Comments (12)
Ah, here's the Debian one: https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/CPE/list
from gsd-tools.
This is a great idea!
I would love to see something like cpe->PURL mapping, but almost anything would be better than what we have today :)
from gsd-tools.
So I've looked around a lot and it basically boils down to:
CPE
Purl
Manual names (e.g. Vendorname/productname/version)
Manual URLs (e.g. https://notepad-plus-plus.org/downloads/v8.2.1/)
The (good?) news is an official CPE dictionary is available:
https://nvd.nist.gov/products/cpe
and includes references, e.g.
<title xml:lang="en-US">@thi.ng/egf Project @thi.ng/egf 0.1.0 for Node.js</title> Advisory Version <cpe-23:cpe23-item name="cpe:2.3
The bad news: it's incomplete.
The worse news is it's not compatible with some vendors. Literally the first example I tried is bad:
Red Hat repository to CPE mapping:
https://access.redhat.com/security/data/metrics/repository-to-cpe.json
the first entry:
"cpes": ["cpe:/a:redhat:3scale_amp:2.11::el8", "cpe:/a:redhat:3scale_amp:2.12::el8",
and nope, it's not in the official dictionary, NVD official has:
So we'll also need a CPE to CPE mapping dictionary (e.g. Red Hat to NVD).
from gsd-tools.
Yeah, I didn't bother with using the official CPE dictionary at all when I did my stuff, I just allowed multiple CPEs to map to a package (or sometimes multiple packages) within an ecosystem because I never cared about going back the other way to CPE, but you're right that we'd need CPE -> CPE for accomplishing that.
from gsd-tools.
Of course even if we did there's no guarantee NVD is using what they say is the official entry on new entries. I've found several cases in the past where they use an old one or make up something new entirely. I'm sure you already know that though.
from gsd-tools.
NVD made a typo of "zabbiz" at some point (it should be zabbix); if there's one error, there are more. CPE should be structured data, and thus validated and tested to ensure it's correct. At a minimum, we should ensure each CPE we use exists in a CPE dictionary and is correct (spelling/etc.).
from gsd-tools.
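As an added example (not code from gsd-tools or from anyone in this thread), here is what the "parse, validate against a dictionary, and map vendor CPE to NVD CPE" pipeline discussed in the two comments above looks like in Python. It parses both the CPE 2.2 URI form Red Hat publishes (`cpe:/a:redhat:3scale_amp:2.11::el8`, from the page) and NVD's CPE 2.3 formatted strings, including backslash-escaped characters like the `@` and `/` in the thi.ng entry; the dictionary entries in `SAMPLE_DICTIONARY`, the NVD-side name `3scale_api_management` and the `VENDOR_TO_NVD` table are constructed for the example and are assumptions, not values taken from NVD or from repository-to-cpe.json.

```python
"""Added example, not code from gsd-tools or from anyone in this thread: parse
CPE 2.2 URIs and CPE 2.3 formatted strings into one canonical form, check a CPE
against a dictionary (catching typos such as zabbiz/zabbix and versions the
dictionary lacks), and translate a vendor's CPE to the dictionary's own name."""
import difflib
from typing import Dict, List, Optional, Tuple

# The 11 CPE 2.3 attributes. Canonical values are lower-case, unescaped strings;
# "*" means ANY and "-" means NA.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

def _split_unescaped(s: str) -> List[str]:
    """Split on ':' while keeping backslash-escaped characters (\\: \\/ \\@) literal."""
    fields, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if s[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    fields.append("".join(cur))
    return fields

def parse_cpe(cpe: str) -> Dict[str, str]:
    """Accept a 2.2 URI ('cpe:/a:vendor:product:version[:update[:edition[:lang]]]')
    or a 2.3 formatted string ('cpe:2.3:' plus exactly 11 fields)."""
    if cpe.startswith("cpe:2.3:"):
        fields = _split_unescaped(cpe[len("cpe:2.3:"):])
        if len(fields) != 11:
            raise ValueError(f"CPE 2.3 name needs 11 fields, got {len(fields)}: {cpe}")
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")  # 2.2 URIs do not escape colons
        if len(fields) > 7:
            raise ValueError(f"CPE 2.2 URI has more than 7 fields: {cpe}")
        # An empty or missing 2.2 field means ANY, as do the four 2.3-only attributes
        # (percent-encoding and packed '~' editions are not handled in this example).
        fields = [f or "*" for f in fields] + ["*"] * (11 - len(fields))
    else:
        raise ValueError(f"not a CPE name: {cpe}")
    wfn = dict(zip(ATTRS, (f.lower() for f in fields)))  # CPE matching is case-insensitive
    if wfn["part"] not in ("a", "o", "h"):
        raise ValueError(f"part must be a, o or h: {cpe}")
    return wfn

def to_cpe23(wfn: Dict[str, str]) -> str:
    """Bind the canonical form back to a 2.3 formatted string. Punctuation other
    than '_', '.' and '-' is backslash-escaped, as in NVD's own names."""
    def bind(v: str) -> str:
        if v in ("*", "-"):
            return v
        return "".join(c if (c.isalnum() or c in "_.-") else "\\" + c for c in v)
    return "cpe:2.3:" + ":".join(bind(wfn[a]) for a in ATTRS)

# Constructed dictionary in the shape of NVD 2.3 names; the exact strings are
# assumptions for this example, not copied from the NVD dictionary.
SAMPLE_DICTIONARY = [
    "cpe:2.3:a:zabbix:zabbix:5.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:zabbix:zabbix:5.0.1:*:*:*:*:*:*:*",
    r"cpe:2.3:a:\@thi.ng\/egf_project:\@thi.ng\/egf:0.1.0:*:*:*:*:node.js:*:*",
    "cpe:2.3:a:redhat:3scale_api_management:2.11:*:*:*:*:*:*:*",  # hypothetical NVD-side name
]

class CpeDictionary:
    """Dictionary names indexed by (part, vendor, product)."""
    def __init__(self, names: List[str]) -> None:
        self.by_product: Dict[Tuple[str, str, str], List[Dict[str, str]]] = {}
        for name in names:
            w = parse_cpe(name)
            self.by_product.setdefault((w["part"], w["vendor"], w["product"]), []).append(w)

    def check(self, cpe: str) -> Tuple[str, Optional[str]]:
        """Return ('ok' | 'unknown-version' | 'unknown-product', hint). For an unknown
        product the hint is the closest known part:vendor:product, which flags typos."""
        w = parse_cpe(cpe)
        key = (w["part"], w["vendor"], w["product"])
        if key not in self.by_product:
            known = [":".join(k) for k in self.by_product]
            close = difflib.get_close_matches(":".join(key), known, n=1, cutoff=0.8)
            return "unknown-product", (close[0] if close else None)
        versions = {e["version"] for e in self.by_product[key]}
        if w["version"] not in ("*", "-") and w["version"] not in versions:
            return "unknown-version", None
        return "ok", None

# Vendor name -> dictionary name, keyed on (part, vendor, product). The left side is
# the first entry of Red Hat's repository-to-cpe.json; the right side is the
# hypothetical dictionary name used in SAMPLE_DICTIONARY above.
VENDOR_TO_NVD = {
    ("a", "redhat", "3scale_amp"): ("a", "redhat", "3scale_api_management"),
}

def normalise_to_dictionary(cpe: str, dictionary: CpeDictionary) -> Tuple[str, str]:
    """Rewrite vendor/product through VENDOR_TO_NVD (other attributes, such as the
    'el8' Red Hat packs into edition, pass through unchanged) and check the result."""
    w = parse_cpe(cpe)
    key = (w["part"], w["vendor"], w["product"])
    if key in VENDOR_TO_NVD:
        w["part"], w["vendor"], w["product"] = VENDOR_TO_NVD[key]
    out = to_cpe23(w)
    return out, dictionary.check(out)[0]
```

Run against the sample dictionary, `check` reports `zabbiz` as an unknown product with `a:zabbix:zabbix` as the close match, reports Red Hat's `3scale_amp` as unknown until `normalise_to_dictionary` rewrites it, and still reports `unknown-version` for the `2.12` entry from repository-to-cpe.json because the sample dictionary only carries `2.11`; that last case is the "it's incomplete" problem in practice, and is why the dictionary check belongs in the publishing path rather than being trusted once.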
Stupid question: why aren't we talking about using SPDX?
from gsd-tools.
I guess ultimately I would really like to have something that is flexible and contains enough information to map between multiple formats.
from gsd-tools.
Can I suggest we start capturing ideas like this that are project scale on their own somewhere? Also it appears one or two other entities may also be working on a similar problem/solution.
from gsd-tools.
Does the https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0_schema.json help at all here? We also have the OSV format https://github.com/ossf/osv-schema
from gsd-tools.
For newer projects that are PURL-native (we're trying to be at endoflife.date), it would be nice to have a reverse-mapping as well, to be able to "work in PURL", but provide compatibility data that CPE-tooling can use.
from gsd-tools.
I haven't had a chance to review this yet, but this may be what I was looking to do: https://github.com/scanoss/purl2cpe
from gsd-tools.