Nmap Development mailing list archives

Re: NIST CPE


From: "Jan-Oliver Wagner" <Jan-Oliver.Wagner () greenbone net>
Date: Fri, 1 Apr 2011 08:20:59 +0200

On Friday, 1 April 2011, David Fifield wrote:
> Henri, I'm sure you know more about how CPE is actually used than most
> of us. In your opinion, would a partial result like
> cpe:/o:microsoft:windows_xp be useful to people (better than nothing),
> or are they going to want more precise information like
> cpe:/o:microsoft:windows_xp::sp3.
>
> It seems like offering even a little bit of information is useful, but
> if someone has the CPE hooked up to a vulnerability database or
> something, they may not want to see spurious alerts about Windows XP
> when the OS is actually Windows XP SP3 and already has the vulnerability
> fixed.
>
> I'm trying to get information on whether it would be better to at first
> implement very easy, but incomplete, CPE (like the cpeify-os.py script);
> or if the output needs to be mostly complete to begin with.

From the OpenVAS point of view, it is already very helpful to have partial
information! Therefore I'd very much welcome a first simple implementation
which we can use to test/build the full chain up to the vulnerability
management database.
It is the task of the management tool to deal with incomplete CPE information.

FWIW: I don't think in this regard there exists any "incomplete CPE", just
"incomplete CPE information". AFAICT, CPE was designed to work even with
incomplete information.

Best

        Jan

-- 
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
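
The following is an added example, not part of the original message and not Nmap or OpenVAS code: one way a management tool could treat a partial scanner result such as cpe:/o:microsoft:windows_xp differently from a precise one when comparing against vulnerability entries. The three result labels, the function names and the sample entry IDs are assumptions made for illustration; percent-encoded components are not decoded.

```python
# Added illustration: compare scanner-reported CPE 2.2 URIs with CPEs from vulnerability entries.
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe(uri):
    """Split a CPE 2.2 URI into its seven components; missing or empty ones become None."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError("too many components: %r" % uri)
    parts += [""] * (len(FIELDS) - len(parts))
    return {name: (value.lower() or None) for name, value in zip(FIELDS, parts)}

def compare(detected, vulnerable):
    """Classify a detected CPE against the CPE named by a vulnerability entry.

    'confirmed': every component the entry specifies was detected and is equal
    'possible' : nothing contradicts, but the scanner left a needed component blank
    'no-match' : a component the scanner did report differs from the entry
    """
    d, v = parse_cpe(detected), parse_cpe(vulnerable)
    result = "confirmed"
    for name in FIELDS:
        if v[name] is None:      # the entry does not constrain this component
            continue
        if d[name] is None:      # the scanner could not determine it
            result = "possible"
        elif d[name] != v[name]:
            return "no-match"
    return result

def triage(detected, entries):
    """Map each entry id to its classification, dropping entries that cannot apply."""
    verdicts = {eid: compare(detected, cpe) for eid, cpe in entries}
    return {eid: verdict for eid, verdict in verdicts.items() if verdict != "no-match"}

# Constructed sample entries (placeholder IDs, not real advisories).
ENTRIES = [
    ("EXAMPLE-1", "cpe:/o:microsoft:windows_xp::sp2"),  # affects SP2 only
    ("EXAMPLE-2", "cpe:/o:microsoft:windows_xp"),       # affects every XP
    ("EXAMPLE-3", "cpe:/o:microsoft:windows_7"),        # different product
]

if __name__ == "__main__":
    for cpe in ("cpe:/o:microsoft:windows_xp", "cpe:/o:microsoft:windows_xp::sp3"):
        print(cpe, "->", triage(cpe, ENTRIES))
```

With the partial result, the SP2-only entry is reported as "possible" rather than as a firm finding; with the SP3 result it is dropped.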