* [Buildroot] Adding new products in the CPE database ?
@ 2021-10-04  7:49 Thomas Petazzoni
  2021-10-05 19:01 ` Arnout Vandecappelle
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Petazzoni @ 2021-10-04  7:49 UTC (permalink / raw)
  To: Matthew Weber; +Cc: buildroot, Yann E. MORIN

Hello Matt,

I was wondering what was the process to add a new product in the CPE
database.

Indeed, I was investigating
https://security-tracker.debian.org/tracker/CVE-2011-3332, which is
affecting our "argus" package.

However CVE-2011-3332 affects the Argus product from Iceni, a PDF
extracting tool at https://www.iceni.com/legacy.htm.

This is completely different than the Argus package we have, which is
https://openargus.org/.

The NVD CPE database has several Argus products known:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=argus.
From Iceni, from Oracle, from Litronic. But none of them correspond to
the Argus that we have packaged.

So I guess we need to tell the NVD people to add an entry in the CPE
database for this other Argus product, so that we can then amend our
argus.mk package with the appropriate CPE ID information.

Thanks for your feedback!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
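
An added example, not part of the original thread and not Buildroot or NVD code: it shows why matching on the product name alone attaches CVE-2011-3332 to an unrelated "argus" package, while a vendor-qualified CPE ID does not. The CPE strings are constructed for illustration, and the vendor value for the openargus.org package is a placeholder.

```python
import re

# Attribute order of a CPE 2.3 formatted string, after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 attributes.

    A colon escaped as '\\:' belongs to the value and is not a separator.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    values = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(values) != len(FIELDS):
        raise ValueError("expected %d attributes in %r" % (len(FIELDS), cpe))
    return dict(zip(FIELDS, values))

def attr_match(a, b):
    """'*' (ANY) matches every value; otherwise compare case-insensitively."""
    return "*" in (a, b) or a.lower() == b.lower()

def match_by_name(pkg_name, cve_cpes):
    """Name-only matching: looks at the product attribute and nothing else."""
    return [c for c in cve_cpes
            if parse_cpe23(c)["product"].lower() == pkg_name.lower()]

def match_by_cpe(pkg_cpe, cve_cpes):
    """Vendor-qualified matching on part, vendor, product and version."""
    pkg = parse_cpe23(pkg_cpe)
    keys = ("part", "vendor", "product", "version")
    return [c for c in cve_cpes
            if all(attr_match(parse_cpe23(c)[k], pkg[k]) for k in keys)]

# Constructed sample: an applicability entry for the Iceni product named in
# the thread. The exact string NVD publishes for CVE-2011-3332 may differ.
CVE_2011_3332_CPES = ["cpe:2.3:a:iceni:argus:*:*:*:*:*:*:*:*"]

# Placeholder vendor and constructed version for the openargus.org package;
# per the thread, the CPE dictionary had no entry for it.
PKG_CPE = "cpe:2.3:a:placeholder_vendor:argus:1.0:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print("name-only:", match_by_name("argus", CVE_2011_3332_CPES))
    print("cpe-based:", match_by_cpe(PKG_CPE, CVE_2011_3332_CPES))
```
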


* Re: [Buildroot] Adding new products in the CPE database ?
  2021-10-04  7:49 [Buildroot] Adding new products in the CPE database ? Thomas Petazzoni
@ 2021-10-05 19:01 ` Arnout Vandecappelle
  2021-10-05 19:12   ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
  0 siblings, 1 reply; 3+ messages in thread
From: Arnout Vandecappelle @ 2021-10-05 19:01 UTC (permalink / raw)
  To: Thomas Petazzoni, Matthew Weber; +Cc: buildroot, Yann E. MORIN



On 04/10/2021 09:49, Thomas Petazzoni wrote:
> Hello Matt,
> 
> I was wondering what was the process to add a new product in the CPE
> database.
> 
> Indeed, I was investigating
> https://security-tracker.debian.org/tracker/CVE-2011-3332, which is
> affecting our "argus" package.
> 
> However CVE-2011-3332 affects the Argus product from Iceni, a PDF
> extracting tool at https://www.iceni.com/legacy.htm.
> 
> This is completely different than the Argus package we have, which is
> https://openargus.org/.
> 
> The NVD CPE database has several Argus products known:
> https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=argus.
>  From Iceni, from Oracle, from Litronic. But none of them correspond to
> the Argus that we have packaged.
> 
> So I guess we need to tell the NVD people to add an entry in the CPE
> database for this other Argus product, so that we can then amend our
> argus.mk package with the appropriate CPE ID information.

  I believe it's simply sending mail to cpe_dictionary at nist.gov. From [1]:


"Organizations interested in submitting CPE Names should contact the NVD CPE 
team at cpe_dictionary at nist.gov for help with the processing of their 
submission."


  Regards,
  Arnout


[1] https://nvd.nist.gov/products/cpe

* Re: [Buildroot] [External] Re: Adding new products in the CPE database ?
  2021-10-05 19:01 ` Arnout Vandecappelle
@ 2021-10-05 19:12   ` Weber, Matthew L Collins via buildroot
  0 siblings, 0 replies; 3+ messages in thread
From: Weber, Matthew L Collins via buildroot @ 2021-10-05 19:12 UTC (permalink / raw)
  To: Arnout Vandecappelle, Thomas Petazzoni; +Cc: buildroot, Yann E. MORIN

All,

> From: Arnout Vandecappelle <arnout@mind.be>
> Sent: Tuesday, October 5, 2021 2:01 PM
> To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>; Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Cc: buildroot@uclibc.org <buildroot@uclibc.org>; Yann E. MORIN <yann.morin.1998@free.fr>
> Subject: [External] Re: [Buildroot] Adding new products in the CPE database ?
>  
>
>
> On 04/10/2021 09:49, Thomas Petazzoni wrote:
> > Hello Matt,
> >
> > I was wondering what was the process to add a new product in the CPE
> > database.
> >
> > Indeed, I was investigating
> > https://security-tracker.debian.org/tracker/CVE-2011-3332, which is
> > affecting our "argus" package.
> >
> > However CVE-2011-3332 affects the Argus product from Iceni, a PDF
> > extracting tool at https://www.iceni.com/legacy.htm.
> >
> > This is completely different than the Argus package we have, which is
> > https://openargus.org/.
> >
> > The NVD CPE database has several Argus products known:
> > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=argus.
> >  From Iceni, from Oracle, from Litronic. But none of them correspond to
> > the Argus that we have packaged.
> >
> > So I guess we need to tell the NVD people to add an entry in the CPE
> > database for this other Argus product, so that we can then amend our
> > argus.mk package with the appropriate CPE ID information.
>
>   I believe it's simply sending mail to cpe_dictionary at nist.gov. From [1]:

Yeah, it isn't too bad.

What has worked before has been to build a proposed XML entry for the new addition that includes the basic VERSION and PROJECT reference fields.  The NIST cpe team then takes those refs and verifies they make sense before adding the new entry to the dictionary.  You don't necessarily need to include all prior versions (they sometimes fill these in).

Regards,
Matt