Q: Why doesn't CPE just use a numeric naming convention similar to CVE and CCE?
A: In short, the answer is to support matching. CPE is often used to identify the platform type of a given machine and then to compare that type against the platform types to which different issues apply (e.g. vulnerabilities or configuration statements). In this use case, the level of granularity at which the identification is made is often different from the level of granularity at which the applicability statement is made. To resolve this, there must be a way to understand relationships between different CPE Names. For example, a system might be identified as Windows XP Service Pack 2, while a vulnerability is said to apply to Windows XP. Through matching, we can deduce that a system identified as Windows XP Service Pack 2 is also a Windows XP system, and therefore the vulnerability applies.
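The matching described in this answer, as an added example (not part of the original FAQ and not the CPE specification's own code). It assumes CPE 2.2-style URI names, in which an omitted or empty component means "any value"; the CPE names, issue labels and function names are constructed for illustration.

```python
# Added example: component-wise CPE name matching (assumes CPE 2.2-style URIs).
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe_uri(name):
    """Split 'cpe:/part:vendor:product:...' into seven components; missing ones become ''."""
    if not name.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE URI: {name!r}")
    parts = name[5:].lower().split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components: {name!r}")
    return tuple(parts + [""] * (len(FIELDS) - len(parts)))

def applies_to(statement, system):
    """True when every component the statement specifies equals the system's.
    An empty statement component is unspecified and matches any value."""
    pairs = zip(parse_cpe_uri(statement), parse_cpe_uri(system))
    return all(want == "" or want == have for want, have in pairs)

def applicable_statements(system, statements):
    """Return the labels of the statements whose CPE name covers the system."""
    return [label for label, cpe in statements if applies_to(cpe, system)]

# Constructed sample data: one identified machine, four applicability statements.
SYSTEM = "cpe:/o:microsoft:windows_xp::sp2"
STATEMENTS = [
    ("issue-A: any Windows XP", "cpe:/o:microsoft:windows_xp"),
    ("issue-B: Windows XP SP3", "cpe:/o:microsoft:windows_xp::sp3"),
    ("issue-C: Windows XP SP2", "cpe:/o:microsoft:windows_xp::sp2"),
    ("issue-D: Windows 2000", "cpe:/o:microsoft:windows_2000"),
]

if __name__ == "__main__":
    for label in applicable_statements(SYSTEM, STATEMENTS):
        print("applies:", label)
    # Matching is directional: a machine identified only as "Windows XP"
    # does not satisfy a statement that requires Service Pack 2.
    print(applies_to(SYSTEM, "cpe:/o:microsoft:windows_xp"))
```

An opaque numeric identifier could not support this comparison, because the relationship between the two names is read from their shared components.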
Q: Why doesn't the XML namespace associated with the CPE Dictionary and CPE Language change between minor versions?
A: This is a long-standing discussion with no real right or wrong answer. We have always chosen to keep the namespace the same for minor versions so as not to force existing content to change. If we changed the namespace, then all existing content would have to be modified to relate to the new namespace, even though the rest of the XML document might not have changed. Also, the argument can be made that we are not changing the meaning of the elements in the schema; rather, we are just modifying the child elements and attributes. Without a change in meaning, the namespace should not change, so that tools that import instance documents can continue to "understand" the XML. In other words, a 'cpe-list' element still means the same thing, and a 'title' element still means the same thing. The following document provides more information on this: http://www.xfront.com/Versioning.pdf