Nmap Development mailing list archives
Re: NIST CPE
From: "Jan-Oliver Wagner" <Jan-Oliver.Wagner () greenbone net>
Date: Fri, 1 Apr 2011 08:20:59 +0200
On Freitag, 1. April 2011, David Fifield wrote:
Henri, I'm sure you know more about how CPE is actually used than most of us. In your opinion, would a partial result like cpe:/o:microsoft:windows_xp be useful to people (better than nothing), or are they going to want more precise information like cpe:/o:microsoft:windows_xp::sp3. It seems like offering even a little bit of information is useful, but if someone has the CPE hooked up to a vulnerability database or something, they may not want to see spurious alerts about Windows XP when the OS is actually Windows XP SP3 and already has the vulnerability fixed. I'm trying to get information on whether it would be better to at first implement very easy, but incomplete, CPE (like the cpeify-os.py script); or if the output needs to be mostly complete to begin with.
From the OpenVAS point of view, it is already very helpful to have partial information! Therefore I'd very welcome to have a first simple implementation which we can use to test/build the full chain up to vulnerability management database. It is task of the management tool to deal with incomplete CPE information. FWIW: I don't think in this regard there exists no "incomplete CPE", just "incomplete CPE information". AFAIKT, CPE was designed to work even with incomplete information. Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NIST CPE ambarisha b (Mar 23)
- Re: NIST CPE David Fifield (Mar 27)
- Re: NIST CPE Henri Doreau (Mar 30)
- Re: NIST CPE David Fifield (Mar 31)
- Re: NIST CPE Jan-Oliver Wagner (Mar 31)
- Re: NIST CPE Henri Doreau (Mar 30)
- Re: NIST CPE David Fifield (Mar 27)