[Buildroot] [External] Re: Adding new products in the CPE database ?

Weber, Matthew L Collins Matthew.Weber at collins.com
Tue Oct 5 19:12:02 UTC 2021


All,

> From: Arnout Vandecappelle <arnout at mind.be>
> Sent: Tuesday, October 5, 2021 2:01 PM
> To: Thomas Petazzoni <thomas.petazzoni at bootlin.com>; Weber, Matthew L Collins <Matthew.Weber at collins.com>
> Cc: buildroot at uclibc.org <buildroot at uclibc.org>; Yann E. MORIN <yann.morin.1998 at free.fr>
> Subject: [External] Re: [Buildroot] Adding new products in the CPE database ?
>
> On 04/10/2021 09:49, Thomas Petazzoni wrote:
> > Hello Matt,
> >
> > I was wondering what was the process to add a new product in the CPE
> > database.
> >
> > Indeed, I was investigating
> > https://security-tracker.debian.org/tracker/CVE-2011-3332, which is
> > affecting our "argus" package.
> >
> > However CVE-2011-3332 affects the Argus product from Iceni, a PDF
> > extracting tool at https://www.iceni.com/legacy.htm.
> >
> > This is completely different than the Argus package we have, which is
> > https://openargus.org/.
> >
> > The NVD CPE database has several Argus products known:
> > https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=argus.
> > From Iceni, from Oracle, from Litronic. But none of them correspond to
> > the Argus that we have packaged.
> >
> > So I guess we need to tell the NVD people to add an entry in the CPE
> > database for this other Argus product, so that we can then amend our
> > argus.mk package with the appropriate CPE ID information.
>
>   I believe it's simply sending mail to cpe_dictionary at nist.gov. From [1]:

Yeah, it isn't too bad.

What has worked before has been to build a proposed XML entry for the new addition that includes the basic VERSION and PROJECT reference fields.  The NIST cpe team then takes those refs and verifies they make sense before adding the new entry to the dictionary.  You don't necessarily need to include all prior versions (they sometimes fill these in).

Regards,
Matt
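The entry-building step Matt describes, as an added example that is not code from the thread, from Buildroot or from NIST: it binds vendor/product/version to the CPE 2.3 formatted string and the CPE 2.2 URI form, serializes one cpe-item in the NVD dictionary XML layout with PROJECT and VERSION reference links, emits the CPE_ID lines for the package .mk (Buildroot's documented <PKG>_CPE_ID_VENDOR and <PKG>_CPE_ID_PRODUCT variables), and shows why the vendor component matters: a check on product name alone maps the Iceni CVE onto the openargus package, while a vendor-aware check does not. The vendor names "iceni" and "openargus", the version "3.0.8" and the reference URLs are constructed placeholders, not values taken from the NVD.

```python
"""Build a proposed NVD CPE dictionary entry for a product that is missing
from the dictionary, and show why the vendor component matters when matching
CVEs against packages.  Example code written for this thread; not tooling
from Buildroot or NIST."""
import re
import xml.etree.ElementTree as ET

CPE_DICT_NS = "http://cpe.mitre.org/dictionary/2.0"
CPE23_NS = "http://scap.nist.gov/schema/cpe-extension/2.3"
XML_NS = "http://www.w3.org/XML/1998/namespace"


def _fs_component(value):
    """Bind one attribute value to the CPE 2.3 formatted-string form: the
    logical values ANY ('*') and NA ('-') pass through; anything else is
    lowercased, spaces become underscores, and characters outside
    [a-z0-9_.-] are backslash-escaped so a literal '*', '?' or ':' cannot act
    as a wildcard or a separator."""
    if value in ("*", "-"):
        return value
    value = value.strip().lower().replace(" ", "_")
    return re.sub(r"([^a-z0-9_.\-])", r"\\\1", value)


def _uri_component(value):
    """Bind one attribute value to the older CPE 2.2 URI form used for the
    dictionary's cpe-item name: ANY becomes an empty component and other
    special characters are percent-encoded."""
    if value == "*":
        return ""
    value = value.strip().lower().replace(" ", "_")
    return re.sub(r"[^a-z0-9_.\-]", lambda m: "%%%02x" % ord(m.group()), value)


def cpe23_fs(vendor, product, version="*", update="*", part="a"):
    """Full 13-component CPE 2.3 formatted string."""
    comps = [part, vendor, product, version, update] + ["*"] * 6
    return "cpe:2.3:" + ":".join(_fs_component(c) for c in comps)


def cpe22_uri(vendor, product, version="*", update="*", part="a"):
    """CPE 2.2 URI with trailing empty components trimmed."""
    comps = [_uri_component(c) for c in (vendor, product, version, update)]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join([part] + comps)


def dictionary_entry(vendor, product, version, title, references):
    """Serialize one <cpe-item> in the NVD dictionary XML layout.  `references`
    maps a reference label (PROJECT, VERSION, ...) to the URL the NIST CPE team
    can use to verify the request."""
    ET.register_namespace("", CPE_DICT_NS)
    ET.register_namespace("cpe-23", CPE23_NS)
    item = ET.Element(f"{{{CPE_DICT_NS}}}cpe-item",
                      name=cpe22_uri(vendor, product, version))
    title_el = ET.SubElement(item, f"{{{CPE_DICT_NS}}}title")
    title_el.set(f"{{{XML_NS}}}lang", "en-US")
    title_el.text = title
    refs = ET.SubElement(item, f"{{{CPE_DICT_NS}}}references")
    for label, href in references.items():
        ET.SubElement(refs, f"{{{CPE_DICT_NS}}}reference", href=href).text = label
    ET.SubElement(item, f"{{{CPE23_NS}}}cpe23-item",
                  name=cpe23_fs(vendor, product, version))
    return ET.tostring(item, encoding="unicode")


def buildroot_cpe_vars(pkg, vendor, product):
    """Lines to add to the package .mk once the entry exists (Buildroot's
    <PKG>_CPE_ID_VENDOR / <PKG>_CPE_ID_PRODUCT variables; the version comes
    from <PKG>_VERSION by default)."""
    up = pkg.upper().replace("-", "_")
    return [f"{up}_CPE_ID_VENDOR = {vendor}", f"{up}_CPE_ID_PRODUCT = {product}"]


def _split_fs(cpe_fs):
    # Split on unescaped colons only, so escaped '\:' inside a value survives.
    return re.split(r"(?<!\\):", cpe_fs)


def same_product(cpe_a, cpe_b):
    """Applicability check on part, vendor and product: the minimum that
    separates two unrelated products sharing a name."""
    return _split_fs(cpe_a)[2:5] == _split_fs(cpe_b)[2:5]


def same_product_name_only(cpe_a, cpe_b):
    """The naive check that produces the false positive from the thread:
    product name alone, vendor ignored."""
    return _split_fs(cpe_a)[4] == _split_fs(cpe_b)[4]


# Constructed for this example: vendor names and version are placeholders.
ICENI_ARGUS = cpe23_fs("iceni", "argus")            # the PDF tool's entry
OPENARGUS = cpe23_fs("openargus", "argus", "3.0.8")  # the proposed new entry

if __name__ == "__main__":
    print(dictionary_entry("openargus", "argus", "3.0.8", "openargus argus 3.0.8",
                           {"Project": "https://openargus.org/",
                            "Version": "https://openargus.org/"}))
    print("\n".join(buildroot_cpe_vars("argus", "openargus", "argus")))
    print("name-only match:", same_product_name_only(ICENI_ARGUS, OPENARGUS))
    print("vendor-aware match:", same_product(ICENI_ARGUS, OPENARGUS))
```

Running the script prints the XML fragment that would accompany the mail to the CPE dictionary team, the two .mk lines, `name-only match: True` and `vendor-aware match: False`; the second pair is the reason the dictionary entry is needed before argus.mk can carry a CPE ID that does not pick up CVE-2011-3332.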

