names with no vendor

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

names with no vendor

Andrew Buttner
Administrator
What about applications that do not have a vendor associated with them?
For example, there are a number of shareware tools that have been
developed by an individual and posted to the web.  They don't have a
vendor, just a tool name.

My suggestion would be that the vendor component be left blank, so the
name would look like:

cpe:///:tool_name:1.2.3

Any reason against this?


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Reply | Threaded
Open this post in threaded view
|

Re: names with no vendor

Ken Lassesen-2
Two additional solutions:
1) have the vendor being the licensing term that it is under...
2) use the individual's name


Ken Lassesen,
HomeOffice: 360-297-4717   Cell: 360-509-2402  Fax: 928-832-6836
IM: [hidden email]  [hidden email]
mailto:[hidden email]
CONFIDENTIALITY NOTICE
The information contained in this electronic message may contain
confidential and privileged information and is intended only for use by
the individual(s) or entity(ies) to whom it was addressed. Any
unauthorized review, use, disclosure, or distribution of this
communication is strictly prohibited. If you are not the intended
recipient, please contact the sender by reply email and permanently
delete and destroy the original message.


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Monday, May 07, 2007 12:22 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] names with no vendor

What about applications that do not have a vendor associated with them?
For example, there are a number of shareware tools that have been
developed by an individual and posted to the web.  They don't have a
vendor, just a tool name.

My suggestion would be that the vendor component be left blank, so the
name would look like:

cpe:///:tool_name:1.2.3

Any reason against this?


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Reply | Threaded
Open this post in threaded view
|

Re: names with no vendor

Thomas Jones
I tend to definitely lean towards option #2.

On Mon, 2007-05-07 at 12:25 -0700, Ken Lassesen wrote:

> Two additional solutions:
> 1) have the vendor being the licensing term that it is under...
> 2) use the individual's name
>
>
> Ken Lassesen,
> HomeOffice: 360-297-4717   Cell: 360-509-2402  Fax: 928-832-6836
> IM: [hidden email]  [hidden email]
> mailto:[hidden email]
> CONFIDENTIALITY NOTICE
> The information contained in this electronic message may contain
> confidential and privileged information and is intended only for use by
> the individual(s) or entity(ies) to whom it was addressed. Any
> unauthorized review, use, disclosure, or distribution of this
> communication is strictly prohibited. If you are not the intended
> recipient, please contact the sender by reply email and permanently
> delete and destroy the original message.
>
>
> -----Original Message-----
> From: Buttner, Drew [mailto:[hidden email]]
> Sent: Monday, May 07, 2007 12:22 PM
> To: [hidden email]
> Subject: [CPE-DISCUSSION-LIST] names with no vendor
>
> What about applications that do not have a vendor associated with them?
> For example, there are a number of shareware tools that have been
> developed by an individual and posted to the web.  They don't have a
> vendor, just a tool name.
>
> My suggestion would be that the vendor component be left blank, so the
> name would look like:
>
> cpe:///:tool_name:1.2.3
>
> Any reason against this?
>
>
> ---------
>
> Andrew Buttner
> The MITRE Corporation
> [hidden email]
> 781-271-3515
>
>

Reply | Threaded
Open this post in threaded view
|

Re: names with no vendor

Noakes, Douglas [USA]
In reply to this post by Andrew Buttner
In the past the analysts have not had one way of notating this.
Typically you will see either
1) the name of the product is also used as the vendor name [happens with
PHP products a lot]
-or-
2) the name of the vendor is the primary developer [happens with
SourceForge products often]

Not sure it makes a huge difference to the analysts...any way you slice
it there will be some cleaning-up to do.  My recommendation would be
either use the product name as the vendor or to go with Drew's idea and
just leave that field blank.



-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Monday, May 07, 2007 3:22 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] names with no vendor

What about applications that do not have a vendor associated with them?
For example, there are a number of shareware tools that have been
developed by an individual and posted to the web.  They don't have a
vendor, just a tool name.

My suggestion would be that the vendor component be left blank, so the
name would look like:

cpe:///:tool_name:1.2.3

Any reason against this?


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Reply | Threaded
Open this post in threaded view
|

Re: names with no vendor

Neal Ziring-2
In reply to this post by Andrew Buttner
Drew and everybody,

 >My suggestion would be that the vendor component be left blank, so the
 >name would look like:
 >
 >cpe:///:tool_name:1.2.3  

That had always been my intent for the CPE Name structure.
In cases where a field is not applicable, leave it blank.

However, in some cases, you could have the same tool name
but multiple different suppliers, and the difference might be
relevant.  For example, you might want to distinguish
bind supplied by Sun Microsystems from bind supplied by
ISC.   When that distinction isn't relevant, you can leave
the supplier off.

            cpe:///sun:bind:9.3.4
            cpe:///isc:bind:9.4.1
            cpe:///bind:9.3


...nz (Neal Ziring, [hidden email], http://users.erols.com/ziring/)


 
On Monday, May 07, 2007, at 03:22PM, "Buttner, Drew" <[hidden email]> wrote:

>What about applications that do not have a vendor associated with them?
>For example, there are a number of shareware tools that have been
>developed by an individual and posted to the web.  They don't have a
>vendor, just a tool name.
>
>My suggestion would be that the vendor component be left blank, so the
>name would look like:
>
>cpe:///:tool_name:1.2.3
>
>Any reason against this?
>
>
>---------
>
>Andrew Buttner
>The MITRE Corporation
>[hidden email]
>781-271-3515
>
>