Title: Using NVD and CPE to track CVEs in locally maintained software
Tags: english, debian, sikkerhet
Date: 2011-01-28 15:40

<p>The last few days I have looked at ways to track open security
issues here at my work with the University of Oslo. My idea is that
it should be possible to use the information about security issues
available on the Internet, and check our locally
maintained/distributed software against this information. It should
allow us to verify that no known security issues are forgotten. The
CVE database listing vulnerabilities seems like a great central point,
and by using the package lists from Debian mapped to CVEs provided by
the testing security team, I believed it should be possible to figure
out which security holes were present in our free software
collection.</p>

<p>After reading up on the topic, it became obvious that the first
building block is to be able to name software packages in a unique and
consistent way across data sources. I considered several ways to do
this, for example coming up with my own naming scheme like using URLs
to project home pages or URLs to the Freshmeat entries, or using some
existing naming scheme. And it seems like I am not the first one to
come across this problem, as MITRE already proposed and implemented a
solution. Enter the <a href="http://cpe.mitre.org/index.html">Common
Platform Enumeration</a> dictionary, a vocabulary for referring to
software, hardware and other platform components. The CPE ids are
mapped to CVEs in the <a href="http://web.nvd.nist.gov/">National
Vulnerability Database</a>, allowing me to look up known security
issues for any CPE name. With this in place, all I need to do is to
locate the CPE id for the software packages we use at the university.
This is fairly trivial (I google for 'cve cpe $package' and check the
NVD entry if a CVE for the package exists).</p>

<p>To give an example: the GNU gzip source package has the CPE
name cpe:/a:gnu:gzip. If the old version 1.3.3 were the package to
check, one could look up
<a href="http://web.nvd.nist.gov/view/vuln/search?cpe=cpe%3A%2Fa%3Agnu%3Agzip:1.3.3">cpe:/a:gnu:gzip:1.3.3
in NVD</a> and get a list of 6 security holes with public CVE entries.
The most recent one is
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0001">CVE-2010-0001</a>,
and at the bottom of the NVD page for this vulnerability the complete
list of affected versions is provided.</p>

<p>The NVD database of CVEs is also available as an XML dump, allowing
for offline processing of issues. Using this dump, I've written a
small script that takes a list of CPEs as input and lists all CVEs
affecting the packages represented by these CPEs. One gives it CPEs
with version numbers as specified above and gets a list of open
security issues out.</p>
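<p>The following is an added illustration of the same idea and is not the script from this post. It assumes the layout of the NVD "nvdcve-2.0" XML feeds (the feed and vuln namespaces and the vuln:vulnerable-software-list/vuln:product elements) and runs against a small constructed sample feed embedded in the code; the CPEs and CVE ids other than cpe:/a:gnu:gzip:1.3.3 and CVE-2010-0001 are placeholders. It also goes one step beyond the post: a CPE given without a version matches every version of that product.</p>

```python
import xml.etree.ElementTree as ET

# Namespaces of the NVD CVE XML 2.0 feeds (assumed from the feed schema).
NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
}

# Constructed sample feed. CVE-2010-0001 and cpe:/a:gnu:gzip:1.3.3 are from
# the post; CVE-0000-0002 and cpe:/a:example:tool:2.0 are placeholders.
SAMPLE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
  <entry id="CVE-2010-0001">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:gnu:gzip:1.3.3</vuln:product>
      <vuln:product>cpe:/a:gnu:gzip:1.3.5</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-2010-0001</vuln:cve-id>
  </entry>
  <entry id="CVE-0000-0002">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:example:tool:2.0</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-0000-0002</vuln:cve-id>
  </entry>
</nvd>
"""


def cpe_matches(wanted, product):
    """Exact match for a versioned CPE; a CPE without a version
    (e.g. cpe:/a:gnu:gzip) matches every version of that product."""
    return wanted == product or product.startswith(wanted + ":")


def cves_for_cpes(feed_xml, cpes):
    """Return {cpe: sorted list of CVE ids} for every CPE in `cpes`."""
    root = ET.fromstring(feed_xml)
    hits = {cpe: set() for cpe in cpes}
    for entry in root.findall("feed:entry", NS):
        cve = entry.findtext("vuln:cve-id", default=entry.get("id"), namespaces=NS)
        products = [p.text.strip() for p in
                    entry.findall("vuln:vulnerable-software-list/vuln:product", NS)]
        for cpe in cpes:
            if any(cpe_matches(cpe, p) for p in products):
                hits[cpe].add(cve)
    return {cpe: sorted(found) for cpe, found in hits.items()}


if __name__ == "__main__":
    for cpe, cves in cves_for_cpes(SAMPLE_FEED, ["cpe:/a:gnu:gzip:1.3.3"]).items():
        print(cpe, ", ".join(cves) or "no known CVEs")
```

<p>Against a real feed, read the file with open() and pass its contents as feed_xml; a CPE with no hits gets an empty list, which is worth reporting explicitly rather than silently skipping.</p>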

<p>Of course, for this approach to be useful, the quality of the NVD
information needs to be high. For that to happen, I believe as many as
possible need to use and contribute to the NVD database. I notice
that RHEL is providing
<a href="https://www.redhat.com/security/data/metrics/rhsamapcpe.txt">a
map from CVE to CPE</a>, indicating that they are using the CPE
information. I'm not aware of Debian and Ubuntu doing the same.</p>

<p>To get an idea about the quality for free software, I spent some
time making it possible to compare the CVE database from Debian with
the CVE database in NVD. The results look fairly good, but there are
some inconsistencies in NVD (the same software package having several
CPEs), and some inaccuracies (NVD not mentioning buggy packages that
Debian believes are affected by a CVE). I hope to find time to improve
the quality of NVD, but that requires being able to get in touch with
someone maintaining it. So far my three emails with questions and
corrections have not seen any reply, but I hope contact can be
established soon.</p>

<p>An interesting application for CPEs is cross-platform package
mapping. It would be useful to know which packages in, for example,
RHEL, OpenSuSe and Mandriva are missing from Debian and Ubuntu, and
this would be trivial if all Linux distributions provided CPE entries
for their packages.</p>