The following is a list of issues / suggestions that have been proposed for a future version of the CPE Specification. Note that some issues may be in a FIXED state, meaning that the issue has been addressed but it can't be officially closed until the next specification release.
| Issue | Created | Status | Description |
| --- | --- | --- | --- |
| 15145 - document deprecated attributes | Thu Apr 24 08:34:07 2008 | open | In the CPE Dictionary schema, we need to document the use of the deprecated attributes. We also need to state that one should just ignore the 'deprecated_by' and 'deprecated_date' attributes unless 'deprecated' is set to TRUE. |
| 16851 - clarify what term to use for an initial release | Fri Sep 5 14:25:11 2008 | fixed | Clarification is needed regarding how to handle situations where a given platform does not have the notion of a specific component. For example, an application may not support different languages, or an operating system may not have editions. In these cases there is nothing to use for the related component in a CPE Name. These components could be left blank, but this could create problems if the component is used in a later release. For example, the operating system mentioned above may decide to add editions after the initial release. If a blank edition component was used for the initial name, then that initial name would also match the new edition. This may not be desired. There needs to be a way to name that initial release. |
| 16853 - change version component to support matching issues | Fri Sep 5 14:26:23 2008 | open | Matching within the version component has been a trouble spot for CPE. Since a CPE Name only has a single component that holds both the major and minor versions (and any other parts of the version), there currently is no way to perform matching at different levels of specificity within the version. For example, the current matching algorithm does not work between cpe:/a:vendor:product:4.5 and cpe:/a:vendor:product:4. |
| 18144 - clarify vendor component regarding subdomains | Tue Dec 9 07:37:19 2008 | open | More detail is needed about exactly how to create the vendor piece of the CPE Name. The question at hand focuses on how to handle subdomains. This is coming up more with international vendors that are placed in their country's top-level domain. For example, "www.iij.ad.jp". Should the vendor component be "iij" or "iij.ad"? |
| 18278 - clarify vendor component regarding no qualified DNS | Thu Dec 18 09:04:09 2008 | fixed | Clarification is needed for situations when there is no DNS name affiliated with a certain vendor but an OS, application, etc. from this vendor is hosted elsewhere. What is the correct naming methodology for the vendor component? For example, the vendor Best Software may not have a qualified DNS name, yet their application ABC123 may be hosted on an open source software site. It has been proposed that the following paragraph be added to the Vendor Component section: "In some cases, especially with open source software, a vendor may not have a qualified DNS name. For these situations, the term used in the vendor component should be formed using the most widely known form of the vendor name, replacing spaces with underscores. For example, the vendor Best Software may not have a qualified DNS name, so a CPE Name for their application ABC123 would be cpe:/a:best_software:abc123". |
| 18279 - move paragraph about consulting the dictionary | Thu Dec 18 09:05:59 2008 | fixed | For many names, there are a couple of different ways that the name could be written. For example, with Microsoft Windows Vista Home Basic 64-bit Edition Service Pack 2, the CPE Name could be written as: cpe:/o:microsoft:windows_vista::sp2:home_basic_x64 or cpe:/o:microsoft:windows_vista::sp2:_x64_home_basic. This is a case where there is no right answer and the official dictionary just needs to choose one of the names. The main thing that the CPE Specification wants to guard against is both CPE Names being found in the dictionary. The spec says: "When questions arise about terms to be used, the CPE Dictionary should be consulted for any existing names whose structure should be copied. If the dictionary does not provide any help, then the CPE Community should help decide what is the best route forward for a particular name. For example, if there is a question about what to use as the Product Component, polling the CPE Community should be considered. In the end, all that really matters is that the CPE Name is unique." This is stated in the current CPE spec, but probably is in the wrong spot (bottom of page 6) and is not easily found. I should move this to the bottom of the first paragraph of section 5.2. |
| 19486 - document how to handle multiple editions | Thu Apr 16 08:01:47 2009 | open | It is often possible for a platform type to be part of multiple editions. For example, x64 Professional. The spec needs to state how to fit multiple different editions into the Edition component. |
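
The matching behaviour described in issues 16851 and 16853, as an added example that is not part of the CPE Specification or its tooling. It assumes a simplified model of component-wise matching (a blank component matches anything, otherwise the strings must be equal); the function names and the `cpe:/o:vendor:os` names are constructed for illustration.

```python
# Added example: simplified model of component-wise CPE Name matching.
# Assumption: a blank component in the pattern matches any value; a
# non-blank component must equal the target's component exactly.
PARTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri):
    """Split a cpe:/ URI into its seven components; missing ones become blank."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a cpe:/ URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > len(PARTS):
        raise ValueError(f"too many components: {uri!r}")
    fields += [""] * (len(PARTS) - len(fields))
    return dict(zip(PARTS, fields))


def mismatched(pattern, target):
    """Return the components where a non-blank pattern value differs from target."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return [k for k in PARTS if p[k] != "" and p[k] != t[k]]


def matches(pattern, target):
    """True when no non-blank component of pattern disagrees with target."""
    return not mismatched(pattern, target)


def matching_entries(pattern, dictionary):
    """List the dictionary names that the pattern matches."""
    return [name for name in dictionary if matches(pattern, name)]


if __name__ == "__main__":
    # Issue 16851: the initial release was named with a blank edition, so the
    # same name also matches an edition added later (constructed names).
    later = ["cpe:/o:vendor:os:1.0", "cpe:/o:vendor:os:1.0::pro"]
    print(matching_entries("cpe:/o:vendor:os:1.0", later))

    # Issue 16853: "4" and "4.5" are compared as whole strings, so the
    # major-version name does not match the more specific one.
    print(mismatched("cpe:/a:vendor:product:4", "cpe:/a:vendor:product:4.5"))
```
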