<link>http://people.skolelinux.org/pere/blog/</link>
<atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />
+ <item>
+ <title>Using NVD and CPE to track CVEs in locally maintained software</title>
+ <link>http://people.skolelinux.org/pere/blog/Using_NVD_and_CPE_to_track_CVEs_in_locally_maintained_software.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Using_NVD_and_CPE_to_track_CVEs_in_locally_maintained_software.html</guid>
+ <pubDate>Fri, 28 Jan 2011 15:40:00 +0100</pubDate>
+ <description>
+<p>The last few days I have looked at ways to track open security
+issues here at my work with the University of Oslo. My idea is that
+it should be possible to use the information about security issues
+available on the Internet, and check our locally
+maintained/distributed software against this information. It should
+allow us to verify that no known security issue are forgotten. The
+CVE database listing vulnerabilities seem like a great central point,
+and by using the package lists from Debian mapped to CVEs provided by
+the testing security team, I believed it should be possible to figure
+out which security holes were present in our free software
+collection.</p>
+
+<p>After reading up on the issue, it became obvious that the first
+building block is to be able to name software packages in a unique and
+consistent way across data sources. I considered several ways to do
+this, for example coming up with my own naming scheme like using URLs
+to project home pages or URLs to the Freshmeat entries, or using some
+existing naming scheme. And it seem like I am not the first one to
+come across this problem, as MITRE already proposed and implemented a
+solution. Enter the <a href="http://cpe.mitre.org/index.html">Common
+Platform Enumeration</a> dictionary, a vocabulary for referring to
+software, hardware and other platform components. The CPE ids are
+mapped to CVEs in the <a href="http://web.nvd.nist.gov/">National
+Vulnerability Database</a>, allowing me to look up know security
+issues for any CPE name. With this in place, all I need to do is to
+locate the CPE id for the software packages we use at the university.
+This is fairly trivial (I google for 'cve cpe $package' and check the
+NVD entry if a CVE for the package exist).</p>
+
+<p>To give you an example. The GNU gzip source package have the CPE
+name cpe:/a:gnu:gzip. If the old version 1.3.3 was the package to
+check out, one could look up
+<a href="http://web.nvd.nist.gov/view/vuln/search?cpe=cpe%3A%2Fa%3Agnu%3Agzip:1.3.3">cpe:/a:gnu:gzip:1.3.3
+in NVD</a> and get a list of 6 security holes with public CVE entries.
+The most recent one is
+<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0001">CVE-2010-0001</a>,
+and at the bottom of the NVD page for this vulnerability the complete
+list of affected versions is provided.</p>
+
+<p>The NVD database of CVEs is also available as a XML dump, allowing
+for offline processing of issues. Using this dump, I've written a
+small script taking a list of CPEs as input and list all CVEs
+affecting the packages represented by these CPEs. One give it CPEs
+with version numbers as specified above and get a list of open
+security issues out.</p>
+
+<p>Of course for this approach to be useful, the quality of the NVD
+information need to be high. For that to happen, I believe as many as
+possible need to use and contribute to the NVD database. I notice
+RHEL is providing
+<a href="https://www.redhat.com/security/data/metrics/rhsamapcpe.txt">a
+map from CVE to CPE</a>, indicating that they are using the CPE
+information. I'm not aware of Debian and Ubuntu doing the same.</p>
+
+<p>To get an idea about the quality for free software, I spent some
+time making it possible to compare the CVE database from Debian with
+the CVE database in NVD. The result look fairly good, but there are
+some inconsistencies in NVD (same software package having several
+CPEs), and some inaccuracies (NVD not mentioning buggy packages that
+Debian believe are affected by a CVE). Hope to find time to improve
+the quality of NVD, but that require being able to get in touch with
+someone maintaining it. So far my three emails with questions and
+corrections have not seen any reply, but I hope contact can be
+established soon.</p>
+
+<p>An interesting application for CPEs is cross platform package
+mapping. It would be useful to know which packages in for example
+RHEL, OpenSuSe and Mandriva are missing from Debian and Ubuntu, and
+this would be trivial if all linux distributions provided CPE entries
+for their packages.</p>
+</description>
+ </item>
+
<item>
<title>Skolelinux-intervju: Morten Amundsen</title>
<link>http://people.skolelinux.org/pere/blog/Skolelinux_intervju__Morten_Amundsen.html</link>
</description>
</item>
- <item>
- <title>Hva har mine representanter stemt i Storinget?</title>
- <link>http://people.skolelinux.org/pere/blog/Hva_har_mine_representanter_stemt_i_Storinget_.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Hva_har_mine_representanter_stemt_i_Storinget_.html</guid>
- <pubDate>Tue, 11 Jan 2011 14:25:00 +0100</pubDate>
- <description>
-<p>I England har <a href="http://www.mysociety.org/">MySociety</a>
-laget en genial tjeneste for å holde øye med parlamentet. Tjenesten
-<a href="http://www.theyworkforyou.com/">They Work For You</a> lar
-borgerne få direkte og sanntidsoppdatert innsyn i sine representanters
-gjøren og laden i parlamentet. En kan kan få kopi av det en gitt
-representant har sagt på talerstolen, og få vite hva hver enkelt
-representant har stemt i hver enkelt sak som er tatt opp. Jeg skulle
-gjerne hatt en slik tjeneste for Stortinget i Norge.</p>
-
-<p>Endel <a href="http://www.nsd.uib.no/polsys/storting/">statistikk
-over representantenes stemmegivning</a> er tilgjengelig fra Norsk
-sammfunnsvitenskaplig datatjeneste, men ingenting av dette er
-detaljert nok til at en han holde hver enkelt stortingsrepresentant
-ansvarlig.</p>
-
-<p>For å få en idé om det finnes en datakilde fra Stortinget som kan
-brukes til å få oversikt over hvordan hver enkelt representant har
-stemt, sendte jeg et spørsmål til Stortinget:</p>
-
-<p><blockquote><pre>
-Fra: Petter Reinholdtsen
-Sendt: 11. januar 2011 10:42
-Til: info (at) stortinget.no
-Emne: Hvem stemte hva i de ulike sakene?
-
-Hei. Er det informasjon tilgjengelig på web om hvilke
-stortingsrepresentanter som stemte hva i sakene som er til votering i
-Stortinget?
-
-Vennlig hilsen,
---
-Petter Reinholdtsen
-</pre></blockquote></p>
-
-<p>Svaret kom noen timer senere:</p>
-
-<p><blockquote><pre>
-From: Postmottak Informasjonshjornet
-To: Petter Reinholdtsen
-Subject: RE: Hvem stemte hva i de ulike sakene?
-Date: Tue, 11 Jan 2011 12:46:25 +0000
-
-Hei.
-Takk for henvendelsen.
-
-Sommeren 2010 fikk vi nytt voteringsanlegg i stortingssalen som
-muliggjør publisering av voteringsresultat på nett. dette er et
-pågående prosjekt 1. halvår 2011. Kan ikke si nøyaktig når det er i
-funksjon.
-<a href="http://www.stortinget.no/no/Stortinget-og-demokratiet/Historikk/Nytt-konferanseanlegg-i-stortingssalen/">http://www.stortinget.no/no/Stortinget-og-demokratiet/Historikk/Nytt-konferanseanlegg-i-stortingssalen/</a>
-
-Foreløpig må du finne voteringsresultatet i referatet etter at saken
-har vært behandlet i Stortinget.
-
-Ønsker du å vite hvem som stemte hva i en bestemt sak,(og hvem som
-ikke var til stede), kan du kontakte oss og vi kan sende deg en
-utskrift.
-
-Med vennlig hilsen
-Elin B. Relander Tømte
-Stortingets Informasjonsseksjon
-tlf 23313596
-
-www.stortinget.no
-www.tinget.no
-</pre></blockquote></p>
-
-<p>Det ser dermed ut at det i fjor ble mulig å hente ut informasjonen
-fra Stortinget, men at Stortinget ikke legger denne informasjonen ut
-på web ennå. En liten brikke er dermed på plass, men mye
-gjenstår. Kanskje jeg får tid til å se på en norsk utgave etter
-at vi i NUUG har fått operativ en norsk utgave av
-<a href="http://www.fixmystreet.com/">FixMyStreet</a>.</p>
-</description>
- </item>
-
</channel>
</rss>
projects / homepage.git / blobdiff