Extend to product identification helpers to mitigate name / vendor changes?

[sthagen]

Situation / Comment

3.1.3.3 Full Product Name Type - Product Identification Helper

We welcome the addition of new ways to identify products besides CPE. Two issues we face in this regard is renaming or selling products and patching of software packages by Linux distributions. Both probably out of scope for CSAF, but they might be relevant context. If a vendor decides to rename a product or sell it to another company, it becomes difficult for an advisory consumer to determine, whether an advisory is relevant or not. Things like "previous name / vendor" or "alternative name" might be helpful in this regard. Determining whether an installed package from a Linux distribution is vulnerable based on identifiers using version numbers is difficult if the distribution has not yet published its own advisory. With distributions backporting patches and therefore deviating from upstream version numbers, it is not possible to derive this information from an upstream advisory.

Proposal

The TC will consider the feedback and analyze the possible contribution from CSAF to the mitigation of the identification dilemma from name changes in products and vendors.

Scope CSDPR01 Public Review comment

Received from Christian Keil (DFN-CERT) per email to the public csaf comments mailing list as part of https://lists.oasis-open.org/archives/csaf-comment/202109/msg00000.html @santosomar, @tschmidtb51

[santosomar]

Thank you for the feedback and input. During the TC monthly meeting on Sep 29, 2021, the OASIS Common Security Advisory Framework (CSAF) TC has reviewed your feedback and has voted not to making any changes at this time in CSAF 2.0.