Open vaibhav-rustagi opened 2 years ago
What's `cpe_uri`?
`cpe` is a structured format which covers information about vendors and the software provided by them. More information can be found at: https://nvd.nist.gov/products/cpe, https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/cpe

For tracking security vulnerabilities in any software used, NVD is generally tracked for finding vulnerabilities based on the CPE associated with each vulnerability. Example: https://nvd.nist.gov/vuln/detail/CVE-2021-41617 where we can see `cpe:2.3:a:openbsd:openssh:` / `cpe:2.3:o:fedoraproject:fedora:34` are the CPEs. Downstream users of the package track a `cpe` for vulnerabilities, and if NVD has a vulnerability which matches the `cpe` monitored by downstream, then downstream users can triage the vulnerability to see if they are affected or not.
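As an added example that is not part of this thread or of the arping project: a small Python matcher that parses CPE 2.3 formatted strings and checks a monitored CPE (here the `thomashabets:arping` name proposed later in the thread, with `*` for the version) against vulnerability records in the shape of the NVD triage workflow described above. The records and CVE ids are constructed placeholders, and the matching rule is a simplified version of CPE name matching (only `*`/ANY is treated as a wildcard).

```python
# Constructed example: parse CPE 2.3 formatted strings and match a monitored CPE
# against vulnerability records, the way a downstream consumer triages NVD data.
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language",
          "sw_edition", "target_sw", "target_hw", "other")

def split_cpe(cpe: str) -> list[str]:
    """Split on unescaped ':' only; a literal colon inside a component is '\\:'."""
    parts, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):   # keep escape and escaped char together
            cur += cpe[i:i + 2]
            i += 2
            continue
        if cpe[i] == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += cpe[i]
        i += 1
    parts.append(cur)
    return parts

def parse_cpe(cpe: str) -> dict[str, str]:
    """Return the 11 named components of a well-formed 'cpe:2.3:...' string."""
    parts = split_cpe(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a well-formed CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))

def component_matches(monitored: str, vuln: str) -> bool:
    """Simplified CPE name matching: '*' (ANY) on either side matches anything,
    otherwise components must be equal (case-insensitive). NA ('-') is literal here."""
    return monitored == "*" or vuln == "*" or monitored.lower() == vuln.lower()

def cpe_matches(monitored: str, vuln: str) -> bool:
    m, v = parse_cpe(monitored), parse_cpe(vuln)
    return all(component_matches(m[f], v[f]) for f in FIELDS)

# Constructed sample records with placeholder ids and versions (not real NVD data).
SAMPLE_VULNS = {
    "CVE-SAMPLE-0001": ["cpe:2.3:a:thomashabets:arping:9.9:*:*:*:*:*:*:*"],
    "CVE-SAMPLE-0002": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"],
}

def affected_cves(monitored_cpe: str, vulns: dict = SAMPLE_VULNS) -> list[str]:
    """Ids of records with at least one CPE matching the monitored one; these are
    the candidates a downstream user would then triage by hand."""
    return sorted(cve for cve, cpes in vulns.items()
                  if any(cpe_matches(monitored_cpe, c) for c in cpes))
```

Calling `affected_cves("cpe:2.3:a:thomashabets:arping:*:*:*:*:*:*:*:*")` returns only the arping record, while the fedora record is excluded because its `part` component (`o`) differs.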
I'm not aware of arping having a `cpe_uri`, either formally or informally.
I dunno, could `cpe:2.3:a:thomashabets:arping:[…]` make sense?
I think the above makes sense. But in order to add it to NVD, I think you need to contact: cpe_dictionary@nist.gov (as per https://nvd.nist.gov/products/cpe).
Hi,
I was trying to find cpe_uri associated with this package in NIST/NVD so that COS (https://cloud.google.com/container-optimized-os/docs) can track security vulnerabilities associated with it. However, based on the search there was no cpe_uri associated.
Could you help in providing information as to what `cpe_uri` can be used by downstream users to track security vulnerabilities in this package from NIST/NVD?