[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

cpe ids and package names


I apologize for the mistakes I will make, I am not a native.

Yesterday, I asked a question to the security team and they told me to ask it here : (in short) Is there a file that bonds cpe ids to package names?

I know this file exists :


The problem is : it does not include any version info. For example :

If I scan a machine with nmap and retrieve the http server's cpe (let say it's apache 2.2.22)

The cpe will be cpe:/a:apache:http_server:2.2.22.

With the list I gave above, I'm able to say : "The package currently running is either apache or apache2" but nothing more. (of course, obviously, it is apache2)

In that special case it is easy to determine which package is installed and used, but it becomes a pain if I want a global solution to determine which package corresponds to which service (not only the http server).

I see two solutions :
Doing a fuzzing match with the product's name and the product's version on the package's names. Which is an ugly trick that won't work in every case imo.

Making an enumeration of cpes and bonding each of them with the good package name in function depending on a given version (maybe in a xml file?).

Have you heard of such a file?

* Florian Weimer

You should ask on the public mailing list
<debian-security@lists.debian.org>, perhaps there is sufficient
interest to maintain such a mapping.

So? Would you be interested by a file like this?

Thank you.


Quentin Poirier

Reply to: