RE: Should Debian ask for a CPE when a CVE in Debian is found?
- To: "David A. Wheeler" <dwheeler@linuxfoundation.org>, "debian-security@lists.debian.org" <debian-security@lists.debian.org>, "Brewer, Tanya L. (Fed)" <tanya.brewer@nist.gov>
- Cc: "Wheeler, David A" <dwheeler@ida.org>, cpe_dictionary <cpe_dictionary@nist.gov>, Kate Stewart <kstewart@linuxfoundation.org>, Samir Khakimov <skhakimo@ida.org>, Holger Levsen <holger@layer-acht.org>, "Turner, Christopher A. (Fed)" <christopher.turner@nist.gov>
- Subject: RE: Should Debian ask for a CPE when a CVE in Debian is found?
- From: "Booth, Harold (Fed)" <harold.booth@nist.gov>
- Date: Mon, 2 Dec 2024 13:08:53 +0000
- Message-id: <[🔎] DM6PR09MB54637BB981109C62D27FF7DDE6352@DM6PR09MB5463.namprd09.prod.outlook.com>
- In-reply-to: <[🔎] 05E0F76B-3FD6-4975-B989-3D678E26552D@dwheeler.com>
- References: <9F8E44BC27E22046B84EC1B9364C66A1B31E3FC9F1@EXCH07-4850.ida.org> <CY1PR09MB08268F7F0D9F4FCF94146877E6A90@CY1PR09MB0826.namprd09.prod.outlook.com> <[🔎] 05E0F76B-3FD6-4975-B989-3D678E26552D@dwheeler.com>
Hi David,
Noting that the statement below described the world in 2016, which looks different than one we now have in 2024. I have not been involved with the NVD program for quite some time (~2017/2018), and I have cc'ed Tanya Brewer who now leads the program.
Regards,
-Harold
-----Original Message-----
From: David A. Wheeler <dwheeler@linuxfoundation.org>
Sent: Sunday, December 1, 2024 3:30 PM
To: Booth, Harold (Fed) <harold.booth@nist.gov>; debian-security@lists.debian.org
Cc: Wheeler, David A <dwheeler@ida.org>; cpe_dictionary <cpe_dictionary@nist.gov>; Kate Stewart <kstewart@linuxfoundation.org>; Samir Khakimov <skhakimo@ida.org>; Holger Levsen <holger@layer-acht.org>
Subject: Re: Should Debian ask for a CPE when a CVE in Debian is found?
> On Feb 12, 2016, at 12:50 PM, Booth, Harold <harold.booth@nist.gov> wrote:
>
> We welcome and encourage participation from any vendor to provide us with this information. We will be happy to work with Debian to accept their CPE submissions for products that they release. What would help you to get started? We can set-up a quick call if that would help, otherwise the cpe_dictionary@nist.gov email is the correct place for submissions.
>
> Related to CPE, is another software identification scheme, Software ID (SWID) Tags (ISO 19770-2:2015) that we think provides more capability and benefit. We have a document currently in draft, NIST IR 8060 (http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060), that describes how to create and use SWID tags as well as some use cases. I mention the SWID tags since we can also auto generate CPEs from those, and we see SWID tags as longer term solution to the problem of software product identification and inventory.
FYI: For longer-term identification of software components, I would suggest considering purls instead. These are *MUCH* simpler for identification of OSS components, which matters for the millions of OSS components that exist. The purl format is supported in SPDX, CycloneDX, OSV, and many other formats.
Specification for purl here:
https://github.com/package-url/purl-spec
For Debian specifically, there's already a format specifically for it. An example (with extras):
pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie
The OpenSSF responded to CISA about naming issues in 2023 (I facilitated the report). Summary here:
https://openssf.org/blog/2023/12/11/openssf-responds-to-the-cisa-rfc-on-software-identification-ecosystem-analysis/
It notes that "Purl is currently in use as a de facto standard in many situations" and
the value of using DNS-based approaches (purl is one).
--- David A. Wheeler
Reply to: