[debian][CPE] declaration of Debian CPE entry to MITRE
phil at reseau-libre.net
Thu Jun 15 14:06:16 UTC 2017
On 2017-06-15 15:38, Raphael Hertzog wrote:
> Hello,
Hello Raphael, thanks for your response!
>
> I don't think that it makes sense to have each 8.x version recorded. Point
> releases are not really relevant; if you need finer-grained data, then you
> likely need package-level version and not debian-level version.
I agree with that. I didn't use it for OVAL/XCCDF benchmarks, as some have
multiple minor releases and all specify the minor version (the last official
one is 8.0; I use a custom cpe:/o:debianproject:debian:8 to stay generic).
Maybe the first minor is a requirement and can be kept for all successive
updates.
For Debian kFreeBSD, I don't know whether a separate CPE is actually
required or not. As far as I know, it would be easier to keep one
reference, but the official CPE defines "debian_linux"
(cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*).
>
> 9.0 (stretch) is not yet out so it would be a bit early to have it
> recorded already, no?
Agreed. If it takes some time between the release of stretch and an
official CPE declaration, I can define one in the SCAP-security-guide
directly, as a local CPE dictionary, since that is accepted by the standard.
>
> I would expect the security team to be in charge:
> team at security.debian.org
Thanks!
> Cheers,
Cheers,
--
Philippe.
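As an added illustration, not part of the original message and not content from the SCAP-security-guide or from the official NVD dictionary, here is what a local CPE dictionary fragment declaring the generic jessie identifier discussed above could look like, next to the official 8.0 entry for comparison. Only the two identifiers quoted in the message (cpe:/o:debianproject:debian:8 and cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*) come from the thread; the 2.2 URI form of the official entry, the titles, and the stretch entry for 9 are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of a local CPE dictionary (CPE dictionary schema 2.0
     with the 2.3 extension). Not taken from the SCAP-security-guide or NVD. -->
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
          xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">

  <!-- Official style: product "debian_linux", version pinned to the first
       point release (8.0). Matches only benchmarks that also say 8.0. -->
  <cpe-item name="cpe:/o:debian:debian_linux:8.0">
    <title xml:lang="en-US">Debian GNU/Linux 8.0 (jessie)</title>
    <cpe-23:cpe23-item name="cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"/>
  </cpe-item>

  <!-- Custom generic entry as used in the message: major version only, so
       every 8.x point release is covered by a single platform reference. -->
  <cpe-item name="cpe:/o:debianproject:debian:8">
    <title xml:lang="en-US">Debian GNU/Linux 8 (jessie), any point release</title>
    <cpe-23:cpe23-item name="cpe:2.3:o:debianproject:debian:8:*:*:*:*:*:*:*"/>
  </cpe-item>

  <!-- Assumed placeholder for stretch, to be kept only until an official
       identifier is published. -->
  <cpe-item name="cpe:/o:debianproject:debian:9">
    <title xml:lang="en-US">Debian GNU/Linux 9 (stretch)</title>
    <cpe-23:cpe23-item name="cpe:2.3:o:debianproject:debian:9:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>
```

In an XCCDF benchmark, a rule or profile then references the generic name through a `<platform idref="cpe:/o:debianproject:debian:8"/>` element, and the dictionary entry is normally bound to an OVAL definition (via a `<check>` child of the `cpe-item`) that actually tests the installed release; that definition is omitted here because the thread does not describe it.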