next version of the CPE spec

next version of the CPE spec

Andrew Buttner
Administrator
I have been trying to update the spec with the changes we have
discussed on this list.  I wanted to bring up one of the issues again
to make sure I have it right.  This regards the defined structure
(hierarchy) of each element.

We talked about standardizing the first three components of an element
to vendor:product:version.  This would hold for the hardware part, the
os part, and the application part.  Additional components would be
allowed to describe things like editions and service packs, but a
structure would not be defined due to the difference with each vendor's
naming conventions.  Instead, these additional components would act
more like tags.

The side effect of this is that the matching algorithm becomes much
more complex.  No longer do the additional fields line up.  We could
end up trying to match:

cpe://microsoft:windows:xp:sp1
cpe://microsoft:windows:xp:pro:sp1

The current matching algorithm is based on the sp1 tag always appearing
in the same component, so we currently allow blank components to make
this work.  But moving to a tagged approach (with no defined order and
hence no blanks) means the matching algorithm will need to in essence
search the additional components (those after vendor:product:version)
for a match.

Anyway, I have attached a commented up version of the spec.  Please
feel free to add your own comments.

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

cpe-specification_1.1-20070518.doc (324K) Download Attachment
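
The matching problem described in the message above, worked through as an added example (not code from the CPE specification or from anyone on the list). It handles only the single-part `cpe://` form shown in the message; the function names, the prefix-match semantics and the handling of blank tags are assumptions.

```python
# Added illustration; function names and matching semantics are assumptions,
# not text from the CPE specification.
PREFIX = "cpe://"

def components(name):
    """Split a single-part name such as cpe://vendor:product:version:tag."""
    if not name.startswith(PREFIX):
        raise ValueError(f"not a CPE name: {name!r}")
    return name[len(PREFIX):].split(":")

def positional_match(pattern, target):
    """Positional rule: component i is compared with component i.
    A blank component in the pattern matches any value in that slot."""
    p, t = components(pattern), components(target)
    if len(p) > len(t):
        return False
    return all(pc == "" or pc == tc for pc, tc in zip(p, t))

def tagged_match(pattern, target):
    """Tagged rule: vendor:product:version stay positional; everything after
    them is an unordered tag that must appear somewhere in the target."""
    p, t = components(pattern), components(target)
    head_p, head_t = p[:3], t[:3]
    if len(head_p) > len(head_t) or head_p != head_t[:len(head_p)]:
        return False
    # Blank tags carry no information in an unordered scheme, so drop them.
    wanted = {c for c in p[3:] if c}
    present = {c for c in t[3:] if c}
    return wanted <= present

if __name__ == "__main__":
    short = "cpe://microsoft:windows:xp:sp1"       # from the message
    full = "cpe://microsoft:windows:xp:pro:sp1"    # from the message
    padded = "cpe://microsoft:windows:xp::sp1"     # constructed: blank edition slot
    print("positional, no blank:  ", positional_match(short, full))
    print("positional, with blank:", positional_match(padded, full))
    print("tagged:                ", tagged_match(short, full))
```

Under the positional rule the `sp1` name only matches the `pro:sp1` name when a blank component pads it into the same slot; under the tagged rule the additional components are searched as a set, so order and padding no longer matter.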

Re: next version of the CPE spec

Noakes, Douglas [USA]
Drew,

Great!  Thanks for all of your efforts...is there a deadline for when
you would like comments back?  

Thanks,
Doug

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Friday, May 18, 2007 10:41 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] next version of the CPE spec

I have been trying to update the spec with the changes we have discussed
on this list.  I wanted to bring up one of the issues again to make sure
I have it right.  This regards the defined structure
(hierarchy) of each element.

We talked about standardizing the first three components of an element
to vendor:product:version.  This would hold for the hardware part, the
os part, and the application part.  Additional components would be
allowed to describe things like editions and service packs, but a
structure would not be defined due to the difference with each vendor's
naming conventions.  Instead, these additional components would act more
like tags.

The side effect of this is that the matching algorithm becomes much more
complex.  No longer do the additional fields line up.  We could end up
trying to match:

cpe://microsoft:windows:xp:sp1
cpe://microsoft:windows:xp:pro:sp1

The current matching algorithm is based on the sp1 tag always appearing
in the same component, so we currently allow blank components to make
this work.  But moving to a tagged approach (with no defined order and
hence no blanks) means the matching algorithm will need to in essence
search the additional components (those after vendor:product:version)
for a match.

Anyway, I have attached a commented up version of the spec.  Please feel
free to add your own comments.

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515


Re: next version of the CPE spec

Andrew Buttner
Administrator
>is there a deadline for when you would like comments back?  

I'll answer this by saying I don't have a date in mind as to making a
new version official.  That will be dependent on the amount of
community discussion.  So comments are appreciated whenever you have
them.  But if you can take a quick look at some point over the next two
weeks that would be helpful.

Thanks
Drew


Re: next version of the CPE spec

Neal Ziring-2
In reply to this post by Andrew Buttner

Drew,

   Cool, I like what you've done so far.   I've fixed a few empty
component appearances that you missed, and added some
more comments.  My rev is attached.

   BTW, when we finish this, does it become 1.1 or 2.0?  Your
filename seems to imply 1.1, but the document now says
version 2.

   I'm not sure we can completely eliminate the notion of
blank components within the initial (structured) three.  I'll
have to think about that some more.

   Once this mailing list has reached consensus on the new name
specs, I can re-write the matching algorithm section to reflect
the new semantics.

...nz (Neal Ziring, [hidden email], [hidden email])

 
On Friday, May 18, 2007, at 10:41AM, "Buttner, Drew" <[hidden email]> wrote:

>I have been trying to update the spec with the changes we have
>discussed on this list.  I wanted to bring up one of the issues again
>to make sure I have it right.  This regards the defined structure
>(hierarchy) of each element.
>
>We talked about standardizing the first three components of an element
>to vendor:product:version.  This would hold for the hardware part, the
>os part, and the application part.  Additional components would be
>allowed to describe things like editions and service packs, but a
>structure would not be defined due to the difference with each vendor's
>naming conventions.  Instead, these additional components would act
>more like tags.
>
>The side effect of this is that the matching algorithm becomes much
>more complex.  No longer do the additional fields line up.  We could
>end up trying to match:
>
>cpe://microsoft:windows:xp:sp1
>cpe://microsoft:windows:xp:pro:sp1
>
>The current matching algorithm is based on the sp1 tag always appearing
>in the same component, so we currently allow blank components to make
>this work.  But moving to a tagged approach (with no defined order and
>hence no blanks) means the matching algorithm will need to in essence
>search the additional components (those after vendor:product:version)
>for a match.
>
>Anyway, I have attached a commented up version of the spec.  Please
>feel free to add your own comments.
>
>Thanks
>Drew
>
>
>---------
>
>Andrew Buttner
>The MITRE Corporation
>[hidden email]
>781-271-3515
>
>
>
>

cpe-specification_1.1-20070518T1823.doc (322K) Download Attachment