[debian][CPE] declaration of Debian CPE entry to MITRE

Raphael Hertzog hertzog at debian.org
Thu Jun 15 13:38:32 UTC 2017


Hello,

On Thu, 25 May 2017, Philippe Thierry wrote:
> Up to the Debian (Debian GNU/Linux) 8.0, Debian has declared the OS
> releases to the MITRE and they are visible in the CPE search tool of the NIST:
> 
> https://nvd.nist.gov/products/cpe/search/results?keyword=debian_linux&status=FINAL&orderBy=CPEURI&namingFormat=2.3&startIndex=20
> 
> There are no more declarations for other versions (8.x, x > 0) and for
> Debian/kFreeBSD.

I don't think that it makes sense to have each 8.x version recorded. Point
releases are not really relevant; if you need finer-grained data, then you
likely need the package-level version and not the Debian-level version.

9.0 (stretch) is not yet out so it would be a bit early to have it
recorded already, no?

> As a SCAP Security Guide team member managing the Debian (& Ubuntu) targets,
> the CPE entries of Debian are a requirement to support Debian as a target for
> SCAP security policy compliance checks & remediations (XCCDF benchmarks) and
> for various OVAL checks (e.g. CVE checks, much like debsecan).
> 
> Do you know who is managing the declaration of the Debian operating system
> against the MITRE?

I would expect the security team to be in charge: team at security.debian.org

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
