From 9db090e7e13816a0b7ff8d66556c868e710788dd Mon Sep 17 00:00:00 2001 From: Petter Reinholdtsen Date: Fri, 28 Jan 2011 14:37:41 +0000 Subject: [PATCH] New post. --- blog/data/2011-01-28-cve-cpe.txt | 47 ++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/blog/data/2011-01-28-cve-cpe.txt b/blog/data/2011-01-28-cve-cpe.txt index 4d5321513b..b8ffc37e1e 100644 --- a/blog/data/2011-01-28-cve-cpe.txt +++ b/blog/data/2011-01-28-cve-cpe.txt @@ -1,6 +1,6 @@ Title: Using NVD and CPE to track CVEs in locally maintained software -Tags: english, debian -Date: 2011-01-23 00:20 +Tags: english, debian, sikkerhet +Date: 2011-01-28 15:40

The last few days I have looked at ways to track open security issues here at my work with the University of Oslo. My idea is that @@ -21,10 +21,10 @@ this, for example coming up with my own naming scheme like using URLs to project home pages or URLs to the Freshmeat entries, or using some existing naming scheme. And it seem like I am not the first one to come across this problem, as MITRE already proposed and implemented a -solution. Enter the Common +solution. Enter the Common Platform Enumeration dictionary, a vocabulary for referring to software, hardware and other platform components. The CPE ids are -mapped to CVEs in the National +mapped to CVEs in the National Vulnerability Database, allowing me to look up know security issues for any CPE name. With this in place, all I need to do is to locate the CPE id for the software packages we use at the university. @@ -34,22 +34,41 @@ NVD entry if a CVE for the package exist).

To give you an example. The GNU gzip source package have the CPE name cpe:/a:gnu:gzip. If the old version 1.3.3 was the package to check out, one could look up -cpe:/a:gnu:gzip:1.3.3 +cpe:/a:gnu:gzip:1.3.3 in NVD and get a list of 6 security holes with public CVE entries. The most recent one is -CVE-2010-0001, +CVE-2010-0001, and at the bottom of the NVD page for this vulnerability the complete list of affected versions is provided.

The NVD database of CVEs is also available as a XML dump, allowing -for offline processing of issues. I've written a small script taking -a list of CPEs as input which list all CVEs affecting these packages. -One give it CPEs with version numbers and get a list of open security -issues out. +for offline processing of issues. Using this dump, I've written a +small script taking a list of CPEs as input and list all CVEs +affecting the packages represented by these CPEs. One give it CPEs +with version numbers as specified above and get a list of open +security issues out.

-- who uses CPEs? - - RHEL +

Of course for this approach to be useful, the quality of the NVD +information need to be high. For that to happen, I believe as many as +possible need to use and contribute to the NVD database. I notice +RHEL is providing +a +map from CVE to CPE, indicating that they are using the CPE +information. I'm not aware of Debian and Ubuntu doing the same.

-- quality +

To get an idea about the quality for free software, I spent some +time making it possible to compare the CVE database from Debian with +the CVE database in NVD. The result look fairly good, but there are +some inconsistencies in NVD (same software package having several +CPEs), and some inaccuracies (NVD not mentioning buggy packages that +Debian believe are affected by a CVE). Hope to find time to improve +the quality of NVD, but that require being able to get in touch with +someone maintaining it. So far my three emails with questions and +corrections have not seen any reply, but I hope contact can be +established soon.

-- other applications +

An interesting application for CPEs is cross platform package +mapping. It would be useful to know which packages in for example +RHEL, OpenSuSe and Mandriva are missing from Debian and Ubuntu, and +this would be trivial if all linux distributions provided CPE entries +for their packages.
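Review bot: in the first hunk (`@@ -1,6 +1,6 @@`), the tag added to the `Tags:` line, `sikkerhet`, is Norwegian while the other two tags on the line are `english, debian` and the post itself is tagged as English; confirm that `sikkerhet` is the tag the blog's other security posts already carry, otherwise this post will not group with them and an English tag would be the consistent choice. Moving `Date:` from 2011-01-23 00:20 to 2011-01-28 15:40 matches the commit time, so that part is fine.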
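Review bot: in the second hunk (`@@ -21,10 +21,10 @@`), the two removed/added pairs (`-solution. Enter the Common` / `+solution. Enter the Common` and `-mapped to CVEs in the National` / `+mapped to CVEs in the National`) read identically here, so the actual change must be in link markup or whitespace that does not survive this view; since these two links (the CPE dictionary and the NVD) are the references the whole post rests on, check the rendered page to confirm both still resolve. The unchanged context line "allowing me to look up know security issues" has a typo ("known") that could be fixed in the same commit.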
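Review bot: in the third hunk (`@@ -34,22 +34,41 @@`), the added sentence "One give it CPEs with version numbers as specified above and get a list of open security issues out." claims more than a version-matched NVD lookup delivers: the script lists the CVEs NVD records against that version string, not issues that are open on a given host, because a distribution that backports fixes without bumping the upstream version (Debian stable does this) still matches the vulnerable CPE. Suggest "and get a list of CVEs recorded against those versions out", and point to the Debian-versus-NVD comparison described further down in the same hunk as the place where fixed and open are told apart. Grammar in the added lines: "taking a list of CPEs as input and list all CVEs" should be "and listing all CVEs"; "One give it ... and get" should be "One gives it ... and gets"; "the quality of the NVD information need to be high" should be "needs"; "The result look fairly good" should be "looks"; "but that require being able" should be "requires"; "OpenSuSe" is spelled "openSUSE" and "linux distributions" should be "Linux distributions". The `-`/`+` pairs for `cpe:/a:gnu:gzip:1.3.3` and `CVE-2010-0001` read identically here, so as with the links above, verify the rendered anchors. Finally, the draft outline lines (`-- who uses CPEs?`, `- - RHEL`, `-- quality`, `-- other applications`) are each replaced by an empty `+` line rather than simply deleted, which leaves extra blank lines between the new paragraphs; dropping those empty `+` lines keeps the paragraph spacing uniform.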

-- 2.47.2