CPE (Common Platform Enumeration) is a standard syntax for describing software (e.g. vendor, software type, software name, version). The NIST CPE Dictionary is a central database of registered CPEs. Vendors can register their CPEs with NIST to be added to the database.

Currently, LoopBack only has 1 CPE entry:

`cpe:2.3:a:ibm:loopback:8.0.0:*:*:*:*:*:*:*`

Here is a 3-part proposal:

1. IBM is no longer the vendor for LoopBack. To solve this, we can revoke the current CPE and replace it with the following:

   `cpe:2.3:a:loopback:\@loopback\/rest:8.0.0:*:*:*:*:*:*:*`

   Note that the CPE above is not registered and may change once we contact NIST. The backslash is used to "quote" printable, non-alphanumeric characters in accordance with the CPE 2.3 specification.

2. Other vulnerable LoopBack packages with a published CVE do not have an associated CPE. ~~LB2/3 is quite different from LB4. Hence one proposal is to utilise the DefinitelyTyped syntax by:
   a. Replacing the `@` and `/` in the above CPE with a double underscore (the DefinitelyTyped convention for scoped packages)
   b. Using a hyphen as per normal for LB2/3 packages (e.g. `loopback-boot`)
   This allows us to exploit the existing distinctive property separating LB2/3 and LB4, that LB2/3 packages are unscoped while LB4 packages are scoped.~~

3. For "non-LoopBack" packages such as `strong-soap`, keep the `loopback` vendor and use the package name as per normal, similar to 2.a.
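As an added example (not code from the LoopBack project, NIST or the NVD), here is the quoting rule from the CPE 2.3 formatted-string binding applied to npm package names, together with a parser that reverses it so a scanner can recover `@loopback/rest` from the quoted product field. The `proposedLoopbackCpe` helper encodes the proposal above (a single `loopback` vendor for scoped, unscoped and "non-LoopBack" packages); its name and the `1.0.0` version used for `strong-soap` in the usage lines are assumptions for illustration only.

```typescript
// Added example (not LoopBack or NVD code): build and parse CPE 2.3
// formatted strings for npm package names such as "@loopback/rest".
// Quoting follows the formatted-string binding in NISTIR 7695 section 6.2:
// alphanumerics, underscore, period and hyphen are emitted as-is; every other
// printable character is quoted with a backslash. '*' and '?' are wildcards
// only when unquoted, so a literal '*' or '?' in a name is quoted as well.

const WILDCARD = "*"; // logical value ANY for the fields we do not pin

function quoteComponent(value: string): string {
  // Lowercasing is the NVD convention; CPE matching is case-insensitive.
  return value.toLowerCase().replace(/[^a-z0-9._-]/g, (ch) => `\\${ch}`);
}

// Produce the 13-field formatted string for an application ("a") product.
function npmPackageToCpe(vendor: string, pkg: string, version: string): string {
  const pinned = [quoteComponent(vendor), quoteComponent(pkg), quoteComponent(version)];
  // update, edition, language, sw_edition, target_sw, target_hw, other
  const rest = new Array<string>(7).fill(WILDCARD);
  return ["cpe", "2.3", "a", ...pinned, ...rest].join(":");
}

// Assumption for this example only: the page's proposal to keep a single
// "loopback" vendor for scoped LB4, unscoped LB2/3 and "non-LoopBack" packages.
function proposedLoopbackCpe(pkg: string, version: string): string {
  return npmPackageToCpe("loopback", pkg, version);
}

interface CpeFields {
  part: string;
  vendor: string;
  product: string;
  version: string;
}

// Split on unescaped colons (a quoted "\:" inside a value is not a separator),
// then strip the quoting so the caller gets the original npm name back.
function parseCpe(cpe: string): CpeFields {
  const raw: string[] = [];
  let current = "";
  for (let i = 0; i < cpe.length; i++) {
    const ch = cpe[i];
    if (ch === "\\" && i + 1 < cpe.length) {
      current += ch + cpe[++i]; // keep the quoted pair; unquoted below
    } else if (ch === ":") {
      raw.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  raw.push(current);
  if (raw.length !== 13 || raw[0] !== "cpe" || raw[1] !== "2.3") {
    throw new Error("not a CPE 2.3 formatted string");
  }
  const unquote = (s: string): string => s.replace(/\\(.)/g, "$1");
  return {
    part: raw[2],
    vendor: unquote(raw[3]),
    product: unquote(raw[4]),
    version: unquote(raw[5]),
  };
}

// Usage: the proposal's replacement CPE and a "non-LoopBack" package under
// the same vendor (the strong-soap version here is a constructed placeholder).
console.log(proposedLoopbackCpe("@loopback/rest", "8.0.0"));
console.log(proposedLoopbackCpe("strong-soap", "1.0.0"));
console.log(parseCpe(proposedLoopbackCpe("@loopback/rest", "8.0.0")).product);
```

The parser is the piece a vulnerability scanner or SBOM tool needs: a naive `split(":")` would also split on a quoted `\:` inside a value, and a naive comparison of the product field against the npm name would never match `\@loopback\/rest`, which is exactly why the quoting convention matters when registering the CPE.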