OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Common Platform Enumeration (CPE) naming schema on information gathering process #360

Closed jespunya closed 2 years ago

jespunya commented 4 years ago

What would you like added? Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.

The usage of CPE naming is especially important to boost the integration of multiple tools during the automation of testing. Actually, several widely used security tools provide their inventories based on CPE encoding.

An example of CPE naming would be the representation of: Microsoft Internet Explorer 8.0.6001 Beta as:

wfn:[part="a",vendor="microsoft",product="internet_explorer",
version="8\.0\.6001",update="beta"]

Or the most commonly found:

cpe:/a:microsoft:internet_explorer:8.0.6001:beta

I think it would be important that any WSTG reader be introduced to this naming scheme in order to know what it is and how to use it, as well as to encourage developers of security testing tools to integrate the usage of CPE in their tools for better integration with other databases and tools.

Do you think that it would be interesting? If you would like to introduce it, where do you think it would fit best inside the guide?

My proposal would be:

  1. Add a new appendix to the guide with the explanation of the Common Platform Enumeration (CPE)
  2. Softly integrate, through examples, the usage of CPE in section 4.2 of the guide, especially in modules 4.2.2, 4.2.4, 4.2.8 and 4.2.9. This soft integration would consist of providing the corresponding CPE names for the frameworks and technologies mentioned in the examples of those modules.

Would you like to be assigned to this issue?
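To make the two encodings quoted in the post concrete, here is an added example (not code from the issue or from the WSTG project) that parses the WFN above and binds it to the `cpe:/...` URI form shown in the post, and also to the CPE 2.3 formatted-string form from NIST IR 7695, which the post does not show. It assumes attribute values built from the letters, digits, underscores and backslash-quoted periods used in the example and does not percent-encode any other characters.

```python
import re

# WFN attribute order from the CPE 2.3 naming spec (NIST IR 7695); the issue's
# example sets only the first five.
WFN_ATTRS = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]

# Constructed sample input: the WFN quoted in the issue.
WFN_EXAMPLE = ('wfn:[part="a",vendor="microsoft",product="internet_explorer",'
               'version="8\\.0\\.6001",update="beta"]')


def parse_wfn(wfn):
    """Parse a WFN string into {attribute: raw value}; values keep their WFN quoting."""
    m = re.fullmatch(r'\s*wfn:\[(.*)\]\s*', wfn, re.S)
    if not m:
        raise ValueError("not a WFN string")
    attrs = {}
    for name, value in re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', m.group(1)):
        if name not in WFN_ATTRS:
            raise ValueError("unknown WFN attribute: " + name)
        attrs[name] = value
    if attrs.get("part") not in ("a", "o", "h"):
        raise ValueError("part must be a (application), o (OS) or h (hardware)")
    return attrs


def _unquote(value, only=None):
    """Drop the WFN backslash quoting, e.g. 8\\.0\\.6001 -> 8.0.6001.
    When `only` is given, just those quoted characters are unquoted."""
    return re.sub(r'\\(.)',
                  lambda m: m.group(1) if only is None or m.group(1) in only else m.group(0),
                  value)


def to_uri(attrs):
    """Bind to the cpe:/part:vendor:... URI form seen in the issue (seven
    components); unset attributes are empty and trailing empties are trimmed."""
    comps = [_unquote(attrs.get(a, "")) for a in WFN_ATTRS[:7]]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)


def to_formatted_string(attrs):
    """Bind to the CPE 2.3 formatted string: unset attributes become '*' and only
    quoted '.', '-' and '_' lose their backslash, as the spec's binding does."""
    return "cpe:2.3:" + ":".join(
        _unquote(attrs[a], "._-") if a in attrs else "*" for a in WFN_ATTRS)


if __name__ == "__main__":
    wfn = parse_wfn(WFN_EXAMPLE)
    print(to_uri(wfn))               # cpe:/a:microsoft:internet_explorer:8.0.6001:beta
    print(to_formatted_string(wfn))  # cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*
```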

ThunderSon commented 4 years ago

I'd really like this topic to be injected into the WSTG. Points to consider:

Why do I enjoy this topic? Readers will be able to:

Looking forward to more opinions and actionable points on this 😄

kingthorin commented 4 years ago

I have no further context for this tweet right now just wanted to keep track of it somehow: https://mobile.twitter.com/manicode/status/1238835388757823493

ThunderSon commented 4 years ago

@stevespringett @jmanico would you be able to provide us with input on the above topic?

stevespringett commented 4 years ago

In general, a section on naming would be good. CPE is one method of naming. There are others including Package URL and SWID.

CPE is inherently flawed. It's centralized. The vendor/product/versions often do not reflect reality. And most importantly, CPEs are typically not created until a CVE is created. So it's not an authoritative source of software, rather vulnerable software.

Naming is hard. Vendors get merged, acquired, products are renamed, etc. Currently, a global alias list does not exist. These are all known problems. A global namespace has only been created once - DNS. The software equivalent of this does not currently exist.

IMO, a section on naming would be good which references to the various methods in which software is named, including CPE, Package URL, and SWID.

kingthorin commented 4 years ago

Further details on CPE/SWID concerns: https://groups.google.com/a/owasp.org/g/leaders/c/eQPCC7-nQj4/m/WMYVLMmSAgAJ

kingthorin commented 4 years ago

@jespunya are you going to be able to tackle this?

jespunya commented 4 years ago

@kingthorin I still think that it would be interesting, but I don't have a clear idea about how to address it. What would be your idea? Maybe a subsection of section 5 (Reporting) explaining what Naming is, its usages and limitations, and an introduction to the CPE, Package URL & SWID proposed by @stevespringett? Any other idea?

ThunderSon commented 4 years ago

I would scrap CPE as it's going to be deprecated and move forward with it. @stevespringett what would you advise for this call?

stevespringett commented 4 years ago

CPE will be around for a few more years. The NVD will be supporting it while they migrate to SWID and commercial sources of vulnerability intelligence (VulnDB, Secunia, etc) continue to support it. So for the foreseeable future, I would include CPE, SWID, and PURL.

https://cyclonedx.org/use-cases/#known-vulnerabilities has some recommendations on which of these three to use based on the type of software being represented.

jespunya commented 4 years ago

Thanks @stevespringett, I will try to make a first version during the following days so we could have something more specific to talk about.

ThunderSon commented 4 years ago

@jespunya if you require any help or support, ping away :) Thanks for tackling this!

github-actions[bot] commented 4 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 2 years ago

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.