[Secure-testing-team] Comparing NVD and Debian CVE tracking

Yves-Alexis Perez corsac at debian.org
Fri Jan 28 07:00:02 UTC 2011


On ven., 2011-01-28 at 01:18 +0100, Petter Reinholdtsen wrote:
> I've created a mapping between Debian source packages and CPE entries
> used in the CVE information in NVD.  The result is in the
> secure-testing subversion tree, data/CPE/list.  The data is probably
> not 100% accurate, but close enough to be useful. 

Btw I wonder if the CPE names could be matched against package names
the same way packages are matched across distros (see the appinstaller
meeting report by Enrico Zini:
http://www.enricozini.org/2011/debian/distromatch/)

What it needs is:

----
The data it requires for a distribution should be rather straightforward
to generate:

     1. a file which maps binary package names to source package names
     2. a file with the list of files in all the packages
----

In our case there are no binary packages, but there's no file list
available either, so we only have the package name to feed the xapian
index; not sure if it's enough for the heuristic to work.

(not sure if it's helpful either, we can keep the CPE/packages matching
list in secure-testing repository and maintain it here)

Regards,
-- 
Yves-Alexis
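To make the matching problem discussed above concrete, here is an added example (not code from the secure-testing repository, from distromatch, or from the data/CPE/list file, whose format is not reproduced here). It parses CPE 2.2 URIs from NVD and tries to map the product name, and as a fallback the vendor name, onto a Debian source package using only package names, which is exactly the reduced input described in the message. The binary-to-source mapping and the CPE strings are constructed for illustration; the tiered confidence labels are an assumption of this example, not a property of either tool.

```python
"""Heuristic CPE -> Debian source package matching on package names alone.

Added example, not code from the secure-testing repository or distromatch.
BINARY_TO_SOURCE is a constructed stand-in for the "binary package ->
source package" file distromatch wants; there is no file list, so only
names are used, and ambiguous name matches are deliberately rejected.
"""
import re

# Constructed mapping (assumption: a handful of squeeze-era package names).
BINARY_TO_SOURCE = {
    "libssl0.9.8": "openssl",
    "openssl": "openssl",
    "apache2-bin": "apache2",
    "apache2": "apache2",
    "php5-cli": "php5",
    "php5": "php5",
    "libxml2": "libxml2",
    "python2.6": "python2.6",
    "iceweasel": "iceweasel",
}


def parse_cpe(cpe):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product[:version...]) into
    (part, vendor, product); return None for anything that is not one."""
    m = re.match(r"^cpe:/([aho]):([^:]*):([^:]*)", cpe)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def normalise(name):
    """Lower-case and drop punctuation so 'http_server' and 'http-server'
    compare equal; Debian and CPE naming differ mostly in such details."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _lookup(token, binary_to_source):
    """Match one name token against source and binary package names.

    Returns (source_package, level) with level 'exact' or 'prefix', or None.
    A prefix match is only accepted when every matching binary package
    belongs to the same source package; otherwise it is ambiguous.
    """
    tok = normalise(token)
    if not tok:
        return None
    for src in set(binary_to_source.values()):
        if normalise(src) == tok:
            return src, "exact"
    for binary, src in binary_to_source.items():
        if normalise(binary) == tok:
            return src, "exact"
    candidates = {src for binary, src in binary_to_source.items()
                  if normalise(binary).startswith(tok)}
    if len(candidates) == 1:
        return candidates.pop(), "prefix"
    return None


def match_cpe(cpe, binary_to_source=BINARY_TO_SOURCE):
    """Map a CPE URI to (source_package, confidence) or None.

    Confidence is 'exact', 'prefix' (product name is a prefix of a binary
    package name, e.g. php -> php5-cli) or 'vendor' (only the vendor field
    matched, e.g. apache:http_server -> apache2).  Renamed packages such as
    firefox -> iceweasel cannot be found from names alone and yield None,
    which is the case a maintained CPE/package list has to cover by hand.
    """
    parsed = parse_cpe(cpe)
    if parsed is None:
        return None
    _, vendor, product = parsed
    hit = _lookup(product, binary_to_source)
    if hit:
        return hit
    hit = _lookup(vendor, binary_to_source)
    if hit:
        return hit[0], "vendor"
    return None


if __name__ == "__main__":
    # Constructed CPE names in the style NVD uses; not taken from a feed.
    for cpe in ("cpe:/a:openssl:openssl:0.9.8o",
                "cpe:/a:php:php:5.3.3",
                "cpe:/a:apache:http_server:2.2.16",
                "cpe:/a:mozilla:firefox:3.6.13"):
        print(cpe, "->", match_cpe(cpe))
```

Anything that comes back as 'prefix' or 'vendor' is a candidate for review rather than a result, and a None for a product that is known to be packaged (firefox/iceweasel here) is the signal that the name-only heuristic has hit its limit and the hand-maintained list is still needed.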