
RE: Should Debian ask for a CPE when a CVE in Debian is found?

From "Booth, Harold" <harold.booth@nist.gov>
Newsgroups linux.debian.security
Subject RE: Should Debian ask for a CPE when a CVE in Debian is found?
Date 2016-02-12 19:30 +0100
Message-ID <r1qDF-2aX-21@gated-at.bofh.it> (permalink)
References <r1oLw-Wf-23@gated-at.bofh.it>
Organization linux.* mail to news gateway



We welcome and encourage participation from any vendor to provide us with this information. We will be happy to work with Debian to accept their CPE submissions for products that they release. What would help you to get started? We can set up a quick call if that would help; otherwise the cpe_dictionary@nist.gov email is the correct place for submissions.

Related to CPE is another software identification scheme, Software ID (SWID) Tags (ISO 19770-2:2015), that we think provides more capability and benefit. We have a document currently in draft, NIST IR 8060 (http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060), that describes how to create and use SWID tags as well as some use cases. I mention the SWID tags since we can also auto-generate CPEs from those, and we see SWID tags as a longer-term solution to the problem of software product identification and inventory.

Regards,

-Harold

-----Original Message-----
From: Wheeler, David A [mailto:dwheeler@ida.org]
Sent: Friday, February 12, 2016 10:51 AM
To: debian-security@lists.debian.org; cpe_dictionary <cpe_dictionary@nist.gov>
Cc: Kate Stewart <kstewart@linuxfoundation.org>; David A. Wheeler <dwheeler@dwheeler.com>; Khakimov, Samir "Sam" <skhakimo@ida.org>; Holger Levsen <holger@layer-acht.org>
Subject: Should Debian ask for a CPE when a CVE in Debian is found?

Should Debian's security team ask for a Common Platform Enumeration (CPE) id when a related CVE is found/reported fixed?

CPEs are used by some systems to identify software (including, optionally, specific version numbers of software). Some automated security scanning tools use CPEs for identification. More info on requesting CPEs here:
https://nvd.nist.gov/cpe.cfm

I thought I'd raise the idea.  Thanks!

--- David A. Wheeler
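To make concrete what a CPE name actually encodes, and why scanners can match on it "including, optionally, specific version numbers", here is a small parser and matcher for CPE 2.3 formatted strings. This is an added illustration, not code from this thread, from Debian or from NIST's tooling; the inventory names and the `affected()` helper are constructed for the example (the `foo\:bar` product exists only to exercise the escaping rule).

```python
"""Parse and compare CPE 2.3 formatted-string names (illustrative helper).

A CPE 2.3 formatted string has 13 colon-separated fields: the prefix
"cpe:2.3" followed by the eleven attributes listed in ATTRIBUTES.  Two
logical values are allowed in any attribute: "*" (ANY) and "-" (NA).
Punctuation inside a value, including a literal colon, is escaped with a
backslash, so a naive str.split(":") mis-parses such names.
"""
from dataclasses import dataclass

ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
ANY = "*"   # logical ANY: matches every value
NA = "-"    # logical NA: attribute is not applicable


def split_cpe23(cpe: str) -> list:
    """Split on unescaped colons only; escape pairs stay inside the field."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            current.append(cpe[i:i + 2])  # keep "\x" together
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def unescape(value: str) -> str:
    """Drop the backslashes that protect punctuation in a field value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


@dataclass(frozen=True)
class CPE:
    part: str
    vendor: str
    product: str
    version: str
    update: str
    edition: str
    language: str
    sw_edition: str
    target_sw: str
    target_hw: str
    other: str

    @classmethod
    def parse(cls, cpe: str) -> "CPE":
        fields = split_cpe23(cpe)
        if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
            raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
        if fields[2] not in ("a", "o", "h", ANY, NA):
            raise ValueError(f"part must be a, o, h, * or -: {fields[2]!r}")
        return cls(*fields[2:])

    def matches(self, name: "CPE") -> bool:
        """True if this name, used as a pattern, covers `name`.

        ANY in the pattern covers anything; otherwise the unescaped values
        must be equal (case-insensitively).  Intra-value wildcards such as
        "8.*" are deliberately not supported in this example.
        """
        for attr in ATTRIBUTES:
            want, got = getattr(self, attr), getattr(name, attr)
            if want == ANY:
                continue
            if unescape(want).lower() != unescape(got).lower():
                return False
        return True


def affected(inventory, pattern: str) -> list:
    """Return the inventory names (CPE strings) covered by `pattern`."""
    pat = CPE.parse(pattern)
    return [n for n in inventory if pat.matches(CPE.parse(n))]


if __name__ == "__main__":
    # Constructed sample inventory for the example, not real NVD data.
    inventory = [
        "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:example:foo\\:bar:1.0:*:*:*:*:*:*:*",
    ]
    print(affected(inventory, "cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:*"))
```

The version attribute is what lets a pattern with `*` in that position cover every release while a pattern carrying `8.0` covers only one, which is the distinction a vulnerability feed needs when it says a CVE affects some versions and not others; without a registered CPE for the product, neither kind of match is possible at all.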



Thread

Should Debian ask for a CPE when a CVE in Debian is found? "Wheeler, David A" <dwheeler@ida.org> - 2016-02-12 17:30 +0100
  RE: Should Debian ask for a CPE when a CVE in Debian is found? "Booth, Harold" <harold.booth@nist.gov> - 2016-02-12 19:30 +0100
  Re: Should Debian ask for a CPE when a CVE in Debian is found? Paul Wise <pabs@debian.org> - 2016-02-13 22:00 +0100
    Re: Should Debian ask for a CPE when a CVE in Debian is found? Holger Levsen <holger@layer-acht.org> - 2016-02-15 10:10 +0100
      Re: Should Debian ask for a CPE when a CVE in Debian is found? Vulchev <v.vulchev@gmail.com> - 2016-02-15 10:30 +0100
      Re: Should Debian ask for a CPE when a CVE in Debian is found? Elmar Stellnberger <estellnb@gmail.com> - 2016-02-15 10:40 +0100
        Re: Should Debian ask for a CPE when a CVE in Debian is found? "georg@riseup.net" <georg@riseup.net> - 2016-02-15 18:40 +0100
      Re: Should Debian ask for a CPE when a CVE in Debian is found? Paul Wise <pabs@debian.org> - 2016-02-16 00:50 +0100
