organizations, you likely will not need to purchase the standard if you download this document.

As indicated in the write-up for this document, we are actively working on a revision to the 19770-2 standard, and that process is going through as many fast-track steps as possible to get published, hopefully, in record time. The revision is incorporating many of the TagVault.org extensions and is also adding some capabilities so the SWID tags can be completely automatically created for patches using standard tools such as WiX, Advanced Installer and InstallShield.

I apologize in advance for the requirement to create a user account as well as entering a documented password to download the document. We are still ironing out some of the kinks in the new website modules and this was the only way, at the moment, we could ensure that organizations did not cross-link directly to the document download. There are a few extra steps, but hopefully this doesn't prove to be too much of an obstacle.

Cheers,

SK
From: [hidden email] [mailto:[hidden email]] On Behalf Of Booth, Harold
Sent: Friday, June 28, 2013 2:33 PM
To: cpe-discussion
Subject: Re: [cpe-discussion] some questions about CPE

Re: [cpe-discussion] some questions about CPE

Feng Cao
In reply to this post by Ronayne, James K.-2
Hi Jim,

Oracle releases security advisories as CVRF (e.g., http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841214.xml). Those advisories contain product names under the ProductTree element (view the raw XML to see the tree broken out by parts).

Do you have a complete distinct list of those names available?

  • Yes. But note that the names change from time to time, which is one reason that aliases are needed. Note that the productID does not change at Oracle. If you look at a productID (in the FullProductName tag) you will see a string something like "P-115V-11.2.0.2", which means Internal-productID is "115" with version "11.2.0.2". From Internal-ProductID we use a mapping table which indicates the product name (Net Services for internal-productID) and the product family (Oracle Database Server for internal-product-ID). Occasionally the product name changes, or the product family for a particular product id. Occasionally means less than 1% per year but probably more than 0.1% per year (I'm guessing). Given that we have over 3,000 productIDs in use this means between 3 and 30 change per year.

For the outside parties, we are happy to provide them with a list of all 271 product_ids with at least one researcher-reported vulnerability or where we issued a published CPU/Alert fix. We have no plans to provide the complete list of over 4402 because it would be confusing for both customers and reporters, and we don't want to get in dialogs regarding providing additional information for all product IDs as it takes up our resources and we don't see a customer benefit. However, if vulnerabilities are discovered that do not appear to fit any of the published product_ids, we will gratefully accept a dialog via secalert_us to clarify the product_id of interest. We will frequently update our product_id list as vulnerabilities for new product IDs are discovered or fixes for new product_IDs issued (except see next). We also believe the alias problem must be solved, or be well on its way to a solution, or we will stop updating our list of product_ids in response to new reports or delivered fixes and may follow that by removing the list completely.

Are the names used consistently across all advisories?

  • No, but they rarely change. productIDs are used consistently.

Are they used elsewhere (regardless of form)?

  • Yes. When customer-reported bugs are entered, the internal-productID is used. That ID is also used in manufacturing (e.g. to determine what is distributed for a particular license). Also, it is used for bug routing, since certain people are notified when bugs for specific bugs or security bugs are entered.

Should we consider those names Oracle's official list of product names (minus the "and before" part of some names)? Those names at least provide "Vendor", "Product Family", "Product Name", and "Product Version".

  • They are the official names when the fixes described in the CVRF are distributed. The productIDs, however, are valid across all fix distributions.

Thanks,

--Feng
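Three points in this thread line up into one pipeline: Jim's question about mining the CVRF ProductTree, Harold's description of the XML list that goes to the dictionary alias, and Feng's explanation that the ProductID (not the display name) is the stable key. The script below is an added example written for this page; it is not code from Oracle, NIST or anyone in the thread. Its assumptions are labelled in the comments: the ProductTree sample is constructed in the CVRF 1.1 Vendor/Product Family/Product Name/Product Version layout, the "P-<id>V-<version>" ProductID layout is my reading of Feng's description, the product table rows and the advisory URL are made up, and the dictionary namespaces are the ones I know from the published official dictionary feed (check them against the current schema before submitting). It also shows what Feng's target_sw suggestion looks like in a 2.3 formatted string: every colon of an embedded CPE name has to be escaped, and a naive split on ':' then miscounts the components.

```python
"""Added example: CVRF ProductTree -> stable ProductID -> CPE 2.2/2.3 names -> dictionary submission.
The sample tree, the ProductID layout, the product table and the advisory URL are constructed."""
import re
import xml.etree.ElementTree as ET

PROD_NS = "http://www.icasi.org/CVRF/schema/prod/1.1"        # CVRF 1.1 product namespace
DICT_NS = "http://cpe.mitre.org/dictionary/2.0"              # CPE dictionary namespace (assumed current)
CPE23_NS = "http://scap.nist.gov/schema/cpe-extension/2.3"   # cpe23-item extension namespace (assumed current)
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Constructed ProductTree (Vendor > Product Family > Product Name > Product Version), not a real advisory.
SAMPLE_TREE = f"""<ProductTree xmlns="{PROD_NS}"><Branch Type="Vendor" Name="Oracle">
 <Branch Type="Product Family" Name="Oracle Database Server"><Branch Type="Product Name" Name="Net Services">
  <Branch Type="Product Version" Name="11.2.0.2"><FullProductName ProductID="P-115V-11.2.0.2">Net Services 11.2.0.2</FullProductName>
 </Branch></Branch></Branch></Branch></ProductTree>"""
PRODUCT_ID_RE = re.compile(r"^P-(?P<pid>\d+)V-(?P<version>.+)$")     # assumed "P-<id>V-<version>" layout
PRODUCT_TABLE = {"115": ("Oracle Database Server", "Net Services")}  # constructed id -> (family, product)
SAFE = set("abcdefghijklmnopqrstuvwxyz0123456789_.-")                # left unescaped in a 2.3 formatted string

def walk_product_tree(xml_text):
    """One dict per FullProductName, keyed by every Branch Type on the path down to it."""
    found = []
    def visit(elem, path):
        for child in elem:
            tag = child.tag.rsplit("}", 1)[-1]                       # drop the namespace
            if tag == "Branch":
                visit(child, path + [(child.get("Type"), child.get("Name"))])
            elif tag == "FullProductName":
                found.append({"product_id": child.get("ProductID"), **dict(path)})
    visit(ET.fromstring(xml_text), [])
    return found

def parse_product_id(product_id):
    """'P-115V-11.2.0.2' -> ('115', '11.2.0.2'); the id is the stable key, the name may change."""
    m = PRODUCT_ID_RE.match(product_id)
    if not m:
        raise ValueError(f"unrecognised ProductID: {product_id!r}")
    return m.group("pid"), m.group("version")

def bind_fs(value):
    """CPE 2.3 formatted-string binding of one component; '*' and '-' are the logical ANY/NA values."""
    if value in ("*", "-"):
        return value
    return "".join(c if c in SAFE else "\\" + c for c in value.strip().lower().replace(" ", "_"))

def bind_uri(value):
    """CPE 2.2 URI binding: ANY is an empty component, NA is '-', other specials are %-encoded."""
    if value in ("*", "-"):
        return "" if value == "*" else "-"
    return "".join(c if c in SAFE else "%%%02x" % ord(c) for c in value.strip().lower().replace(" ", "_"))

def cpe23_fs(part, vendor, product, version, target_sw="*", target_hw="*"):
    comps = [part, vendor, product, version, "*", "*", "*", "*", target_sw, target_hw, "*"]
    return "cpe:2.3:" + ":".join(bind_fs(c) for c in comps)

def cpe22_uri(part, vendor, product, version):
    return "cpe:/" + ":".join(bind_uri(c) for c in (part, vendor, product, version))

def split_fs(fs):
    """Split on unescaped colons only; str.split(':') miscounts once a component holds an escaped colon."""
    parts, cur, i = [], [], 0
    while i < len(fs):
        if fs[i] == "\\" and i + 1 < len(fs):
            cur.append(fs[i:i + 2]); i += 2                          # keep the escape pair intact
        elif fs[i] == ":":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(fs[i]); i += 1
    parts.append("".join(cur))
    return parts

def cvrf_to_entries(xml_text, advisory_url):
    entries = []
    for p in walk_product_tree(xml_text):
        pid, version = parse_product_id(p["product_id"])
        family, product = PRODUCT_TABLE[pid]                         # look up by id, not by display name
        entries.append({"product_id": pid, "title": f"{family} {version} {product}", "href": advisory_url,
                        "uri": cpe22_uri("a", p["Vendor"], product, version),
                        "fs": cpe23_fs("a", p["Vendor"], product, version)})
    return entries

def dictionary_submission(entries):
    """cpe-list: cpe-item named by the 2.2 URI, a title, a reference justifying the name, the 2.3 cpe23-item."""
    ET.register_namespace("", DICT_NS)
    ET.register_namespace("cpe-23", CPE23_NS)
    root = ET.Element(f"{{{DICT_NS}}}cpe-list")
    for e in entries:
        item = ET.SubElement(root, f"{{{DICT_NS}}}cpe-item", name=e["uri"])
        ET.SubElement(item, f"{{{DICT_NS}}}title", {f"{{{XML_NS}}}lang": "en-US"}).text = e["title"]
        refs = ET.SubElement(item, f"{{{DICT_NS}}}references")
        ET.SubElement(refs, f"{{{DICT_NS}}}reference", href=e["href"]).text = "Vendor advisory"
        ET.SubElement(item, f"{{{CPE23_NS}}}cpe23-item", name=e["fs"])
    return ET.tostring(root, encoding="unicode")

def submitted_names(submission_xml):
    """Read a submission back as (2.2 URI, 2.3 name) pairs, the view a reviewer diffs against the dictionary."""
    root = ET.fromstring(submission_xml)
    return [(i.get("name"), i.find(f"{{{CPE23_NS}}}cpe23-item").get("name"))
            for i in root.findall(f"{{{DICT_NS}}}cpe-item")]
```

Calling cvrf_to_entries(SAMPLE_TREE, "https://example.com/advisory") (assumed URL) and passing the result to dictionary_submission gives one cpe-item named cpe:/a:oracle:net_services:11.2.0.2 with the matching 2.3 name; submitted_names reads that back, which is the shape a reviewer would compare against existing dictionary entries before deprecating the inconsistent ones. The key design choice is that the product table is keyed by the numeric ProductID, so a renamed product or family changes the title and nothing else. For Feng's target_sw question, cpe23_fs("a", "Oracle", "Net Services", "11.2.0.2", target_sw="cpe:2.3:o:oracle:linux") escapes the four embedded colons; split_fs still returns 13 fields, a plain split returns 17.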

On 6/28/2013 6:26 AM, Ronayne, James K. wrote:

Oracle releases security advisories as CVRF (e.g., http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841214.xml).  Those advisories contain product names under the ProductTree element (view the raw XML to see the tree broken out by parts).  Do you have a complete distinct list of those names available?  Are the names used consistently across all advisories?  Are they used elsewhere (regardless of form)?  Should we consider those names Oracle’s official list of product names (minus the “and before” part of some names)?  Those names at least provide “Vendor”, “Product Family”, “Product Name”, and “Product Version”.

Thanks.

 

Jim

 

 

 

From: [hidden email] [[hidden email]] On Behalf Of Feng Cao
Sent: Thursday, June 27, 2013 1:34 PM
To: [hidden email]
Cc: [hidden email]
Subject: Re: [cpe-discussion] some questions about CPE

 


I have contacted a number of internal groups, and no one had ever been involved in CPE dictionary. So it is interesting to know who put those names into CPE dictionary (as we have the concerns about inconsistency or correctness from many CPE names for Oracle and Sun).

I fully agree on your points for registering and maintaining CPE names. Vendors should be involved in all the processes, or at least be notified of addition or change on CPE names for their products during the processes.

Regards,

--Feng

On 6/27/2013 3:12 AM, Kent Landfield wrote:

Re: [cpe-discussion] some questions about CPE

Feng Cao

Hi Harold,

Can you or someone else help to clarify the questions about CPE 2.3?
- What is the projected timeline for cpe dictionary based on CPE 2.3?

- Inside CPE 2.3, it will be useful to include CPE names into "target_sw" as a standard way to name the sw (similarly for "target_hw"). Had this been discussed?

Thanks,

--Feng 

On 6/28/2013 2:32 PM, Booth, Harold wrote:

I apologize for joining the conversation late.

Responding to Feng's inquiry:

The data contained within the Official CPE Dictionary is largely from two sources. The first and largest source is the result of vulnerability analysis performed at the NVD, where CPEs are created in order to associate product names to vulnerabilities. Prior to using CPE (before 2008) the NVD used a vendor, product, version triad to identify products; the data was not particularly consistent and was largely based on a quick review of the vulnerability description and how the security advisories referred to the product for that particular vulnerability. The NVD data served as the starting point for the initial creation of the Official CPE Dictionary after an involved effort to try to normalize a (small) subset of the then-existing NVD data in 2008. Since 2008 the NVD has attempted to remain consistent with existing data and the CPE specification when creating new CPEs as much as possible. However, there are still inconsistencies with the data, largely mirroring inconsistencies in how humans reference product names. Whenever an inconsistency is discovered or pointed out we try to correct it. The second source of CPEs is users of the dictionary who require a CPE (or corrected CPE) for their use. A third, underrepresented source is the software publishers. There are a handful of publishers who do supply CPE data to the dictionary and we are happy to have their help.

If publishers are willing to become involved in the CPE creation process, please send a note to [hidden email]. Publisher submissions (conforming to the CPE specification) are considered authoritative, and we can work with the publisher to make sure any names that are inconsistent with the publisher submission are deprecated to the proper name. If performed in a timely manner, review of CPE submissions for their associated products by third parties prior to publication in the official CPE dictionary would be welcomed.

While not ideal, the current process for adding or modifying entries in the CPE Dictionary is to submit an XML-formatted list (according to the CPE dictionary schema) of CPE entries to the [hidden email] alias. Each CPE name entry should have some sort of reference data, which can include simple HREF links to authoritative (preferably vendor) information, etc., that justify the instantiation of the name in the Dictionary (typically embedded within the file as an XML comment). The submission is reviewed to ensure the submitted entries are consistent with existing entries contained within the Official CPE Dictionary. If any CPE name entries in a submission are modified, a response is first sent to the submitter to verify that the changes are acceptable. Once an agreement is made, the entries are added to the dictionary and will appear in the next nightly generation of the CPE feed. The process is currently conducted largely via email, but to help automate the process as much as possible, a new web/REST submission interface is under development.

Finally, Steve Klos mentioned a number of important issues in his email, and one of the areas we are looking at is how to use the ISO 19770-2 (SWID Tags) standard to assist with the use cases that CPE is trying to address. I would encourage everyone to look at the ISO standard to gain an understanding of how it can be useful to the CPE (SCAP) use cases.

Regards,

-Harold

From: [hidden email] [[hidden email]] On Behalf Of Feng Cao
Sent: Thursday, June 27, 2013 1:34 PM
To: [hidden email]
Cc: cpe-discussion
Subject: Re: [cpe-discussion] some questions about CPE



Re: [cpe-discussion] some questions about CPE

Booth, Harold
Responses in line below.

-Harold

From: Feng Cao [mailto:[hidden email]]
Sent: Monday, July 08, 2013 6:11 PM
To: Booth, Harold
Cc: cpe-discussion
Subject: Re: [cpe-discussion] some questions about CPE


Hi Harold,

Can you or someone else help to clarify the questions about CPE 2.3?

- What is the projected timeline for cpe dictionary based on CPE 2.3?

[HB] We are in the final testing phase of the software which incorporates this functionality, and barring any further unforeseen circumstances we should have the software deployed within the next week or two. I will send an update once that is completed.

- Inside CPE 2.3, it will be useful to include CPE names into "target_sw" as a standard way to name the sw (similarly for "target_hw"). Had this been discussed?

[HB] Yes, this has been discussed both in the context of CPE and SWID tags, but not extensively other than to say that a normalized set of values should be the preferred thing to do. There is not, as of yet, a definitive list of these values that I am aware of. I recall that at one point there was a list for something which looks like it should go in target_hw within SWID, but I am not sure that was ever finalized.


Thanks,

--Feng


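The submission process Harold described earlier in the thread (an XML list in the dictionary schema, each name backed by reference links and a justifying comment, reviewed for consistency with existing entries) and the target_sw/target_hw question answered in this message can both be tried out in code. What follows is an added example written for this page; it is not NVD, NIST or Oracle code and does not reproduce the NVD's actual review tooling. It assumes the `cpe-list`, `cpe-item`, `title`, `references`/`reference` and `cpe-23:cpe23-item` elements and namespaces of the official dictionary schema; the product names, the release-notes URL and the "existing dictionary" slice are constructed samples; and the name binder follows the NISTIR 7695 binding rules for plain values but leaves out the `*`/`?` wildcard handling of the full procedure.

```python
"""Build a CPE dictionary submission and run the kind of review checks the thread
describes.  Added example, not NVD/NIST/Oracle code; product names, URLs and the
"existing dictionary" slice below are constructed."""
import re
from collections import namedtuple
from xml.etree import ElementTree as ET

ANY, NA = None, "-"   # WFN logical values: ANY (unspecified) and NA (not applicable)
ATTRS = ("part", "vendor", "product", "version", "update", "edition", "language",
         "sw_edition", "target_sw", "target_hw", "other")
NS_DICT = "http://cpe.mitre.org/dictionary/2.0"            # official dictionary schema
NS_23 = "http://scap.nist.gov/schema/cpe-extension/2.3"    # cpe-23:cpe23-item extension
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("", NS_DICT)
ET.register_namespace("cpe-23", NS_23)

# A well-formed name (NISTIR 7695): eleven attributes, the last eight default to ANY
Wfn = namedtuple("Wfn", ATTRS, defaults=(ANY,) * 8)


def _bind(v, any_token, escape):
    """Bind one WFN value; punctuation other than . - _ goes through escape()."""
    if v is ANY:
        return any_token
    if v == NA:
        return "-"
    v = v.lower().replace(" ", "_")          # WFN values are lowercase, no whitespace
    return re.sub(r"[^a-z0-9._-]", lambda m: escape(m.group()), v)


def bind_to_fs(w):
    """CPE 2.3 formatted string: all eleven attributes, backslash-escaped punctuation."""
    return "cpe:2.3:" + ":".join(_bind(v, "*", lambda c: "\\" + c) for v in w)


def bind_to_uri(w):
    """CPE 2.2 URI: seven percent-encoded components; the four 2.3-only attributes
    (sw_edition, target_sw, target_hw, other) are packed into the edition component."""
    vals = dict(zip(ATTRS, (_bind(v, "", lambda c: "%%%02x" % ord(c)) for v in w)))
    edition = vals["edition"]
    extended = ("sw_edition", "target_sw", "target_hw", "other")
    if any(getattr(w, a) is not ANY for a in extended):
        edition = "~" + "~".join(vals[a] for a in ("edition",) + extended)
    comps = [vals[a] for a in ATTRS[:5]] + [edition, vals["language"]]
    return ("cpe:/" + ":".join(comps)).rstrip(":")   # trailing ANY components are dropped


def dictionary_item(w, title, references, justification):
    """One <cpe-item>: 2.2 URI name, the justification as an XML comment, title,
    reference links backing the name, and the 2.3 formatted-string name."""
    item = ET.Element(f"{{{NS_DICT}}}cpe-item", name=bind_to_uri(w))
    item.append(ET.Comment(f" {justification} "))
    ET.SubElement(item, f"{{{NS_DICT}}}title", {XML_LANG: "en-US"}).text = title
    refs = ET.SubElement(item, f"{{{NS_DICT}}}references")
    for href, label in references:
        ET.SubElement(refs, f"{{{NS_DICT}}}reference", href=href).text = label
    ET.SubElement(item, f"{{{NS_23}}}cpe23-item", name=bind_to_fs(w))
    return item


def build_submission(items):
    """Serialize the items as a <cpe-list> document ready to send for review."""
    root = ET.Element(f"{{{NS_DICT}}}cpe-list")
    root.extend(items)
    return ET.tostring(root, encoding="unicode")


def check_submission(items, existing_names):
    """Review checks of the kind applied before publication: duplicates of existing
    names, entries with no justifying reference, and vendor strings that match no
    existing entry (a likely spelling inconsistency, e.g. 'sun' beside 'oracle')."""
    existing = set(existing_names)
    known_vendors = {n.split(":")[2] for n in existing}
    issues = []
    for item in items:
        name = item.get("name")
        vendor = name.split(":")[2]
        if name in existing:
            issues.append(f"{name}: already in dictionary")
        if item.find(f"{{{NS_DICT}}}references/{{{NS_DICT}}}reference") is None:
            issues.append(f"{name}: no reference justifying the entry")
        if vendor not in known_vendors:
            issues.append(f"{name}: vendor '{vendor}' matches no existing entry, verify spelling")
    return issues


# Constructed sample: a two-entry submission checked against a constructed dictionary slice
EXISTING = ["cpe:/a:oracle:jdk:1.7.0:update_21", "cpe:/o:oracle:linux:6"]
JDK_WIN = Wfn("a", "oracle", "jdk", "1.7.0", "update 25", target_sw="windows")
SUBMISSION = [
    dictionary_item(JDK_WIN, "Oracle JDK 1.7.0 Update 25 on Windows",
                    [("https://www.example.com/jdk-7u25-notes", "vendor release notes")],
                    "constructed sample: vendor release notes list this update"),
    dictionary_item(Wfn("o", "sun", "solaris", "10"), "Sun Solaris 10", [],
                    "constructed sample: legacy vendor string, no reference supplied"),
]

if __name__ == "__main__":
    print(build_submission(SUBMISSION))
    for issue in check_submission(SUBMISSION, EXISTING):
        print("review:", issue)
```

Running the module prints the submission XML and then the review findings for the constructed sample: the Solaris entry is flagged twice, once for having no reference and once because `sun` matches no vendor string already in the dictionary slice, which is the kind of Sun/Oracle inconsistency raised earlier in the thread. Binding the same name both ways also shows how `target_sw` travels in each form: as its own component in the 2.3 formatted string and packed into the `~`-delimited edition component of the 2.2 URI. Nesting a whole CPE name inside `target_sw` is syntactically allowed, but every colon and slash in it gets escaped, which shows in practice what Harold's preference for a normalized value set avoids.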
Re: [cpe-discussion] some questions about CPE

Feng Cao
Harold,

Thank you very much for the answers.

Cheers,

--Feng

On 7/11/2013 11:43 AM, Booth, Harold wrote:
