Title: Using NVD and CPE to track CVEs in locally maintained software Tags: english, debian Date: 2011-01-23 00:20

The last few days I have looked at ways to track open security issues here at the University of Oslo, where I work. My idea was that it should be possible to use the information on security issues available on the Internet, and check our locally maintained/distributed software against this information to verify that no known security issue had been forgotten. The CVE database listing vulnerabilities seems like a great central point, and by using the package lists from Debian mapped to CVEs, provided by the testing security team, it should be possible to figure out which security holes are present in our free software collection.

After reading up on the issue, it became obvious that the first building block is being able to name software packages in a unique and consistent way across data sources. I considered several ways to do this, for example coming up with my own naming scheme, like using URLs to project home pages or URLs to the Freshmeat entries. But it seems I am not the first one to come across this problem, and MITRE had already proposed and implemented a solution to it. Enter the Common Platform Enumeration (CPE) dictionary, a vocabulary for referring to software, hardware and other platform components. The CPE ids are mapped to CVEs in the National Vulnerability Database (NVD), allowing me to look up known security issues for any CPE name. With this in place, all I need to do is locate the CPE id for the software packages we use at the university. This is fairly trivial (I google for 'cve cpe $package' and check the NVD entry, if a CVE for the package exists).

- CPE -> CVE search: http://web.nvd.nist.gov/view/vuln/search
- Example NVD entry: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3430 (cpe:/a:kernel:linux-pam:1.1.2)
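To show how the CPE-to-CVE mapping described above can be used against a local package list, here is an added example (not code from the original post). It parses CPE 2.2 URIs, treats unset trailing fields as "any" (so an NVD entry without a version matches every version), and reports which local packages have a matching CVE. The NVD records and the local inventory are constructed stand-ins; only CVE-2010-3430 and cpe:/a:kernel:linux-pam:1.1.2 come from the post.

```python
"""Match a local package inventory against NVD CVE records by CPE name."""
from collections import defaultdict

# CPE 2.2 URI components, in order:
# cpe:/part:vendor:product:version:update:edition:language
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe(uri):
    """Split a 'cpe:/...' URI into a dict; missing or empty fields become None."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return {k: (v or None) for k, v in zip(CPE_FIELDS, parts)}

def cpe_matches(pattern, candidate):
    """True if every field set in `pattern` equals the candidate's field.
    An unset field in the pattern (e.g. no version) matches any value."""
    p, c = parse_cpe(pattern), parse_cpe(candidate)
    return all(p[k] is None or p[k] == c[k] for k in CPE_FIELDS)

# Constructed stand-in for NVD data: CVE id -> CPE names listed as vulnerable.
NVD_RECORDS = {
    "CVE-2010-3430": ["cpe:/a:kernel:linux-pam:1.1.2"],   # CPE from the post
    "CVE-EXAMPLE-0001": ["cpe:/a:example:widget"],        # constructed, any version
    "CVE-EXAMPLE-0002": ["cpe:/a:example:widget:2.0"],    # constructed, one version
}

# Constructed local inventory: package -> the CPE id chosen for it.
LOCAL_PACKAGES = {
    "libpam0g": "cpe:/a:kernel:linux-pam:1.1.2",
    "widget": "cpe:/a:example:widget:1.9",
    "unrelated": "cpe:/a:example:other:1.0",
}

def open_issues(local_packages, nvd_records):
    """Return {package: sorted CVE ids} for packages whose CPE matches a record."""
    found = defaultdict(set)
    for pkg, cpe in local_packages.items():
        for cve, vuln_cpes in nvd_records.items():
            if any(cpe_matches(v, cpe) for v in vuln_cpes):
                found[pkg].add(cve)
    return {pkg: sorted(cves) for pkg, cves in found.items()}

if __name__ == "__main__":
    for pkg, cves in open_issues(LOCAL_PACKAGES, NVD_RECORDS).items():
        print(f"{pkg}: {', '.join(cves)}")
```

With real data the NVD_RECORDS dict would be filled from the NVD feed, and the version-less match is exactly the case that makes a manual lookup easy to get wrong.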