From: Petter Reinholdtsen
Date: Fri, 28 Jan 2011 10:12:31 +0000 (+0000)
Subject: Start of today's post.
X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/commitdiff_plain/f80ce01d92f3339f6542b00f1c6074df53843186?hp=27ffa962100dea9889f7fe7b3061966d80f1203a

Start of today's post.
---
diff --git a/blog/data/2011-01-28-cve-cpe.txt b/blog/data/2011-01-28-cve-cpe.txt
new file mode 100644
index 0000000000..44747d4226
--- /dev/null
+++ b/blog/data/2011-01-28-cve-cpe.txt
@@ -0,0 +1,40 @@
+Title: Using NVD and CPE to track CVEs in locally maintained software
+Tags: english, debian
+Date: 2011-01-23 00:20
+

The last few days I have looked at ways to track open security +issues here at the University of Oslo where I work. My idea was that +it should be possible to use the information in security issues +available on the Internet, and check our locally +maintained/distributed software against this information to verify +that no known security issue had been forgotten. The CVE database +listing vulnerabilities seem like a great central point, and by using +the package lists from Debian mapped to CVEs provided by the testing +security team, it should be possible to figure out which security +holes were present in our free software collection.

+ +

After reading up on the issue, it became obvious that the first +building block is to be able to name software packages in a unique and +consistent way across data sources. I considered several ways to do +this, for example coming up with my own naming scheme like using URLs +to project home pages or URLs to the Freshmeat entries. But it seem +like I am not the first one to come across this problem, and MITRE had +already proposed and implemented a solution to this naming problem. +Enter the Common Platform +Enumeration dictionary, a vocabulary for referring to software, +hardware and other platform components. The CPE ids are mapped to +CVEs in the National Vulnerability +Database, allowing me to look up know security issues for any CPE +name. With this in place, all I need to do is to locate the CPE id +for the software packages we use at the university. This is fairly +trivial (I google for 'cve cpe $package' and check the NVD entry if a +CVE for the package exist).

+ + + + - CPE -> CVE + + +http://web.nvd.nist.gov/view/vuln/search +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3430 +cpe:/a:kernel:linux-pam:1.1.2
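Review bot: the hunk ends with unfinished scratch notes (the "- CPE -> CVE" bullet, the two NVD search/detail URLs and the bare identifier "cpe:/a:kernel:linux-pam:1.1.2") that will render as body text as soon as the blog generator picks up this file; either finish that section before committing or keep the draft out of blog/data/ until it is done. The material itself is the right ending for the post: the CVE-2010-3430 detail page and the linux-pam CPE name are exactly the worked lookup (CPE name -> NVD -> CVE list) that the second paragraph promises, so turning those three lines into a short example of resolving one package to its CPE id and then to its open CVEs would complete the argument. Smaller points in the same hunk: "The CVE database listing vulnerabilities seem like" should be "seems like", "look up know security issues" should be "known security issues", and "if a CVE for the package exist" should be "exists". The Date header (2011-01-23 00:20) is five days earlier than the file name and commit date (2011-01-28); if that is not deliberate, align them so the post sorts where expected.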