X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/9db090e7e13816a0b7ff8d66556c868e710788dd..cb78fb2b35533adb2b1de63c9d46b17b60becc8c:/blog/index.rss diff --git a/blog/index.rss b/blog/index.rss index 892970bef0..ef6296058f 100644 --- a/blog/index.rss +++ b/blog/index.rss 
@@ -6,6 +6,85 @@ http://people.skolelinux.org/pere/blog/ + + Using NVD and CPE to track CVEs in locally maintained software + http://people.skolelinux.org/pere/blog/Using_NVD_and_CPE_to_track_CVEs_in_locally_maintained_software.html + http://people.skolelinux.org/pere/blog/Using_NVD_and_CPE_to_track_CVEs_in_locally_maintained_software.html + Fri, 28 Jan 2011 15:40:00 +0100 + +<p>The last few days I have looked at ways to track open security +issues here at my work with the University of Oslo. My idea is that +it should be possible to use the information about security issues +available on the Internet, and check our locally +maintained/distributed software against this information. It should +allow us to verify that no known security issue are forgotten. The +CVE database listing vulnerabilities seem like a great central point, +and by using the package lists from Debian mapped to CVEs provided by +the testing security team, I believed it should be possible to figure +out which security holes were present in our free software +collection.</p> + +<p>After reading up on the issue, it became obvious that the first +building block is to be able to name software packages in a unique and +consistent way across data sources. I considered several ways to do +this, for example coming up with my own naming scheme like using URLs +to project home pages or URLs to the Freshmeat entries, or using some +existing naming scheme. And it seem like I am not the first one to +come across this problem, as MITRE already proposed and implemented a +solution. Enter the <a href="http://cpe.mitre.org/index.html">Common +Platform Enumeration</a> dictionary, a vocabulary for referring to +software, hardware and other platform components. The CPE ids are +mapped to CVEs in the <a href="http://web.nvd.nist.gov/">National +Vulnerability Database</a>, allowing me to look up know security +issues for any CPE name. 
With this in place, all I need to do is to +locate the CPE id for the software packages we use at the university. +This is fairly trivial (I google for 'cve cpe $package' and check the +NVD entry if a CVE for the package exist).</p> + +<p>To give you an example. The GNU gzip source package have the CPE +name cpe:/a:gnu:gzip. If the old version 1.3.3 was the package to +check out, one could look up +<a href="http://web.nvd.nist.gov/view/vuln/search?cpe=cpe%3A%2Fa%3Agnu%3Agzip:1.3.3">cpe:/a:gnu:gzip:1.3.3 +in NVD</a> and get a list of 6 security holes with public CVE entries. +The most recent one is +<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0001">CVE-2010-0001</a>, +and at the bottom of the NVD page for this vulnerability the complete +list of affected versions is provided.</p> + +<p>The NVD database of CVEs is also available as a XML dump, allowing +for offline processing of issues. Using this dump, I've written a +small script taking a list of CPEs as input and list all CVEs +affecting the packages represented by these CPEs. One give it CPEs +with version numbers as specified above and get a list of open +security issues out.</p> + +<p>Of course for this approach to be useful, the quality of the NVD +information need to be high. For that to happen, I believe as many as +possible need to use and contribute to the NVD database. I notice +RHEL is providing +<a href="https://www.redhat.com/security/data/metrics/rhsamapcpe.txt">a +map from CVE to CPE</a>, indicating that they are using the CPE +information. I'm not aware of Debian and Ubuntu doing the same.</p> + +<p>To get an idea about the quality for free software, I spent some +time making it possible to compare the CVE database from Debian with +the CVE database in NVD. The result look fairly good, but there are +some inconsistencies in NVD (same software package having several +CPEs), and some inaccuracies (NVD not mentioning buggy packages that +Debian believe are affected by a CVE). 
Hope to find time to improve +the quality of NVD, but that require being able to get in touch with +someone maintaining it. So far my three emails with questions and +corrections have not seen any reply, but I hope contact can be +established soon.</p> + +<p>An interesting application for CPEs is cross platform package +mapping. It would be useful to know which packages in for example +RHEL, OpenSuSe and Mandriva are missing from Debian and Ubuntu, and +this would be trivial if all linux distributions provided CPE entries +for their packages.</p> + + + Skolelinux-intervju: Morten Amundsen http://people.skolelinux.org/pere/blog/Skolelinux_intervju__Morten_Amundsen.html 
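Review bot: The NVD search link in the gzip example mixes encodings: `cpe%3A%2Fa%3Agnu%3Agzip:1.3.3` percent-encodes the leading colons and slash but leaves the trailing `:1.3.3` literal; either encode the whole value the same way (`cpe%3A%2Fa%3Agnu%3Agzip%3A1.3.3`) or leave it unencoded throughout, so it is unambiguous that the parameter is one CPE string. Second, the description says the script takes CPEs "with version numbers as specified above" and returns the open issues, but two paragraphs later it reports that NVD lists the same package under several CPEs and omits packages Debian believes are affected; the post should state that an empty result means no CVE is recorded under that exact CPE name, not that the package is clean, and that a package has to be checked under every CPE name it appears with. Finally, a few grammar slips worth fixing before this goes out in the feed: "no known security issue are forgotten", "look up know security issues", "The GNU gzip source package have", "as a XML dump", "One give it CPEs", "The result look fairly good".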
@@ -702,87 +781,5 @@ servere.</p> - - Hva har mine representanter stemt i Storinget? - http://people.skolelinux.org/pere/blog/Hva_har_mine_representanter_stemt_i_Storinget_.html - http://people.skolelinux.org/pere/blog/Hva_har_mine_representanter_stemt_i_Storinget_.html - Tue, 11 Jan 2011 14:25:00 +0100 - -<p>I England har <a href="http://www.mysociety.org/">MySociety</a> -laget en genial tjeneste for å holde øye med parlamentet. Tjenesten -<a href="http://www.theyworkforyou.com/">They Work For You</a> lar -borgerne få direkte og sanntidsoppdatert innsyn i sine representanters -gjøren og laden i parlamentet. En kan kan få kopi av det en gitt -representant har sagt på talerstolen, og få vite hva hver enkelt -representant har stemt i hver enkelt sak som er tatt opp. Jeg skulle -gjerne hatt en slik tjeneste for Stortinget i Norge.</p> - -<p>Endel <a href="http://www.nsd.uib.no/polsys/storting/">statistikk -over representantenes stemmegivning</a> er tilgjengelig fra Norsk -sammfunnsvitenskaplig datatjeneste, men ingenting av dette er -detaljert nok til at en han holde hver enkelt stortingsrepresentant -ansvarlig.</p> - -<p>For å få en idé om det finnes en datakilde fra Stortinget som kan -brukes til å få oversikt over hvordan hver enkelt representant har -stemt, sendte jeg et spørsmål til Stortinget:</p> - -<p><blockquote><pre> -Fra: Petter Reinholdtsen -Sendt: 11. januar 2011 10:42 -Til: info (at) stortinget.no -Emne: Hvem stemte hva i de ulike sakene? - -Hei. Er det informasjon tilgjengelig på web om hvilke -stortingsrepresentanter som stemte hva i sakene som er til votering i -Stortinget? - -Vennlig hilsen, --- -Petter Reinholdtsen -</pre></blockquote></p> - -<p>Svaret kom noen timer senere:</p> - -<p><blockquote><pre> -From: Postmottak Informasjonshjornet -To: Petter Reinholdtsen -Subject: RE: Hvem stemte hva i de ulike sakene? -Date: Tue, 11 Jan 2011 12:46:25 +0000 - -Hei. -Takk for henvendelsen. 
- -Sommeren 2010 fikk vi nytt voteringsanlegg i stortingssalen som -muliggjør publisering av voteringsresultat på nett. dette er et -pågående prosjekt 1. halvår 2011. Kan ikke si nøyaktig når det er i -funksjon. -<a href="http://www.stortinget.no/no/Stortinget-og-demokratiet/Historikk/Nytt-konferanseanlegg-i-stortingssalen/">http://www.stortinget.no/no/Stortinget-og-demokratiet/Historikk/Nytt-konferanseanlegg-i-stortingssalen/</a> - -Foreløpig må du finne voteringsresultatet i referatet etter at saken -har vært behandlet i Stortinget. - -Ønsker du å vite hvem som stemte hva i en bestemt sak,(og hvem som -ikke var til stede), kan du kontakte oss og vi kan sende deg en -utskrift. - -Med vennlig hilsen -Elin B. Relander Tømte -Stortingets Informasjonsseksjon -tlf 23313596 - -www.stortinget.no -www.tinget.no -</pre></blockquote></p> - -<p>Det ser dermed ut at det i fjor ble mulig å hente ut informasjonen -fra Stortinget, men at Stortinget ikke legger denne informasjonen ut -på web ennå. En liten brikke er dermed på plass, men mye -gjenstår. Kanskje jeg får tid til å se på en norsk utgave etter -at vi i NUUG har fått operativ en norsk utgave av -<a href="http://www.fixmystreet.com/">FixMyStreet</a>.</p> - - -
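Review bot: Nothing in the diff documents why this item is dropped; the hunk headers (the first hunk grows the top of the file by 79 lines, this one removes 82 at the bottom, leaving 5 trailing lines) suggest the feed is truncated to a fixed number of items, with the oldest entry (11 Jan 2011) rotated out as the newest (28 Jan 2011) is added. If the generator does truncate to a fixed count, say so in the commit message or the generator's documentation, so a removal like this is recognisably mechanical rather than an editorial deletion of the post from the feed.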