
CPE IDs and package names



Hello,

I apologize for the mistakes I will make; I am not a native speaker.

Yesterday I asked the security team a question and they told me to ask it here. In short: is there a file that binds CPE IDs to package names?

I know this file exists:

http://anonscm.debian.org/viewvc/secure-testing/data/CPE/list?view=markup


The problem is that it does not include any version info. For example:

If I scan a machine with nmap and retrieve the HTTP server's CPE (let's say it's Apache 2.2.22),

the CPE will be cpe:/a:apache:http_server:2.2.22.

With the list I gave above, I'm able to say "the package currently running is either apache or apache2" but nothing more (of course, it is obviously apache2).

In this particular case it is easy to determine which package is installed and used, but it becomes a pain if I want a global solution to determine which package corresponds to which service (not only the HTTP server).

I see two solutions:

Doing a fuzzy match of the product's name and version against the package names, which is an ugly trick that won't work in every case, in my opinion.

Making an enumeration of CPEs and binding each of them to the right package name depending on a given version (maybe in an XML file?).

Have you heard of such a file?

* Florian Weimer

You should ask on the public mailing list
<debian-security@lists.debian.org>, perhaps there is sufficient
interest to maintain such a mapping.

So, would you be interested in a file like this?

Thank you.

Regards,

Quentin Poirier
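A version-aware mapping of the kind the second option above describes, as an added example that is not code from the original post, from the Debian secure-testing tracker, or from any existing tool. It assumes a simple line format (package;cpe;min;max) invented for this example; the sample table is constructed and is not the content or the format of the real data/CPE/list file.

```python
"""
Version-aware lookup from a CPE 2.2 URI to a Debian binary package name.

Example code illustrating a versioned CPE-to-package enumeration; not part
of the Debian secure-testing tracker. The table below is constructed, and
its line format (package;cpe;min;max) is an assumption made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample table: min is inclusive, max is exclusive, empty = unbounded.
SAMPLE_TABLE = """\
# package;cpe;min;max
apache;cpe:/a:apache:http_server;1.3;2.0
apache2;cpe:/a:apache:http_server;2.0;
bind9;cpe:/a:isc:bind;9;
openssh-server;cpe:/a:openbsd:openssh;;
"""


@dataclass(frozen=True)
class Cpe:
    part: str           # a = application, h = hardware, o = operating system
    vendor: str
    product: str
    version: str = ""   # empty when the URI stops at the product


def parse_cpe(uri: str) -> Cpe:
    """Parse a CPE 2.2 URI such as cpe:/a:apache:http_server:2.2.22.
    Fields after the version (update, edition, language) are ignored."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or fields[0] not in ("a", "h", "o"):
        raise ValueError("malformed CPE 2.2 URI: %r" % uri)
    return Cpe(fields[0], fields[1], fields[2], fields[3] if len(fields) > 3 else "")


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '2.2.22' into a tuple that orders numerically per component, so
    that 2.2.22 < 2.10. Numeric components sort before alphabetic ones. This is
    adequate for upstream versions as seen in CPEs; it is not dpkg's ordering."""
    parts = [p for p in re.split(r"[.\-+~]", version) if p]
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


@dataclass(frozen=True)
class Entry:
    package: str
    cpe: Cpe            # product-level CPE, no version
    lo: Optional[str]   # inclusive lower bound, None = unbounded
    hi: Optional[str]   # exclusive upper bound, None = unbounded

    def covers(self, version: str) -> bool:
        if not version:
            return True     # no version known: every range stays a candidate
        v = version_key(version)
        if self.lo and v < version_key(self.lo):
            return False
        if self.hi and v >= version_key(self.hi):
            return False
        return True


def load_table(text: str) -> List[Entry]:
    """Parse the assumed package;cpe;min;max format, skipping blank/comment lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(fields)))
        package, cpe_uri, lo, hi = fields
        entries.append(Entry(package, parse_cpe(cpe_uri), lo or None, hi or None))
    return entries


def lookup_packages(uri: str, entries: List[Entry]) -> Tuple[str, ...]:
    """Packages whose CPE product matches and whose version range covers the
    URI's version. A bare product CPE returns every candidate, which is the
    apache-or-apache2 ambiguity the unversioned list leaves you with."""
    cpe = parse_cpe(uri)
    hits: List[str] = []
    for e in entries:
        same_product = (e.cpe.part, e.cpe.vendor, e.cpe.product) == (cpe.part, cpe.vendor, cpe.product)
        if same_product and e.covers(cpe.version) and e.package not in hits:
            hits.append(e.package)
    return tuple(hits)


TABLE = load_table(SAMPLE_TABLE)

if __name__ == "__main__":
    for uri in ("cpe:/a:apache:http_server:2.2.22", "cpe:/a:apache:http_server"):
        print(uri, "->", ", ".join(lookup_packages(uri, TABLE)) or "(no mapping)")
```

With the versioned CPE nmap reports, the lookup narrows to apache2; with only the product part it returns both apache and apache2, reproducing the ambiguity described above. The version ordering is deliberately simple (per-component numeric comparison) and is not a substitute for dpkg's comparison when the bounds need to be expressed in Debian version syntax.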

