Draft for http://dep.debian.net/ - merged with DEP12
Title: Add Common Platform Enumerator information to package meta information
DEP: DEP12
State: Pre-DRAFT
Date: 2012-04-13
Drivers: Petter Reinholdtsen <pere@hungry.com>
URL: http://wiki.debian.org/CPEtagPackagesDep
Abstract: This document proposes to make it easier to map between Debian packages and known security holes by tagging each package with Common Platform Enumerator strings, allowing us to look up our packages in the NVD CVE database of security issues. This will make it easier for enterprise system administrators to figure out which security problems affect their computers, and make it easier for the Debian security team to figure out which Debian packages are affected by a given security problem.
Introduction and Motivation
The National Vulnerability Database (NVD) provides information about Common Vulnerabilities and Exposures (CVE) entries, including the severity of each problem and which software is affected. The list of affected software uses Common Platform Enumerator values to identify individual software packages and versions.
By mapping Debian packages to CPE values, it is possible to work out which packages are affected by which CVEs, and also to discover whether the Debian security tracker has holes in its coverage. This mapping can be done manually, but it would be easier for both system administrators and the Debian security team if each package maintainer kept track of their packages' CPE values.
A prototype doing such mapping is implemented in the secure-testing git repository, https://salsa.debian.org/security-tracker-team/security-tracker.git. These are the files involved:
- bin/compare-nvd-cve
- data/CPE/list
- data/CPE/aliases
Proposal
Use the upstream metadata file (YAML format) to store the CPE values as a space-separated list. Some packages have several CPE values for historical reasons; for these, all of them should be listed, separated by spaces.
debian/upstream/metadata would look something like this for the perl package:
- CPE: cpe:/a:perl:perl cpe:/a:larry_wall:perl
And something like this for the dmitry package:
- CPE: cpe:/a:mor-pah.net:dmitry_deepmagic_information_gathering_tool cpe:/a:dmitry_project:dmitry
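As an added example (not part of this DEP nor the security tracker's compare-nvd-cve script), the following Python reads the proposed CPE field, reduces each CPE 2.2 URI to its vendor/product part, and matches the package against a constructed NVD-style sample. It assumes the CPE field is a single-line scalar, as in the examples above; the CVE numbers in the sample are placeholders.

```python
# Added example, not part of the DEP or the security-tracker's compare-nvd-cve:
# read the proposed CPE field, normalise CPE 2.2 URIs and find which entries in a
# constructed NVD sample affect the package.  Assumes the CPE field is a
# single-line scalar, as in the DEP's examples.

# Constructed debian/upstream/metadata content for the perl package (from the DEP).
METADATA_PERL = """\
Name: perl
CPE: cpe:/a:perl:perl cpe:/a:larry_wall:perl
"""

# Constructed NVD-like sample: CVE id -> list of affected CPE 2.2 URIs.
# The CVE numbers are placeholders, not real entries.
NVD_SAMPLE = {
    "CVE-0000-0001": ["cpe:/a:larry_wall:perl:5.8.8", "cpe:/a:larry_wall:perl:5.10.0"],
    "CVE-0000-0002": ["cpe:/a:perl:perl:5.20.1"],
    "CVE-0000-0003": ["cpe:/a:dmitry_project:dmitry:1.3a"],
}


def metadata_cpes(text):
    """Return the space-separated CPE values from a debian/upstream/metadata file."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "CPE":
            return value.split()
    return []


def cpe_product(cpe):
    """Reduce a CPE 2.2 URI to its (part, vendor, product) triple, ignoring version
    and later components, so that versioned NVD entries match an unversioned tag."""
    if not cpe.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    fields = cpe[len("cpe:/"):].split(":")
    if len(fields) < 3:
        raise ValueError("CPE needs part, vendor and product: %r" % cpe)
    return tuple(fields[:3])


def affected_cves(package_cpes, nvd):
    """CVE ids whose affected-product list shares a vendor/product with the package."""
    wanted = {cpe_product(c) for c in package_cpes}
    return sorted(cve for cve, cpes in nvd.items()
                  if any(cpe_product(c) in wanted for c in cpes))


if __name__ == "__main__":
    tags = metadata_cpes(METADATA_PERL)
    print("perl is tagged", tags)
    print("affected by", affected_cves(tags, NVD_SAMPLE))  # both placeholder perl CVEs
```

Because both historical CPE names of perl are listed, entries filed under either vendor are found; a package tagged with only one of them would miss the other.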
History
- 2012-04-13 First skeleton draft.
- 2012-06-27 Updated with a few links and more concrete proposal.
- 2016-08-25 Rewrite proposal to document debian/upstream/metadata as the location for CPE info (i.e. DEP12).
- 2024-07-12 Added file path and another entry to example.