Q: Why doesn't CPE just use a numeric naming convention similar to CVE and CCE?
A: In short, the answer is to support matching. CPE is often used to identify the platform type of a given machine and then to compare that type against the platform types to which different issues apply (e.g. vulnerabilities or configuration statements). In this use case, the granularity at which the identification is made is often different from the granularity at which the applicability statement is made. To resolve this, there must be a way to understand the relationships between different CPE Names. For example, a system might be identified as Windows XP Service Pack 2, while a vulnerability is said to apply to Windows XP. Through matching, we can deduce that a system identified as Windows XP Service Pack 2 is also a Windows XP system, and therefore that the vulnerability applies.
Q: Why not use a numerical identifier with known structure (to support matching) similar to that of ISBN and VIN identifiers?
A: One of the initial goals of CPE was to enable the creation of new identifiers without relying too heavily on the support of an authoritative source. ISBN and VIN solve their structure issues by having an authoritative source hand out unique numerical identifiers to represent each publisher or manufacturer. With platforms, new vendors are constantly showing up, and the thought was that forcing a request to an authoritative source would introduce a time delay. In addition, the authoritative source would have to be funded, and one goal was to reduce the amount of long-term funding needed to support this initiative.
Q: Why doesn't the XML namespace associated with the CPE Dictionary and CPE Language change between minor versions?
A: This is a long-standing discussion with no real right or wrong answer. We have always chosen to keep the namespace the same for minor versions so as not to force existing content to change. If we changed the namespace, then all existing content would have to be modified to refer to the new namespace, even though the rest of the XML document might not have changed. Also, the argument can be made that we are not changing the meaning of the elements in the schema; rather, we are only modifying the child elements and attributes. Without a change in meaning, the namespace should not change, so that tools importing instance documents can continue to "understand" the XML. In other words, a 'cpe-list' element still means the same thing, and a 'title' element still means the same thing. The following document provides more information on this: http://www.xfront.com/Versioning.pdf
Q: When creating a new CPE Name, what term should be used if a given component is not defined by a vendor?
A: If you are creating a CPE Name for a platform that does not have or define a certain component, and you want to enumerate a specific release in a way that guards against future releases that may introduce the component (e.g. the release of a new edition), then the value '-' (a single hyphen) should be used for that component. Note that some vendors do in fact define a term for an initial release but do not use this term in the marketing name. In these cases, that vendor term should be used instead of '-'. An example of this is the Microsoft Windows operating system, where the initial release is the one shipped without a service pack. In this case, the vendor does in fact have a term for this release (gold), and that vendor term should be used instead of '-'.
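The following is an added example, not code from the CPE project or this FAQ, that illustrates the two points above: the component-wise matching that lets a Windows XP Service Pack 2 system match an applicability statement for Windows XP, and the way a specific value such as '-' (no such component) or 'gold' (the vendor's term for the initial release) only matches that same value. It assumes the CPE 2.2 URI form (cpe:/part:vendor:product:version:update:edition:language), in which trailing components that are left out are unspecified and match anything. The issue identifiers and the 'example' vendor in the sample data are constructed for the example and are not real advisories or products.

```python
from urllib.parse import unquote

# The seven components of a CPE 2.2 URI name, in order after the "cpe:/" prefix.
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(name):
    """Split a CPE 2.2 URI name into a dict of its seven components.

    Components that are not given are returned as "" (unspecified, meaning
    "any value"), so cpe:/o:microsoft:windows_xp has empty version, update,
    edition and language components. Percent-encoded characters are decoded
    and values are lower-cased so that comparison is case-insensitive.
    """
    prefix = "cpe:/"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    fields = name[len(prefix):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError(f"too many components in {name!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))
    return dict(zip(COMPONENTS, (unquote(f).lower() for f in fields)))


def matches(applicability, system):
    """Return True if the CPE Name `system` falls within `applicability`.

    Every component of the applicability name must be either unspecified
    (empty, matching anything) or exactly equal to the corresponding component
    of the system name. A specific value such as "sp2", "gold" or "-" in the
    applicability name therefore matches only that same value: a statement
    about version 1.0 with no update ("-") does not cover version 1.0 sp1.
    """
    pattern = parse_cpe22(applicability)
    target = parse_cpe22(system)
    return all(pattern[c] == "" or pattern[c] == target[c] for c in COMPONENTS)


def applicable_issues(system, issues):
    """Return the ids of the issues whose applicability statement matches `system`."""
    return [issue_id for issue_id, cpe in issues if matches(cpe, system)]


# Constructed sample applicability statements (hypothetical issue ids, not real advisories).
SAMPLE_ISSUES = [
    ("ISSUE-1", "cpe:/o:microsoft:windows_xp"),        # any Windows XP
    ("ISSUE-2", "cpe:/o:microsoft:windows_xp::sp2"),   # only Service Pack 2
    ("ISSUE-3", "cpe:/o:microsoft:windows_xp::gold"),  # only the initial release
    ("ISSUE-4", "cpe:/o:microsoft:windows_vista"),     # a different product
    ("ISSUE-5", "cpe:/a:example:widget:1.0:-"),        # hypothetical app, 1.0 with no update
]

if __name__ == "__main__":
    for system in (
        "cpe:/o:microsoft:windows_xp::sp2",
        "cpe:/o:microsoft:windows_xp::gold",
        "cpe:/a:example:widget:1.0:-",
        "cpe:/a:example:widget:1.0:sp1",
    ):
        print(system, "->", applicable_issues(system, SAMPLE_ISSUES))
```

Note that matching is directional: the applicability statement is the pattern and the system identification is the value, so a statement about Windows XP SP2 does not match a system identified only as Windows XP, whose update component is unspecified.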